// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.assuredworkloads.v1; import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/longrunning/operations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/timestamp.proto"; option csharp_namespace = "Google.Cloud.AssuredWorkloads.V1"; option go_package = "cloud.google.com/go/assuredworkloads/apiv1/assuredworkloadspb;assuredworkloadspb"; option java_multiple_files = true; option java_outer_classname = "AssuredworkloadsProto"; option java_package = "com.google.cloud.assuredworkloads.v1"; option php_namespace = "Google\\Cloud\\AssuredWorkloads\\V1"; option ruby_package = "Google::Cloud::AssuredWorkloads::V1"; option (google.api.resource_definition) = { type: "assuredworkloads.googleapis.com/Location" pattern: "organizations/{organization}/locations/{location}" }; // Service to manage AssuredWorkloads. service AssuredWorkloadsService { option (google.api.default_host) = "assuredworkloads.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; // Creates Assured Workload. rpc CreateWorkload(CreateWorkloadRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=organizations/*/locations/*}/workloads" body: "workload" }; option (google.api.method_signature) = "parent,workload"; option (google.longrunning.operation_info) = { response_type: "Workload" metadata_type: "CreateWorkloadOperationMetadata" }; } // Updates an existing workload. // Currently allows updating of workload display_name and labels. // For force updates don't set etag field in the Workload. // Only one update operation per workload can be in progress. rpc UpdateWorkload(UpdateWorkloadRequest) returns (Workload) { option (google.api.http) = { patch: "/v1/{workload.name=organizations/*/locations/*/workloads/*}" body: "workload" }; option (google.api.method_signature) = "workload,update_mask"; } // Restrict the list of resources allowed in the Workload environment. // The current list of allowed products can be found at // https://cloud.google.com/assured-workloads/docs/supported-products // In addition to assuredworkloads.workload.update permission, the user should // also have orgpolicy.policy.set permission on the folder resource // to use this functionality. rpc RestrictAllowedResources(RestrictAllowedResourcesRequest) returns (RestrictAllowedResourcesResponse) { option (google.api.http) = { post: "/v1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedResources" body: "*" }; } // Deletes the workload. Make sure that workload's direct children are already // in a deleted state, otherwise the request will fail with a // FAILED_PRECONDITION error. rpc DeleteWorkload(DeleteWorkloadRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=organizations/*/locations/*/workloads/*}" }; option (google.api.method_signature) = "name"; } // Gets Assured Workload associated with a CRM Node rpc GetWorkload(GetWorkloadRequest) returns (Workload) { option (google.api.http) = { get: "/v1/{name=organizations/*/locations/*/workloads/*}" }; option (google.api.method_signature) = "name"; } // Lists Assured Workloads under a CRM Node. rpc ListWorkloads(ListWorkloadsRequest) returns (ListWorkloadsResponse) { option (google.api.http) = { get: "/v1/{parent=organizations/*/locations/*}/workloads" }; option (google.api.method_signature) = "parent"; } // Lists the Violations in the AssuredWorkload Environment. // Callers may also choose to read across multiple Workloads as per // [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash // character) as a wildcard character instead of workload-id in the parent. // Format `organizations/{org_id}/locations/{location}/workloads/-` rpc ListViolations(ListViolationsRequest) returns (ListViolationsResponse) { option (google.api.method_signature) = "parent"; } // Retrieves Assured Workload Violation based on ID. rpc GetViolation(GetViolationRequest) returns (Violation) { option (google.api.method_signature) = "name"; } // Acknowledges an existing violation. By acknowledging a violation, users // acknowledge the existence of a compliance violation in their workload and // decide to ignore it due to a valid business justification. Acknowledgement // is a permanent operation and it cannot be reverted. rpc AcknowledgeViolation(AcknowledgeViolationRequest) returns (AcknowledgeViolationResponse) { } } // Request for creating a workload. message CreateWorkloadRequest { // Required. The resource name of the new Workload's parent. // Must be of the form `organizations/{org_id}/locations/{location_id}`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "assuredworkloads.googleapis.com/Workload" } ]; // Required. Assured Workload to create Workload workload = 2 [(google.api.field_behavior) = REQUIRED]; // Optional. A identifier associated with the workload and underlying projects which // allows for the break down of billing costs for a workload. The value // provided for the identifier will add a label to the workload and contained // projects with the identifier as the value. string external_id = 3 [(google.api.field_behavior) = OPTIONAL]; } // Request for Updating a workload. message UpdateWorkloadRequest { // Required. The workload to update. // The workload's `name` field is used to identify the workload to be updated. // Format: // organizations/{org_id}/locations/{location_id}/workloads/{workload_id} Workload