From 05205e25e62d68648afbcce331872cd84d64cf01 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 17 Feb 2026 11:02:58 +0000 Subject: [PATCH] Publish proto files from c41082c0d --- endpoints.md | 2 + nebius/compute/v1/network_interface.proto | 10 + nebius/vpc/v1/security_group.proto | 51 +++++ nebius/vpc/v1/security_group_service.proto | 107 +++++++++ nebius/vpc/v1/security_rule.proto | 240 +++++++++++++++++++++ nebius/vpc/v1/security_rule_service.proto | 90 ++++++++ 6 files changed, 500 insertions(+) create mode 100644 nebius/vpc/v1/security_group.proto create mode 100644 nebius/vpc/v1/security_group_service.proto create mode 100644 nebius/vpc/v1/security_rule.proto create mode 100644 nebius/vpc/v1/security_rule_service.proto diff --git a/endpoints.md b/endpoints.md index 280d56b..83b4c45 100755 --- a/endpoints.md +++ b/endpoints.md @@ -106,6 +106,8 @@ * [nebius.vpc.v1.PoolService](nebius/vpc/v1/pool_service.proto) * [nebius.vpc.v1.RouteService](nebius/vpc/v1/route_service.proto) * [nebius.vpc.v1.RouteTableService](nebius/vpc/v1/route_table_service.proto) + * [nebius.vpc.v1.SecurityGroupService](nebius/vpc/v1/security_group_service.proto) + * [nebius.vpc.v1.SecurityRuleService](nebius/vpc/v1/security_rule_service.proto) * [nebius.vpc.v1.SubnetService](nebius/vpc/v1/subnet_service.proto) * [nebius.vpc.v1.TargetGroupService](nebius/vpc/v1/target_group_service.proto) * [nebius.vpc.v1alpha1.AllocationService](nebius/vpc/v1alpha1/allocation_service.proto) diff --git a/nebius/compute/v1/network_interface.proto b/nebius/compute/v1/network_interface.proto index ad4d121..1c4e259 100644 --- a/nebius/compute/v1/network_interface.proto +++ b/nebius/compute/v1/network_interface.proto @@ -45,6 +45,11 @@ message NetworkInterfaceSpec { // Assign ranges of IP addresses as aliases repeated IPAlias aliases = 6; + + // Security groups associated with the network interface. + // If an empty list is provided, the default security group for the network will be used. + // Effective security groups can be seen in the status. + repeated SecurityGroup security_groups = 7; } // Describes an IPv4 address. @@ -121,3 +126,8 @@ message PublicIPAddressStatus { message IPAliasesStatus { repeated string cidrs = 2; } + +message SecurityGroup { + // Security group identifier + string id = 1; +} diff --git a/nebius/vpc/v1/security_group.proto b/nebius/vpc/v1/security_group.proto new file mode 100644 index 0000000..6afebf4 --- /dev/null +++ b/nebius/vpc/v1/security_group.proto @@ -0,0 +1,51 @@ +syntax = "proto3"; + +package nebius.vpc.v1; + +import "buf/validate/validate.proto"; +import "nebius/annotations.proto"; +import "nebius/common/v1/metadata.proto"; + +option go_package = "github.com/nebius/gosdk/proto/nebius/vpc/v1"; +option java_multiple_files = true; +option java_outer_classname = "SecurityGroupProto"; +option java_package = "ai.nebius.pub.vpc.v1"; + +// SecurityGroup is a logical grouping of resources +// used to manage and apply network security policies collectively. +// Security group applies implicit deny at the end (traffic not matched by any rule will be denied). +message SecurityGroup { + // `metadata.parent_id` represents the Project. + common.v1.ResourceMetadata metadata = 1; + + // Specification of the security group's configuration. + SecurityGroupSpec spec = 2; + + // Current status of the security group. + SecurityGroupStatus status = 3; +} + +message SecurityGroupSpec { + // ID of the VPC network this security group belongs to. + string network_id = 1 [ + (buf.validate.field).required = true, + (field_behavior) = IMMUTABLE + ]; +} + +message SecurityGroupStatus { + // Enumeration of possible states of the security group. + enum State { + STATE_UNSPECIFIED = 0; // Default state, unspecified. + + READY = 2; // Security group is ready for use. + } + + // Current state of the security group. + State state = 1; + + // Indicates if this is the default security group for the network. + // Only one security group can be default per network. + // Will be used on the interface if