// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.auditmanager.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AuditManager.V1";
option go_package = "cloud.google.com/go/auditmanager/apiv1/auditmanagerpb;auditmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "V1mainProto";
option java_package = "com.google.cloud.auditmanager.v1";
option php_namespace = "Google\\Cloud\\AuditManager\\V1";
option ruby_package = "Google::Cloud::AuditManager::V1";
option (google.api.resource_definition) = {
  type: "auditmanager.googleapis.com/FolderLocation"
  pattern: "folders/{folder}/locations/{location}"
};
option (google.api.resource_definition) = {
  type: "auditmanager.googleapis.com/OrganizationLocation"
  pattern: "organizations/{organization}/locations/{location}"
};
option (google.api.resource_definition) = {
  type: "auditmanager.googleapis.com/Standard"
  pattern: "projects/{project}/locations/{location}/standards/{standard}"
  pattern: "folders/{folder}/locations/{location}/standards/{standard}"
  pattern: "organizations/{organization}/locations/{location}/standards/{standard}"
};
option (google.api.resource_definition) = {
  type: "auditmanager.googleapis.com/EnrollmentStatusScope"
  pattern: "folders/{folder}/locations/{location}"
  pattern: "organizations/{organization}/locations/{location}"
};

// Service describing handlers for resources
service AuditManager {
  option (google.api.default_host) = "auditmanager.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Enrolls the customer resource(folder/project/organization) to the audit
  // manager service by creating the audit managers Service Agent in customers
  // workload and granting required permissions to the Service Agent. Please
  // note that if enrollment request is made on the already enrolled workload
  // then enrollment is executed overriding the existing set of destinations.
  rpc EnrollResource(EnrollResourceRequest) returns (Enrollment) {
    option (google.api.http) = {
      post: "/v1/{scope=folders/*/locations/*}:enrollResource"
      body: "*"
      additional_bindings {
        post: "/v1/{scope=projects/*/locations/*}:enrollResource"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{scope=organizations/*/locations/*}:enrollResource"
        body: "*"
      }
    };
    option (google.api.method_signature) = "scope,destinations";
  }

  // Generates a demo report highlighting different responsibilities
  // (Google/Customer/ shared) required to be fulfilled for the customer's
  // workload to be compliant with the given standard.
  rpc GenerateAuditScopeReport(GenerateAuditScopeReportRequest)
      returns (AuditScopeReport) {
    option (google.api.http) = {
      post: "/v1/{scope=folders/*/locations/*}/auditScopeReports:generate"
      body: "*"
      additional_bindings {
        post: "/v1/{scope=projects/*/locations/*}/auditScopeReports:generate"
        body: "*"
      }
    };
    option (google.api.method_signature) =
        "scope,compliance_standard,report_format";
  }

  // Register the Audit Report generation requests and returns the OperationId
  // using which the customer can track the report generation progress.
  rpc GenerateAuditReport(GenerateAuditReportRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{scope=folders/*/locations/*}/auditReports:generate"
      body: "*"
      additional_bindings {
        post: "/v1/{scope=projects/*/locations/*}/auditReports:generate"
        body: "*"
      }
    };
    option (google.api.method_signature) =
        "scope,gcs_uri,compliance_standard,report_format";
    option (google.longrunning.operation_info) = {
      response_type: "AuditReport"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists audit reports in the selected parent scope
  rpc ListAuditReports(ListAuditReportsRequest)
      returns (ListAuditReportsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*}/auditReports"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/auditReports"
      }
      additional_bindings {
        get: "/v1/{parent=projects/*/locations/*}/auditReports"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Get the overall audit report
  rpc GetAuditReport(GetAuditReportRequest) returns (AuditReport) {
    option (google.api.http) = {
      get: "/v1/{name=folders/*/locations/*/auditReports/*}"
      additional_bindings {
        get: "/v1/{name=projects/*/locations/*/auditReports/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Get a resource along with its enrollment status.
  rpc GetResourceEnrollmentStatus(GetResourceEnrollmentStatusRequest)
      returns (ResourceEnrollmentStatus) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/resourceEnrollmentStatuses/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/locations/*/resourceEnrollmentStatuses/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/locations/*/resourceEnrollmentStatuses/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Fetches all resources under the parent along with their enrollment.
  rpc ListResourceEnrollmentStatuses(ListResourceEnrollmentStatusesRequest)
      returns (ListResourceEnrollmentStatusesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*}/resourceEnrollmentStatuses"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/resourceEnrollmentStatuses"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets controls needed to be implemented to be compliant to a standard.
  rpc ListControls(ListControlsRequest) returns (ListControlsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*/standards/*}/controls"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*/standards/*}/controls"
      }
      additional_bindings {
        get: "/v1/{parent=projects/*/locations/*/standards/*}/controls"
      }
    };
    option (google.api.method_signature) = "parent";
  }
}