workload = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The list of fields to be updated. google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; } // Request for deleting a Workload. message DeleteWorkloadRequest { // Required. The `name` field is used to identify the workload. // Format: // organizations/{org_id}/locations/{location_id}/workloads/{workload_id} string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "assuredworkloads.googleapis.com/Workload" } ]; // Optional. The etag of the workload. // If this is provided, it must match the server's etag. string etag = 2 [(google.api.field_behavior) = OPTIONAL]; } // Request for fetching a workload. message GetWorkloadRequest { // Required. The resource name of the Workload to fetch. This is the workload's // relative path in the API, formatted as // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}". // For example, // "organizations/123/locations/us-east1/workloads/assured-workload-1". string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "assuredworkloads.googleapis.com/Workload" } ]; } // Request for fetching workloads in an organization. message ListWorkloadsRequest { // Required. Parent Resource to list workloads from. // Must be of the form `organizations/{org_id}/locations/{location}`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "assuredworkloads.googleapis.com/Workload" } ]; // Page size. int32 page_size = 2; // Page token returned from previous request. Page token contains context from // previous request. Page token needs to be passed in the second and following // requests. string page_token = 3; // A custom filter for filtering by properties of a workload. At this time, // only filtering by labels is supported. string filter = 4; } // Response of ListWorkloads endpoint. message ListWorkloadsResponse { // List of Workloads under a given parent. repeated Workload workloads = 1; // The next page token. Return empty if reached the last page. string next_page_token = 2; } // A Workload object for managing highly regulated workloads of cloud // customers. message Workload { option (google.api.resource) = { type: "assuredworkloads.googleapis.com/Workload" pattern: "organizations/{organization}/locations/{location}/workloads/{workload}" }; // Represent the resources that are children of this Workload. message ResourceInfo { // The type of resource. enum ResourceType { // Unknown resource type. RESOURCE_TYPE_UNSPECIFIED = 0; // Consumer project. // AssuredWorkloads Projects are no longer supported. This field will be // ignored only in CreateWorkload requests. ListWorkloads and GetWorkload // will continue to provide projects information. // Use CONSUMER_FOLDER instead. CONSUMER_PROJECT = 1 [deprecated = true]; // Consumer Folder. CONSUMER_FOLDER = 4; // Consumer project containing encryption keys. ENCRYPTION_KEYS_PROJECT = 2; // Keyring resource that hosts encryption keys. KEYRING = 3; } // Resource identifier. // For a project this represents project_number. int64 resource_id = 1; // Indicates the type of resource. ResourceType resource_type = 2; } // Supported Compliance Regimes. enum ComplianceRegime { // Unknown compliance regime. COMPLIANCE_REGIME_UNSPECIFIED = 0; // Information protection as per DoD IL4 requirements. IL4 = 1; // Criminal Justice Information Services (CJIS) Security policies. CJIS = 2; // FedRAMP High data protection controls FEDRAMP_HIGH = 3; // FedRAMP Moderate data protection controls FEDRAMP_MODERATE = 4; // Assured Workloads For US Regions data protection controls US_REGIONAL_ACCESS = 5; // Health Insurance Portability and Accountability Act controls HIPAA = 6; // Health Information Trust Alliance controls HITRUST = 7; // Assured Workloads For EU Regions and Support controls EU_REGIONS_AND_SUPPORT = 8; // Assured Workloads For Canada Regions and Support controls CA_REGIONS_AND_SUPPORT = 9; // International Traffic in Arms Regulations ITAR = 10; // Assured Workloads for Australia Regions and Support controls // Available for public preview consumption. // Don't create production workloads. AU_REGIONS_AND_US_SUPPORT = 11; // Assured Workloads for Partners ASSURED_WORKLOADS_FOR_PARTNERS = 12; } // Settings specific to the Key Management Service. // This message is deprecated. // In order to create a Keyring, callers should specify, // ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field. message KMSSettings { option deprecated = true; // Required. Input only. Immutable. The time at which the Key Management Service will automatically create a // new version of the crypto key and mark it as the primary. google.protobuf.Timestamp next_rotation_time = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.field_behavior) = INPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key // Management Service automatically rotates a key. Must be at least 24 hours // and at most 876,000 hours. google.protobuf.Duration rotation_period = 2 [ (google.api.field_behavior) = REQUIRED, (google.api.field_behavior) = INPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; } // Represent the custom settings for the resources to be created. message ResourceSettings { // Resource identifier. // For a project this represents project_id. If the project is already // taken, the workload creation will fail. // For KeyRing, this