// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.dataplex.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/dataplex/v1/service.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.Dataplex.V1";
option go_package = "cloud.google.com/go/dataplex/apiv1/dataplexpb;dataplexpb";
option java_multiple_files = true;
option java_outer_classname = "CmekProto";
option java_package = "com.google.cloud.dataplex.v1";
option php_namespace = "Google\\Cloud\\Dataplex\\V1";
option ruby_package = "Google::Cloud::Dataplex::V1";
option (google.api.resource_definition) = {
  type: "dataplex.googleapis.com/OrganizationLocation"
  pattern: "organizations/{organization}/locations/{location}"
};

// Dataplex Cmek Service
service CmekService {
  option (google.api.default_host) = "dataplex.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Create an EncryptionConfig.
  rpc CreateEncryptionConfig(CreateEncryptionConfigRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*/locations/*}/encryptionConfigs"
      body: "encryption_config"
    };
    option (google.api.method_signature) =
        "parent,encryption_config,encryption_config_id";
    option (google.longrunning.operation_info) = {
      response_type: "EncryptionConfig"
      metadata_type: "OperationMetadata"
    };
  }

  // Update an EncryptionConfig.
  rpc UpdateEncryptionConfig(UpdateEncryptionConfigRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{encryption_config.name=organizations/*/locations/*/encryptionConfigs/*}"
      body: "encryption_config"
    };
    option (google.api.method_signature) = "encryption_config,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "EncryptionConfig"
      metadata_type: "OperationMetadata"
    };
  }

  // Delete an EncryptionConfig.
  rpc DeleteEncryptionConfig(DeleteEncryptionConfigRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/locations/*/encryptionConfigs/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // List EncryptionConfigs.
  rpc ListEncryptionConfigs(ListEncryptionConfigsRequest)
      returns (ListEncryptionConfigsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*}/encryptionConfigs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Get an EncryptionConfig.
  rpc GetEncryptionConfig(GetEncryptionConfigRequest)
      returns (EncryptionConfig) {
    option (google.api.http) = {
      get: "/v1/{name=organizations/*/locations/*/encryptionConfigs/*}"
    };
    option (google.api.method_signature) = "name";
  }
}

// A Resource designed to manage encryption configurations for customers to
// support Customer Managed Encryption Keys (CMEK).
message EncryptionConfig {
  option (google.api.resource) = {
    type: "dataplex.googleapis.com/EncryptionConfig"
    pattern: "organizations/{organization}/locations/{location}/encryptionConfigs/{encryption_config}"
  };

  // State of encryption of the databases when EncryptionConfig is created or
  // updated.
  enum EncryptionState {
    // State is not specified.
    ENCRYPTION_STATE_UNSPECIFIED = 0;

    // The encryption state of the database when the EncryptionConfig is created
    // or updated. If the encryption fails, it is retried indefinitely and the
    // state is shown as ENCRYPTING.
    ENCRYPTING = 1;

    // The encryption of data has completed successfully.
    COMPLETED = 2;

    // The encryption of data has failed.
    // The state is set to FAILED when the encryption fails due to reasons like
    // permission issues, invalid key etc.
    FAILED = 3;
  }

  // Details of the failure if anything related to Cmek db fails.
  message FailureDetails {
    // Error code for the failure if anything related to Cmek db fails.
    enum ErrorCode {
      // The error code is not specified
      UNKNOWN = 0;

      // Error because of internal server error, will be retried automatically.
      INTERNAL_ERROR = 1;

      // User action is required to resolve the error.
      REQUIRE_USER_ACTION = 2;
    }

    // Output only. The error code for the failure.
    ErrorCode error_code = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The error message will be shown to the user. Set only if the
    // error code is REQUIRE_USER_ACTION.
    string error_message = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Identifier. The resource name of the EncryptionConfig.
  // Format:
  // organizations/{organization}/locations/{location}/encryptionConfigs/{encryption_config}
  // Global location is not supported.
  string name = 1 [
    (google.api.field_behavior) = IDENTIFIER,
    (google.api.resource_reference) = {
      type: "dataplex.googleapis.com/EncryptionConfig"
    }
  ];

