privateca.projects.locations.caPools.certificateAuthorities.activate

# Input template for activating a certificate authority: it lists the request
# fields a policy can inspect and the type each one is expected to carry.
# STRING is not defined on this page; it reads as a type placeholder to be
# replaced by a concrete value or a type check -- TODO confirm with the tooling
# that consumes this template.
valid {
    # Presumably the signed CA certificate being installed, plus an
    # idempotency token for the request.
    input.Body.pemCaCertificate == STRING
    input.Body.requestId == STRING
    # NOTE(review): the issuer is named either as a CA resource or as a PEM
    # chain. Upstream these look mutually exclusive, and every line of a Rego
    # rule body must hold, so a rule that keeps both lines may never match a
    # real request -- confirm and keep only the form you expect.
    input.Body.subordinateConfig.certificateAuthority == STRING
    input.Body.subordinateConfig.pemIssuerChain.pemCertificates[_] == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.get

# Input template for reading one certificate revocation list. Only the
# resource name and the region are exposed to a policy.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.getIamPolicy

# Input template for reading the IAM policy attached to a certificate
# revocation list.
valid {
    input.ReqMap.resource == STRING
    # Requested policy format version. NOTE(review): in Google Cloud IAM,
    # conditional bindings are represented from version 3 on -- confirm before
    # pinning a lower value in a rule.
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.list

# Input template for listing certificate revocation lists under a parent
# resource. The paging and filtering inputs arrive under input.Qs.
valid {
    input.ReqMap.parent == STRING
    input.Qs.filter == STRING
    input.Qs.orderBy == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.patch

# Input template for updating a certificate revocation list.
valid {
    # labels is a map; the STRING in key position presumably stands for an
    # arbitrary label name and must be replaced before the rule can evaluate.
    input.Body.labels.STRING == STRING
    input.Body.name == STRING
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    # NOTE(review): updateMask names the fields the update applies to. A rule
    # that inspects Body values without also checking updateMask may be
    # judging values the service ignores -- confirm.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.setIamPolicy

# Input template for replacing the IAM policy on a certificate revocation
# list. It describes field types only: nothing below restricts which members
# or roles a binding may grant, so an actual guard has to add those checks.
#
# Log types accepted for auditLogConfigs. LOG_TYPE_UNSPECIFIED is in the list.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

valid {
    # Audit logging configuration. exemptedMembers lists principals exempted
    # from logging for the given logType, so a policy that protects audit
    # coverage should inspect this list rather than only its type.
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Conditional bindings: condition.expression holds the condition text.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    # `x[_] == v` is existential in Rego: it holds when ANY element equals v.
    # That suits a deny rule on a forbidden member or role; an allowlist over
    # all members or roles needs `every` or a negated helper rule instead.
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.certificateRevocationLists.testIamPermissions

# Input template for testing which of the listed permissions the caller holds
# on a certificate revocation list.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.create

# Input template for creating a certificate authority. It enumerates every
# request field with its expected type; STRING, INTEGER and BOOLEAN are not
# defined on this page and read as placeholders to replace -- TODO confirm.
# As plain Rego every body line must hold, so keep only the lines a rule
# actually constrains.
#
# The enum lists mirror the full set of values. Each includes its
# *_UNSPECIFIED member, and the algorithm list includes the 2048-bit RSA
# variants; a policy enforcing a key-strength baseline should compare against
# an approved subset rather than these full lists.
enum_CertificateAuthorityType := [ "TYPE_UNSPECIFIED", "SELF_SIGNED", "SUBORDINATE" ]
enum_KeyVersionSpecAlgorithm := [ "SIGN_HASH_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_PKCS1_2048_SHA256", "RSA_PKCS1_3072_SHA256", "RSA_PKCS1_4096_SHA256", "EC_P256_SHA256", "EC_P384_SHA384" ]
enum_PublicKeyFormat := [ "KEY_FORMAT_UNSPECIFIED", "PEM" ]

valid {
    # Public key and subject distinguished name of the CA certificate.
    input.Body.config.publicKey.format == enum_PublicKeyFormat[_]
    input.Body.config.publicKey.key == STRING
    input.Body.config.subjectConfig.subject.commonName == STRING
    input.Body.config.subjectConfig.subject.countryCode == STRING
    input.Body.config.subjectConfig.subject.locality == STRING
    input.Body.config.subjectConfig.subject.organization == STRING
    input.Body.config.subjectConfig.subject.organizationalUnit == STRING
    input.Body.config.subjectConfig.subject.postalCode == STRING
    input.Body.config.subjectConfig.subject.province == STRING
    input.Body.config.subjectConfig.subject.streetAddress == STRING
    # Subject alternative names. `[_]` matches when any element satisfies the
    # comparison, not all of them.
    input.Body.config.subjectConfig.subjectAltName.customSans[_].critical == BOOLEAN
    input.Body.config.subjectConfig.subjectAltName.customSans[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.subjectConfig.subjectAltName.customSans[_].value == STRING
    input.Body.config.subjectConfig.subjectAltName.dnsNames[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.emailAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.ipAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.uris[_] == STRING
    input.Body.config.subjectKeyId.keyId == STRING
    # Arbitrary extensions by OID; a type check says nothing about which OIDs
    # are acceptable.
    input.Body.config.x509Config.additionalExtensions[_].critical == BOOLEAN
    input.Body.config.x509Config.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.x509Config.additionalExtensions[_].value == STRING
    input.Body.config.x509Config.aiaOcspServers[_] == STRING
    # Basic constraints: whether the certificate is a CA and how long a chain
    # may hang below it. Worth a value check for subordinate CAs.
    input.Body.config.x509Config.caOptions.isCa == BOOLEAN
    input.Body.config.x509Config.caOptions.maxIssuerPathLength == INTEGER
    # Key usage bits.
    input.Body.config.x509Config.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    # Extended key usages, named and by OID.
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.config.x509Config.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Name constraints limit the namespaces this CA may issue for.
    input.Body.config.x509Config.nameConstraints.critical == BOOLEAN
    input.Body.config.x509Config.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedUris[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedUris[_] == STRING
    input.Body.config.x509Config.policyIds[_].objectIdPath[_] == INTEGER
    input.Body.gcsBucket == STRING
    # NOTE(review): the signing key is given either as an algorithm or as an
    # existing Cloud KMS key version; these look mutually exclusive upstream,
    # so a rule keeping both lines may never match -- confirm.
    input.Body.keySpec.algorithm == enum_KeyVersionSpecAlgorithm[_]
    input.Body.keySpec.cloudKmsKeyVersion == STRING
    # The STRING in key position presumably stands for an arbitrary label name.
    input.Body.labels.STRING == STRING
    # lifetime is typed STRING, so a maximum-lifetime rule has to parse it
    # before comparing.
    input.Body.lifetime == STRING
    input.Body.name == STRING
    input.Body.subordinateConfig.certificateAuthority == STRING
    input.Body.subordinateConfig.pemIssuerChain.pemCertificates[_] == STRING
    input.Body.type == enum_CertificateAuthorityType[_]
    input.ReqMap.parent == STRING
    input.Qs.certificateAuthorityId == STRING
    input.Qs.requestId == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.delete

