blob: c975c251fc8364579807d0d59d5a85d7dd6aae6d [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto3";
package host;
option go_package = "chromium.googlesource.com/enterprise/cel/go/host";
import "schema/asset/network.proto";
import "schema/common/file_reference.proto";
import "schema/common/validation.proto";
import "schema/gcp/compute/compute-api.proto";
import "schema/gcp/cloudkms/cloudkms-api.proto";
import "google/iam/admin/v1/iam.proto";
// GCP project hosting.
message Project {
// The project name. In GCP, this serves as the project ID.
//
// E.g. `my-project-123`.
string name = 1 [(common.v).type = ORGLABEL];
// The default zone to use when constructing resources. The |zone| also
// implicitly defines the region. See
// https://cloud.google.com/compute/docs/regions-zones/ for an up-to-date
// list of regions and zones.
//
// Only the zone identifier should be entered here. E.g. "us-west1-a"
string zone = 2 [(common.v).type = LABEL];
// Project
compute.Project project = 100 [(common.v).type = OUTPUT];
}
// Stackdriver log settings.
message LogSettings {
// Name of log used for administrative messages. These are logged during the
// deployment process and also when an instance is started / configured /
// shutdown.
string admin_log = 1 [(common.v).type = LABEL];
}
// Google Cloud Storage bucket to use for deployment and metadata management
// purposes.
//
// The storage configured here must exist throughout the entire lifetime of the
// lab. In addition, the bucket should ideally belong to the same project as
// the lab.
//
// TODO(asanka): Should include ways to configure retention of objects, and
// perhaps customize ACLs.
message Storage {
// Name of the GCS bucket. No `gs:` prefix. Just the name.
string bucket = 1 [(common.v).type = REQUIRED];
// A prefix to attach to every named object stored in the GCS bucket. If left
// empty, the default prefix of cel-config will be used.
//
// The prefix must not end in a forward slash, though it can contain forward
// slashes.
//
// A lab will not access objects outside of the prefix. Hence the prefix used
// at deployment time must be passed along to the client instances. All
// object references are validated against the prefix. The CEL toolchain will
// handle this for you. However, it does mean that object references created
// against one prefix will not work with another.
string prefix = 2;
// The time at which the storage bucket was created as a RFC 3339 formatted
// string.
string created_on = 10 [(common.v).type = OUTPUT];
}
// Dependencies are things that aren't referred to directly by an asset
// manifest, but can be referred to by other host environment settings.
// Describes a GCE source disk image. See
// https://cloud.google.com/compute/docs/images#image_families
//
// The image can be specified either using the project/family pair or using a
// direct URL. During asset resolution, a project/family pair will be resolved
// into a URL. I.e. a resolved Image{} resource always contains the URL of the
// selected image.
message Image {
// Name of the image. Used within the host environment schema to refer to
// this image.
string name = 1;
message Family {
// The GCP project providing the image. Not a foreign key into Project
// though since it is legal to refer to images provided by external
// projects.
string project = 1 [(common.v).type = ORGLABEL];
// The GCP Image family name. Combined with the |project| field, the
// |family| is used to locate the GCP image family. If the |url| is not
// specified, then the resolver will pick the latest available image from
// this family and populate the URL with it.
string family = 2 [(common.v).type = LABEL];
}
oneof source {
// If specified, indicates that the latest image matching project/family
// should be used as the base.
Family latest = 2;
// The full or partial URL to the disk image. If this is specified, then
// the |project| and |family| values are ignored.
string fixed = 3;
}
// Additional packages that should be applied to this image. The
// interpretation of this field is dependent on the type of machine being
// built. For example when building a WindowsMachine, these entries are
// prepended to the list of 'windows_feature' values for the machine.
repeated string package = 4;
// Output. Will contain the resolved base image URL on success.
string url = 5 [(common.v).type = OUTPUT];
}
message NestedVM {
// The image to use. It's a gs://path.
string image = 1 [(common.v).type = REQUIRED];
// The user name & password used to log in through ssh.
string user_name = 2;
string password = 3;
}
// Describes a type of machine (virtual or otherwise).
//
// Not to be confused with GCE machine type. I.e.
// These are not https://cloud.google.com/compute/docs/machine-types
message MachineType {
// Name is used to match machine type name from asset description.
string name = 1;
// One of the following will be used to resolve this machine type.
oneof base {
// InstanceProperties are used for constructing a new GCE instance.
//
// The instance_properties.AttachedDisk.Source can refer to an image name
// using the syntax "${host.image.<imagename>.url}" where <imagename> is
// the name of an Image object in the enclosing HostEnvironment.
compute.InstanceProperties instance_properties = 5;
// An instance template to use for constructing a new GCE instance. Should
// be a full or a partial URL.
string instance_template = 6 [(common.v).type = REQUIRED];
NestedVM nested_vm = 7;
}
}
// Describes an external address pool.
message AddressPool {
// Name of address pool. Used for matching incoming references from an asset
// description.
string name = 1;
// Static literal addresses.
repeated asset.Address fixed_address = 2;
// GCE reserved addresses by exact address name. Should refer to external
// addresses.
repeated string reserved_address = 3;
// GCE reserved addresses by regex. The provided regular expression must
// match the entire name. The reserved address must be an external address.
//
// E.g.:
// reserved_address_regex: "foo.*"
// ... matches "foobar", but not "egfoox"
repeated string reserved_address_regex = 4;
}
message Startup {
// Windows startup file. Must be a Powershell ps1 file.
common.FileReference win_startup = 100 [(common.v).type = OUTPUT];
// Windows CEL Agent executable.
common.FileReference win_agent_x64 = 101 [(common.v).type = OUTPUT];
// Linux startup file.
common.FileReference linux_startup = 102 [(common.v).type = OUTPUT];
// Linux CEL Agent executable.
common.FileReference linux_agent_x64 = 103 [(common.v).type = OUTPUT];
}
// Base support resources that must exist at the time the lab assets are
// deployed.
//
// These values are output only and are determined at deployment time. They are
// part of the schema so that on-host logic can refer to these values at
// runtime and so that these values will appear in the completed asset
// manifest.
message RuntimeSupport {
// The GCP service account that will be used on all lab VMs.
google.iam.admin.v1.ServiceAccount service_account = 100
[(common.v).type = OUTPUT];
// CryptoKey used for encrypting/decrypting privileged information between
// the deployer and the instance VMs.
cloudkms.CryptoKey crypto_key = 101 [(common.v).type = OUTPUT];
// Startup dependencies.
Startup startup = 102 [(common.v).type = REQUIRED];
}
message HostEnvironment {
Project project = 1 [(common.v).type = REQUIRED];
Storage storage = 2 [(common.v).type = REQUIRED];
LogSettings log_settings = 3 [(common.v).type = REQUIRED];
repeated MachineType machine_type = 10 [(common.v).type = TOPLEVEL];
repeated AddressPool address_pool = 11 [(common.v).type = TOPLEVEL];
repeated Image image = 12 [(common.v).type = TOPLEVEL];
// Determined at deployment time.
RuntimeSupport resources = 100 [(common.v).type = OUTPUT];
}