no other is specified. + bool default = 2; +} diff --git a/nebius/vpc/v1/security_group_service.proto b/nebius/vpc/v1/security_group_service.proto new file mode 100644 index 0000000..aa0b620 --- /dev/null +++ b/nebius/vpc/v1/security_group_service.proto @@ -0,0 +1,107 @@ +syntax = "proto3"; + +package nebius.vpc.v1; + +import "buf/validate/validate.proto"; +import "nebius/annotations.proto"; +import "nebius/common/v1/metadata.proto"; +import "nebius/common/v1/operation.proto"; +import "nebius/vpc/v1/security_group.proto"; + +option go_package = "github.com/nebius/gosdk/proto/nebius/vpc/v1"; +option java_multiple_files = true; +option java_outer_classname = "SecurityGroupServiceProto"; +option java_package = "ai.nebius.pub.vpc.v1"; + +// SecurityGroupService provides operations for managing security groups. +service SecurityGroupService { + option (api_service_name) = "vpc"; + + rpc Get(GetSecurityGroupRequest) returns (SecurityGroup); + + rpc GetByName(GetSecurityGroupByNameRequest) returns (SecurityGroup); + + rpc List(ListSecurityGroupsRequest) returns (ListSecurityGroupsResponse); + + // Lists security groups in a specific network. + rpc ListByNetwork(ListSecurityGroupsByNetworkRequest) returns (ListSecurityGroupsResponse); + + rpc Create(CreateSecurityGroupRequest) returns (common.v1.Operation); + + rpc Update(UpdateSecurityGroupRequest) returns (common.v1.Operation); + + rpc Delete(DeleteSecurityGroupRequest) returns (common.v1.Operation); +} + +message GetSecurityGroupRequest { + string id = 1 [(buf.validate.field).required = true]; +} + +message GetSecurityGroupByNameRequest { + // ID of the Project. + string parent_id = 1 [(buf.validate.field).required = true]; + + string name = 2 [(buf.validate.field).required = true]; +} + +message ListSecurityGroupsRequest { + // ID of the Project. + string parent_id = 1 [(buf.validate.field).required = true]; + + int64 page_size = 2; + + string page_token = 3; +} + +message ListSecurityGroupsByNetworkRequest { + // ID of the Network. + string network_id = 1 [ + (buf.validate.field).required = true, + (nid) = { + resource: ["vpcnetwork"] + } + ]; + + int64 page_size = 2; + + string page_token = 3; +} + +message ListSecurityGroupsResponse { + repeated SecurityGroup items = 1; + + string next_page_token = 2; +} + +message CreateSecurityGroupRequest { + common.v1.ResourceMetadata metadata = 1 [(buf.validate.field) = { + cel: [ + { + id: "metadata_name" + message: "'name' must start with a letter or digit, allow '-', '_', '.', '/', and have a length between 2 and 255 characters." + expression: "this.name.matches('^[a-zA-Z0-9][-_./a-zA-Z0-9]{1,254}$')" + } + ] + required: true + }]; + + SecurityGroupSpec spec = 2 [(buf.validate.field).required = true]; +} + +message UpdateSecurityGroupRequest { + common.v1.ResourceMetadata metadata = 1 [(buf.validate.field) = { + cel: [ + { + id: "metadata_name" + message: "'name' must start with a letter or digit, allow '-', '_', '.', '/', and have a length between 2 and 255 characters." + expression: "this.name.matches('^[a-zA-Z0-9][-_./a-zA-Z0-9]{1,254}$')" + } + ] + }]; + + SecurityGroupSpec spec = 2; +} + +message DeleteSecurityGroupRequest { + string id = 1 [(buf.validate.field).required = true]; +} diff --git a/nebius/vpc/v1/security_rule.proto b/nebius/vpc/v1/security_rule.proto new file mode 100644 index 0000000..f053e22 --- /dev/null +++ b/nebius/vpc/v1/security_rule.proto @@ -0,0 +1,240 @@ +syntax = "proto3"; + +package nebius.vpc.v1; + +import "buf/validate/validate.proto"; +import "nebius/annotations.proto"; +import "nebius/common/v1/metadata.proto"; + +option go_package = "github.com/nebius/gosdk/proto/nebius/vpc/v1"; +option java_multiple_files = true; +option java_outer_classname = "SecurityRuleProto"; +option java_package = "ai.nebius.pub.vpc.v1"; + +// SecurityRules define rules for controlling network traffic within a network. +// These rules specify when traffic is ALLOWED or DENIED based on direction, protocol, +// match source, and ports. +message SecurityRule { + // `metadata.parent_id` represents the SecurityGroup. + common.v1.ResourceMetadata metadata = 1; + + // Specification of the security rule's configuration. + // Defines the parameters and constraints for rules that control network traffic. + SecurityRuleSpec spec = 2; + + // Current status of the security rule. + SecurityRuleStatus status = 3; +} + +message SecurityRuleSpec { + // Access action for the rule. + // Required. Determines whether matching traffic is allowed or denied. + RuleAccessAction access = 1 [ + (buf.validate.field).required = true, + (field_behavior) = IMMUTABLE + ]; + + // Priority of the rule. Valid range: 0-1000. + // Optional. If not specified or set to 0, defaults to 500. + // Rules are evaluated in priority order (lower numbers first) using a first-match algorithm: + // only the first matching rule takes effect (ALLOW or DENY), and subsequent rules are skipped. + // + // When multiple rules share the same priority, DENY rules are evaluated before ALLOW rules. + // The final evaluation order is reflected in 'effective_priority' (see SecurityRuleStatus). + int32 priority = 2 [ + (field_behavior) = IMMUTABLE, + (field_behavior) = NON_EMPTY_DEFAULT, + (buf.validate.field) = { + int32: { + lte: 1000 + gte: 0 + } + } + ]; + + // Protocol used in the rule. + // Supported values: ANY, TCP, UDP, ICMP. + RuleProtocol protocol = 3 [ + (buf.validate.field).required = true, + (field_behavior) = IMMUTABLE + ]; + + // Indicating whether the rule matches incoming or outgoing traffic. + oneof match { + option (buf.validate.oneof).required = true; + option (oneof_behavior) = IMMUTABLE; + + RuleIngress ingress = 4 [(field_behavior) = IMMUTABLE]; + + RuleEgress egress = 5 [(field_behavior) = IMMUTABLE]; + } + + // Type of the rule (STATEFUL or STATELESS) + // Default value is STATEFUL + RuleType type = 6 [ + (field_behavior) = IMMUTABLE, + (field_behavior) = NON_EMPTY_DEFAULT + ]; +} + +// Defines match for incoming traffic. +message RuleIngress { + // ID of the referenced Security Group as the source. + string source_security_group_id = 1; + + // CIDR blocks as the source. + // Optional. Empty list means any address. + // Must be a valid IPv4 + // Maximum of 8 CIDRs can be specified. + repeated string source_cidrs = 2 [(buf.validate.field) = { + repeated: { + max_items: 8 + items: { + cel: [ + { + id: "string.valid_cidr" + message: "value must be a valid CIDR" + expression: "this.isIpPrefix(true)" + } + ] + } + } + }]; + + // List of destination ports to which the rule applies. + // Optional. Empty list means any port. + // Valid range: 1–65535. + // Maximum of 8 ports can be specified. + repeated int32 destination_ports = 3 [(buf.validate.field) = { + repeated: { + max_items: 8 + items: { + int32: { + lte: 65535 + gte: 1 + } + } + } + }]; +} + +// Defines match for outgoing traffic. +message RuleEgress { + // ID of the referenced Security Group as the destination. + string destination_security_group_id = 1; + + // CIDR blocks as the destination. + // Optional. Empty list means any address. + // Must be a valid IPv4. + // Maximum of 8 CIDRs can be specified. + repeated string destination_cidrs = 2 [(buf.validate.field) = { + repeated: { + max_items: 8 + items: { + cel: [ + { + id: "string.valid_cidr" + message: "value must be a valid CIDR" + expression: "this.isIpPrefix(true)" + } + ] + } + } + }]; + + // List of ports to which the rule applies. + // Optional. Empty list means any port. + // Valid range: 1–65535. + // Maximum of 8 ports can be specified. + repeated int32 destination_ports = 3 [(buf.validate.field) = { + repeated: { + max_items: 8 + items: { + int32: { + lte: 65535 + gte: 1 + } + } + } + }]; +} + +// Direction specifies whether traffic is INGRESS (incoming) or EGRESS (outgoing). +enum RuleDirection { + DIRECTION_UNSPECIFIED = 0; + + INGRESS = 1; + + EGRESS = 2; +} + +// Protocol specifies traffic protocol. +enum RuleProtocol { + PROTOCOL_UNSPECIFIED = 0; + + ANY = 1; + + TCP = 2; + + UDP = 3; + + ICMP = 4; +} + +// Access specifies action