# Input template for deleting a certificate authority.
valid {
    input.ReqMap.name == STRING
    # The three booleans relax safeguards on deletion: proceeding despite
    # active certificates, despite dependent resources, and (per its name)
    # skipping the grace period in which the CA could still be undeleted.
    # A guard policy would normally compare them to false, or restrict who may
    # set them, rather than only check that they are booleans.
    input.Qs.ignoreActiveCertificates == BOOLEAN
    input.Qs.ignoreDependentResources == BOOLEAN
    input.Qs.requestId == STRING
    input.Qs.skipGracePeriod == BOOLEAN
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.disable

# Input template for disabling a certificate authority.
valid {
    # Lets the call proceed although other resources still depend on the CA;
    # check the value, not just the type, if that should be prevented.
    input.Body.ignoreDependentResources == BOOLEAN
    input.Body.requestId == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.enable

# Input template for enabling a certificate authority. Besides the resource
# name and region, only the request token is available to a policy.
valid {
    input.Body.requestId == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.fetch

# Input template for the certificate authority `fetch` operation.
# NOTE(review): upstream this appears to return the CA's certificate signing
# request -- confirm against the API reference.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.get

# Input template for reading one certificate authority. Only the resource
# name and the region are exposed to a policy.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.list

# Input template for listing certificate authorities under a parent resource.
# The paging and filtering inputs arrive under input.Qs.
valid {
    input.ReqMap.parent == STRING
    input.Qs.filter == STRING
    input.Qs.orderBy == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.patch

# Input template for updating a certificate authority. The body mirrors the
# CA resource; the update itself is scoped by input.Qs.updateMask.
#
# These three lists repeat definitions that appear under other operations on
# this page. NOTE(review): loaded into a single Rego package, repeated `:=`
# definitions would conflict and several `valid` bodies would be OR-ed, so
# each snippet presumably belongs in its own package -- confirm.
enum_CertificateAuthorityType := [ "TYPE_UNSPECIFIED", "SELF_SIGNED", "SUBORDINATE" ]
enum_KeyVersionSpecAlgorithm := [ "SIGN_HASH_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_PKCS1_2048_SHA256", "RSA_PKCS1_3072_SHA256", "RSA_PKCS1_4096_SHA256", "EC_P256_SHA256", "EC_P384_SHA384" ]
enum_PublicKeyFormat := [ "KEY_FORMAT_UNSPECIFIED", "PEM" ]

valid {
    # Public key and subject distinguished name.
    input.Body.config.publicKey.format == enum_PublicKeyFormat[_]
    input.Body.config.publicKey.key == STRING
    input.Body.config.subjectConfig.subject.commonName == STRING
    input.Body.config.subjectConfig.subject.countryCode == STRING
    input.Body.config.subjectConfig.subject.locality == STRING
    input.Body.config.subjectConfig.subject.organization == STRING
    input.Body.config.subjectConfig.subject.organizationalUnit == STRING
    input.Body.config.subjectConfig.subject.postalCode == STRING
    input.Body.config.subjectConfig.subject.province == STRING
    input.Body.config.subjectConfig.subject.streetAddress == STRING
    # Subject alternative names.
    input.Body.config.subjectConfig.subjectAltName.customSans[_].critical == BOOLEAN
    input.Body.config.subjectConfig.subjectAltName.customSans[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.subjectConfig.subjectAltName.customSans[_].value == STRING
    input.Body.config.subjectConfig.subjectAltName.dnsNames[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.emailAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.ipAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.uris[_] == STRING
    input.Body.config.subjectKeyId.keyId == STRING
    # X.509 extensions: custom OIDs, OCSP servers, basic constraints.
    input.Body.config.x509Config.additionalExtensions[_].critical == BOOLEAN
    input.Body.config.x509Config.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.x509Config.additionalExtensions[_].value == STRING
    input.Body.config.x509Config.aiaOcspServers[_] == STRING
    input.Body.config.x509Config.caOptions.isCa == BOOLEAN
    input.Body.config.x509Config.caOptions.maxIssuerPathLength == INTEGER
    # Key usage bits and extended key usages.
    input.Body.config.x509Config.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.config.x509Config.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Name constraints.
    input.Body.config.x509Config.nameConstraints.critical == BOOLEAN
    input.Body.config.x509Config.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedUris[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedUris[_] == STRING
    input.Body.config.x509Config.policyIds[_].objectIdPath[_] == INTEGER
    input.Body.gcsBucket == STRING
    input.Body.keySpec.algorithm == enum_KeyVersionSpecAlgorithm[_]
    input.Body.keySpec.cloudKmsKeyVersion == STRING
    input.Body.labels.STRING == STRING
    input.Body.lifetime == STRING
    input.Body.name == STRING
    input.Body.subordinateConfig.certificateAuthority == STRING
    input.Body.subordinateConfig.pemIssuerChain.pemCertificates[_] == STRING
    input.Body.type == enum_CertificateAuthorityType[_]
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    # NOTE(review): updateMask names the fields the update applies to. A rule
    # that judges Body values without checking the mask may be evaluating
    # fields the service does not change -- confirm.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificateAuthorities.undelete

