google-cloud-assured_workloads-v1 0.2.1 → 0.4.0

@@ -1,6 +1,8 @@
1
1
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
2
  # source: google/cloud/assuredworkloads/v1/assuredworkloads.proto
3
3
 
4
+ require 'google/protobuf'
5
+
4
6
  require 'google/api/annotations_pb'
5
7
  require 'google/api/client_pb'
6
8
  require 'google/api/field_behavior_pb'
@@ -10,7 +12,6 @@ require 'google/protobuf/duration_pb'
10
12
  require 'google/protobuf/empty_pb'
11
13
  require 'google/protobuf/field_mask_pb'
12
14
  require 'google/protobuf/timestamp_pb'
13
- require 'google/protobuf'
14
15
 
15
16
  Google::Protobuf::DescriptorPool.generated_pool.build do
16
17
  add_file("google/cloud/assuredworkloads/v1/assuredworkloads.proto", :syntax => :proto3) do
@@ -55,6 +56,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
55
56
  optional :kaj_enrollment_state, :enum, 17, "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState"
56
57
  optional :enable_sovereign_controls, :bool, 18
57
58
  optional :saa_enrollment_response, :message, 20, "google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse"
59
+ repeated :compliant_but_disallowed_services, :string, 24
60
+ optional :partner, :enum, 25, "google.cloud.assuredworkloads.v1.Workload.Partner"
58
61
  end
59
62
  add_message "google.cloud.assuredworkloads.v1.Workload.ResourceInfo" do
60
63
  optional :resource_id, :int64, 1
@@ -63,6 +66,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
63
66
  add_enum "google.cloud.assuredworkloads.v1.Workload.ResourceInfo.ResourceType" do
64
67
  value :RESOURCE_TYPE_UNSPECIFIED, 0
65
68
  value :CONSUMER_PROJECT, 1
69
+ value :CONSUMER_FOLDER, 4
66
70
  value :ENCRYPTION_KEYS_PROJECT, 2
67
71
  value :KEYRING, 3
68
72
  end
@@ -102,18 +106,107 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
102
106
  value :HITRUST, 7
103
107
  value :EU_REGIONS_AND_SUPPORT, 8
104
108
  value :CA_REGIONS_AND_SUPPORT, 9
109
+ value :ITAR, 10
110
+ value :ASSURED_WORKLOADS_FOR_PARTNERS, 12
105
111
  end
106
112
  add_enum "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState" do
107
113
  value :KAJ_ENROLLMENT_STATE_UNSPECIFIED, 0
108
114
  value :KAJ_ENROLLMENT_STATE_PENDING, 1
109
115
  value :KAJ_ENROLLMENT_STATE_COMPLETE, 2
110
116
  end
117
+ add_enum "google.cloud.assuredworkloads.v1.Workload.Partner" do
118
+ value :PARTNER_UNSPECIFIED, 0
119
+ value :LOCAL_CONTROLS_BY_S3NS, 1
120
+ end
111
121
  add_message "google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata" do
112
122
  optional :create_time, :message, 1, "google.protobuf.Timestamp"
113
123
  optional :display_name, :string, 2
114
124
  optional :parent, :string, 3
115
125
  optional :compliance_regime, :enum, 4, "google.cloud.assuredworkloads.v1.Workload.ComplianceRegime"
116
126
  end
127
+ add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest" do
128
+ optional :name, :string, 1
129
+ optional :restriction_type, :enum, 2, "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType"
130
+ end
131
+ add_enum "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType" do
132
+ value :RESTRICTION_TYPE_UNSPECIFIED, 0
133
+ value :ALLOW_ALL_GCP_RESOURCES, 1
134
+ value :ALLOW_COMPLIANT_RESOURCES, 2
135
+ end
136
+ add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse" do
137
+ end
138
+ add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest" do
139
+ optional :name, :string, 1
140
+ optional :comment, :string, 2
141
+ optional :non_compliant_org_policy, :string, 3
142
+ end
143
+ add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse" do
144
+ end
145
+ add_message "google.cloud.assuredworkloads.v1.TimeWindow" do
146
+ optional :start_time, :message, 1, "google.protobuf.Timestamp"
147
+ optional :end_time, :message, 2, "google.protobuf.Timestamp"
148
+ end
149
+ add_message "google.cloud.assuredworkloads.v1.ListViolationsRequest" do
150
+ optional :parent, :string, 1
151
+ optional :interval, :message, 2, "google.cloud.assuredworkloads.v1.TimeWindow"
152
+ optional :page_size, :int32, 3
153
+ optional :page_token, :string, 4
154
+ optional :filter, :string, 5
155
+ end
156
+ add_message "google.cloud.assuredworkloads.v1.ListViolationsResponse" do
157
+ repeated :violations, :message, 1, "google.cloud.assuredworkloads.v1.Violation"
158
+ optional :next_page_token, :string, 2
159
+ end
160
+ add_message "google.cloud.assuredworkloads.v1.GetViolationRequest" do
161
+ optional :name, :string, 1
162
+ end
163
+ add_message "google.cloud.assuredworkloads.v1.Violation" do
164
+ optional :name, :string, 1
165
+ optional :description, :string, 2
166
