kpt-grpc-demo/google/cloud/assuredworkloads/v1beta1/assuredworkloads.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.assuredworkloads.v1beta1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AssuredWorkloads.V1Beta1";
option go_package = "google.golang.org/genproto/googleapis/cloud/assuredworkloads/v1beta1;assuredworkloads";
option java_multiple_files = true;
option java_outer_classname = "AssuredworkloadsProto";
option java_package = "com.google.cloud.assuredworkloads.v1beta1";
option php_namespace = "Google\\Cloud\\AssuredWorkloads\\V1beta1";
option ruby_package = "Google::Cloud::AssuredWorkloads::V1beta1";
option (google.api.resource_definition) = {
  type: "assuredworkloads.googleapis.com/Location"
  pattern: "organizations/{organization}/locations/{location}"
};

// Request for creating a workload.
message CreateWorkloadRequest {
  // Required. The resource name of the new Workload's parent.
  // Must be of the form `organizations/{org_id}/locations/{location_id}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Required. Assured Workload to create
  Workload workload = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. A identifier associated with the workload and underlying projects which
  // allows for the break down of billing costs for a workload. The value
  // provided for the identifier will add a label to the workload and contained
  // projects with the identifier as the value.
  string external_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request for Updating a workload.
message UpdateWorkloadRequest {
  // Required. The workload to update.
  // The workload's `name` field is used to identify the workload to be updated.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  Workload workload = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to be updated.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for restricting list of available resources in Workload environment.
message RestrictAllowedResourcesRequest {
  // The type of restriction.
  enum RestrictionType {
    // Unknown restriction type.
    RESTRICTION_TYPE_UNSPECIFIED = 0;

    // Allow the use all of all gcp products, irrespective of the compliance
    // posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
    // on the AssuredWorkloads Folder.
    ALLOW_ALL_GCP_RESOURCES = 1;

    // Based on Workload's compliance regime, allowed list changes.
    // See - https://cloud.google.com/assured-workloads/docs/supported-products
    // for the list of supported resources.
    ALLOW_COMPLIANT_RESOURCES = 2;
  }

  // Required. The resource name of the Workload. This is the workloads's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The type of restriction for using gcp products in the Workload environment.
  RestrictionType restriction_type = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response for restricting the list of allowed resources.
message RestrictAllowedResourcesResponse {

}

// Request for deleting a Workload.
message DeleteWorkloadRequest {
  // Required. The `name` field is used to identify the workload.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Optional. The etag of the workload.
  // If this is provided, it must match the server's etag.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request for fetching a workload.
message GetWorkloadRequest {
  // Required. The resource name of the Workload to fetch. This is the workloads's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];
}

// A request to analyze a hypothetical move of a source project or project-based
// workload to a target (destination) folder-based workload.
message AnalyzeWorkloadMoveRequest {
  // The resource type to be moved to the destination workload. It can be either
  // an existing project or a project-based workload.
  oneof projectOrWorkloadResource {
    // The source type is a project-based workload. Specify the workloads's
    // relative resource name, formatted as:
    // "organizations/{ORGANIZATION_ID}/locations/{LOCATION_ID}/workloads/{WORKLOAD_ID}"
    // For example:
    // "organizations/123/locations/us-east1/workloads/assured-workload-1"
    string source = 1;

    // The source type is a project. Specify the project's relative resource
    // name, formatted as either a project number or a project ID:
    // "projects/{PROJECT_NUMBER}" or "projects/{PROJECT_ID}"
    // For example:
    // "projects/951040570662" when specifying a project number, or
    // "projects/my-project-123" when specifying a project ID.
    string project = 3;
  }

  // Required. The resource ID of the folder-based destination workload. This workload is
  // where the source project will hypothetically be moved to. Specify the
  // workload's relative resource name, formatted as:
  // "organizations/{ORGANIZATION_ID}/locations/{LOCATION_ID}/workloads/{WORKLOAD_ID}"
  // For example:
  // "organizations/123/locations/us-east1/workloads/assured-workload-2"
  string target = 2 [(google.api.field_behavior) = REQUIRED];
}

// A response that includes the analysis of the hypothetical resource move.
message AnalyzeWorkloadMoveResponse {
  // A list of blockers that should be addressed before moving the source
  // project or project-based workload to the destination folder-based workload.
  repeated string blockers = 1;
}

// Request for fetching workloads in an organization.
message ListWorkloadsRequest {
  // Required. Parent Resource to list workloads from.
  // Must be of the form `organizations/{org_id}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Page size.
  int32 page_size = 2;