represents the keyring_id. // For a folder, don't set this value as folder_id is assigned by Google. string resource_id = 1; // Indicates the type of resource. This field should be specified to // correspond the id to the right resource type (CONSUMER_FOLDER or // ENCRYPTION_KEYS_PROJECT) ResourceInfo.ResourceType resource_type = 2; // User-assigned resource display name. // If not empty it will be used to create a resource with the specified // name. string display_name = 3; } // Key Access Justifications(KAJ) Enrollment State. enum KajEnrollmentState { // Default State for KAJ Enrollment. KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0; // Pending State for KAJ Enrollment. KAJ_ENROLLMENT_STATE_PENDING = 1; // Complete State for KAJ Enrollment. KAJ_ENROLLMENT_STATE_COMPLETE = 2; } // Signed Access Approvals (SAA) enrollment response. message SaaEnrollmentResponse { // Setup state of SAA enrollment. enum SetupState { // Unspecified. SETUP_STATE_UNSPECIFIED = 0; // SAA enrollment pending. STATUS_PENDING = 1; // SAA enrollment comopleted. STATUS_COMPLETE = 2; } // Setup error of SAA enrollment. enum SetupError { // Unspecified. SETUP_ERROR_UNSPECIFIED = 0; // Invalid states for all customers, to be redirected to AA UI for // additional details. ERROR_INVALID_BASE_SETUP = 1; // Returned when there is not an EKM key configured. ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2; // Returned when there are no enrolled services or the customer is // enrolled in CAA only for a subset of services. ERROR_NOT_ALL_SERVICES_ENROLLED = 3; // Returned when exception was encountered during evaluation of other // criteria. ERROR_SETUP_CHECK_FAILED = 4; } // Indicates SAA enrollment status of a given workload. optional SetupState setup_status = 1; // Indicates SAA enrollment setup error if any. repeated SetupError setup_errors = 2; } // Supported Assured Workloads Partners. enum Partner { // Unknown partner regime/controls. PARTNER_UNSPECIFIED = 0; // S3NS regime/controls. LOCAL_CONTROLS_BY_S3NS = 1; } // Optional. The resource name of the workload. // Format: // organizations/{organization}/locations/{location}/workloads/{workload} // // Read-only. string name = 1 [(google.api.field_behavior) = OPTIONAL]; // Required. The user-assigned display name of the Workload. // When present it must be between 4 to 30 characters. // Allowed characters are: lowercase and uppercase letters, numbers, // hyphen, and spaces. // // Example: My Workload string display_name = 2 [(google.api.field_behavior) = REQUIRED]; // Output only. The resources associated with this workload. // These resources will be created when creating the workload. // If any of the projects already exist, the workload creation will fail. // Always read only. repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // Required. Immutable. Compliance Regime associated with this workload. ComplianceRegime compliance_regime = 4 [ (google.api.field_behavior) = REQUIRED, (google.api.field_behavior) = IMMUTABLE ]; // Output only. Immutable. The Workload creation timestamp. google.protobuf.Timestamp create_time = 5 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Optional. The billing account used for the resources which are // direct children of workload. This billing account is initially associated // with the resources created as part of Workload creation. // After the initial creation of these resources, the customer can change // the assigned billing account. // The resource name has the form // `billingAccounts/{billing_account_id}`. For example, // `billingAccounts/012345-567890-ABCDEF`. string billing_account = 6 [(google.api.field_behavior) = OPTIONAL]; // Optional. ETag of the workload, it is calculated on the basis // of the Workload contents. It will be used in Update & Delete operations. string etag = 9 [(google.api.field_behavior) = OPTIONAL]; // Optional. Labels applied to the workload. map labels = 10 [(google.api.field_behavior) = OPTIONAL]; // Input only. The parent resource for the resources managed by this Assured Workload. May // be either empty or a folder resource which is a child of the // Workload parent. If not specified all resources are created under the // parent organization. // Format: // folders/{folder_id} string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY]; // Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS // CMEK key is provisioned. // This field is deprecated as of Feb 28, 2022. // In order to create a Keyring, callers should specify, // ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field. KMSSettings kms_settings = 14 [ deprecated = true, (google.api.field_behavior) = INPUT_ONLY ]; // Input only. Resource properties that are used to customize workload resources. // These properties (such as custom project id) will be used to create // workload resources if possible. This field is optional. repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY]; // Output only. Represents the KAJ enrollment state of the given workload. KajEnrollmentState kaj_enrollment_state = 17 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional. Indicates the sovereignty status of the given workload. // Currently meant to be used by Europe/Canada customers. bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL]; // Output only. Represents