go.mondoo.com/cnquery@v0.0.0-20231005093811-59568235f6ea/providers-sdk/v1/inventory/inventory.proto

// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

syntax = "proto3";
package cnquery.providers.v1;
option go_package = "go.mondoo.com/cnquery/providers-sdk/v1/inventory";

import "providers-sdk/v1/vault/vault.proto";
import "providers-sdk/v1/upstream/upstream.proto";

enum State {
  STATE_UNKNOWN = 0;
  // eg. permission or io error
  STATE_ERROR = 1;

  // run time states
  STATE_PENDING = 2;
  STATE_RUNNING = 3;
  STATE_STOPPING = 4;
  STATE_STOPPED = 5;
  STATE_SHUTDOWN = 6;
  STATE_TERMINATED = 7;
  STATE_REBOOT = 8;

  // static states
  STATE_ONLINE = 9;
  STATE_OFFLINE = 10;

  // the asset is marked as deleted
  STATE_DELETED = 11;
}

enum AssetCategory {
  CATEGORY_INVENTORY = 0;
  CATEGORY_CICD = 1;
}

message Asset {
  reserved 30;
  string id = 1;
  string mrn = 2;
  string name = 3;

  // 3rd-party platform id eg. amazon arn, gcp resource name or ssh host key
  repeated string platform_ids = 4;

  // asset state
  State state = 5;

  Platform platform = 6;

  // key is a lower case string of connection type
  repeated Config connections = 17;

  // labeled assets can be searched by labels
  map<string, string> labels = 18;

  // additional information that is not touched by the system
  map<string, string> annotations = 19;

  // additional options for that asset
  map<string, string> options = 20;

  // platform id detection mechanisms
  repeated string id_detector = 31;

  // indicator is this is an inventory object or a CI/CD run
  AssetCategory category = 32;

  repeated Asset related_assets = 33;

  string managed_by = 34;

  // optional url that can be used to access the asset via a browser
  string url = 35;

  string kind_string = 36;
}

// FIXME: DEPRECATED, remove in v10.0 (or later) vv
enum ProviderType {
  LOCAL_OS = 0;
  DOCKER_ENGINE_IMAGE = 1;
  DOCKER_ENGINE_CONTAINER = 2;
  SSH = 3;
  WINRM = 4;
  AWS_SSM_RUN_COMMAND = 5;
  CONTAINER_REGISTRY = 6;
  TAR = 7;
  MOCK = 8;
  VSPHERE = 9;
  ARISTAEOS = 10;
  reserved 11;
  AWS = 12;
  GCP = 13;
  AZURE = 14;
  MS365 = 15;
  IPMI = 16;
  VSPHERE_VM = 17;
  FS = 18;
  K8S = 19;
  EQUINIX_METAL = 20;
  DOCKER = 21; // unspecified if this is a container or image
  GITHUB = 22;
  VAGRANT = 23;
  AWS_EC2_EBS = 24;
  GITLAB = 25;
  TERRAFORM = 26;
  HOST = 27;
  UNKNOWN = 28;
  OKTA = 29;
  GOOGLE_WORKSPACE = 30;
  SLACK = 31;
  VCD = 32;
  OCI = 33;
  OPCUA = 34;
  GCP_COMPUTE_INSTANCE_SNAPSHOT =35;
}

message Config {
  reserved 6, 7, 9, 10, 20;
  // FIXME: DEPRECATED, remove in v10.0 (or later) vv
  // This is replaced by type. We use a different number here so it doesn't
  // conflict with the old "backend" while allowing us to load the field from yaml.
  ProviderType backend = 28;
  DeprecatedV8_Kind kind = 24;
  // ^^

  string host = 2;
  // Ports are not int by default, eg. docker://centos:latest parses a string as port
  // Therefore it is up to the provider to convert the port to what they need
  int32 port = 3;
  string path = 4;
  uint32 id = 5;
  string type = 12;

  // credentials available for this provider configuration
  repeated Credential credentials = 11;

  bool insecure = 8;  // disable ssl/tls checks
  Sudo sudo = 21;
  bool record = 22;

  map<string,string> options = 23;

  // flags for additional asset discovery
  Discovery discover = 27;
  // additional platform information, passed-through
  string runtime = 25;
  // configuration to uniquely identify an specific asset for multi-asset api connection
  string platform_id = 26;
  repeated string capabilities = 29;
}

message Sudo {
  bool active = 1;
  string user = 2;
  string shell = 3;
  string executable = 4;
}

message Discovery {
  repeated string targets = 1;
  map<string,string> filter = 2;
}

enum DeprecatedV8_Kind {
  KIND_UNKNOWN = 0;

  // at rest
  KIND_VIRTUAL_MACHINE_IMAGE = 1;
  KIND_CONTAINER_IMAGE = 2;
  KIND_CODE = 3;
  KIND_PACKAGE = 4;