+ optional :begin_time, :message, 3, "google.protobuf.Timestamp"
167
+ optional :update_time, :message, 4, "google.protobuf.Timestamp"
168
+ optional :resolve_time, :message, 5, "google.protobuf.Timestamp"
169
+ optional :category, :string, 6
170
+ optional :state, :enum, 7, "google.cloud.assuredworkloads.v1.Violation.State"
171
+ optional :org_policy_constraint, :string, 8
172
+ optional :audit_log_link, :string, 11
173
+ optional :non_compliant_org_policy, :string, 12
174
+ optional :remediation, :message, 13, "google.cloud.assuredworkloads.v1.Violation.Remediation"
175
+ optional :acknowledged, :bool, 14
176
+ proto3_optional :acknowledgement_time, :message, 15, "google.protobuf.Timestamp"
177
+ end
178
+ add_message "google.cloud.assuredworkloads.v1.Violation.Remediation" do
179
+ optional :instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions"
180
+ repeated :compliant_values, :string, 2
181
+ optional :remediation_type, :enum, 3, "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType"
182
+ end
183
+ add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions" do
184
+ optional :gcloud_instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud"
185
+ optional :console_instructions, :message, 2, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console"
186
+ end
187
+ add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud" do
188
+ repeated :gcloud_commands, :string, 1
189
+ repeated :steps, :string, 2
190
+ repeated :additional_links, :string, 3
191
+ end
192
+ add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console" do
193
+ repeated :console_uris, :string, 1
194
+ repeated :steps, :string, 2
195
+ repeated :additional_links, :string, 3
196
+ end
197
+ add_enum "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType" do
198
+ value :REMEDIATION_TYPE_UNSPECIFIED, 0
199
+ value :REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION, 1
200
+ value :REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION, 2
201
+ value :REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION, 3
202
+ value :REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION, 4
203
+ end
204
+ add_enum "google.cloud.assuredworkloads.v1.Violation.State" do
205
+ value :STATE_UNSPECIFIED, 0
206
+ value :RESOLVED, 2
207
+ value :UNRESOLVED, 3
208
+ value :EXCEPTION, 4
209
+ end
117
210
  end
118
211
  end
119
212
 
@@ -137,7 +230,24 @@ module Google
137
230
  Workload::SaaEnrollmentResponse::SetupError = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse.SetupError").enummodule
138
231
  Workload::ComplianceRegime = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.ComplianceRegime").enummodule
139
232
  Workload::KajEnrollmentState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState").enummodule
233
+ Workload::Partner = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.Partner").enummodule
140
234
  CreateWorkloadOperationMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata").msgclass
235
+ RestrictAllowedResourcesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest").msgclass
236
+ RestrictAllowedResourcesRequest::RestrictionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType").enummodule
237
+ RestrictAllowedResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse").msgclass
238
+ AcknowledgeViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest").msgclass
239
+ AcknowledgeViolationResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse").msgclass
240
+ TimeWindow = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.TimeWindow").msgclass
241
+ ListViolationsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsRequest").msgclass
242
+ ListViolationsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsResponse").msgclass
243
+ GetViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.GetViolationRequest").msgclass
244
+ Violation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation").msgclass
245
+ Violation::Remediation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation").msgclass
246
+ Violation::Remediation::Instructions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions").msgclass
247
+ Violation::Remediation::Instructions::Gcloud = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud").msgclass
248
+ Violation::Remediation::Instructions::Console = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console").msgclass
249
+ Violation::Remediation::RemediationType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType").enummodule
250
+ Violation::State = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.State").enummodule