the SAA enrollment response of the given workload. // SAA enrollment response is queried during GetWorkload call. // In failure cases, user friendly error message is shown in SAA details page. SaaEnrollmentResponse saa_enrollment_response = 20 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Urls for services which are compliant for this Assured Workload, but which // are currently disallowed by the ResourceUsageRestriction org policy. // Invoke RestrictAllowedResources endpoint to allow your project developers // to use these services in their environment." repeated string compliant_but_disallowed_services = 24 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional. Compliance Regime associated with this workload. Partner partner = 25 [(google.api.field_behavior) = OPTIONAL]; } // Operation metadata to give request details of CreateWorkload. message CreateWorkloadOperationMetadata { // Optional. Time when the operation was created. google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. The display name of the workload. string display_name = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. The parent of the workload. string parent = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. Compliance controls that should be applied to the resources managed by // the workload. Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL]; } // Request for restricting list of available resources in Workload environment. message RestrictAllowedResourcesRequest { // The type of restriction. enum RestrictionType { // Unknown restriction type. RESTRICTION_TYPE_UNSPECIFIED = 0; // Allow the use all of all gcp products, irrespective of the compliance // posture. This effectively removes gcp.restrictServiceUsage OrgPolicy // on the AssuredWorkloads Folder. ALLOW_ALL_GCP_RESOURCES = 1; // Based on Workload's compliance regime, allowed list changes. // See - https://cloud.google.com/assured-workloads/docs/supported-products // for the list of supported resources. ALLOW_COMPLIANT_RESOURCES = 2; } // Required. The resource name of the Workload. This is the workloads's // relative path in the API, formatted as // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}". // For example, // "organizations/123/locations/us-east1/workloads/assured-workload-1". string name = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The type of restriction for using gcp products in the Workload environment. RestrictionType restriction_type = 2 [(google.api.field_behavior) = REQUIRED]; } // Response for restricting the list of allowed resources. message RestrictAllowedResourcesResponse { } // Request for acknowledging the violation // Next Id: 4 message AcknowledgeViolationRequest { // Required. The resource name of the Violation to acknowledge. // Format: // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation} string name = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Business justification explaining the need for violation acknowledgement string comment = 2 [(google.api.field_behavior) = REQUIRED]; // Optional. This field is deprecated and will be removed in future version of the API. // Name of the OrgPolicy which was modified with non-compliant change and // resulted in this violation. // Format: // projects/{project_number}/policies/{constraint_name} // folders/{folder_id}/policies/{constraint_name} // organizations/{organization_id}/policies/{constraint_name} string non_compliant_org_policy = 3 [ deprecated = true, (google.api.field_behavior) = OPTIONAL ]; } // Response for violation acknowledgement message AcknowledgeViolationResponse { } // Interval defining a time window. message TimeWindow { // The start of the time window. google.protobuf.Timestamp start_time = 1; // The end of the time window. google.protobuf.Timestamp end_time = 2; } // Request for fetching violations in an organization. message ListViolationsRequest { // Required. The Workload name. // Format `organizations/{org_id}/locations/{location}/workloads/{workload}`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "assuredworkloads.googleapis.com/Violation" } ]; // Optional. Specifies the time window for retrieving active Violations. // When specified, retrieves Violations that were active between start_time // and end_time. TimeWindow interval = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. Page size. int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. Page token returned from previous request. string page_token = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. A custom filter for filtering by the Violations properties. string filter = 5 [(google.api.field_behavior) = OPTIONAL]; } // Response of ListViolations endpoint. message ListViolationsResponse { // List of Violations under a Workload. repeated Violation violations = 1; // The next page token. Returns empty if reached the last page. string next_page_token = 2; } // Request for fetching a Workload Violation. message GetViolationRequest { // Required. The resource name of the Violation to fetch (ie. Violation.name). // Format: // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation} string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "assuredworkloads.googleapis.com/Violation" } ]; } // Workload monitoring Violation. message Violation { option (google.api.resource) = { type: "assuredworkloads.googleapis.com/Violation" pattern: "organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}" }; // Violation State Values enum State { // Unspecified state. STATE_UNSPECIFIED = 0; // Violation is resolved. RESOLVED = 2; // Violation is Unresolved UNRESOLVED = 3; // Violation is Exception EXCEPTION = 4; } // Represents remediation guidance to resolve compliance violation for // AssuredWorkload message Remediation { // Classifying remediation into various types based on the kind of // violation. For example, violations caused due to changes in boolean org // policy requires different remediation instructions compared to violation // caused due to changes in allowed values of list org policy. enum RemediationType { // Unspecified remediation type REMEDIATION_TYPE_UNSPECIFIED = 0; // Remediation type for boolean org policy REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1; // Remediation type for list org policy which have allowed values in the // monitoring rule REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2; // Remediation type for list org policy which have denied values in the // monitoring rule REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3; // Remediation type for gcp.restrictCmekCryptoKeyProjects REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4; } // Instructions to remediate violation message Instructions { // Remediation instructions to resolve violation via gcloud cli message Gcloud { // Gcloud command to resolve violation repeated string gcloud_commands = 1; // Steps to resolve violation via gcloud cli repeated string steps = 2; // Additional urls for more information about steps repeated string additional_links = 3; } // Remediation instructions to resolve violation via cloud console message Console { // Link to console page where violations can be resolved repeated string console_uris = 1; // Steps to resolve violation via cloud console repeated string steps = 2; // Additional urls for more information about steps repeated string additional_links = 3; } // Remediation instructions to resolve violation via gcloud cli Gcloud gcloud_instructions = 1; // Remediation instructions to resolve violation via cloud console Console console_instructions = 2; } // Required. Remediation instructions to resolve violations Instructions instructions = 1 [(google.api.field_behavior) = REQUIRED]; // Values that can resolve the violation // For example: for list org policy violations, this will either be the list // of allowed or denied values repeated string compliant_values = 2; // Output only. Reemediation type based on the type of org policy values violated RemediationType remediation_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Output only. Immutable. Name of the Violation. // Format: // organizations/{organization}/locations/{location}/workloads/{workload_id}/violations/{violations_id} string name = 1 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Output only. Description for the Violation. // e.g. OrgPolicy gcp.resourceLocations has non compliant value. string description = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Time of the event which triggered the Violation. google.protobuf.Timestamp begin_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The last time when the Violation record was updated. google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Time of the event which fixed the Violation. // If the violation is ACTIVE this will be empty. google.protobuf.Timestamp resolve_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Category under which this violation is mapped. // e.g. Location, Service Usage, Access, Encryption, etc. string category = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. State of the violation State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in // this violation. string org_policy_constraint = 8 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Output only. Immutable. Audit Log Link for violated resource // Format: // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{timeRange}{folder} string audit_log_link = 11 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and // resulted this violation. // Format: // projects/{project_number}/policies/{constraint_name} // folders/{folder_id}/policies/{constraint_name} // organizations/{organization_id}/policies/{constraint_name} string non_compliant_org_policy = 12 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; // Output only. Compliance violation remediation Remediation remediation = 13 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. A boolean that indicates if the violation is acknowledged bool acknowledged = 14 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional. Timestamp when this violation was acknowledged last. // This will be absent when acknowledged field is marked as false. optional google.protobuf.Timestamp acknowledgement_time = 15 [(google.api.field_behavior) = OPTIONAL]; // Output only. Immutable. Audit Log link to find business justification provided for violation // exception. Format: // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{protoPayload.methodName}{timeRange}{organization} string exception_audit_log_link = 16 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.field_behavior) = IMMUTABLE ]; }