  // Page token returned from previous request. Page token contains context from
  // previous request. Page token needs to be passed in the second and following
  // requests.
  string page_token = 3;

  // A custom filter for filtering by properties of a workload. At this time,
  // only filtering by labels is supported.
  string filter = 4;
}

// Response of ListWorkloads endpoint.
message ListWorkloadsResponse {
  // List of Workloads under a given parent.
  repeated Workload workloads = 1;

  // The next page token. Return empty if reached the last page.
  string next_page_token = 2;
}

// An Workload object for managing highly regulated workloads of cloud
// customers.
message Workload {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Workload"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}"
  };

  // Represent the resources that are children of this Workload.
  message ResourceInfo {
    // The type of resource.
    enum ResourceType {
      // Unknown resource type.
      RESOURCE_TYPE_UNSPECIFIED = 0;

      // Deprecated. Existing workloads will continue to support this, but new
      // CreateWorkloadRequests should not specify this as an input value.
      CONSUMER_PROJECT = 1 [deprecated = true];

      // Consumer Folder.
      CONSUMER_FOLDER = 4;

      // Consumer project containing encryption keys.
      ENCRYPTION_KEYS_PROJECT = 2;

      // Keyring resource that hosts encryption keys.
      KEYRING = 3;
    }

    // Resource identifier.
    // For a project this represents project_number.
    int64 resource_id = 1;

    // Indicates the type of resource.
    ResourceType resource_type = 2;
  }

  // Supported Compliance Regimes.
  enum ComplianceRegime {
    // Unknown compliance regime.
    COMPLIANCE_REGIME_UNSPECIFIED = 0;

    // Information protection as per DoD IL4 requirements.
    IL4 = 1;

    // Criminal Justice Information Services (CJIS) Security policies.
    CJIS = 2;

    // FedRAMP High data protection controls
    FEDRAMP_HIGH = 3;

    // FedRAMP Moderate data protection controls
    FEDRAMP_MODERATE = 4;

    // Assured Workloads For US Regions data protection controls
    US_REGIONAL_ACCESS = 5;

    // Health Insurance Portability and Accountability Act controls
    HIPAA = 6;

    // Health Information Trust Alliance controls
    HITRUST = 7;

    // Assured Workloads For EU Regions and Support controls
    EU_REGIONS_AND_SUPPORT = 8;

    // Assured Workloads For Canada Regions and Support controls
    CA_REGIONS_AND_SUPPORT = 9;

    // International Traffic in Arms Regulations
    ITAR = 10;

    // Assured Workloads for Australia Regions and Support controls
    AU_REGIONS_AND_US_SUPPORT = 11;
  }

  // Settings specific to the Key Management Service.
  message KMSSettings {
    option deprecated = true;

    // Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
    // new version of the crypto key and mark it as the primary.
    google.protobuf.Timestamp next_rotation_time = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
    // Management Service automatically rotates a key. Must be at least 24 hours
    // and at most 876,000 hours.
    google.protobuf.Duration rotation_period = 2 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for IL4.
  message IL4Settings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for CJIS.
  message CJISSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for FedRAMP High.
  message FedrampHighSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for FedRAMP Moderate.
  message FedrampModerateSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Represent the custom settings for the resources to be created.
  message ResourceSettings {
    // Resource identifier.
    // For a project this represents project_id. If the project is already
    // taken, the workload creation will fail.
    // For KeyRing, this represents the keyring_id.
    // For a folder, don't set this value as folder_id is assigned by Google.
    string resource_id = 1;

    // Indicates the type of resource. This field should be specified to
    // correspond the id to the right project type (CONSUMER_PROJECT or
    // ENCRYPTION_KEYS_PROJECT)
    ResourceInfo.ResourceType resource_type = 2;

    // User-assigned resource display name.
    // If not empty it will be used to create a resource with the specified
    // name.
    string display_name = 3;
  }

  // Key Access Justifications(KAJ) Enrollment State.
  enum KajEnrollmentState {
    // Default State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0;

    // Pending State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_PENDING = 1;

    // Complete State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_COMPLETE = 2;
  }

  // Signed Access Approvals (SAA) enrollment response.
  message SaaEnrollmentResponse {
    // Setup state of SAA enrollment.
    enum SetupState {
      // Unspecified.
      SETUP_STATE_UNSPECIFIED = 0;

      // SAA enrollment pending.
      STATUS_PENDING = 1;

