# frozen_string_literal: true # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Auto-generated by gapic-generator-ruby. DO NOT EDIT! module Google module Cloud module OrgPolicy module V2 # A constraint describes a way to restrict resource's configuration. For # example, you could enforce a constraint that controls which Google Cloud # services can be activated across an organization, or whether a Compute Engine # instance can have serial port connections established. Constraints can be # configured by the organization policy administrator to fit the needs of the # organization by setting a policy that includes constraints at different # locations in the organization's resource hierarchy. Policies are inherited # down the resource hierarchy from higher levels, but can also be overridden. # For details about the inheritance rules please read about # [`policies`][google.cloud.OrgPolicy.v2.Policy]. # # Constraints have a default behavior determined by the `constraint_default` # field, which is the enforcement behavior that is used in the absence of a # policy being defined or inherited for the resource in question. # @!attribute [rw] name # @return [::String] # Immutable. The resource name of the constraint. Must be in one of # the following forms: # # * `projects/{project_number}/constraints/{constraint_name}` # * `folders/{folder_id}/constraints/{constraint_name}` # * `organizations/{organization_id}/constraints/{constraint_name}` # # For example, "/projects/123/constraints/compute.disableSerialPortAccess". # @!attribute [rw] display_name # @return [::String] # The human readable name. # # Mutable. # @!attribute [rw] description # @return [::String] # Detailed description of what this constraint controls as well as how and # where it is enforced. # # Mutable. # @!attribute [rw] constraint_default # @return [::Google::Cloud::OrgPolicy::V2::Constraint::ConstraintDefault] # The evaluation behavior of this constraint in the absence of a policy. # @!attribute [rw] list_constraint # @return [::Google::Cloud::OrgPolicy::V2::Constraint::ListConstraint] # Defines this constraint as being a ListConstraint. # @!attribute [rw] boolean_constraint # @return [::Google::Cloud::OrgPolicy::V2::Constraint::BooleanConstraint] # Defines this constraint as being a BooleanConstraint. # @!attribute [rw] supports_dry_run # @return [::Boolean] # Shows if dry run is supported for this constraint or not. class Constraint include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # A constraint that allows or disallows a list of string values, which are # configured by an Organization Policy administrator with a policy. # @!attribute [rw] supports_in # @return [::Boolean] # Indicates whether values grouped into categories can be used in # `Policy.allowed_values` and `Policy.denied_values`. For example, # `"in:Python"` would match any value in the 'Python' group. # @!attribute [rw] supports_under # @return [::Boolean] # Indicates whether subtrees of the Resource Manager resource hierarchy # can be used in `Policy.allowed_values` and `Policy.denied_values`. For # example, `"under:folders/123"` would match any resource under the # 'folders/123' folder. class ListConstraint include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # A constraint that is either enforced or not. # # For example, a constraint `constraints/compute.disableSerialPortAccess`. # If it is enforced on a VM instance, serial port connections will not be # opened to that instance. class BooleanConstraint include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Specifies the default behavior in the absence of any policy for the # constraint. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`. # # Immutable after creation. module ConstraintDefault # This is only used for distinguishing unset values and should never be # used. CONSTRAINT_DEFAULT_UNSPECIFIED = 0 # Indicate that all values are allowed for list constraints. # Indicate that enforcement is off for boolean constraints. ALLOW = 1 # Indicate that all values are denied for list constraints. # Indicate that enforcement is on for boolean constraints. DENY = 2 end end # A custom constraint defined by customers which can *only* be applied to the # given resource types and organization. # # By creating a custom constraint, customers can apply policies of this # custom constraint. *Creating a custom constraint itself does NOT apply any # policy enforcement*. # @!attribute [rw] name # @return [::String] # Immutable. Name of the constraint. This is unique within the organization. # Format of the name should be # # * `organizations/{organization_id}/customConstraints/{custom_constraint_id}` # # Example: `organizations/123/customConstraints/custom.createOnlyE2TypeVms` # # The max length is 70 characters and the minimum length is 1. Note that the # prefix `organizations/{organization_id}/customConstraints/` is not counted. # @!attribute [rw] resource_types # @return [::Array<::String>] # Immutable. The resource instance type on which this policy applies. Format # will be of the form : `/` Example: # # * `compute.googleapis.com/Instance`. # @!attribute [rw] method_types # @return [::Array<::Google::Cloud::OrgPolicy::V2::CustomConstraint::MethodType>] # All the operations being applied for this constraint. # @!attribute [rw] condition # @return [::String] # Org policy condition/expression. For example: # `resource.instanceName.matches("[production|test]_.*_(\d)+")` or, # `resource.management.auto_upgrade == true` # # The max length of the condition is 1000 characters. # @!attribute [rw] action_type # @return [::Google::Cloud::OrgPolicy::V2::CustomConstraint::ActionType] # Allow or deny type. # @!attribute [rw] display_name # @return [::String] # One line display name for the UI. # The max length of the display_name is 200 characters. # @!attribute [rw] description # @return [::String] # Detailed information about this custom policy constraint. # The max length of the description is 2000 characters. # @!attribute [r] update_time # @return [::Google::Protobuf::Timestamp] # Output only. The last time this custom constraint was updated. This # represents the last time that the `CreateCustomConstraint` or # `UpdateCustomConstraint` RPC was called class CustomConstraint include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The operation for which this constraint will be applied. To apply this # constraint only when creating new VMs, the `method_types` should be # `CREATE` only. To apply this constraint when creating or deleting # VMs, the `method_types` should be `CREATE` and `DELETE`. # # `UPDATE` only custom constraints are not supported. Use `CREATE` or # `CREATE, UPDATE`. module MethodType # Unspecified. Results in an error. METHOD_TYPE_UNSPECIFIED = 0 # Constraint applied when creating the resource. CREATE = 1 # Constraint applied when updating the resource. UPDATE = 2 # Constraint applied when deleting the resource. # Not supported yet. DELETE = 3 # Constraint applied when removing an IAM grant. REMOVE_GRANT = 4 # Constraint applied when enforcing forced tagging. GOVERN_TAGS = 5 end # Allow or deny type. module ActionType # Unspecified. Results in an error. ACTION_TYPE_UNSPECIFIED = 0 # Allowed action type. ALLOW = 1 # Deny action type. DENY = 2 end end end end end end