path: root/contrib/libs/yandex-cloud-api-protos/yandex/cloud/storage/v1/bucket.proto

syntax = "proto3";

package yandex.cloud.storage.v1;

import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";
import "yandex/cloud/validation.proto";

option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/storage/v1;storage";
option java_package = "yandex.cloud.api.storage.v1";

// A bucket resource.
// For details about the concept, see [documentation](/docs/storage/concepts/bucket).
message Bucket {
  // ID of the bucket. Always equal to [name], which has priority.
  string id = 1;

  // Name of the bucket.
  //
  // The name is unique within the platform. For naming limitations and rules, see
  // [documentation](/docs/storage/concepts/bucket#naming).
  string name = 2;

  // ID of the folder that the bucket belongs to.
  string folder_id = 3;

  // Flags for configuring public (anonymous) access to the bucket's content and settings.
  // For details, see [documentation](/docs/storage/concepts/bucket#bucket-access).
  AnonymousAccessFlags anonymous_access_flags = 4;

  // Default storage class for objects in the bucket. Supported classes are standard storage (`STANDARD`), cold storage
  // (`COLD`, `STANDARD_IA`, `NEARLINE` all synonyms), and ice storage (`ICE` and `GLACIER` are synonyms).
  // For details, see [documentation](/docs/storage/concepts/storage-class).
  string default_storage_class = 5;

  // Bucket versioning status.
  // For details, see [documentation](/docs/storage/concepts/versioning).
  Versioning versioning = 6;

  // Maximum size of the bucket, in bytes.
  // For details, see [documentation](/docs/storage/operations/buckets/limit-max-volume).
  int64 max_size = 7;

  // Bucket policies that set permissions for actions with the bucket, its objects, and groups of objects.
  // For details, see [documentation](/docs/storage/concepts/policy).
  google.protobuf.Struct policy = 8;

  // Access control list (ACL) of the bucket.
  // For details, see [documentation](/docs/storage/concepts/acl).
  ACL acl = 9;

  // Creation timestamp.
  google.protobuf.Timestamp created_at = 10;

  // List of rules for cross-domain requests to objects in the bucket (cross-origin resource sharing, CORS).
  // For details, see [documentation](/docs/storage/concepts/cors).
  repeated CorsRule cors = 11;

  // Configuration for hosting a static website in the bucket.
  // For details, see [documentation](/docs/storage/concepts/hosting).
  WebsiteSettings website_settings = 12;

  // List of object lifecycle rules for the bucket.
  // For details, see [documentation](/docs/storage/concepts/lifecycles).
  repeated LifecycleRule lifecycle_rules = 13;

  // List of tags for the bucket.
  // For details, see [documentation](/docs/resource-manager/concepts/labels).
  repeated Tag tags = 14;

  // Configuration for object lock on the bucket.
  // For details about the concept, see [documentation](/docs/storage/concepts/object-lock).
  ObjectLock object_lock = 15;

  // Configuration for bucket's encryption
  // For detauls, see [documentation](/docs/storage/concepts/encryption)
  Encryption encryption = 16;
}

message Tag {
  // Key of the bucket tag.
  string key = 1;
  // Value of the bucket tag.
  string value = 2;
}

message ACL {
  // A grant resource, used to specify the permission granted and the grantee.
  message Grant {
    enum Permission {
      PERMISSION_UNSPECIFIED = 0;

      // Allows grantee the `PERMISSION_WRITE`, `PERMISSION_WRITE_ACP`, `PERMISSION_READ`, and `PERMISSION_READ_ACP`
      // on the bucket.
      //
      // Maps to `x-amz-grant-full-control` header for [bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of
      // Amazon S3-compatible HTTP API.
      PERMISSION_FULL_CONTROL = 1;

      // Allows grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also
      // allows deletions and overwrites of those objects.
      //
      // Maps to `x-amz-grant-write` header for [bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of Amazon
      // S3-compatible HTTP API.
      PERMISSION_WRITE = 2;

      // Allows grantee to write the ACL for the bucket.
      //
      // Maps to `x-amz-grant-write-acp` header for [bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of
      // Amazon S3-compatible HTTP API.
      PERMISSION_WRITE_ACP = 3;

      // Allows grantee to list the objects in the bucket.
      //
      // Maps to `x-amz-grant-read` header for [bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of Amazon
      // S3-compatible HTTP API.
      PERMISSION_READ = 4;

