
tf_types/generated/
policy.rs

1// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
2
3#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
4
5use serde::{Deserialize, Serialize};
6use super::*;
7
/// Declarative policy definition referenced by TF-0004. Backend-agnostic (Cedar, Rego, custom, native, none).
///
/// Evaluation order, as documented on the fields: `rules` are tried top-to-bottom until one
/// yields a decision, and `negative_capabilities` override any grant regardless of rule order.
/// The derive performs shape validation only; cross-field checks (rules that match nothing,
/// quorum defaults larger than the approver list) have to happen after deserialization.
///
/// NOTE(review): serde ignores unknown keys by default, so a misspelled key in a manifest
/// (e.g. in the denial list) deserializes silently as "absent" — a fail-open path for a
/// security policy. If the schema forbids additional properties, the generator should emit
/// `#[serde(deny_unknown_fields)]` here; this file is generated, so do not patch it by hand.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct Policy {
    /// Version of the policy manifest schema itself.
    pub policy_version: Policy_PolicyVersion,
    /// Trust domain this policy applies within.
    pub trust_domain: TrustDomain,
    /// Policy engine that interprets this manifest.
    ///
    /// Optional: omitted on the wire when `None`; a missing key deserializes as `None`
    /// (same for every `Option` field below carrying the same serde attributes).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub engine_hint: Option<Policy_EngineHint>,
    /// Policy rules evaluated top-to-bottom until a match yields a decision.
    ///
    /// Required on the wire, but nothing here prevents an empty list.
    pub rules: Vec<Rule>,
    /// Explicit denials that override grants regardless of rule order.
    ///
    /// `None` (key absent) and `Some(vec![])` (key present, empty) are distinct values
    /// after deserialization — presumably equivalent for evaluation; confirm against the engine.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub negative_capabilities: Option<Vec<NegativeCapability>>,
    /// Default quorum settings when a rule requests quorum approval without specifying one.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub quorum_defaults: Option<Policy_QuorumDefaults>,
    /// When live sessions must re-check this policy during execution.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub continuous_reevaluation: Option<Policy_ContinuousReevaluation>,
}
30
/// When live sessions must re-check this policy during execution.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct Policy_ContinuousReevaluation {
    /// Events that force a re-evaluation of in-flight authorizations.
    ///
    /// Free-form strings at this level: the type does not constrain them to a known set,
    /// so an unrecognised trigger name is accepted here and must be caught by the engine
    /// (otherwise a typo silently disables that re-check). List may be empty.
    pub triggers: Vec<String>,
}
37
/// Policy engine that interprets this manifest.
///
/// Wire representation is the lowercase string given by each `rename`; any other string
/// is a deserialization error.
///
/// NOTE(review): the `None` variant shares its name with `Option::None`. That is harmless
/// through the qualified path `Policy_EngineHint::None`, but a glob import of these variants
/// would shadow `Option::None` in that scope.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Policy_EngineHint {
    #[serde(rename = "cedar")]
    Cedar,
    #[serde(rename = "rego")]
    Rego,
    #[serde(rename = "custom")]
    Custom,
    #[serde(rename = "native")]
    Native,
    /// No external engine; exact meaning for evaluation is defined by the consumer, not here.
    #[serde(rename = "none")]
    None,
}
52
/// Version of the policy manifest schema itself.
///
/// Only `"1"` is accepted; a manifest carrying any other version string fails to
/// deserialize rather than being interpreted under the wrong schema.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Policy_PolicyVersion {
    #[serde(rename = "1")]
    V1,
}
59
/// Default quorum settings when a rule requests quorum approval without specifying one.
///
/// The derive does not relate the two fields: `min_approvers` may be zero or negative and
/// may exceed `of.len()`. Callers should validate after deserialization — a value of `0`
/// would make a quorum rule satisfiable with no approvals.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct Policy_QuorumDefaults {
    /// Minimum number of approvers required.
    ///
    /// Signed because the generator maps the schema integer to `i64`; the schema presumably
    /// constrains it to a positive value — confirm, and reject `<= 0` at load time.
    pub min_approvers: i64,
    /// Eligible approvers.
    pub of: Vec<ActorId>,
}
68
/// A single policy rule.
///
/// Matching fields (`action`, `action_pattern`, `subject_pattern`, `target_patterns`,
/// `risk_at_most`) are all optional; which subset is required for a rule to be well-formed
/// is not expressed in the type and should be validated at load time, since a rule with no
/// matcher presumably applies to every action.
///
/// NOTE(review): `action_pattern` and `subject_pattern` are regexes taken from the manifest.
/// Compile them once at load time with a pattern-size limit and fail the load on error,
/// rather than compiling per decision; a pattern that fails to compile must not be treated
/// as "matches nothing" by a deny rule.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct Rule {
    /// Rule identifier, used in proofs and audit logs.
    ///
    /// Uniqueness across `Policy::rules` is not enforced by the type.
    pub id: String,
    /// Decision produced when the rule matches.
    pub effect: Rule_Effect,
    /// Exact action this rule applies to.
    ///
    /// Takes precedence over `action_pattern` when both are set.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub action: Option<ActionName>,
    /// Regex (ECMAScript) matched against action names when an exact action is not set.
    ///
    /// NOTE(review): the ECMAScript dialect allows backreferences and lookaround, which the
    /// Rust `regex` crate does not support; the engine either uses a compatible matcher or
    /// rejects such patterns at load time — confirm which.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub action_pattern: Option<String>,
    /// Regex matched against the subject actor URI.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub subject_pattern: Option<String>,
    /// Glob patterns matched against the action target.
    ///
    /// `None` and `Some(vec![])` are distinct after deserialization; whether an empty list
    /// matches no target or every target is decided by the engine, not here.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub target_patterns: Option<Vec<String>>,
    /// Rule applies only to actions whose risk is at or below this class.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub risk_at_most: Option<RiskClass>,
    /// Minimum proof level demanded when this rule applies.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub proof_required: Option<ProofLevel>,
    /// Approval requirement demanded when this rule applies.
    ///
    /// When a quorum is requested without its own settings, `Policy::quorum_defaults` applies.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub approval: Option<ApprovalRequirement>,
    /// Additional constraints attached by this rule.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub constraints: Option<Vec<Constraint>>,
    /// Human-readable reason emitted in the decision.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub reason: Option<String>,
}
104
/// Decision produced when the rule matches.
///
/// Wire representation is the snake_case string given by each `rename`. The precise
/// semantics of `Escalate` and `LogOnly` are defined by the evaluating engine, not by this
/// type; in particular, whether `LogOnly` is treated as a grant should be confirmed there.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Rule_Effect {
    #[serde(rename = "allow")]
    Allow,
    #[serde(rename = "deny")]
    Deny,
    #[serde(rename = "escalate")]
    Escalate,
    #[serde(rename = "log_only")]
    LogOnly,
}