  // in motion
  KIND_VIRTUAL_MACHINE = 5;
  KIND_CONTAINER = 6;
  KIND_PROCESS = 7;
  KIND_API = 8;
  KIND_BARE_METAL = 9;
  KIND_NETWORK = 10;
  KIND_K8S_OBJECT = 11;
  KIND_AWS_OBJECT = 12;
  KIND_GCP_OBJECT = 13;
  KIND_AZURE_OBJECT= 14;
}

message Platform {
  string name = 1;
  string arch = 3;
  string title = 4;
  repeated string family = 5;
  string build = 6;
  string version = 7;
  string kind = 8;

  // FIXME: DEPRECATED, remove in v10 vv
  DeprecatedV8_Kind deprecated_v8_kind = 20;
  // ^^

  string runtime = 21;
  map<string, string> labels = 22;
}

// NOTE: the k8s types are apache 2 licenced and copied from
// https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/generated.proto

// TypeMeta describes an individual object in an API response or request
// with strings representing the type of the object and its API schema version.
// Structures that are versioned or persisted should inline TypeMeta.
message TypeMeta {
  // Kind is a string value representing the REST resource this object represents.
  // Servers may infer this from the endpoint the client submits requests to.
  // Cannot be updated.
  // In CamelCase.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  // +optional
  string kind = 1;

  // APIVersion defines the versioned schema of this representation of an object.
  // Servers should convert recognized schemas to the latest internal value, and
  // may reject unrecognized values.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  // +optional
  string apiVersion = 2;
}


// ObjectMeta is metadata that all persisted resources must have, which includes all objects
// users must create.
message ObjectMeta {
  // Name must be unique within a namespace. Is required when creating resources, although
  // some resources may allow a client to request the generation of an appropriate name
  // automatically. Name is primarily intended for creation idempotence and configuration
  // definition.
  // Cannot be updated.
  // More info: http://kubernetes.io/docs/user-guide/identifiers#names
  // +optional
  string name = 1;

  // Namespace defines the space within which each name must be unique. An empty namespace is
  // equivalent to the "default" namespace, but "default" is the canonical representation.
  // Not all objects are required to be scoped to a namespace - the value of this field for
  // those objects will be empty.
  //
  // Must be a DNS_LABEL.
  // Cannot be updated.
  // More info: http://kubernetes.io/docs/user-guide/namespaces
  // +optional
  string namespace = 3;

  // Map of string keys and values that can be used to organize and categorize
  // (scope and select) objects. May match selectors of replication controllers
  // and services.
  // More info: http://kubernetes.io/docs/user-guide/labels
  // +optional
  map<string, string> labels = 11;

  // Annotations is an unstructured key value map stored with a resource that may be
  // set by external tools to store and retrieve arbitrary metadata. They are not
  // queryable and should be preserved when modifying objects.
  // More info: http://kubernetes.io/docs/user-guide/annotations
  // +optional
  map<string, string> annotations = 12;

  // List of objects depended by this object. If ALL objects in the list have
  // been deleted, this object will be garbage collected. If this object is managed by a controller,
  // then an entry in this list will point to this controller, with the controller field set to true.
  // There cannot be more than one managing controller.
  // +optional
  // +patchMergeKey=uid
  // +patchStrategy=merge
  repeated OwnerReference ownerReferences = 13;
}

// Time is a wrapper around time.Time which supports correct
// marshaling to YAML and JSON.  Wrappers are provided for many
// of the factory methods that the time package offers.
//
// +protobuf.options.marshal=false
// +protobuf.as=Timestamp
// +protobuf.options.(gogoproto.goproto_stringer)=false
message Time {
  // Represents seconds of UTC time since Unix epoch
  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
  // 9999-12-31T23:59:59Z inclusive.
  int64 seconds = 1;

  // Non-negative fractions of a second at nanosecond resolution. Negative
  // second values with fractions must still have non-negative nanos values
  // that count forward in time. Must be from 0 to 999,999,999
  // inclusive. This field may be limited in precision depending on context.
  int32 nanos = 2;
}

// OwnerReference contains enough information to let you identify an owning
// object. An owning object must be in the same namespace as the dependent, or
// be cluster-scoped, so there is no namespace field.
// +structType=atomic
message OwnerReference {
  // API version of the referent.
  string apiVersion = 5;

  // Kind of the referent.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  string kind = 1;

  // Name of the referent.
  // More info: http://kubernetes.io/docs/user-guide/identifiers#names
  string name = 3;

  // UID of the referent.
  // More info: http://kubernetes.io/docs/user-guide/identifiers#uids
  string uid = 4;
}

// Inventory declares the all assets and their credentials
message Inventory {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  ObjectMeta metadata = 1;

  // Specification of the desired behavior of the Inventory.
  InventorySpec spec = 2;

  // Most recently observed status of the Inventory.
  InventoryStatus status = 3;
}

message InventorySpec {
  repeated Asset assets = 1;
  map<string, Credential> credentials = 2;
  VaultConfiguration vault = 3;
  string credential_query = 4;

  // optional: the upstream credentials to use for the inventory
  mondoo.cnquery.upstream.v1.ServiceAccountCredentials upstream_credentials = 16;
}

message InventoryStatus {}