      // Allows grantee to read the bucket ACL
      //
      // Maps to `x-amz-grant-read-acp` header for [bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of
      // Amazon S3-compatible HTTP API.
      PERMISSION_READ_ACP = 5;
    }

    enum GrantType {
      GRANT_TYPE_UNSPECIFIED = 0;

      // A grantee is an [account on the platform](/docs/iam/concepts/#accounts).
      //
      // For this grantee type, you need to specify the user ID in [Bucket.acl.grants.grantee_id] field. To get user ID, see
      // [instruction](/docs/iam/operations/users/get).
      //
      // Maps to using `id="*"` value for `x-amz-grant-*` header ([bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput)
      // method of Amazon S3-compatible HTTP API).
      GRANT_TYPE_ACCOUNT = 1;

      // Grantees are all authenticated users, both from your clouds and other users' clouds. Access
      // permission to this group allows any account on the platform to access the resource via a signed (authenticated)
      // request.
      //
      // Maps to using `uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"` value for `x-amz-grant-*`
      // header ([bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of Amazon S3-compatible HTTP API).
      GRANT_TYPE_ALL_AUTHENTICATED_USERS = 2;

      // Grantees are all internet users. Access permission to this group allows anyone in the world access to the
      // resource via signed (authenticated) or unsigned (anonymous) requests.
      //
      // Maps to using `uri="http://acs.amazonaws.com/groups/global/AllUsers"` value for `x-amz-grant-*` header
      // ([bucketPutAcl](/docs/storage/s3/api-ref/acl/bucketput) method of Amazon S3-compatible HTTP API).
      GRANT_TYPE_ALL_USERS = 3;
    }

    // Permission granted by the grant.
    Permission permission = 1 [(required) = true];

    // The grantee type for the grant.
    GrantType grant_type = 2 [(required) = true];

    // ID of the account who is a grantee. Required when the [grant_type] is `GRANT_TYPE_ACCOUNT`.
    string grantee_id = 3;
  }

  // List of permissions granted and the grantees.
  repeated Grant grants = 1;
}

message AnonymousAccessFlags {
  // Specifies whether public (anonymous) access to read objects in the bucket is enabled.
  google.protobuf.BoolValue read = 1;

  // Specifies whether public (anonymous) access to the list of objects in the bucket is enabled.
  google.protobuf.BoolValue list = 2;

  // Specifies whether public (anonymous) access to read [CORS](/docs/storage/concepts/cors),
  // [static website hosting](/docs/storage/concepts/hosting), and
  // [object lifecycles](/docs/storage/concepts/lifecycles) settings of the bucket is enabled.
  google.protobuf.BoolValue config_read = 3;
}

// A CORS rule resource.
// For details about the concept, see [documentation](/docs/storage/concepts/cors).
message CorsRule {
  // List of HTTP methods that are allowed by the CORS rule.
  //
  // When a client sends a CORS-preflight `options` request with the `Access-Control-Request-Method` header (see
  // S3-compatible API reference](/docs/storage/s3/api-ref/object/options)), the specified method is checked against the
  // list of the allowed methods. If there is a match, all the allowed methods are listed in the
  // `Access-Control-Allow-Methods` header of the response.
  enum Method {
    METHOD_UNSPECIFIED = 0;

    // HTTP `GET` method.
    METHOD_GET = 1;

    // HTTP `HEAD` method.
    METHOD_HEAD = 2;

    // HTTP `POST` method.
    METHOD_POST = 3;

    // HTTP `PUT` method.
    METHOD_PUT = 4;

    // HTTP `DELETE` method.
    METHOD_DELETE = 5;
  }

  // ID of the CORS rule.
  string id = 1;

  // List of HTTP methods allowed by the CORS rule.
  //
  // When a client sends a CORS-preflight `options` request with the `Access-Control-Request-Method` header (see
  // [S3-compatible API reference](/docs/storage/s3/api-ref/object/options)), the specified method is checked against
  // the list of the allowed methods. If there is a match, all the allowed methods are listed in the
  // `Access-Control-Allow-Methods` header of the response.
  repeated Method allowed_methods = 2 [
    (size) = ">0",
    (unique) = true
  ];

  // List of HTTP headers allowed by the CORS rule.
  //
  // When a client sends a CORS-preflight `options` request with the `Access-Control-Request-Headers` header (see
  // [S3-compatible API reference](/docs/storage/s3/api-ref/object/options)), the specified headers are checked against
  // the list of the allowed headers. If there is a match, the specified headers that are allowed are listed in the
  // `Access-Control-Allow-Headers` header of the response.
  //
  // Each string in the list can contain at most one `*` wildcard character that matches 0 or more characters.
  // For example, `x-amz-*` value will allow all Amazon S3-compatible headers.
  repeated string allowed_headers = 3;