// The different execution states of the Audit Manager service.
enum OperationState {
  // Unspecified. Invalid state.
  OPERATION_STATE_UNSPECIFIED = 0;

  // Audit report generation process has not started.
  OPERATION_STATE_NOT_STARTED = 10;

  // Audit Manager is currently evaluating the workloads against specific
  // standard.
  OPERATION_STATE_EVALUATION_IN_PROGRESS = 20;

  // Audit Manager has completed Evaluation for the workload.
  OPERATION_STATE_EVALUATION_DONE = 21;

  // Audit Manager is creating audit report from the evaluated data.
  OPERATION_STATE_EVIDENCE_REPORT_GENERATION_IN_PROGRESS = 30;

  // Audit Manager has completed generation of the audit report.
  OPERATION_STATE_EVIDENCE_REPORT_GENERATION_DONE = 31;

  // Audit Manager is uploading the audit report and evidences to the customer
  // provided destination.
  OPERATION_STATE_EVIDENCE_UPLOAD_IN_PROGRESS = 40;

  // Audit report generation process is completed.
  OPERATION_STATE_DONE = 50;

  // Audit report generation process has failed.
  OPERATION_STATE_FAILED = 60;
}

// The compliance state after evaluation.
enum ComplianceState {
  // Unspecified. Invalid state.
  COMPLIANCE_STATE_UNSPECIFIED = 0;

  // Compliant.
  COMPLIANT = 1;

  // Violation.
  VIOLATION = 2;

  // MANUAL_REVIEW_NEEDED, requires manual review
  MANUAL_REVIEW_NEEDED = 3;

  // Error while computing status.
  ERROR = 4;

  // Cannot be audited
  AUDIT_NOT_SUPPORTED = 5;
}

// Request message to subscribe the Audit Manager service for given resource.
message EnrollResourceRequest {
  // The destination details where the audit report must be uploaded.
  message EligibleDestination {
    // The options for the report destination location.
    oneof eligible_destinations {
      // The Cloud Storage bucket location where the audit report and evidences
      // can be uploaded during the `GenerateAuditReport` API call.
      string eligible_gcs_bucket = 3;
    }
  }

  // Required. The resource to be enrolled to the audit manager. Scope format
  // should be resource_type/resource_identifier Eg:
  // projects/{project}/locations/{location},
  // folders/{folder}/locations/{location}
  // organizations/{organization}/locations/{location}
  string scope = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. List of destination among which customer can choose to upload
  // their reports during the audit process. While enrolling at a
  // organization/folder level, customer can choose Cloud storage bucket in any
  // project. If the audit is triggered at project level using the service agent
  // at organization/folder level, all the destination options associated with
  // respective organization/folder level service agent will be available to
  // auditing projects.
  repeated EligibleDestination destinations = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Message for requesting audit scope report.
message GenerateAuditScopeReportRequest {
  // The options for the audit scope report format.
  enum AuditScopeReportFormat {
    // Unspecified. Invalid format.
    AUDIT_SCOPE_REPORT_FORMAT_UNSPECIFIED = 0;

    // Audit Scope Report creation format is Open Document.
    AUDIT_SCOPE_REPORT_FORMAT_ODF = 1;
  }

  // Required. Scope for which the AuditScopeReport is required. Must be of
  // format resource_type/resource_identifier Eg:
  // projects/{project}/locations/{location},
  // folders/{folder}/locations/{location}
  string scope = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Compliance Standard against which the Scope Report must be
  // generated. Eg: FEDRAMP_MODERATE
  string compliance_standard = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The format in which the Scope report bytes should be returned.
  AuditScopeReportFormat report_format = 4
      [(google.api.field_behavior) = REQUIRED];