      // SAA enrollment comopleted.
      STATUS_COMPLETE = 2;
    }

    // Setup error of SAA enrollment.
    enum SetupError {
      // Unspecified.
      SETUP_ERROR_UNSPECIFIED = 0;

      // Invalid states for all customers, to be redirected to AA UI for
      // additional details.
      ERROR_INVALID_BASE_SETUP = 1;

      // Returned when there is not an EKM key configured.
      ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2;

      // Returned when there are no enrolled services or the customer is
      // enrolled in CAA only for a subset of services.
      ERROR_NOT_ALL_SERVICES_ENROLLED = 3;

      // Returned when exception was encountered during evaluation of other
      // criteria.
      ERROR_SETUP_CHECK_FAILED = 4;
    }

    // Indicates SAA enrollment status of a given workload.
    optional SetupState setup_status = 1;

    // Indicates SAA enrollment setup error if any.
    repeated SetupError setup_errors = 2;
  }

  // Optional. The resource name of the workload.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}
  //
  // Read-only.
  string name = 1 [(google.api.field_behavior) = OPTIONAL];

  // Required. The user-assigned display name of the Workload.
  // When present it must be between 4 to 30 characters.
  // Allowed characters are: lowercase and uppercase letters, numbers,
  // hyphen, and spaces.
  //
  // Example: My Workload
  string display_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Output only. The resources associated with this workload.
  // These resources will be created when creating the workload.
  // If any of the projects already exist, the workload creation will fail.
  // Always read only.
  repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. Compliance Regime associated with this workload.
  ComplianceRegime compliance_regime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. The Workload creation timestamp.
  google.protobuf.Timestamp create_time = 5 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The billing account used for the resources which are
  // direct children of workload. This billing account is initially associated
  // with the resources created as part of Workload creation.
  // After the initial creation of these resources, the customer can change
  // the assigned billing account.
  // The resource name has the form
  // `billingAccounts/{billing_account_id}`. For example,
  // `billingAccounts/012345-567890-ABCDEF`.
  string billing_account = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Settings specific to the selected [compliance_regime]
  oneof compliance_regime_settings {
    // Input only. Immutable. Settings specific to resources needed for IL4.
    IL4Settings il4_settings = 7 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for CJIS.
    CJISSettings cjis_settings = 8 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for FedRAMP High.
    FedrampHighSettings fedramp_high_settings = 11 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for FedRAMP Moderate.
    FedrampModerateSettings fedramp_moderate_settings = 12 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Optional. ETag of the workload, it is calculated on the basis
  // of the Workload contents. It will be used in Update & Delete operations.
  string etag = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Labels applied to the workload.
  map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];

  // Input only. The parent resource for the resources managed by this Assured Workload. May
  // be either empty or a folder resource which is a child of the
  // Workload parent. If not specified all resources are created under the
  // parent organization.
  // Format:
  // folders/{folder_id}
  string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY];

  // Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
  // CMEK key is provisioned.
  // This field is deprecated as of Feb 28, 2022.
  // In order to create a Keyring, callers should specify,
  // ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
  KMSSettings kms_settings = 14 [
    deprecated = true,
    (google.api.field_behavior) = INPUT_ONLY
  ];

  // Input only. Resource properties that are used to customize workload resources.
  // These properties (such as custom project id) will be used to create
  // workload resources if possible. This field is optional.
  repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Represents the KAJ enrollment state of the given workload.
  KajEnrollmentState kaj_enrollment_state = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Indicates the sovereignty status of the given workload.
  // Currently meant to be used by Europe/Canada customers.
  bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Represents the SAA enrollment response of the given workload.
  // SAA enrollment response is queried during GetWorkload call.
  // In failure cases, user friendly error message is shown in SAA details page.
  SaaEnrollmentResponse saa_enrollment_response = 20 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Urls for services which are compliant for this Assured Workload, but which
  // are currently disallowed by the ResourceUsageRestriction org policy.
  // Invoke RestrictAllowedResources endpoint to allow your project developers
  // to use these services in their environment."
  repeated string compliant_but_disallowed_services = 24 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Operation metadata to give request details of CreateWorkload.
message CreateWorkloadOperationMetadata {
  // Optional. Time when the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The display name of the workload.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The parent of the workload.
  string parent = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Compliance controls that should be applied to the resources managed by
  // the workload.
  Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Resource properties in the input that are used for creating/customizing
  // workload resources.
  repeated Workload.ResourceSettings resource_settings = 5 [(google.api.field_behavior) = OPTIONAL];
}