  // List of request origins allowed by the CORS rule.
  //
  // Each string in the list can contain at most one `*` wildcard character that matches 0 or more characters.
  // For example, `http://*.example.com` value will allow requests originating from all subdomains of `example.com`.
  repeated string allowed_origins = 4 [(size) = ">0"];

  // List of headers contained in responses to CORS requests that can be accessed by applications.
  repeated string expose_headers = 5;

  // Time in seconds that a client can cache the response to a CORS-preflight request as identified by the
  // object requested, the HTTP method, and the origin.
  google.protobuf.Int64Value max_age_seconds = 6;
}

message WebsiteSettings {
  enum Protocol {
    PROTOCOL_UNSPECIFIED = 0;

    // `http` scheme.
    PROTOCOL_HTTP = 1;

    // `https` scheme.
    PROTOCOL_HTTPS = 2;
  }

  // A configuration resource for redirecting all requests sent to the website.
  message Scheme {
    // Scheme of the redirect URI.
    Protocol protocol = 1;

    // Hostname of the redirect URI.
    string hostname = 2;
  }

  message Condition {
    // HTTP status code (number only) that must match for the redirect to apply.
    string http_error_code_returned_equals = 1;

    // Prefix of the object key from which requests are redirected.
    string key_prefix_equals = 2;
  }

  message Redirect {
    // Hostname of the redirect URI.
    string hostname = 1;

    // HTTP status code of the redirect response.
    //
    // Default value: `"301"`.
    string http_redirect_code = 2 [(pattern) = "3(0[1-9]|[1-9][0-9])"];

    // Scheme of the redirect URI.
    Protocol protocol = 3;

    // Substitution for the prefix of the object key specified in [Condition.key_prefix_equals].
    //
    // At most one of [replace_key_prefix_with] and [replace_key_with] can be specified.
    string replace_key_prefix_with = 4;

    // New object key.
    //
    // At most one of [replace_key_with] and [replace_key_prefix_with] can be specified.
    string replace_key_with = 5;
  }

  // List of redirect rules.
  message RoutingRule {
    // Redirect condition.
    Condition condition = 1;

    // Redirect instructions.
    Redirect redirect = 2;
  }

  // Key of the index page object that is returned when a response is made to the root of the website.
  //
  // Either [index] or [redirect_all_requests] must be specified in order for the bucket to host a static website.
  //
  // If specified, the index page object must be located in the root of the bucket.
  string index = 1;

  // Key of the error page object that is returned when an error occurs.
  string error = 2;

  // Configuration for redirecting all requests sent to the website.
  //
  // Either [redirect_all_requests] or [index] must be specified in order for the bucket to host a static website.
  // If [redirect_all_requests] is specified, it must be the only field in [Bucket.website_settings].
  Scheme redirect_all_requests = 3;

  // List of redirect rules.
  repeated RoutingRule routing_rules = 4;
}

// An object lifecycle rule resource for the bucket.
// For details about the concept, see [documentation](/docs/storage/concepts/lifecycles).
message LifecycleRule {
  message AfterDays {
    // Time period, in number of days from the start of the multipart upload, after which the incomplete upload is
    // aborted.
    google.protobuf.Int64Value days_after_expiration = 1;
  }

  message NoncurrentDeleteMarkers {
    // Time period, in number of days since the version of a delete marker was classified as non-current, after which
    // the delete marker expires.
    google.protobuf.Int64Value noncurrent_days = 1;
  }

  message NoncurrentExpiration {
    // Time period, in number of days since the version of an object was classified as non-current, after which the
    // version expires.
    google.protobuf.Int64Value noncurrent_days = 1;
  }

  // List of transition rules for non-current versions of objects in a bucket with versioning enabled
  // ([Bucket.versioning] is `VERSIONING_ENABLED`) or suspended (`VERSIONING_SUSPENDED`).
  //
  // At transition, the non-current version of the object is transitioned to the specified storage class.
  message NoncurrentTransition {
    // Time period, in number of days since the version of an object was classified as non-current, after which the
    // version is transitioned.
    google.protobuf.Int64Value noncurrent_days = 1;

