
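// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// The definition of validator RPC service.
syntax = "proto3";

package validator;

import "google/cloud/asset/v1/assets.proto";
import "google/cloud/orgpolicy/v1/orgpolicy.proto";
import "google/cloud/orgpolicy/v2/orgpolicy.proto";
import "google/iam/v1/policy.proto";
import "google/identity/accesscontextmanager/v1/access_level.proto";
import "google/identity/accesscontextmanager/v1/access_policy.proto";
import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
import "google/protobuf/struct.proto";

option go_package = "validator/";

// Asset contains GCP resource metadata and additional metadata set on a
// resource, such as Cloud IAM policy.
//
// WARNING: these field names are directly used to structure data passed to
// templates. Changes in field names will result in changes to the data
// provided to the templates. Renaming a field is wire-safe but is a
// template-visible change, so treat it like a breaking change.
message Asset {
  // GCP resource name as defined by Cloud Asset Inventory.
  // See https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/resource-name-format
  // for the format.
  string name = 1;

  // Cloud Asset Inventory type (CAI API v1 format).
  // Example: "sqladmin.googleapis.com/Instance" is the type of a Cloud SQL
  // instance.
  // This field has a redundant "asset" prefix to be consistent with Cloud
  // Asset Inventory output.
  // See https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview#supported_resource_types
  // for the list of types.
  string asset_type = 2;

  // Ancestral project/folder/org information in a path-like format.
  // For example, a GCP project that is nested under a folder may have the
  // following path: organization/9999/folder/8888/project/7777
  string ancestry_path = 3;

  // GCP resource metadata.
  google.cloud.asset.v1.Resource resource = 4;

  // IAM policy associated with the resource.
  google.iam.v1.Policy iam_policy = 5;

  // Ancestor list as returned by CAI (added sometime around Oct 2019).
  repeated string ancestors = 6;

  // Representation of the Cloud Organization Policy set on an asset. For each
  // asset, there could be multiple Organization policies with different
  // constraints.
  repeated google.cloud.orgpolicy.v1.Policy org_policy = 7;

  // Representation of the Cloud Organization access policy.
  // At most one of these is set on a given asset; setting one clears the
  // others.
  oneof access_context_policy {
    google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 8;
    google.identity.accesscontextmanager.v1.AccessLevel access_level = 9;
    google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 10;
  }

  // Representation of the Cloud Organization Policy V2 set on an asset.
  // There can be multiple V2 Organization Policies for an asset.
  repeated google.cloud.orgpolicy.v2.Policy v2_org_policies = 11;
}

// Constraint contains the configuration for a constraint.
message Constraint {
  // Field numbers 3 and 4 are not used by this definition. They are reserved
  // so they cannot be assigned a new meaning later: reusing a number would
  // silently reinterpret any data serialized by an earlier schema revision
  // that may have used it.
  reserved 3, 4;

  // ApiVersion is the version of the API.
  string api_version = 1;

  // Kind is the kind of object.
  string kind = 2;

  // Metadata contains the user-provided constraint metadata.
  // google.protobuf.Value is an untyped, recursive structure (Struct /
  // ListValue); the schema does not bound its shape or nesting depth, so
  // consumers that accept it from untrusted sources should validate the shape
  // before use.
  google.protobuf.Value metadata = 5;

  // Spec is the object spec. Untyped, like metadata; see the note there.
  google.protobuf.Value spec = 6;
}

// Violation contains the relevant information to explain how a constraint is
// violated.
message Violation {
  // The name of the constraint that's violated.
  string constraint = 1;

  // GCP resource name. This is the same name as in Asset.name.
  string resource = 2;

  // Human readable error message.
  string message = 3;

  // Metadata is optional. It contains the constraint-specific information that
  // can potentially be used for remediation.
  // Example: In a firewall rule constraint violation, Metadata can contain the
  // open port number.
  // As a message-typed field it has explicit presence: "unset" is
  // distinguishable from an empty Value.
  google.protobuf.Value metadata = 4;

  // The full constraint configuration.
  Constraint constraint_config = 5;

  // The constraint severity. Free-form string; no enum is defined for it, so
  // consumers must tolerate any value.
  string severity = 6;
}

// AddDataRequest carries the assets to be stored for a later Audit.
message AddDataRequest {
  // Assets to add. An empty list is accepted and adds nothing.
  repeated Asset assets = 1;
}

// AddDataResponse is currently empty; kept as a dedicated message so fields
// can be added without changing the RPC signature.
message AddDataResponse {}

// AuditRequest is currently empty; kept as a dedicated message so fields can
// be added without changing the RPC signature.
message AuditRequest {}

// AuditResponse lists the violations found in the data added via AddData.
message AuditResponse {
  // Violations found. Empty when no constraint is violated.
  repeated Violation violations = 1;
}

// ResetRequest is currently empty; kept as a dedicated message so fields can
// be added without changing the RPC signature.
message ResetRequest {}

// ResetResponse is currently empty; kept as a dedicated message so fields can
// be added without changing the RPC signature.
message ResetResponse {}

// ReviewRequest carries the assets to check in a single call.
message ReviewRequest {
  // Assets to check. An empty list yields an empty ReviewResponse.
  repeated Asset assets = 1;
}

// ReviewResponse lists the violations found for the assets in the request.
message ReviewResponse {
  // Violations found. Empty when no constraint is violated.
  repeated Violation violations = 1;
}

// Validator evaluates GCP resource metadata against configured constraints.
service Validator {
  // AddData adds GCP resource metadata to be audited later.
  rpc AddData(AddDataRequest) returns (AddDataResponse) {}

  // Audit checks the GCP resource metadata that has been added via AddData to
  // determine if any of the constraints is violated.
  rpc Audit(AuditRequest) returns (AuditResponse) {}

  // Reset clears previously added data from the underlying query evaluation
  // engine.
  rpc Reset(ResetRequest) returns (ResetResponse) {}

  // Review checks the GCP resources and returns any constraint violations.
  // Note that referential checks are not supported with this mode.
  rpc Review(ReviewRequest) returns (ReviewResponse) {}
}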