# Input template for undeleting (restoring) a certificate authority that was
# scheduled for deletion.
valid {
    input.Body.requestId == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificates.create

# Input template for issuing a certificate from a CA pool. It lists field
# types only; what a requester may ask for (names, CA flag, usages, lifetime)
# has to be constrained by the rule that is built from it.
#
# NOTE(review): REFLECTED_SPIFFE presumably derives the subject from the
# caller's identity rather than from the request -- confirm upstream.
enum_CertificateSubjectMode := [ "SUBJECT_REQUEST_MODE_UNSPECIFIED", "DEFAULT", "REFLECTED_SPIFFE" ]
enum_PublicKeyFormat := [ "KEY_FORMAT_UNSPECIFIED", "PEM" ]

valid {
    input.Body.certificateTemplate == STRING
    # Config-based request: public key and subject supplied as fields.
    input.Body.config.publicKey.format == enum_PublicKeyFormat[_]
    input.Body.config.publicKey.key == STRING
    input.Body.config.subjectConfig.subject.commonName == STRING
    input.Body.config.subjectConfig.subject.countryCode == STRING
    input.Body.config.subjectConfig.subject.locality == STRING
    input.Body.config.subjectConfig.subject.organization == STRING
    input.Body.config.subjectConfig.subject.organizationalUnit == STRING
    input.Body.config.subjectConfig.subject.postalCode == STRING
    input.Body.config.subjectConfig.subject.province == STRING
    input.Body.config.subjectConfig.subject.streetAddress == STRING
    # Requested subject alternative names. `[_]` holds when ANY element
    # matches, so restricting every requested name to an approved domain needs
    # `every` or a negated helper rule.
    input.Body.config.subjectConfig.subjectAltName.customSans[_].critical == BOOLEAN
    input.Body.config.subjectConfig.subjectAltName.customSans[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.subjectConfig.subjectAltName.customSans[_].value == STRING
    input.Body.config.subjectConfig.subjectAltName.dnsNames[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.emailAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.ipAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.uris[_] == STRING
    input.Body.config.subjectKeyId.keyId == STRING
    input.Body.config.x509Config.additionalExtensions[_].critical == BOOLEAN
    input.Body.config.x509Config.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.x509Config.additionalExtensions[_].value == STRING
    input.Body.config.x509Config.aiaOcspServers[_] == STRING
    # A request can ask for a CA certificate. For leaf issuance a policy
    # would typically compare isCa to false instead of only checking its type.
    input.Body.config.x509Config.caOptions.isCa == BOOLEAN
    input.Body.config.x509Config.caOptions.maxIssuerPathLength == INTEGER
    # Key usage bits; certSign and crlSign are the CA-related ones.
    input.Body.config.x509Config.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    # Extended key usages, named and by OID.
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.config.x509Config.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Name constraints.
    input.Body.config.x509Config.nameConstraints.critical == BOOLEAN
    input.Body.config.x509Config.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedUris[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedUris[_] == STRING
    input.Body.config.x509Config.policyIds[_].objectIdPath[_] == INTEGER
    # The STRING in key position presumably stands for an arbitrary label name.
    input.Body.labels.STRING == STRING
    # lifetime is typed STRING, so a maximum-lifetime rule has to parse it.
    input.Body.lifetime == STRING
    input.Body.name == STRING
    # CSR-based request. The CSR is an opaque PEM string here, so a rule built
    # on this template cannot see the names or extensions inside it.
    # NOTE(review): pemCsr and config look mutually exclusive upstream, so a
    # rule keeping both sets of lines may never match -- confirm.
    input.Body.pemCsr == STRING
    input.Body.subjectMode == enum_CertificateSubjectMode[_]
    input.ReqMap.parent == STRING
    input.Qs.certificateId == STRING
    # Selects a specific CA in the pool to sign the certificate.
    input.Qs.issuingCertificateAuthorityId == STRING
    input.Qs.requestId == STRING
    # NOTE(review): presumably a dry run that validates without issuing --
    # confirm before treating such requests differently.
    input.Qs.validateOnly == BOOLEAN
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificates.get

# Input template for reading one issued certificate. Only the resource name
# and the region are exposed to a policy.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificates.list

# Input template for listing issued certificates under a parent resource.
# The paging and filtering inputs arrive under input.Qs.
valid {
    input.ReqMap.parent == STRING
    input.Qs.filter == STRING
    input.Qs.orderBy == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificates.patch