    // Storage class to which a non-current version of an object is transitioned from standard storage.
    //
    // The only supported class is cold storage (`COLD`, `STANDARD_IA`, `NEARLINE` all synonyms). Transitions from cold
    // to standard storage and transitions to or from ice storage are not allowed.
    string storage_class = 2 [(required) = true];
  }

  // List of transition rules.
  //
  // The transition of an object is described as follows.
  //
  // For the unversioned bucket ([Bucket.versioning] is `VERSIONING_DISABLED`), the object is transitioned to the
  // specified storage class.
  //
  // For the bucket with versioning enabled ([Bucket.versioning] is `VERSIONING_ENABLED`) or suspended
  // (`VERSIONING_SUSPENDED`), the current version of the object is transitioned to the specified storage class.
  message Transition {
    reserved 3;
    // Specific date of object transition.
    //
    // The rule continues to apply even after the date has passed, i.e. any new objects created in the bucket are
    // transitioned immediately.
    //
    // At most one of [date] and [days] fields can be specified.
    google.protobuf.Timestamp date = 1;

    // Time period, in number of days from the creation or modification of the object, after which an object is
    // transitioned.
    //
    // At most one of [days] and [date] fields can be specified.
    google.protobuf.Int64Value days = 2;

    // Storage class to which an object is transitioned from standard storage.
    //
    // The only supported class is cold storage (`COLD`, `STANDARD_IA`, `NEARLINE` all synonyms). Transitions from cold
    // to standard storage and transitions to or from ice storage are not allowed.
    string storage_class = 4 [(required) = true];
  }

  message Expiration {
    // Specific date of object expiration.
    //
    // The rule continues to apply even after the date has passed, i.e. any new objects created in the bucket expire
    // immediately.
    //
    // Exactly one of [date], [days], and [expired_object_delete_marker] fields can be specified.
    google.protobuf.Timestamp date = 1;

    // Time period, in number of days from the creation or modification of the object, after which an object expires.
    //
    // Exactly one of [days], [date], and [expired_object_delete_marker] fields can be specified.
    google.protobuf.Int64Value days = 2;

    // Indicates whether a delete marker of an object with no non-current versions (referred to as an expired object
    // delete marker) is removed at the object's expiration.
    //
    // Exactly one of [expired_object_delete_marker], [date], and [days] fields can be specified.
    google.protobuf.BoolValue expired_object_delete_marker = 3;
  }

  message RuleFilter {
    message And {
      string prefix = 1;
      google.protobuf.Int64Value object_size_greater_than = 2;
      google.protobuf.Int64Value object_size_less_than = 3;
      repeated Tag tag = 4;
    }
    // Key prefix that the object must have in order for the rule to apply.
    string prefix = 1;
    // Size that the object must be greater.
    google.protobuf.Int64Value object_size_greater_than = 2;
    // Size that the object must be less t.
    google.protobuf.Int64Value object_size_less_than = 3;
    // Tags that the object's tag set must have for the rule to apply.
    Tag tag = 4;
    // Apply a logical AND to all of the predicates configured inside the And operator.
    And and_operator = 5;
  }

  // ID of the rule. Provided by the client or generated at creation time.
  google.protobuf.StringValue id = 1;

  // Indicates whether the rule is in effect.
  bool enabled = 2;

  // Filter that identifies the objects to which the rule applies.
  //
  // If not specified, the rule applies to all objects in the bucket.
  RuleFilter filter = 3;

  // Expiration rule.
  //
  // The expiration of an object is described as follows.
  //
  // For the unversioned bucket ([Bucket.versioning] is `VERSIONING_DISABLED`), the object is deleted and cannot be
  // recovered.
  //
  // For the bucket with versioning enabled ([Bucket.versioning] is `VERSIONING_ENABLED`), the current version of the
  // object (if it exists and is not a delete marker) is retained as a non-current version, and a delete marker becomes
  // the current version of the object.
  //
  // For the bucket with versioning suspended ([Bucket.versioning] is `VERSIONING_SUSPENDED`), the current version of
  // the object is retained as a non-current version if it is not a delete marker, or is removed otherwise, and a
  // delete marker becomes the current version of the object.
  Expiration expiration = 4;

  // List of transition rules.
  //
  // The transition of an object is described as follows.
  //
  // For the unversioned bucket ([Bucket.versioning] is `VERSIONING_DISABLED`), the object is transitioned to the
  // specified storage class.
  //
  // For the bucket with versioning enabled ([Bucket.versioning] is `VERSIONING_ENABLED`) or suspended
  // (`VERSIONING_SUSPENDED`), the current version of the object is transitioned to the specified storage class.
  repeated Transition transitions = 5;