on matching traffic: ALLOW or DENY. +enum RuleAccessAction { + ACCESS_UNSPECIFIED = 0; + + ALLOW = 1; + + DENY = 2; +} + +// RuleType specifies whether the security rule is stateful or stateless. +enum RuleType { + RULE_TYPE_UNSPECIFIED = 0; + + STATEFUL = 1; + + STATELESS = 2; +} + +message SecurityRuleStatus { + // State describes lifecycle phases of a security rule. + enum State { + STATE_UNSPECIFIED = 0; + + CREATING = 1; + + READY = 2; + + DELETING = 3; + } + + State state = 1; + + // Effective priority used for rule evaluation order, calculated by the system. + // This value is computed from the user-specified 'priority' (SecurityRuleSpec). + // Rules are evaluated in ascending order of effective_priority using a first-match algorithm. + int32 effective_priority = 4; + + // Direction of traffic affected by the rule. + RuleDirection direction = 6; + + // Source of the traffic that matched the rule. + RuleMatchStatus source = 7; + + // Destination of the traffic that matched the rule. + RuleMatchStatus destination = 8; +} + +message RuleMatchStatus { + // ID of the Security Group. + string security_group_id = 1; + + // List of CIDR blocks. + repeated string cidrs = 2; + + // List of ports. + repeated int32 ports = 3; +} diff --git a/nebius/vpc/v1/security_rule_service.proto b/nebius/vpc/v1/security_rule_service.proto new file mode 100644 index 0000000..8f115d1 --- /dev/null +++ b/nebius/vpc/v1/security_rule_service.proto @@ -0,0 +1,90 @@ +syntax = "proto3"; + +package nebius.vpc.v1; + +import "buf/validate/validate.proto"; +import "nebius/annotations.proto"; +import "nebius/common/v1/metadata.proto"; +import "nebius/common/v1/operation.proto"; +import "nebius/vpc/v1/security_rule.proto"; + +option go_package = "github.com/nebius/gosdk/proto/nebius/vpc/v1"; +option java_multiple_files = true; +option java_outer_classname = "SecurityRuleServiceProto"; +option java_package = "ai.nebius.pub.vpc.v1"; + +// SecurityRuleService provides operations for managing security rules. +service SecurityRuleService { + option (api_service_name) = "vpc"; + + rpc Get(GetSecurityRuleRequest) returns (SecurityRule); + + rpc GetByName(GetSecurityRuleByNameRequest) returns (SecurityRule); + + rpc List(ListSecurityRulesRequest) returns (ListSecurityRulesResponse); + + rpc Create(CreateSecurityRuleRequest) returns (common.v1.Operation); + + rpc Update(UpdateSecurityRuleRequest) returns (common.v1.Operation); + + rpc Delete(DeleteSecurityRuleRequest) returns (common.v1.Operation); +} + +message GetSecurityRuleRequest { + string id = 1 [(buf.validate.field).required = true]; +} + +message GetSecurityRuleByNameRequest { + // ID of the Security Group. + string parent_id = 1 [(buf.validate.field).required = true]; + + string name = 2 [(buf.validate.field).required = true]; +} + +message ListSecurityRulesRequest { + // ID of the Security Group. + string parent_id = 1 [(buf.validate.field).required = true]; + + int64 page_size = 2; + + string page_token = 3; +} + +message ListSecurityRulesResponse { + repeated SecurityRule items = 1; + + string next_page_token = 2; +} + +message CreateSecurityRuleRequest { + common.v1.ResourceMetadata metadata = 1 [(buf.validate.field) = { + cel: [ + { + id: "metadata_name" + message: "'name' must start with a letter or digit, allow '-', '_', '.', '/', and have a length between 2 and 255 characters." + expression: "this.name.matches('^[a-zA-Z0-9][-_./a-zA-Z0-9]{1,254}$')" + } + ] + required: true + }]; + + SecurityRuleSpec spec = 2 [(buf.validate.field).required = true]; +} + +message UpdateSecurityRuleRequest { + common.v1.ResourceMetadata metadata = 1 [(buf.validate.field) = { + cel: [ + { + id: "metadata_name" + message: "'name' must start with a letter or digit, allow '-', '_', '.', '/', and have a length between 2 and 255 characters." + expression: "this.name.matches('^[a-zA-Z0-9][-_./a-zA-Z0-9]{1,254}$')" + } + ] + }]; + + SecurityRuleSpec spec = 2; +} + +message DeleteSecurityRuleRequest { + string id = 1 [(buf.validate.field).required = true]; +}