141
251
  end
142
252
  end
143
253
  end
@@ -40,6 +40,13 @@ module Google
40
40
  # For force updates don't set etag field in the Workload.
41
41
  # Only one update operation per workload can be in progress.
42
42
  rpc :UpdateWorkload, ::Google::Cloud::AssuredWorkloads::V1::UpdateWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
43
+ # Restrict the list of resources allowed in the Workload environment.
44
+ # The current list of allowed products can be found at
45
+ # https://cloud.google.com/assured-workloads/docs/supported-products
46
+ # In addition to assuredworkloads.workload.update permission, the user should
47
+ # also have orgpolicy.policy.set permission on the folder resource
48
+ # to use this functionality.
49
+ rpc :RestrictAllowedResources, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse
43
50
  # Deletes the workload. Make sure that workload's direct children are already
44
51
  # in a deleted state, otherwise the request will fail with a
45
52
  # FAILED_PRECONDITION error.
@@ -48,6 +55,19 @@ module Google
48
55
  rpc :GetWorkload, ::Google::Cloud::AssuredWorkloads::V1::GetWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
49
56
  # Lists Assured Workloads under a CRM Node.
50
57
  rpc :ListWorkloads, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsResponse
58
+ # Lists the Violations in the AssuredWorkload Environment.
59
+ # Callers may also choose to read across multiple Workloads as per
60
+ # [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
61
+ # character) as a wildcard character instead of workload-id in the parent.
62
+ # Format `organizations/{org_id}/locations/{location}/workloads/-`
63
+ rpc :ListViolations, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsResponse
64
+ # Retrieves Assured Workload Violation based on ID.
65
+ rpc :GetViolation, ::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::Violation
66
+ # Acknowledges an existing violation. By acknowledging a violation, users
67
+ # acknowledge the existence of a compliance violation in their workload and
68
+ # decide to ignore it due to a valid business justification. Acknowledgement
69
+ # is a permanent operation and it cannot be reverted.
70
+ rpc :AcknowledgeViolation, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse
51
71
  end
52
72
 
53
73
  Stub = Service.rpc_stub_class
@@ -31,8 +31,8 @@ module Google
31
31
  # Required. Assured Workload to create
32
32
  # @!attribute [rw] external_id
33
33
  # @return [::String]
34
- # Optional. A identifier associated with the workload and underlying projects
35
- # which allows for the break down of billing costs for a workload. The value
34
+ # Optional. A identifier associated with the workload and underlying projects which
35
+ # allows for the break down of billing costs for a workload. The value
36
36
  # provided for the identifier will add a label to the workload and contained
37
37
  # projects with the identifier as the value.
38
38
  class CreateWorkloadRequest
@@ -44,7 +44,7 @@ module Google
44
44
  # @!attribute [rw] workload
45
45
  # @return [::Google::Cloud::AssuredWorkloads::V1::Workload]
46
46
  # Required. The workload to update.
47
- # The workloads `name` field is used to identify the workload to be updated.
47
+ # The workload's `name` field is used to identify the workload to be updated.