  // Configuration for aborting incomplete [multipart uploads](/docs/storage/concepts/multipart).
  AfterDays abort_incomplete_multipart_upload = 6;

  // Expiration rule for non-current versions of objects in a bucket with versioning enabled ([Bucket.versioning] is
  // `VERSIONING_ENABLED`) or suspended (`VERSIONING_SUSPENDED`).
  //
  // At expiration, the non-current version of the object is deleted and cannot be recovered.
  NoncurrentExpiration noncurrent_expiration = 7;

  // List of transition rules for non-current versions of objects in a bucket with versioning enabled
  // ([Bucket.versioning] is `VERSIONING_ENABLED`) or suspended (`VERSIONING_SUSPENDED`).
  //
  // At transition, the non-current version of the object is transitioned to the specified storage class.
  repeated NoncurrentTransition noncurrent_transitions = 8;

  // Expiration rule for non-current delete markers of an objects in a bucket with versioning
  // enabled ([Bucket.versioning] is `VERSIONING_ENABLED`) or suspended (`VERSIONING_SUSPENDED`).
  // Works in the same way as noncurrent_expiration rule, but only for delete markers.
  //
  // At expiration, the non-current delete marker of the object is deleted and cannot be recovered.
  NoncurrentDeleteMarkers noncurrent_delete_markers = 9;
}

enum Versioning {
  VERSIONING_UNSPECIFIED = 0;

  // The bucket is unversioned, i.e. versioning has never been enabled for the bucket, including at its creation.
  // Objects that are stored in the bucket have a version ID of `null`.
  //
  // To enable versioning, change status to `VERSIONING_ENABLED` via a [BucketService.Update] request. Note that this
  // action is irreversible, and a bucket with versioning enabled can never return to `VERSIONING_DISABLED` state.
  VERSIONING_DISABLED = 1;

  // Bucket versioning is enabled, i.e. all new objects are versioned and given a unique version ID, and objects that
  // already existed at the time versioning was enabled will be versioned and given a unique version ID when modified
  // by future requests.
  //
  // To suspend versioning, change status to `VERSIONING_SUSPENDED` via a [BucketService.Update] request. You cannot
  // disable versioning altogether for a bucket that already had it enabled; objects that had version IDs will keep
  // them.
  VERSIONING_ENABLED = 2;

  // Bucket versioning is suspended, i.e. new objects are not versioned, but objects that already existed at the time
  // versioning was suspended are still versioned and keep their version IDs.
  //
  // To resume versioning, change status to `VERSIONING_ENABLED` via a [BucketService.Update] request.
  VERSIONING_SUSPENDED = 3;
}

message Counters {
  // Total size of objects uploaded in single operation, in bytes.
  int64 simple_object_size = 1;

  // Number of objects uploaded in single operation.
  int64 simple_object_count = 2;

  // Total size of uploaded parts in incomplete multipart uploads, in bytes.
  int64 objects_parts_size = 3;

  // Number of uploaded parts in incomplete multipart uploads.
  int64 objects_parts_count = 4;

  // Total size of objects uploaded in multiple parts, in bytes.
  int64 multipart_objects_size = 5;

  // Number of objects uploaded in multiple parts.
  int64 multipart_objects_count = 6;

  // Number of incomplete multipart uploads.
  int64 active_multipart_count = 7;
}

// A resource for size of available space in a bucket for a storage class.
message OptionalSizeByClass {
  // Storage class. Supported classes are standard storage (`STANDARD`), cold storage (`COLD`, `STANDARD_IA`, `NEARLINE`
  // all synonyms), and ice storage (`ICE` and `GLACIER` are synonyms).
  // For details, see [documentation](/docs/storage/concepts/storage-class).
  string storage_class = 1;

  // Size of available space in the bucket for the storage class.
  google.protobuf.Int64Value class_size = 2;
}

// A resource for size of used space in a bucket for a storage class.
message SizeByClass {
  // Storage class. Supported classes are standard storage (`STANDARD`), cold storage (`COLD`, `STANDARD_IA`, `NEARLINE`
  // all synonyms), and ice storage (`ICE` and `GLACIER` are synonyms).
  // For details, see [documentation](/docs/storage/concepts/storage-class).
  string storage_class = 1;

  // Size of used space in the bucket for the storage class.
  int64 class_size = 2;
}