# Input template for updating an issued certificate. The body mirrors the
# whole certificate resource. NOTE(review): upstream appears to allow only
# labels to change on an issued certificate, so most Body lines below describe
# schema rather than values that can take effect -- confirm.
enum_CertificateSubjectMode := [ "SUBJECT_REQUEST_MODE_UNSPECIFIED", "DEFAULT", "REFLECTED_SPIFFE" ]
enum_PublicKeyFormat := [ "KEY_FORMAT_UNSPECIFIED", "PEM" ]

valid {
    input.Body.certificateTemplate == STRING
    # Public key and subject distinguished name.
    input.Body.config.publicKey.format == enum_PublicKeyFormat[_]
    input.Body.config.publicKey.key == STRING
    input.Body.config.subjectConfig.subject.commonName == STRING
    input.Body.config.subjectConfig.subject.countryCode == STRING
    input.Body.config.subjectConfig.subject.locality == STRING
    input.Body.config.subjectConfig.subject.organization == STRING
    input.Body.config.subjectConfig.subject.organizationalUnit == STRING
    input.Body.config.subjectConfig.subject.postalCode == STRING
    input.Body.config.subjectConfig.subject.province == STRING
    input.Body.config.subjectConfig.subject.streetAddress == STRING
    # Subject alternative names.
    input.Body.config.subjectConfig.subjectAltName.customSans[_].critical == BOOLEAN
    input.Body.config.subjectConfig.subjectAltName.customSans[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.subjectConfig.subjectAltName.customSans[_].value == STRING
    input.Body.config.subjectConfig.subjectAltName.dnsNames[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.emailAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.ipAddresses[_] == STRING
    input.Body.config.subjectConfig.subjectAltName.uris[_] == STRING
    input.Body.config.subjectKeyId.keyId == STRING
    # X.509 extensions: custom OIDs, OCSP servers, basic constraints.
    input.Body.config.x509Config.additionalExtensions[_].critical == BOOLEAN
    input.Body.config.x509Config.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.config.x509Config.additionalExtensions[_].value == STRING
    input.Body.config.x509Config.aiaOcspServers[_] == STRING
    input.Body.config.x509Config.caOptions.isCa == BOOLEAN
    input.Body.config.x509Config.caOptions.maxIssuerPathLength == INTEGER
    # Key usage bits and extended key usages.
    input.Body.config.x509Config.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.config.x509Config.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.config.x509Config.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.config.x509Config.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Name constraints.
    input.Body.config.x509Config.nameConstraints.critical == BOOLEAN
    input.Body.config.x509Config.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.excludedUris[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.config.x509Config.nameConstraints.permittedUris[_] == STRING
    input.Body.config.x509Config.policyIds[_].objectIdPath[_] == INTEGER
    # The STRING in key position presumably stands for an arbitrary label name.
    input.Body.labels.STRING == STRING
    input.Body.lifetime == STRING
    input.Body.name == STRING
    input.Body.pemCsr == STRING
    input.Body.subjectMode == enum_CertificateSubjectMode[_]
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    # Names the fields the update applies to.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.certificates.revoke

# Input template for revoking an issued certificate.
#
# Accepted revocation reasons. REVOCATION_REASON_UNSPECIFIED is in the list; a
# policy that wants an auditable reason on every revocation should compare
# against a subset that leaves it out.
enum_RevokeCertificateRequestReason := [ "REVOCATION_REASON_UNSPECIFIED", "KEY_COMPROMISE", "CERTIFICATE_AUTHORITY_COMPROMISE", "AFFILIATION_CHANGED", "SUPERSEDED", "CESSATION_OF_OPERATION", "CERTIFICATE_HOLD", "PRIVILEGE_WITHDRAWN", "ATTRIBUTE_AUTHORITY_COMPROMISE" ]

valid {
    input.Body.reason == enum_RevokeCertificateRequestReason[_]
    input.Body.requestId == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.create

# Input template for creating a CA pool, including the issuance policy that
# governs every certificate later issued from it. The template lists field
# types only; the security-relevant part is the values, which a rule built
# from it has to constrain.
#
# NOTE(review): the tiers appear to differ upstream in how issued
# certificates are tracked and revoked -- confirm before allowing DEVOPS.
enum_CaPoolTier := [ "TIER_UNSPECIFIED", "ENTERPRISE", "DEVOPS" ]
enum_CertificateExtensionConstraintsKnownExtensions := [ "KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED", "BASE_KEY_USAGE", "EXTENDED_KEY_USAGE", "CA_OPTIONS", "POLICY_IDS", "AIA_OCSP_SERVERS", "NAME_CONSTRAINTS" ]
enum_EcKeyTypeSignatureAlgorithm := [ "EC_SIGNATURE_ALGORITHM_UNSPECIFIED", "ECDSA_P256", "ECDSA_P384", "EDDSA_25519" ]
enum_PublishingOptionsEncodingFormat := [ "ENCODING_FORMAT_UNSPECIFIED", "PEM", "DER" ]