48
48
  # Format:
49
49
  # organizations/\\{org_id}/locations/\\{location_id}/workloads/\\{workload_id}
50
50
  # @!attribute [rw] update_mask
@@ -73,8 +73,8 @@ module Google
73
73
  # Request for fetching a workload.
74
74
  # @!attribute [rw] name
75
75
  # @return [::String]
76
- # Required. The resource name of the Workload to fetch. This is the
77
- # workloads's relative path in the API, formatted as
76
+ # Required. The resource name of the Workload to fetch. This is the workloads's
77
+ # relative path in the API, formatted as
78
78
  # "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
79
79
  # For example,
80
80
  # "organizations/123/locations/us-east1/workloads/assured-workload-1".
@@ -148,7 +148,7 @@ module Google
148
148
  # Output only. Immutable. The Workload creation timestamp.
149
149
  # @!attribute [rw] billing_account
150
150
  # @return [::String]
151
- # Required. Input only. The billing account used for the resources which are
151
+ # Optional. The billing account used for the resources which are
152
152
  # direct children of workload. This billing account is initially associated
153
153
  # with the resources created as part of Workload creation.
154
154
  # After the initial creation of these resources, the customer can change
@@ -165,22 +165,24 @@ module Google
165
165
  # Optional. Labels applied to the workload.
166
166
  # @!attribute [rw] provisioned_resources_parent
167
167
  # @return [::String]
168
- # Input only. The parent resource for the resources managed by this Assured
169
- # Workload. May be either empty or a folder resource which is a child of the
168
+ # Input only. The parent resource for the resources managed by this Assured Workload. May
169
+ # be either empty or a folder resource which is a child of the
170
170
  # Workload parent. If not specified all resources are created under the
171
171
  # parent organization.
172
172
  # Format:
173
173
  # folders/\\{folder_id}
174
174
  # @!attribute [rw] kms_settings
175
175
  # @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KMSSettings]
176
- # Input only. Settings used to create a CMEK crypto key. When set a project
177
- # with a KMS CMEK key is provisioned. This field is mandatory for a subset of
178
- # Compliance Regimes.
176
+ # Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
177
+ # CMEK key is provisioned.
178
+ # This field is deprecated as of Feb 28, 2022.
179
+ # In order to create a Keyring, callers should specify,
180
+ # ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
179
181
  # @!attribute [rw] resource_settings
180
182
  # @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceSettings>]
181
- # Input only. Resource properties that are used to customize workload
182
- # resources. These properties (such as custom project id) will be used to
183
- # create workload resources if possible. This field is optional.
183
+ # Input only. Resource properties that are used to customize workload resources.
184
+ # These properties (such as custom project id) will be used to create
185
+ # workload resources if possible. This field is optional.
184
186
  # @!attribute [r] kaj_enrollment_state
185
187
  # @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KajEnrollmentState]
186
188
  # Output only. Represents the KAJ enrollment state of the given workload.
@@ -193,6 +195,15 @@ module Google
193
195
  # Output only. Represents the SAA enrollment response of the given workload.
194
196
  # SAA enrollment response is queried during GetWorkload call.
195
197
  # In failure cases, user friendly error message is shown in SAA details page.
198
+ # @!attribute [r] compliant_but_disallowed_services
199
+ # @return [::Array<::String>]
200
+ # Output only. Urls for services which are compliant for this Assured Workload, but which
201
+ # are currently disallowed by the ResourceUsageRestriction org policy.
202
+ # Invoke RestrictAllowedResources endpoint to allow your project developers
203
+ # to use these services in their environment."
204
+ # @!attribute [rw] partner
205
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Workload::Partner]
206
+ # Optional. Compliance Regime associated with this workload.
196
207
  class Workload
197
208
  include ::Google::Protobuf::MessageExts
198
209
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -215,8 +226,15 @@ module Google
215
226
  RESOURCE_TYPE_UNSPECIFIED = 0
216
227
 
217
228
  # Consumer project.
229
+ # AssuredWorkloads Projects are no longer supported. This field will be
230
+ # ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
231
+ # will continue to provide projects information.