  // Required. Compliance framework against which the Scope Report must be
  // generated.
  string compliance_framework = 5 [(google.api.field_behavior) = REQUIRED];
}

// Message for requesting the Audit Report.
message GenerateAuditReportRequest {
  // The options for the audit report format.
  enum AuditReportFormat {
    // Unspecified. Invalid state.
    AUDIT_REPORT_FORMAT_UNSPECIFIED = 0;

    // Audit Report creation format is Open Document.
    AUDIT_REPORT_FORMAT_ODF = 1;
  }

  // Set of options for the report destination location.
  oneof destination {
    // Destination Cloud storage bucket where report and evidence must be
    // uploaded. The Cloud storage bucket provided here must be selected among
    // the buckets entered during the enrollment process.
    string gcs_uri = 2;
  }

  // Required. Scope for which the AuditScopeReport is required. Must be of
  // format resource_type/resource_identifier Eg:
  // projects/{project}/locations/{location},
  // folders/{folder}/locations/{location}
  string scope = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Compliance Standard against which the Scope Report must be
  // generated. Eg: FEDRAMP_MODERATE
  string compliance_standard = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The format in which the audit report should be created.
  AuditReportFormat report_format = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. Compliance framework against which the Report must be generated.
  string compliance_framework = 5 [(google.api.field_behavior) = REQUIRED];
}

// Message for getting the enrollment status of a resource.
message GetResourceEnrollmentStatusRequest {
  // Required. Format
  // folders/{folder}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status},
  // projects/{project}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status},
  // organizations/{organization}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "auditmanager.googleapis.com/ResourceEnrollmentStatus"
    }
  ];
}

// Message for listing all the descendent resources under parent with
// enrollment.
message ListResourceEnrollmentStatusesRequest {
  // Required. The parent scope for which the list of resources with enrollments
  // are required.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "auditmanager.googleapis.com/EnrollmentStatusScope"
    }
  ];

  // Optional. The maximum number of resources to return.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The next_page_token value returned from a previous List request,
  // if any.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message with all the descendent resources with enrollment.
message ListResourceEnrollmentStatusesResponse {
  // The resources with their enrollment status.
  repeated ResourceEnrollmentStatus resource_enrollment_statuses = 1;

  // Output only. The token to retrieve the next page of results.
  string next_page_token = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Message for requesting to list the audit reports.
message ListAuditReportsRequest {
  // Required. The parent scope for which to list the reports.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "auditmanager.googleapis.com/AuditReport"
    }
  ];

  // Optional. The maximum number of resources to return.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The next_page_token value returned from a previous List request,
  // if any.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message with all the audit reports.
message ListAuditReportsResponse {
  // Output only. The audit reports.
  repeated AuditReport audit_reports = 1
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The token to retrieve the next page of results.
  string next_page_token = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Message for requesting the overall audit report for an audit report name.
message GetAuditReportRequest {
  // Required. Format
  // projects/{project}/locations/{location}/auditReports/{audit_report},
  // folders/{folder}/locations/{location}/auditReports/{audit_report}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "auditmanager.googleapis.com/AuditReport"
    }
  ];
}

// Message for requesting all the controls for a compliance standard.
message ListControlsRequest {
  // Required. Format
  // projects/{project}/locations/{location}/standards/{standard},
  // folders/{folder}/locations/{location}/standards/{standard}
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "auditmanager.googleapis.com/Standard"
    }
  ];

  // Optional. The maximum number of resources to return.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The next_page_token value returned from a previous List request,
  // if any.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message with all the controls for a compliance standard.
message ListControlsResponse {
  // Output only. The controls for the compliance standard.
  repeated Control controls = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The token to retrieve the next page of results.
  string next_page_token = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The `ReportGenerationProgress` is part of
// [google.longrunning.Operation][google.longrunning.Operation] returned to the
// client for every `GetOperation` request.
message ReportGenerationProgress {
  // Output only. The current state of execution for report generation.
  OperationState state = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. States the reason of failure during the audit report
  // generation process. This field is set only if the state attribute is
  // OPERATION_STATE_FAILED.
  string failure_reason = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Shows the progress of the CESS service evaluation process. The progress is
  // defined in terms of percentage complete and is being fetched from the CESS
  // service.
  double evaluation_percent_complete = 20;