// A resource for object-related statistics for a storage class by type of upload (simple vs. multipart).
message CountersByClass {
  // Storage class. Supported classes are standard storage (`STANDARD`), cold storage (`COLD`, `STANDARD_IA`, `NEARLINE`
  // all synonyms), and ice storage (`ice` and `GLACIER` are synonyms).
  // For details, see [documentation](/docs/storage/concepts/storage-class).
  string storage_class = 1;

  // Object-related statistics for the storage class by type of upload.
  Counters counters = 2;
}

// A bucket statistics resource.
message BucketStats {
  // Name of the bucket.
  string name = 1;

  // Maximum size of the bucket, in bytes.
  google.protobuf.Int64Value max_size = 2;

  // Size of used space in the bucket, in bytes.
  int64 used_size = 3;

  // Size of available space in the bucket by storage class, in bytes.
  repeated OptionalSizeByClass storage_class_max_sizes = 4;

  // Size of used space in the bucket by storage class, in bytes.
  repeated SizeByClass storage_class_used_sizes = 5;

  // Object-related statistics by storage class and type of upload (simple vs. multipart), in bytes.
  repeated CountersByClass storage_class_counters = 6;

  // Default storage class for objects in the bucket. Supported classes are standard storage (`STANDARD`), cold storage
  // (`COLD`, `STANDARD_IA`, `NEARLINE` all synonyms), and ice storage (`ICE` and `GLACIER` are synonyms).
  // For details, see [documentation](/docs/storage/concepts/storage-class).
  google.protobuf.StringValue default_storage_class = 7;

  // Flags for configuring public (anonymous) access to the bucket's content and settings.
  // For details, see [documentation](/docs/storage/concepts/bucket#bucket-access).
  AnonymousAccessFlags anonymous_access_flags = 8;

  // Bucket creation timestamp.
  google.protobuf.Timestamp created_at = 9;

  // Bucket latest update timestamp.
  google.protobuf.Timestamp updated_at = 10;
}

// A resource for HTTPS configuration of a bucket.
message HTTPSConfig {
  // A resource for type of TLS certificate source.
  enum SourceType {
    SOURCE_TYPE_UNSPECIFIED = 0;

    // Your certificate, uploaded directly.
    SOURCE_TYPE_SELF_MANAGED = 1;

    // Certificate managed by Certificate Manager.
    SOURCE_TYPE_MANAGED_BY_CERTIFICATE_MANAGER = 2;
  }

  // Name of the bucket.
  string name = 1;

  // Type of TLS certificate source.
  SourceType source_type = 2;

  // Issuer of the TLS certificate.
  google.protobuf.StringValue issuer = 3;

  // Subject of the TLS certificate.
  google.protobuf.StringValue subject = 4;

  // List of DNS names of the TLS certificate (Subject Alternative Name field).
  repeated string dns_names = 5;

  // Start of the TLS certificate validity period (Not Before field).
  google.protobuf.Timestamp not_before = 6;

  // End of the TLS certificate validity period (Not After field)
  google.protobuf.Timestamp not_after = 7;

  // ID of the TLS certificate in Certificate Manager.
  //
  // To get information about the certificate from Certificate Manager, make a
  // [yandex.cloud.certificatemanager.v1.CertificateService.Get] request.
  string certificate_id = 8;
}

// A resource for Object Lock configuration of a bucket.
// For details about the concept, see [documentation](/docs/storage/concepts/object-lock).
message ObjectLock {
  // Activity status of the object lock settings on the bucket
  enum ObjectLockStatus {
    OBJECT_LOCK_STATUS_UNSPECIFIED = 0;
    OBJECT_LOCK_STATUS_DISABLED = 1;
    OBJECT_LOCK_STATUS_ENABLED = 2;
  }

  // Default lock configuration for added objects
  message DefaultRetention {
    // Lock type
    enum Mode {
      MODE_UNSPECIFIED = 0;
      MODE_GOVERNANCE = 1;
      MODE_COMPLIANCE = 2;
    }

    Mode mode = 1;
    oneof period {
      option (exactly_one) = true;

      // Number of days for locking
      int64 days = 2;
      // Number of years for locking
      int64 years = 3;
    }
  }

  ObjectLockStatus status = 2;
  DefaultRetention default_retention = 3;
}

message Encryption {
  message EncryptionRule {
    string kms_master_key_id = 1;
    string sse_algorithm = 2;
  }

  repeated EncryptionRule rules = 1;
}