232
+ # Use CONSUMER_FOLDER instead.
218
233
  CONSUMER_PROJECT = 1
219
234
 
235
+ # Consumer Folder.
236
+ CONSUMER_FOLDER = 4
237
+
220
238
  # Consumer project containing encryption keys.
221
239
  ENCRYPTION_KEYS_PROJECT = 2
222
240
 
@@ -228,14 +246,13 @@ module Google
228
246
  # Settings specific to the Key Management Service.
229
247
  # @!attribute [rw] next_rotation_time
230
248
  # @return [::Google::Protobuf::Timestamp]
231
- # Required. Input only. Immutable. The time at which the Key Management
232
- # Service will automatically create a new version of the crypto key and
233
- # mark it as the primary.
249
+ # Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
250
+ # new version of the crypto key and mark it as the primary.
234
251
  # @!attribute [rw] rotation_period
235
252
  # @return [::Google::Protobuf::Duration]
236
- # Required. Input only. Immutable. [next_rotation_time] will be advanced by
237
- # this period when the Key Management Service automatically rotates a key.
238
- # Must be at least 24 hours and at most 876,000 hours.
253
+ # Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
254
+ # Management Service automatically rotates a key. Must be at least 24 hours
255
+ # and at most 876,000 hours.
239
256
  class KMSSettings
240
257
  include ::Google::Protobuf::MessageExts
241
258
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -247,6 +264,8 @@ module Google
247
264
  # Resource identifier.
248
265
  # For a project this represents project_id. If the project is already
249
266
  # taken, the workload creation will fail.
267
+ # For KeyRing, this represents the keyring_id.
268
+ # For a folder, don't set this value as folder_id is assigned by Google.
250
269
  # @!attribute [rw] resource_type
251
270
  # @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceInfo::ResourceType]
252
271
  # Indicates the type of resource. This field should be specified to
@@ -347,6 +366,12 @@ module Google
347
366
 
348
367
  # Assured Workloads For Canada Regions and Support controls
349
368
  CA_REGIONS_AND_SUPPORT = 9
369
+
370
+ # International Traffic in Arms Regulations
371
+ ITAR = 10
372
+
373
+ # Assured Workloads for Partners;
374
+ ASSURED_WORKLOADS_FOR_PARTNERS = 12
350
375
  end
351
376
 
352
377
  # Key Access Justifications(KAJ) Enrollment State.
@@ -360,6 +385,15 @@ module Google
360
385
  # Complete State for KAJ Enrollment.
361
386
  KAJ_ENROLLMENT_STATE_COMPLETE = 2
362
387
  end
388
+
389
+ # Supported Assured Workloads Partners.
390
+ module Partner
391
+ # Unknown compliance regime.
392
+ PARTNER_UNSPECIFIED = 0
393
+
394
+ # S3NS regime
395
+ LOCAL_CONTROLS_BY_S3NS = 1
396
+ end
363
397
  end
364
398
 
365
399
  # Operation metadata to give request details of CreateWorkload.
@@ -374,12 +408,295 @@ module Google
374
408
  # Optional. The parent of the workload.
375
409
  # @!attribute [rw] compliance_regime
376
410
  # @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ComplianceRegime]
377
- # Optional. Compliance controls that should be applied to the resources
378
- # managed by the workload.
411
+ # Optional. Compliance controls that should be applied to the resources managed by
412
+ # the workload.
379
413
  class CreateWorkloadOperationMetadata
380
414
  include ::Google::Protobuf::MessageExts
381
415
  extend ::Google::Protobuf::MessageExts::ClassMethods
382
416
  end
417
+
418
+ # Request for restricting list of available resources in Workload environment.
419
+ # @!attribute [rw] name
420
+ # @return [::String]
421
+ # Required. The resource name of the Workload. This is the workloads's
422
+ # relative path in the API, formatted as
423
+ # "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
424
+ # For example,
425
+ # "organizations/123/locations/us-east1/workloads/assured-workload-1".