  // Shows the report generation progress of the CESS Result Processor Service.
  // The // progress is defined in terms of percentage complete and is being
  // fetched from the CESS service. If report_generation_in_progress is non zero
  // then evaluation_percent_complete will be 100%.
  double report_generation_percent_complete = 30;

  // Shows the report uploading progress of the CESS Result Processor Service.
  // The progress is defined in terms of percentage complete and is being
  // fetched from the CESS service. If report_uploading_in_progress is non zero
  // then evaluation_percent_complete and report_generation_percent_complete
  // will be 100%.
  double report_uploading_percent_complete = 40;

  // Output only. The Cloud Storage bucket where the audit report will be
  // uploaded once the evaluation process is completed.
  string destination_gcs_bucket = 50
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the audit report.
  string audit_report = 51 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.resource_reference) = {
      type: "auditmanager.googleapis.com/AuditReport"
    }
  ];
}

// The enrollment resource.
message Enrollment {
  option (google.api.resource) = {
    type: "auditmanager.googleapis.com/Enrollment"
    pattern: "projects/{project}/locations/{location}/enrollments/{enrollment}"
    pattern: "folders/{folder}/locations/{location}/enrollments/{enrollment}"
    pattern: "organizations/{organization}/locations/{location}/enrollments/{enrollment}"
    plural: "enrollments"
    singular: "enrollment"
  };

  // Identifier. The name of this Enrollment, in the format of scope given in
  // request.
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. The locations where the generated reports can be uploaded.
  repeated DestinationDetails destination_details = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The audit scope report.
message AuditScopeReport {
  option (google.api.resource) = {
    type: "auditmanager.googleapis.com/AuditScopeReport"
    pattern: "projects/{project}/locations/{location}/auditScopeReports/{audit_scope_report}"
    pattern: "folders/{folder}/locations/{location}/auditScopeReports/{audit_scope_report}"
    plural: "auditScopeReports"
    singular: "auditScopeReport"
  };

  // The options in which the audit scope report is exported.
  oneof audit_report {
    // The audit scope report content in byte format.
    bytes scope_report_contents = 1;
  }

  // Identifier. The name of this Audit Report, in the format of scope given in
  // request.
  string name = 2 [(google.api.field_behavior) = IDENTIFIER];
}

// The metadata of the long-running operation.
message OperationMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Server-defined resource path for the target of the operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Name of the verb executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Human-readable status of the operation, if any.
  string status_message = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested cancellation
  // of the operation. Operations that have been cancelled successfully
  // have [Operation.error][] value with a
  // [google.rpc.Status.code][google.rpc.Status.code] of 1, corresponding to
  // `Code.CANCELLED`.
  bool requested_cancellation = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. API version used to start the operation.
  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A resource with its enrollment status.
message ResourceEnrollmentStatus {
  option (google.api.resource) = {
    type: "auditmanager.googleapis.com/ResourceEnrollmentStatus"
    pattern: "folders/{folder}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status}"
    pattern: "projects/{project}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status}"
    pattern: "organizations/{organization}/locations/{location}/resourceEnrollmentStatuses/{resource_enrollment_status}"
    plural: "resourceEnrollmentStatuses"
    singular: "resourceEnrollmentStatus"
  };

  // The different enrollment states of a resource.
  enum ResourceEnrollmentState {
    // Unspecified. Invalid state.
    RESOURCE_ENROLLMENT_STATE_UNSPECIFIED = 0;

    // Not enrolled.
    NOT_ENROLLED = 1;

    // Resource is not enrolled but the parent is enrolled.
    INHERITED = 2;

    // Enrolled.
    ENROLLED = 3;
  }

  // Identifier. The name of this resource.
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. Enrollment which contains enrolled destination details for a
  // resource
  Enrollment enrollment = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Is resource enrolled.
  bool enrolled = 3
      [deprecated = true, (google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Display name of the project/folder/organization.
  string display_name = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Enrollment state of the resource.
  ResourceEnrollmentState enrollment_state = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// An audit report.
message AuditReport {
  option (google.api.resource) = {
    type: "auditmanager.googleapis.com/AuditReport"
    pattern: "projects/{project}/locations/{location}/auditReports/{audit_report}"
    pattern: "folders/{folder}/locations/{location}/auditReports/{audit_report}"
    plural: "auditReports"
    singular: "auditReport"
  };