valid {
    # Which request styles the pool accepts: field-based config and/or CSR.
    input.Body.issuancePolicy.allowedIssuanceModes.allowConfigBasedIssuance == BOOLEAN
    input.Body.issuancePolicy.allowedIssuanceModes.allowCsrBasedIssuance == BOOLEAN
    # Accepted key types. The RSA modulus bounds are typed STRING here, so a
    # minimum-size rule must convert (e.g. to_number) before comparing;
    # comparing the strings directly orders them lexically.
    input.Body.issuancePolicy.allowedKeyTypes[_].ellipticCurve.signatureAlgorithm == enum_EcKeyTypeSignatureAlgorithm[_]
    input.Body.issuancePolicy.allowedKeyTypes[_].rsa.maxModulusSize == STRING
    input.Body.issuancePolicy.allowedKeyTypes[_].rsa.minModulusSize == STRING
    # Baseline X.509 values for certificates issued from the pool.
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].critical == BOOLEAN
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].value == STRING
    input.Body.issuancePolicy.baselineValues.aiaOcspServers[_] == STRING
    # A baseline isCa value decides whether issued certificates are CAs;
    # check the value for pools meant for leaf certificates.
    input.Body.issuancePolicy.baselineValues.caOptions.isCa == BOOLEAN
    input.Body.issuancePolicy.baselineValues.caOptions.maxIssuerPathLength == INTEGER
    # Baseline key usage bits and extended key usages.
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Baseline name constraints.
    input.Body.issuancePolicy.baselineValues.nameConstraints.critical == BOOLEAN
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedUris[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedUris[_] == STRING
    input.Body.issuancePolicy.baselineValues.policyIds[_].objectIdPath[_] == INTEGER
    # Identity constraints. The two passthrough flags decide whether the
    # subject and SANs supplied by the requester are carried into the issued
    # certificate; celExpression is the expression that restricts them.
    # A pool with passthrough enabled and no expression accepts whatever
    # identity the requester asks for, so these values deserve a real check.
    input.Body.issuancePolicy.identityConstraints.allowSubjectAltNamesPassthrough == BOOLEAN
    input.Body.issuancePolicy.identityConstraints.allowSubjectPassthrough == BOOLEAN
    input.Body.issuancePolicy.identityConstraints.celExpression.description == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.expression == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.location == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.title == STRING
    # Upper bound on certificate lifetime; typed STRING, so parse before
    # comparing.
    input.Body.issuancePolicy.maximumLifetime == STRING
    # Extensions a requester may carry through from the request.
    input.Body.issuancePolicy.passthroughExtensions.additionalExtensions[_].objectIdPath[_] == INTEGER
    input.Body.issuancePolicy.passthroughExtensions.knownExtensions[_] == enum_CertificateExtensionConstraintsKnownExtensions[_]
    # The STRING in key position presumably stands for an arbitrary label name.
    input.Body.labels.STRING == STRING
    input.Body.name == STRING
    # Publication of the CA certificate and CRL; relying parties depend on
    # publishCrl for revocation checking.
    input.Body.publishingOptions.encodingFormat == enum_PublishingOptionsEncodingFormat[_]
    input.Body.publishingOptions.publishCaCert == BOOLEAN
    input.Body.publishingOptions.publishCrl == BOOLEAN
    input.Body.tier == enum_CaPoolTier[_]
    input.ReqMap.parent == STRING
    input.Qs.caPoolId == STRING
    input.Qs.requestId == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.delete

# Input template for deleting a CA pool.
valid {
    input.ReqMap.name == STRING
    # Lets the deletion proceed although resources still depend on the pool;
    # compare the value, not just the type, if that should be prevented.
    input.Qs.ignoreDependentResources == BOOLEAN
    input.Qs.requestId == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.fetchCaCerts

# Input template for fetching the CA certificates of a CA pool. The pool is
# identified by input.ReqMap.caPool rather than a `name` field.
valid {
    input.Body.requestId == STRING
    input.ReqMap.caPool == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.get

# Input template for reading one CA pool. Only the resource name and the
# region are exposed to a policy.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.getIamPolicy

# Input template for reading the IAM policy attached to a CA pool.
valid {
    input.ReqMap.resource == STRING
    # Requested policy format version. NOTE(review): in Google Cloud IAM,
    # conditional bindings are represented from version 3 on -- confirm before
    # pinning a lower value in a rule.
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.list

# Input template for listing CA pools under a parent resource. The paging and
# filtering inputs arrive under input.Qs.
valid {
    input.ReqMap.parent == STRING
    input.Qs.filter == STRING
    input.Qs.orderBy == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.patch

enum_CaPoolTier := [ "TIER_UNSPECIFIED", "ENTERPRISE", "DEVOPS" ]
enum_CertificateExtensionConstraintsKnownExtensions := [ "KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED", "BASE_KEY_USAGE", "EXTENDED_KEY_USAGE", "CA_OPTIONS", "POLICY_IDS", "AIA_OCSP_SERVERS", "NAME_CONSTRAINTS" ]
enum_EcKeyTypeSignatureAlgorithm := [ "EC_SIGNATURE_ALGORITHM_UNSPECIFIED", "ECDSA_P256", "ECDSA_P384", "EDDSA_25519" ]
enum_PublishingOptionsEncodingFormat := [ "ENCODING_FORMAT_UNSPECIFIED", "PEM", "DER" ]