426
+ # @!attribute [rw] restriction_type
427
+ # @return [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest::RestrictionType]
428
+ # Required. The type of restriction for using gcp products in the Workload environment.
429
+ class RestrictAllowedResourcesRequest
430
+ include ::Google::Protobuf::MessageExts
431
+ extend ::Google::Protobuf::MessageExts::ClassMethods
432
+
433
+ # The type of restriction.
434
+ module RestrictionType
435
+ # Unknown restriction type.
436
+ RESTRICTION_TYPE_UNSPECIFIED = 0
437
+
438
+ # Allow the use all of all gcp products, irrespective of the compliance
439
+ # posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
440
+ # on the AssuredWorkloads Folder.
441
+ ALLOW_ALL_GCP_RESOURCES = 1
442
+
443
+ # Based on Workload's compliance regime, allowed list changes.
444
+ # See - https://cloud.google.com/assured-workloads/docs/supported-products
445
+ # for the list of supported resources.
446
+ ALLOW_COMPLIANT_RESOURCES = 2
447
+ end
448
+ end
449
+
450
+ # Response for restricting the list of allowed resources.
451
+ class RestrictAllowedResourcesResponse
452
+ include ::Google::Protobuf::MessageExts
453
+ extend ::Google::Protobuf::MessageExts::ClassMethods
454
+ end
455
+
456
+ # Request for acknowledging the violation
457
+ # Next Id: 4
458
+ # @!attribute [rw] name
459
+ # @return [::String]
460
+ # Required. The resource name of the Violation to acknowledge.
461
+ # Format:
462
+ # organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
463
+ # @!attribute [rw] comment
464
+ # @return [::String]
465
+ # Required. Business justification explaining the need for violation acknowledgement
466
+ # @!attribute [rw] non_compliant_org_policy
467
+ # @return [::String]
468
+ # Optional. Name of the OrgPolicy which was modified with non-compliant change and
469
+ # resulted in this violation.
470
+ # Format:
471
+ # projects/\\{project_number}/policies/\\{constraint_name}
472
+ # folders/\\{folder_id}/policies/\\{constraint_name}
473
+ # organizations/\\{organization_id}/policies/\\{constraint_name}
474
+ class AcknowledgeViolationRequest
475
+ include ::Google::Protobuf::MessageExts
476
+ extend ::Google::Protobuf::MessageExts::ClassMethods
477
+ end
478
+
479
+ # Response for violation acknowledgement
480
+ class AcknowledgeViolationResponse
481
+ include ::Google::Protobuf::MessageExts
482
+ extend ::Google::Protobuf::MessageExts::ClassMethods
483
+ end
484
+
485
+ # Interval defining a time window.
486
+ # @!attribute [rw] start_time
487
+ # @return [::Google::Protobuf::Timestamp]
488
+ # The start of the time window.
489
+ # @!attribute [rw] end_time
490
+ # @return [::Google::Protobuf::Timestamp]
491
+ # The end of the time window.
492
+ class TimeWindow
493
+ include ::Google::Protobuf::MessageExts
494
+ extend ::Google::Protobuf::MessageExts::ClassMethods
495
+ end
496
+
497
+ # Request for fetching violations in an organization.
498
+ # @!attribute [rw] parent
499
+ # @return [::String]
500
+ # Required. The Workload name.
501
+ # Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
502
+ # @!attribute [rw] interval
503
+ # @return [::Google::Cloud::AssuredWorkloads::V1::TimeWindow]
504
+ # Optional. Specifies the time window for retrieving active Violations.
505
+ # When specified, retrieves Violations that were active between start_time
506
+ # and end_time.
507
+ # @!attribute [rw] page_size
508
+ # @return [::Integer]
509
+ # Optional. Page size.
510
+ # @!attribute [rw] page_token
511
+ # @return [::String]
512
+ # Optional. Page token returned from previous request.
513
+ # @!attribute [rw] filter
514
+ # @return [::String]
515
+ # Optional. A custom filter for filtering by the Violations properties.
