From a39bf33598924a6374477d5e77bb61bbce099875 Mon Sep 17 00:00:00 2001
From: Damian Debkowski
Date: Wed, 3 Jan 2024 17:43:20 -0800
Subject: [PATCH] proto(iam): add scope policy storage policy
---
 .../api/resources/scopes/v1/scope.proto | 3 ++
 .../api/services/v1/scope_service.proto | 54 +++++++++++++++++++
 .../storage/iam/store/v1/scope.proto | 10 ++++
 3 files changed, 67 insertions(+)
diff --git a/internal/proto/controller/api/resources/scopes/v1/scope.proto b/internal/proto/controller/api/resources/scopes/v1/scope.proto
index 5eb88a5e6a..3b82fdf4b2 100644
--- a/internal/proto/controller/api/resources/scopes/v1/scope.proto
+++ b/internal/proto/controller/api/resources/scopes/v1/scope.proto
@@ -87,6 +87,9 @@ message Scope {
 // Output only. The authorized actions for the scope's collections.
 map authorized_collection_actions = 310 [json_name = "authorized_collection_actions"];
+
+ // Output only. The attached storage policy id.
+ string storage_policy_id = 320 [json_name = "storage_policy_id"]; // @gotags: `class:"public"`
 }
 // KeyVersion describes a specific version of a key and holds the actual key material
diff --git a/internal/proto/controller/api/services/v1/scope_service.proto b/internal/proto/controller/api/services/v1/scope_service.proto
index 46eddff0e3..dbd8606e8e 100644
--- a/internal/proto/controller/api/services/v1/scope_service.proto
+++ b/internal/proto/controller/api/services/v1/scope_service.proto
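Review bot: The comment on the new `storage_policy_id` field of `Scope` does not say what an empty value means; as a plain proto3 `string`, "no policy attached" and "unset" are the same on the wire and in JSON, so the comment should state that, e.g. `// Output only. The ID of the Storage Policy attached to this scope; empty when no policy is attached.`. Field number 320 continues the file's spaced numbering after 310, so the number itself is fine. The enclosing `Scope` message begins before this hunk.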
@@ -109,6 +109,37 @@ service ScopeService {
 };
 option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Destroy the specified key version in a Scope. This may start an asynchronous job that re-encrypts all data encrypted by the specified key version. Use GET /v1/scopes/{scope_id}:list-key-version-destruction-jobs to monitor pending destruction jobs."};
 }
+
+ // AttachStoragePolicy sets the Scope's Storage Policy. Any existing Storage
+ // Policy on the Scope will be overwritten. The provided request must include
+ // the Scope ID and the Storage Policy ID on which the Storage Policy will be
+ // set. A Storage Policy created under the global scope may be attached to any
+ // global or org scope. A Storage Policy created under a org scope may be attached
+ // to the same org scope. If any ID is missing, malformed, or references a
+ // non-existing resource, an error is returned.
+ rpc AttachStoragePolicy(AttachStoragePolicyRequest) returns (AttachStoragePolicyResponse) {
+ option (google.api.http) = {
+ post: "/v1/scopes/{id}:attach-storage-policy"
+ body: "*"
+ response_body: "item"
+ };
+ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Attaches the specified Storage Policy to the Scope."};
+ }
+
+ // DetachStoragePolicy removes the Storage Policy from the specified Scope.
+ // The provided request must include the Scope ID for the Scope from which
+ // the Storage Policy will be removed. If the ID is missing, malformed, or
+ // references a non-existing scope, an error is returned. An error is returned
+ // if a Storage Policy is attempted to be removed from the Scope when the Scope
+ // does not have the Storage Policy attached to it.
+ rpc DetachStoragePolicy(DetachStoragePolicyRequest) returns (DetachStoragePolicyResponse) {
+ option (google.api.http) = {
+ post: "/v1/scopes/{id}:detach-storage-policy"
+ body: "*"
+ response_body: "item"
+ };
+ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Detaches the specified Storage Policy from the Scope."};
+ }
 }
 message GetScopeRequest {
@@ -220,3 +251,26 @@ message DestroyKeyVersionResponse {
 // to monitor pending destruction jobs.
 string state = 1; // @gotags: `class:"public"`
 }
+
+message AttachStoragePolicyRequest {
+ string id = 1; // @gotags: `class:"public" eventstream:"observation"`
+ string storage_policy_id = 2; // @gotags: `class:"public"`
+ // Version is used to ensure this resource has not changed.
+ // The mutation will fail if the version does not match the latest known good version.
+ uint32 version = 3; // @gotags: `class:"public"`
+}
+
+message AttachStoragePolicyResponse {
+ api.resources.scopes.v1.Scope item = 1;
+}
+
+message DetachStoragePolicyRequest {
+ string id = 1; // @gotags: `class:"public" eventstream:"observation"`
+ // Version is used to ensure this resource has not changed.
+ // The mutation will fail if the version does not match the latest known good version.
+ uint32 version = 2; // @gotags: `class:"public"`
+}
+
+message DetachStoragePolicyResponse {
+ api.resources.scopes.v1.Scope item = 1;
+}
diff --git a/internal/proto/controller/storage/iam/store/v1/scope.proto b/internal/proto/controller/storage/iam/store/v1/scope.proto
index 4d72bce116..36399bc962 100644
--- a/internal/proto/controller/storage/iam/store/v1/scope.proto
+++ b/internal/proto/controller/storage/iam/store/v1/scope.proto
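Review bot: The openapiv2 summary on `DetachStoragePolicy`, `Detaches the specified Storage Policy from the Scope.`, suggests the caller names a policy, but `DetachStoragePolicyRequest` in the next hunk carries only the scope `id` and `version`; I would change it to `{summary: "Detaches the currently attached Storage Policy from the Scope."}`. The `AttachStoragePolicy` comment names global and org scopes as valid targets but is silent on a project scope passed as `{id}`; if that is rejected, list it with the other error cases so clients and the authorization layer agree on the rule. Neither RPC comment mentions the `version` field both requests carry, so a sentence saying the call fails when the version is stale would save callers a failed round trip. The `ScopeService` definition begins before this hunk.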
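Review bot: `id` and `storage_policy_id` in `AttachStoragePolicyRequest`, and `id` in `DetachStoragePolicyRequest`, have no leading comment while `version` in the same messages does. The `storage_policy_id` comment should carry the cross-scope rule the RPC comment states, since that is what the server must check before linking a policy that lives in another scope: `// The ID of the Storage Policy to attach. Must be in the global scope or in the same org scope as the Scope identified by id.`. A one-line comment on each `id`, such as `// The ID of the Scope.`, would complete the messages. Giving each RPC its own request and response type is the right choice and leaves room to add fields later without touching the RPC signatures.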
@@ -59,3 +59,13 @@ message Scope {
 that: "primary_auth_method_id"
 }];
 }
+
+message ScopePolicyStoragePolicy {
+ // scope_id of the ScopePolicyStoragePolicy
+ // @inject_tag: gorm:"primary_key"
+ string scope_id = 10;
+
+ // storage_policy_id of the ScopePolicyStoragePolicy
+ // @inject_tag: `gorm:"default:null"`
+ string storage_policy_id = 20;
+}
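Review bot: The two `@inject_tag` comments in `ScopePolicyStoragePolicy` differ in form: `gorm:"primary_key"` on `scope_id` is bare while `storage_policy_id` wraps its tag in backticks; they should use whichever form the rest of this store package uses, since I cannot tell from here whether the injector accepts both. The field comments only restate the field names; because `scope_id` is the primary key, the message comment should record the invariant that a scope holds at most one storage policy, e.g. `// ScopePolicyStoragePolicy links a scope to its attached storage policy. scope_id is the primary key, so a scope has at most one policy at a time.`. Whether `storage_policy_id` has a foreign-key constraint to the storage policy table is decided in the migration rather than here, and a comment naming where that constraint lives would help the next reader.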