# Request-field template for a CA pool update. The method header is above this excerpt;
# the issuancePolicy / tier / publishingOptions body plus Qs.updateMask suggest
# caPools.patch — TODO confirm.
# Each line compares one input path with a placeholder (STRING, INTEGER, BOOLEAN) or an enum list.
# NOTE(review): the placeholders are not Rego built-ins, so this is a template rather than a
# runnable rule. Rule-body lines are ANDed and a missing path is undefined, so keep only the
# fields you want to constrain and replace each placeholder with a value or a type check
# such as is_string(...).
valid {
    # Which issuance modes and key types the pool accepts.
    input.Body.issuancePolicy.allowedIssuanceModes.allowConfigBasedIssuance == BOOLEAN
    input.Body.issuancePolicy.allowedIssuanceModes.allowCsrBasedIssuance == BOOLEAN
    input.Body.issuancePolicy.allowedKeyTypes[_].ellipticCurve.signatureAlgorithm == enum_EcKeyTypeSignatureAlgorithm[_]
    # Modulus sizes are typed STRING here; a numeric floor or ceiling needs to_number(...) first.
    input.Body.issuancePolicy.allowedKeyTypes[_].rsa.maxModulusSize == STRING
    input.Body.issuancePolicy.allowedKeyTypes[_].rsa.minModulusSize == STRING
    # baselineValues: X.509 extension values set by the pool's issuance policy.
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].critical == BOOLEAN
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.issuancePolicy.baselineValues.additionalExtensions[_].value == STRING
    input.Body.issuancePolicy.baselineValues.aiaOcspServers[_] == STRING
    # NOTE(review): isCa and keyUsage.baseKeyUsage.certSign presumably decide whether issued
    # certificates can themselves sign certificates — obvious fields to pin; verify against the API reference.
    input.Body.issuancePolicy.baselineValues.caOptions.isCa == BOOLEAN
    input.Body.issuancePolicy.baselineValues.caOptions.maxIssuerPathLength == INTEGER
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.issuancePolicy.baselineValues.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Each `[_]` below matches "some element"; a rule that must hold for every listed name
    # needs an explicit universal check (for example a negated existential), not this form.
    input.Body.issuancePolicy.baselineValues.nameConstraints.critical == BOOLEAN
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.excludedUris[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.issuancePolicy.baselineValues.nameConstraints.permittedUris[_] == STRING
    input.Body.issuancePolicy.baselineValues.policyIds[_].objectIdPath[_] == INTEGER
    # NOTE(review): the two passthrough flags presumably let requester-supplied subject / SAN
    # values reach the issued certificate — confirm against the Private CA API reference.
    input.Body.issuancePolicy.identityConstraints.allowSubjectAltNamesPassthrough == BOOLEAN
    input.Body.issuancePolicy.identityConstraints.allowSubjectPassthrough == BOOLEAN
    input.Body.issuancePolicy.identityConstraints.celExpression.description == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.expression == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.location == STRING
    input.Body.issuancePolicy.identityConstraints.celExpression.title == STRING
    input.Body.issuancePolicy.maximumLifetime == STRING
    input.Body.issuancePolicy.passthroughExtensions.additionalExtensions[_].objectIdPath[_] == INTEGER
    input.Body.issuancePolicy.passthroughExtensions.knownExtensions[_] == enum_CertificateExtensionConstraintsKnownExtensions[_]
    # `labels.STRING` stands for an arbitrary label key; as literal Rego it would look up a
    # key named "STRING" — use input.Body.labels[k] to range over keys.
    input.Body.labels.STRING == STRING
    input.Body.name == STRING
    input.Body.publishingOptions.encodingFormat == enum_PublishingOptionsEncodingFormat[_]
    input.Body.publishingOptions.publishCaCert == BOOLEAN
    input.Body.publishingOptions.publishCrl == BOOLEAN
    # enum_CaPoolTier is not defined in this excerpt.
    input.Body.tier == enum_CaPoolTier[_]
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    # NOTE(review): updateMask presumably selects which Body fields the update applies, so a
    # guardrail that inspects Body alone may want to look at the mask too — verify.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.setIamPolicy

# Log types an auditLogConfigs entry in the submitted policy may name.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

# Request-field template for setIamPolicy on a CA pool: one line per input path, compared
# with a placeholder (STRING, INTEGER) or the enum list above. The placeholders are not
# Rego built-ins; replace them with concrete values or type checks before use.
# NOTE(review): every `[_]` is an independent "some element" match, so the `role` line and
# the `members[_]` line can be satisfied by two different bindings. A guardrail that must
# tie a role to a member should bind once (`b := input.Body.policy.bindings[_]`) and test
# `b.role` and `b.members[_]` on that same `b`.
valid {
    # Audit-log exemptions: per the IAM Policy API, exemptedMembers are not logged for the
    # given logType — worth constraining alongside bindings (confirm against the API reference).
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Role bindings and their condition block (expression text is presumably CEL — verify).
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    # Per the IAM API, updateMask names which policy fields the call modifies.
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.caPools.testIamPermissions

# Request-field template for testIamPermissions on a CA pool: the permissions being
# probed, the target resource and the region, each against a STRING placeholder.
# `permissions[_]` matches if some listed permission equals the value, not all of them.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.certificateRevocationLists.getIamPolicy

# Request-field template for getIamPolicy on a certificate revocation list (the
# locations.certificateAuthorities path): the resource whose policy is read, the requested
# policy version (INTEGER placeholder) and the region.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.certificateRevocationLists.setIamPolicy

# Log types an auditLogConfigs entry in the submitted policy may name.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

# Request-field template for setIamPolicy on a certificate revocation list (the
# locations.certificateAuthorities path). STRING / INTEGER are placeholders, not Rego
# built-ins; replace them with concrete values or type checks before use.
# NOTE(review): each `[_]` matches "some element" independently, so the `role` and
# `members[_]` lines may be satisfied by different bindings. Bind the binding once
# (`b := input.Body.policy.bindings[_]`) when a role must be tied to a member.
valid {
    # Per the IAM Policy API, exemptedMembers are not logged for the given logType —
    # confirm against the API reference before relying on it.
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Role bindings and their condition block.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    # Per the IAM API, updateMask names which policy fields the call modifies.
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.certificateRevocationLists.testIamPermissions

# Request-field template for testIamPermissions on a certificate revocation list (the
# locations.certificateAuthorities path): permissions probed, target resource, region.
# `permissions[_]` matches if some listed permission equals the value, not all of them.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.getIamPolicy

# Request-field template for getIamPolicy on a certificate authority: the resource whose
# policy is read, the requested policy version (INTEGER placeholder) and the region.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.setIamPolicy

# Log types an auditLogConfigs entry in the submitted policy may name.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

# Request-field template for setIamPolicy on a certificate authority. STRING / INTEGER are
# placeholders, not Rego built-ins; replace them with concrete values or type checks.
# NOTE(review): each `[_]` matches "some element" independently, so the `role` and
# `members[_]` lines may be satisfied by different bindings. Bind the binding once
# (`b := input.Body.policy.bindings[_]`) when a role must be tied to a member.
valid {
    # Per the IAM Policy API, exemptedMembers are not logged for the given logType —
    # confirm against the API reference before relying on it.
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Role bindings and their condition block.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    # Per the IAM API, updateMask names which policy fields the call modifies.
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateAuthorities.testIamPermissions