516
+ class ListViolationsRequest
517
+ include ::Google::Protobuf::MessageExts
518
+ extend ::Google::Protobuf::MessageExts::ClassMethods
519
+ end
520
+
521
+ # Response of ListViolations endpoint.
522
+ # @!attribute [rw] violations
523
+ # @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Violation>]
524
+ # List of Violations under a Workload.
525
+ # @!attribute [rw] next_page_token
526
+ # @return [::String]
527
+ # The next page token. Returns empty if reached the last page.
528
+ class ListViolationsResponse
529
+ include ::Google::Protobuf::MessageExts
530
+ extend ::Google::Protobuf::MessageExts::ClassMethods
531
+ end
532
+
533
+ # Request for fetching a Workload Violation.
534
+ # @!attribute [rw] name
535
+ # @return [::String]
536
+ # Required. The resource name of the Violation to fetch (ie. Violation.name).
537
+ # Format:
538
+ # organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
539
+ class GetViolationRequest
540
+ include ::Google::Protobuf::MessageExts
541
+ extend ::Google::Protobuf::MessageExts::ClassMethods
542
+ end
543
+
544
+ # Workload monitoring Violation.
545
+ # @!attribute [r] name
546
+ # @return [::String]
547
+ # Output only. Immutable. Name of the Violation.
548
+ # Format:
549
+ # organizations/\\{organization}/locations/\\{location}/workloads/\\{workload_id}/violations/\\{violations_id}
550
+ # @!attribute [r] description
551
+ # @return [::String]
552
+ # Output only. Description for the Violation.
553
+ # e.g. OrgPolicy gcp.resourceLocations has non compliant value.
554
+ # @!attribute [r] begin_time
555
+ # @return [::Google::Protobuf::Timestamp]
556
+ # Output only. Time of the event which triggered the Violation.
557
+ # @!attribute [r] update_time
558
+ # @return [::Google::Protobuf::Timestamp]
559
+ # Output only. The last time when the Violation record was updated.
560
+ # @!attribute [r] resolve_time
561
+ # @return [::Google::Protobuf::Timestamp]
562
+ # Output only. Time of the event which fixed the Violation.
563
+ # If the violation is ACTIVE this will be empty.
564
+ # @!attribute [r] category
565
+ # @return [::String]
566
+ # Output only. Category under which this violation is mapped.
567
+ # e.g. Location, Service Usage, Access, Encryption, etc.
568
+ # @!attribute [r] state
569
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::State]
570
+ # Output only. State of the violation
571
+ # @!attribute [r] org_policy_constraint
572
+ # @return [::String]
573
+ # Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
574
+ # this violation.
575
+ # @!attribute [r] audit_log_link
576
+ # @return [::String]
577
+ # Output only. Immutable. Audit Log Link for violated resource
578
+ # Format:
579
+ # https://console.cloud.google.com/logs/query;query=\\{logName}\\{protoPayload.resourceName}\\{timeRange}\\{folder}
580
+ # @!attribute [r] non_compliant_org_policy
581
+ # @return [::String]
582
+ # Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and
583
+ # resulted this violation.
584
+ # Format:
585
+ # projects/\\{project_number}/policies/\\{constraint_name}
586
+ # folders/\\{folder_id}/policies/\\{constraint_name}
587
+ # organizations/\\{organization_id}/policies/\\{constraint_name}
588
+ # @!attribute [r] remediation
589
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation]
590
+ # Output only. Compliance violation remediation
591
+ # @!attribute [r] acknowledged
592
+ # @return [::Boolean]
593
+ # Output only. A boolean that indicates if the violation is acknowledged
594
+ # @!attribute [rw] acknowledgement_time
595
+ # @return [::Google::Protobuf::Timestamp]
596
+ # Optional. Timestamp when this violation was acknowledged last.
597
+ # This will be absent when acknowledged field is marked as false.