  // The different states of the Audit Manager report generation.
  enum ReportGenerationState {
    // Unspecified. Invalid state.
    REPORT_GENERATION_STATE_UNSPECIFIED = 0;

    // Audit report generation process is in progress, ie. operation state is
    // neither OPERATION_STATE_DONE nor OPERATION_STATE_FAILED.
    IN_PROGRESS = 1;

    // Audit report generation process is completed. Operation state is
    // OPERATION_STATE_DONE.
    COMPLETED = 2;

    // Audit report generation process has failed. Operation state is
    // OPERATION_STATE_FAILED.
    FAILED = 3;

    // Audit report generation process has completed. But report summary is
    // unknown. This is valid for older reports.
    SUMMARY_UNKNOWN = 4;
  }

  // Identifier. The name of this Audit Report, in the format of scope given in
  // request.
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. Report summary with compliance, violation counts etc.
  ReportSummary report_summary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. ClientOperationId
  string operation_id = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The location where the generated report will be uploaded.
  DestinationDetails destination_details = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Compliance Standard.
  string compliance_standard = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The parent scope on which the report was generated.
  string scope = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Creation time of the audit report.
  google.protobuf.Timestamp create_time = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The overall status of controls
  repeated ControlDetails control_details = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The state of Audit Report Generation.
  ReportGenerationState report_generation_state = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Compliance Framework of Audit Report
  string compliance_framework = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The ID/ Number for the scope on which the audit report was
  // generated.
  string scope_id = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The regulatory family of the control.
message ControlFamily {
  // The ID of the regulatory control family.
  string family_id = 1;

  // The display name of the regulatory control family.
  string display_name = 2;
}

// A control.
message Control {
  // The family of the control. For example, Access Control.
  enum Family {
    // Unspecified. Invalid state.
    FAMILY_UNSPECIFIED = 0;

    // Access Control
    AC = 1;

    // Awareness and Training
    AT = 2;

    // Audit and Accountability
    AU = 3;

    // Certification, Accreditation and Security Assessments
    CA = 4;

    // Configuration Management
    CM = 5;

    // Contingency Planning
    CP = 6;

    // Identification and Authentication
    IA = 7;

    // Incident Response
    IR = 8;

    // Maintenance
    MA = 9;

    // Media Protection
    MP = 10;

    // Physical and Environmental Protection
    PE = 11;

    // Security Planning
    PL = 12;

    // Personnel Security
    PS = 13;

    // Risk Assessment
    RA = 14;

    // System Services and Acquisition
    SA = 15;

    // System and Communications Protection
    SC = 16;

    // System and Information Integrity
    SI = 17;

    // Supply Chain Risk Management
    SR = 18;
  }

  // Output only. The control identifier used to fetch the findings. This is
  // same as the control report name.
  string id = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Display name of the control.
  string display_name = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Group where the control belongs. E.g. Access Control.
  Family family = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Regulatory Family of the control E.g. Access Control
  ControlFamily control_family = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Regulatory control ask of the control
  string description = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The type of responsibility for implementing this control. It
  // can be google, customer or shared.
  string responsibility_type = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Description of the google responsibility for implementing this
  // control.
  string google_responsibility_description = 6
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Implementation of the google responsibility for implementing
  // this control.
  string google_responsibility_implementation = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Description of the customer responsibility for implementing
  // this control.
  string customer_responsibility_description = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Implementation of the customer responsibility for implementing
  // this control.
  string customer_responsibility_implementation = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The locations where the generated reports are saved.
message DestinationDetails {
  oneof destination {
    // The Cloud Storage bucket where the audit report is/will be uploaded.
    string gcs_bucket_uri = 1;
  }
}

// The additional information for an audit operation.
message ReportSummary {
  // Total number of checks.
  int32 total_count = 1;

  // Number of compliant checks.
  int32 compliant_count = 2;

  // Number of checks with violations.
  int32 violation_count = 3;

  // Number of checks with "manual review needed" status.
  int32 manual_review_needed_count = 4;

  // Number of checks that could not be performed due to errors.
  int32 error_count = 5;
}

// The evaluation details for a control.
message ControlDetails {
  // The control for which the findings are being reported.
  Control control = 1;

  // Output only. Overall status of the findings for the control.
  ComplianceState compliance_state = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Report summary with compliance, violation counts etc.
  ReportSummary control_report_summary = 3;
}