# Request-field template for testIamPermissions on a certificate authority: permissions
# probed, target resource and region, each against a STRING placeholder.
# `permissions[_]` matches if some listed permission equals the value, not all of them.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.create

# Extension kinds that passthroughExtensions.knownExtensions may list.
enum_CertificateExtensionConstraintsKnownExtensions := [ "KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED", "BASE_KEY_USAGE", "EXTENDED_KEY_USAGE", "CA_OPTIONS", "POLICY_IDS", "AIA_OCSP_SERVERS", "NAME_CONSTRAINTS" ]

# Request-field template for certificateTemplates.create: one line per input path, compared
# with a placeholder (STRING, INTEGER, BOOLEAN) or the enum list above.
# NOTE(review): the placeholders are not Rego built-ins, so this is a template rather than a
# runnable rule. Rule-body lines are ANDed and a missing path is undefined, so keep only the
# fields you want to constrain and replace each placeholder with a value or a type check.
valid {
    input.Body.description == STRING
    # NOTE(review): the two passthrough flags presumably let requester-supplied subject / SAN
    # values reach the issued certificate — confirm against the Private CA API reference.
    input.Body.identityConstraints.allowSubjectAltNamesPassthrough == BOOLEAN
    input.Body.identityConstraints.allowSubjectPassthrough == BOOLEAN
    input.Body.identityConstraints.celExpression.description == STRING
    input.Body.identityConstraints.celExpression.expression == STRING
    input.Body.identityConstraints.celExpression.location == STRING
    input.Body.identityConstraints.celExpression.title == STRING
    # `labels.STRING` stands for an arbitrary label key; as literal Rego it would look up a
    # key named "STRING" — use input.Body.labels[k] to range over keys.
    input.Body.labels.STRING == STRING
    input.Body.maximumLifetime == STRING
    input.Body.name == STRING
    input.Body.passthroughExtensions.additionalExtensions[_].objectIdPath[_] == INTEGER
    input.Body.passthroughExtensions.knownExtensions[_] == enum_CertificateExtensionConstraintsKnownExtensions[_]
    # predefinedValues: X.509 extension values carried by the template.
    input.Body.predefinedValues.additionalExtensions[_].critical == BOOLEAN
    input.Body.predefinedValues.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.predefinedValues.additionalExtensions[_].value == STRING
    input.Body.predefinedValues.aiaOcspServers[_] == STRING
    # NOTE(review): isCa and keyUsage.baseKeyUsage.certSign presumably decide whether issued
    # certificates can themselves sign certificates — obvious fields to pin; verify.
    input.Body.predefinedValues.caOptions.isCa == BOOLEAN
    input.Body.predefinedValues.caOptions.maxIssuerPathLength == INTEGER
    input.Body.predefinedValues.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.predefinedValues.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Each `[_]` below matches "some element"; a rule that must hold for every listed name
    # needs an explicit universal check, not this form.
    input.Body.predefinedValues.nameConstraints.critical == BOOLEAN
    input.Body.predefinedValues.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedUris[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedUris[_] == STRING
    input.Body.predefinedValues.policyIds[_].objectIdPath[_] == INTEGER
    input.ReqMap.parent == STRING
    input.Qs.certificateTemplateId == STRING
    input.Qs.requestId == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.delete

# Request-field template for certificateTemplates.delete: the template name, the
# requestId query parameter and the region, each against a STRING placeholder.
valid {
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.get

# Request-field template for certificateTemplates.get: the template name and the region.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.getIamPolicy

# Request-field template for getIamPolicy on a certificate template: the resource whose
# policy is read, the requested policy version (INTEGER placeholder) and the region.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.list

# Request-field template for certificateTemplates.list: the parent path plus the filter,
# ordering and paging query parameters, and the region.
# Rule-body lines are ANDed, so as written every query parameter must be present.
valid {
    input.ReqMap.parent == STRING
    input.Qs.filter == STRING
    input.Qs.orderBy == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.patch

# Extension kinds that passthroughExtensions.knownExtensions may list.
enum_CertificateExtensionConstraintsKnownExtensions := [ "KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED", "BASE_KEY_USAGE", "EXTENDED_KEY_USAGE", "CA_OPTIONS", "POLICY_IDS", "AIA_OCSP_SERVERS", "NAME_CONSTRAINTS" ]