598
+ class Violation
599
+ include ::Google::Protobuf::MessageExts
600
+ extend ::Google::Protobuf::MessageExts::ClassMethods
601
+
602
+ # Represents remediation guidance to resolve compliance violation for
603
+ # AssuredWorkload
604
+ # @!attribute [rw] instructions
605
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions]
606
+ # Required. Remediation instructions to resolve violations
607
+ # @!attribute [rw] compliant_values
608
+ # @return [::Array<::String>]
609
+ # Values that can resolve the violation
610
+ # For example: for list org policy violations, this will either be the list
611
+ # of allowed or denied values
612
+ # @!attribute [r] remediation_type
613
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::RemediationType]
614
+ # Output only. Reemediation type based on the type of org policy values violated
615
+ class Remediation
616
+ include ::Google::Protobuf::MessageExts
617
+ extend ::Google::Protobuf::MessageExts::ClassMethods
618
+
619
+ # Instructions to remediate violation
620
+ # @!attribute [rw] gcloud_instructions
621
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Gcloud]
622
+ # Remediation instructions to resolve violation via gcloud cli
623
+ # @!attribute [rw] console_instructions
624
+ # @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Console]
625
+ # Remediation instructions to resolve violation via cloud console
626
+ class Instructions
627
+ include ::Google::Protobuf::MessageExts
628
+ extend ::Google::Protobuf::MessageExts::ClassMethods
629
+
630
+ # Remediation instructions to resolve violation via gcloud cli
631
+ # @!attribute [rw] gcloud_commands
632
+ # @return [::Array<::String>]
633
+ # Gcloud command to resolve violation
634
+ # @!attribute [rw] steps
635
+ # @return [::Array<::String>]
636
+ # Steps to resolve violation via gcloud cli
637
+ # @!attribute [rw] additional_links
638
+ # @return [::Array<::String>]
639
+ # Additional urls for more information about steps
640
+ class Gcloud
641
+ include ::Google::Protobuf::MessageExts
642
+ extend ::Google::Protobuf::MessageExts::ClassMethods
643
+ end
644
+
645
+ # Remediation instructions to resolve violation via cloud console
646
+ # @!attribute [rw] console_uris
647
+ # @return [::Array<::String>]
648
+ # Link to console page where violations can be resolved
649
+ # @!attribute [rw] steps
650
+ # @return [::Array<::String>]
651
+ # Steps to resolve violation via cloud console
652
+ # @!attribute [rw] additional_links
653
+ # @return [::Array<::String>]
654
+ # Additional urls for more information about steps
655
+ class Console
656
+ include ::Google::Protobuf::MessageExts
657
+ extend ::Google::Protobuf::MessageExts::ClassMethods
658
+ end
659
+ end
660
+
661
+ # Classifying remediation into various types based on the kind of
662
+ # violation. For example, violations caused due to changes in boolean org
663
+ # policy requires different remediation instructions compared to violation
664
+ # caused due to changes in allowed values of list org policy.
665
+ module RemediationType
666
+ # Unspecified remediation type
667
+ REMEDIATION_TYPE_UNSPECIFIED = 0
668
+
669
+ # Remediation type for boolean org policy
670
+ REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1
671
+
672
+ # Remediation type for list org policy which have allowed values in the
673
+ # monitoring rule
674
+ REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2
675
+
676
+ # Remediation type for list org policy which have denied values in the
677
+ # monitoring rule
678
+ REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3
679
+
680
+ # Remediation type for gcp.restrictCmekCryptoKeyProjects
681
+ REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4
682
+ end
683
+ end
684
+
685
+ # Violation State Values
686
+ module State
687
+ # Unspecified state.
688
+ STATE_UNSPECIFIED = 0
689
+
690
+ # Violation is resolved.
691
+ RESOLVED = 2
692
+
693
+ # Violation is Unresolved
694
+ UNRESOLVED = 3
695
+
696
+ # Violation is Exception
697
+ EXCEPTION = 4
698
+ end
699
+ end
383
700
  end
384
701
  end
385
702
  end