// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.orgpolicy.v2;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.OrgPolicy.V2";
option go_package = "cloud.google.com/go/orgpolicy/apiv2/orgpolicypb;orgpolicypb";
option java_multiple_files = true;
option java_outer_classname = "ConstraintProto";
option java_package = "com.google.cloud.orgpolicy.v2";
option php_namespace = "Google\\Cloud\\OrgPolicy\\V2";
option ruby_package = "Google::Cloud::OrgPolicy::V2";

// A `constraint` describes a way to restrict resource's configuration. For
// example, you could enforce a constraint that controls which cloud services
// can be activated across an organization, or whether a Compute Engine instance
// can have serial port connections established. `Constraints` can be configured
// by the organization's policy administrator to fit the needs of the
// organization by setting a `policy` that includes `constraints` at different
// locations in the organization's resource hierarchy. Policies are inherited
// down the resource hierarchy from higher levels, but can also be overridden.
// For details about the inheritance rules please read about
// [`policies`][google.cloud.OrgPolicy.v2.Policy].
//
// `Constraints` have a default behavior determined by the `constraint_default`
// field, which is the enforcement behavior that is used in the absence of a
// `policy` being defined or inherited for the resource in question.
message Constraint {
  option (google.api.resource) = {
    type: "orgpolicy.googleapis.com/Constraint"
    pattern: "projects/{project}/constraints/{constraint}"
    pattern: "folders/{folder}/constraints/{constraint}"
    pattern: "organizations/{organization}/constraints/{constraint}"
  };

  // Specifies the default behavior in the absence of any `Policy` for the
  // `Constraint`. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`.
  //
  // Immutable after creation.
  enum ConstraintDefault {
    // This is only used for distinguishing unset values and should never be
    // used.
    CONSTRAINT_DEFAULT_UNSPECIFIED = 0;

    // Indicate that all values are allowed for list constraints.
    // Indicate that enforcement is off for boolean constraints.
    ALLOW = 1;

    // Indicate that all values are denied for list constraints.
    // Indicate that enforcement is on for boolean constraints.
    DENY = 2;
  }

  // A `Constraint` that allows or disallows a list of string values, which are
  // configured by an Organization's policy administrator with a `Policy`.
  message ListConstraint {
    // Indicates whether values grouped into categories can be used in
    // `Policy.allowed_values` and `Policy.denied_values`. For example,
    // `"in:Python"` would match any value in the 'Python' group.
    bool supports_in = 1;

    // Indicates whether subtrees of Cloud Resource Manager resource hierarchy
    // can be used in `Policy.allowed_values` and `Policy.denied_values`. For
    // example, `"under:folders/123"` would match any resource under the
    // 'folders/123' folder.
    bool supports_under = 2;
  }

  // A `Constraint` that is either enforced or not.
  //
  // For example a constraint `constraints/compute.disableSerialPortAccess`.
  // If it is enforced on a VM instance, serial port connections will not be
  // opened to that instance.
  message BooleanConstraint {}

  // Immutable. The resource name of the Constraint. Must be in one of
  // the following forms:
  // * `projects/{project_number}/constraints/{constraint_name}`
  // * `folders/{folder_id}/constraints/{constraint_name}`
  // * `organizations/{organization_id}/constraints/{constraint_name}`
  //
  // For example, "/projects/123/constraints/compute.disableSerialPortAccess".
  string name = 1 [(google.api.field_behavior) = IMMUTABLE];

  // The human readable name.
  //
  // Mutable.
  string display_name = 2;

  // Detailed description of what this `Constraint` controls as well as how and
  // where it is enforced.
  //
  // Mutable.
  string description = 3;

  // The evaluation behavior of this constraint in the absence of 'Policy'.
  ConstraintDefault constraint_default = 4;

  // The type of restrictions for this `Constraint`.
  //
  // Immutable after creation.
  oneof constraint_type {
    // Defines this constraint as being a ListConstraint.
    ListConstraint list_constraint = 5;

    // Defines this constraint as being a BooleanConstraint.
    BooleanConstraint boolean_constraint = 6;
  }
}