  // Optional. If a key is chosen, it means that the customer is using CMEK.
  // If a key is not chosen, it means that the customer is using Google managed
  // encryption.
  string key = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time when the Encryption configuration was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time when the Encryption configuration was last updated.
  google.protobuf.Timestamp update_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The state of encryption of the databases.
  EncryptionState encryption_state = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Etag of the EncryptionConfig. This is a strong etag.
  string etag = 6;

  // Output only. Details of the failure if anything related to Cmek db fails.
  FailureDetails failure_details = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Create EncryptionConfig Request
message CreateEncryptionConfigRequest {
  // Required. The location at which the EncryptionConfig is to be created.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "dataplex.googleapis.com/OrganizationLocation"
    }
  ];

  // Required. The ID of the
  // [EncryptionConfig][google.cloud.dataplex.v1.EncryptionConfig] to create.
  // Currently, only a value of "default" is supported.
  string encryption_config_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The EncryptionConfig to create.
  EncryptionConfig encryption_config = 3
      [(google.api.field_behavior) = REQUIRED];
}

// Get EncryptionConfig Request
message GetEncryptionConfigRequest {
  // Required. The name of the EncryptionConfig to fetch.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "dataplex.googleapis.com/EncryptionConfig"
    }
  ];
}

// Update EncryptionConfig Request
message UpdateEncryptionConfigRequest {
  // Required. The EncryptionConfig to update.
  EncryptionConfig encryption_config = 1
      [(google.api.field_behavior) = REQUIRED];

  // Optional. Mask of fields to update.
  // The service treats an omitted field mask as an implied field mask
  // equivalent to all fields that are populated (have a non-empty value).
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = OPTIONAL];
}

// Delete EncryptionConfig Request
message DeleteEncryptionConfigRequest {
  // Required. The name of the EncryptionConfig to delete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "dataplex.googleapis.com/EncryptionConfig"
    }
  ];

  // Optional. Etag of the EncryptionConfig. This is a strong etag.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// List EncryptionConfigs Request
message ListEncryptionConfigsRequest {
  // Required. The location for which the EncryptionConfig is to be listed.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "dataplex.googleapis.com/EncryptionConfig"
    }
  ];

  // Optional. Maximum number of EncryptionConfigs to return. The service may
  // return fewer than this value. If unspecified, at most 10 EncryptionConfigs
  // will be returned. The maximum value is 1000; values above 1000 will be
  // coerced to 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Page token received from a previous `ListEncryptionConfigs` call.
  // Provide this to retrieve the subsequent page. When paginating, the
  // parameters - filter and order_by provided to `ListEncryptionConfigs` must
  // match the call that provided the page token.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Filter the EncryptionConfigs to be returned.
  // Using bare literals: (These values will be matched anywhere it may appear
  // in the object's field values)
  // * filter=some_value
  // Using fields: (These values will be matched only in the specified field)
  // * filter=some_field=some_value
  // Supported fields:
  // * name, key, create_time, update_time, encryption_state
  // Example:
  // * filter=name=organizations/123/locations/us-central1/encryptionConfigs/test-config
  // conjunctions: (AND, OR, NOT)
  // * filter=name=organizations/123/locations/us-central1/encryptionConfigs/test-config
  // AND mode=CMEK
  // logical operators: (>, <, >=, <=, !=, =, :),
  // * filter=create_time>2024-05-01T00:00:00.000Z
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Order by fields for the result.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// List EncryptionConfigs Response
message ListEncryptionConfigsResponse {
  // The list of EncryptionConfigs under the given parent location.
  repeated EncryptionConfig encryption_configs = 1;

  // Token to retrieve the next page of results, or empty if there are no more
  // results in the list.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable_locations = 3 [(google.api.resource_reference) = {
    type: "locations.googleapis.com/Location"
  }];
}