# Request-field template for certificateTemplates.patch: one line per input path, compared
# with a placeholder (STRING, INTEGER, BOOLEAN) or the enum list above.
# NOTE(review): the placeholders are not Rego built-ins, so this is a template rather than a
# runnable rule. Rule-body lines are ANDed and a missing path is undefined, so keep only the
# fields you want to constrain and replace each placeholder with a value or a type check.
valid {
    input.Body.description == STRING
    # NOTE(review): the two passthrough flags presumably let requester-supplied subject / SAN
    # values reach the issued certificate — confirm against the Private CA API reference.
    input.Body.identityConstraints.allowSubjectAltNamesPassthrough == BOOLEAN
    input.Body.identityConstraints.allowSubjectPassthrough == BOOLEAN
    input.Body.identityConstraints.celExpression.description == STRING
    input.Body.identityConstraints.celExpression.expression == STRING
    input.Body.identityConstraints.celExpression.location == STRING
    input.Body.identityConstraints.celExpression.title == STRING
    # `labels.STRING` stands for an arbitrary label key; as literal Rego it would look up a
    # key named "STRING" — use input.Body.labels[k] to range over keys.
    input.Body.labels.STRING == STRING
    input.Body.maximumLifetime == STRING
    input.Body.name == STRING
    input.Body.passthroughExtensions.additionalExtensions[_].objectIdPath[_] == INTEGER
    input.Body.passthroughExtensions.knownExtensions[_] == enum_CertificateExtensionConstraintsKnownExtensions[_]
    # predefinedValues: X.509 extension values carried by the template.
    input.Body.predefinedValues.additionalExtensions[_].critical == BOOLEAN
    input.Body.predefinedValues.additionalExtensions[_].objectId.objectIdPath[_] == INTEGER
    input.Body.predefinedValues.additionalExtensions[_].value == STRING
    input.Body.predefinedValues.aiaOcspServers[_] == STRING
    # NOTE(review): isCa and keyUsage.baseKeyUsage.certSign presumably decide whether issued
    # certificates can themselves sign certificates — obvious fields to pin; verify.
    input.Body.predefinedValues.caOptions.isCa == BOOLEAN
    input.Body.predefinedValues.caOptions.maxIssuerPathLength == INTEGER
    input.Body.predefinedValues.keyUsage.baseKeyUsage.certSign == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.contentCommitment == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.crlSign == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.dataEncipherment == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.decipherOnly == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.digitalSignature == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.encipherOnly == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.keyAgreement == BOOLEAN
    input.Body.predefinedValues.keyUsage.baseKeyUsage.keyEncipherment == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.clientAuth == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.codeSigning == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.emailProtection == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.ocspSigning == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.serverAuth == BOOLEAN
    input.Body.predefinedValues.keyUsage.extendedKeyUsage.timeStamping == BOOLEAN
    input.Body.predefinedValues.keyUsage.unknownExtendedKeyUsages[_].objectIdPath[_] == INTEGER
    # Each `[_]` below matches "some element"; a rule that must hold for every listed name
    # needs an explicit universal check, not this form.
    input.Body.predefinedValues.nameConstraints.critical == BOOLEAN
    input.Body.predefinedValues.nameConstraints.excludedDnsNames[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedEmailAddresses[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedIpRanges[_] == STRING
    input.Body.predefinedValues.nameConstraints.excludedUris[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedDnsNames[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedEmailAddresses[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedIpRanges[_] == STRING
    input.Body.predefinedValues.nameConstraints.permittedUris[_] == STRING
    input.Body.predefinedValues.policyIds[_].objectIdPath[_] == INTEGER
    input.ReqMap.name == STRING
    input.Qs.requestId == STRING
    # NOTE(review): updateMask presumably selects which Body fields the patch applies, so a
    # guardrail that inspects Body alone may want to look at the mask too — verify.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.setIamPolicy

# Log types an auditLogConfigs entry in the submitted policy may name.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

# Request-field template for setIamPolicy on a certificate template. STRING / INTEGER are
# placeholders, not Rego built-ins; replace them with concrete values or type checks.
# NOTE(review): each `[_]` matches "some element" independently, so the `role` and
# `members[_]` lines may be satisfied by different bindings. Bind the binding once
# (`b := input.Body.policy.bindings[_]`) when a role must be tied to a member.
valid {
    # Per the IAM Policy API, exemptedMembers are not logged for the given logType —
    # confirm against the API reference before relying on it.
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Role bindings and their condition block.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    # Per the IAM API, updateMask names which policy fields the call modifies.
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.certificateTemplates.testIamPermissions

# Request-field template for testIamPermissions on a certificate template: permissions
# probed, target resource and region, each against a STRING placeholder.
# `permissions[_]` matches if some listed permission equals the value, not all of them.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.get

# Request-field template for locations.get: the location name and the region.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.list

# Request-field template for locations.list: the name path parameter, the filter and
# paging query parameters, and the region.
# Rule-body lines are ANDed, so as written every query parameter must be present.
valid {
    input.ReqMap.name == STRING
    input.Qs.filter == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.operations.cancel

# Request-field template for operations.cancel: a free-form body, the operation name
# and the region.
valid {
    # `Body.STRING` stands for an arbitrary body key; as literal Rego it would look up a
    # key named "STRING" — use input.Body[k] to range over keys.
    input.Body.STRING == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.operations.delete

# Request-field template for operations.delete: the operation name and the region.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.operations.get

# Request-field template for operations.get: the operation name and the region.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.operations.list

# Request-field template for operations.list: the name path parameter, the filter and
# paging query parameters, and the region.
# Rule-body lines are ANDed, so as written every query parameter must be present.
valid {
    input.ReqMap.name == STRING
    input.Qs.filter == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.reusableConfigs.getIamPolicy

# Request-field template for getIamPolicy on a reusable config: the resource whose
# policy is read, the requested policy version (INTEGER placeholder) and the region.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.reusableConfigs.setIamPolicy

# Log types an auditLogConfigs entry in the submitted policy may name.
enum_AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

# Request-field template for setIamPolicy on a reusable config. STRING / INTEGER are
# placeholders, not Rego built-ins; replace them with concrete values or type checks.
# NOTE(review): each `[_]` matches "some element" independently, so the `role` and
# `members[_]` lines may be satisfied by different bindings. Bind the binding once
# (`b := input.Body.policy.bindings[_]`) when a role must be tied to a member.
valid {
    # Per the IAM Policy API, exemptedMembers are not logged for the given logType —
    # confirm against the API reference before relying on it.
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    # Role bindings and their condition block.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    # Per the IAM API, updateMask names which policy fields the call modifies.
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

privateca.projects.locations.reusableConfigs.testIamPermissions

# Request-field template for testIamPermissions on a reusable config: permissions
# probed, target resource and region, each against a STRING placeholder.
# `permissions[_]` matches if some listed permission equals the value, not all of them.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}