From 49f575833aa4b5daa1f588fd261abe8dba344267 Mon Sep 17 00:00:00 2001 From: Google APIs Date: Thu, 12 Jan 2023 14:27:12 -0800 Subject: [PATCH] docs: Brand and typo fixes feat: Policy Analyzer for Organization Policy is publicly available PiperOrigin-RevId: 501667569 --- google/cloud/asset/v1/asset_service.proto | 1173 +++++++++++++---- google/cloud/asset/v1/assets.proto | 90 +- google/cloud/asset/v1/cloudasset_v1.yaml | 12 +- .../cloud/asset/v1p1beta1/asset_service.proto | 109 +- google/cloud/asset/v1p1beta1/assets.proto | 36 +- .../asset/v1p1beta1/cloudasset_v1p1beta1.yaml | 13 +- .../cloudasset_grpc_service_config.json | 8 + .../cloud/asset/v1p5beta1/asset_service.proto | 75 +- google/cloud/asset/v1p5beta1/assets.proto | 108 +- .../asset/v1p5beta1/cloudasset_v1p5beta1.yaml | 19 +- .../cloud/asset/v1p7beta1/asset_service.proto | 21 +- google/cloud/asset/v1p7beta1/assets.proto | 19 +- .../asset/v1p7beta1/cloudasset_v1p7beta1.yaml | 18 +- 13 files changed, 1215 insertions(+), 486 deletions(-) diff --git a/google/cloud/asset/v1/asset_service.proto b/google/cloud/asset/v1/asset_service.proto index 9e13d0662..8539dc0f5 100644 --- a/google/cloud/asset/v1/asset_service.proto +++ b/google/cloud/asset/v1/asset_service.proto 
@@ -41,18 +41,20 @@ option php_namespace = "Google\\Cloud\\Asset\\V1";
 // Asset service definition.
 service AssetService {
   option (google.api.default_host) = "cloudasset.googleapis.com";
-  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
 
   // Exports assets with time and resource types to a given Cloud Storage
   // location/BigQuery table. For Cloud Storage location destinations, the
   // output format is newline-delimited JSON. Each line represents a
-  // [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON format; for BigQuery table
-  // destinations, the output table stores the fields in asset Protobuf as
-  // columns. This API implements the [google.longrunning.Operation][google.longrunning.Operation] API,
-  // which allows you to keep track of the export. We recommend intervals of at
-  // least 2 seconds with exponential retry to poll the export operation result.
-  // For regular-size resource parent, the export operation usually finishes
-  // within 5 minutes.
+  // [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON
+  // format; for BigQuery table destinations, the output table stores the fields
+  // in asset Protobuf as columns. This API implements the
+  // [google.longrunning.Operation][google.longrunning.Operation] API, which
+  // allows you to keep track of the export. We recommend intervals of at least
+  // 2 seconds with exponential retry to poll the export operation result. For
+  // regular-size resource parent, the export operation usually finishes within
+  // 5 minutes.
   rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) {
     option (google.api.http) = {
       post: "/v1/{parent=*/*}:exportAssets"
@@ -80,7 +82,8 @@ service AssetService {
   // deleted status.
   // If a specified asset does not exist, this API returns an INVALID_ARGUMENT
   // error.
-  rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest) returns (BatchGetAssetsHistoryResponse) {
+  rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest)
+      returns (BatchGetAssetsHistoryResponse) {
     option (google.api.http) = {
       get: "/v1/{parent=*/*}:batchGetAssetsHistory"
     };
@@ -129,11 +132,12 @@ service AssetService {
     option (google.api.method_signature) = "name";
   }
 
-  // Searches all Cloud resources within the specified scope, such as a project,
-  // folder, or organization. The caller must be granted the
+  // Searches all Google Cloud resources within the specified scope, such as a
+  // project, folder, or organization. The caller must be granted the
   // `cloudasset.assets.searchAllResources` permission on the desired scope,
   // otherwise the request will be rejected.
-  rpc SearchAllResources(SearchAllResourcesRequest) returns (SearchAllResourcesResponse) {
+  rpc SearchAllResources(SearchAllResourcesRequest)
+      returns (SearchAllResourcesResponse) {
     option (google.api.http) = {
       get: "/v1/{scope=*/*}:searchAllResources"
     };
@@ -144,7 +148,8 @@ service AssetService {
   // folder, or organization. The caller must be granted the
   // `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
   // otherwise the request will be rejected.
-  rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest) returns (SearchAllIamPoliciesResponse) {
+  rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest)
+      returns (SearchAllIamPoliciesResponse) {
     option (google.api.http) = {
       get: "/v1/{scope=*/*}:searchAllIamPolicies"
     };
@@ -153,7 +158,8 @@ service AssetService {
 
   // Analyzes IAM policies to answer which identities have what accesses on
   // which resources.
-  rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) {
+  rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest)
+      returns (AnalyzeIamPolicyResponse) {
     option (google.api.http) = {
       get: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicy"
     };
@@ -163,12 +169,14 @@ service AssetService {
   // accesses on which resources, and writes the analysis results to a Google
   // Cloud Storage or a BigQuery destination. For Cloud Storage destination, the
   // output format is the JSON format that represents a
-  // [AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse]. This method implements the
-  // [google.longrunning.Operation][google.longrunning.Operation], which allows you to track the operation
-  // status. We recommend intervals of at least 2 seconds with exponential
-  // backoff retry to poll the operation result. The metadata contains the
-  // metadata for the long-running operation.
-  rpc AnalyzeIamPolicyLongrunning(AnalyzeIamPolicyLongrunningRequest) returns (google.longrunning.Operation) {
+  // [AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse].
+  // This method implements the
+  // [google.longrunning.Operation][google.longrunning.Operation], which allows
+  // you to track the operation status. We recommend intervals of at least 2
+  // seconds with exponential backoff retry to poll the operation result. The
+  // metadata contains the metadata for the long-running operation.
+  rpc AnalyzeIamPolicyLongrunning(AnalyzeIamPolicyLongrunningRequest)
+      returns (google.longrunning.Operation) {
     option (google.api.http) = {
       post: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicyLongrunning"
       body: "*"
@@ -229,7 +237,8 @@ service AssetService {
   }
 
   // Lists all saved queries in a parent project/folder/organization.
-  rpc ListSavedQueries(ListSavedQueriesRequest) returns (ListSavedQueriesResponse) {
+  rpc ListSavedQueries(ListSavedQueriesRequest)
+      returns (ListSavedQueriesResponse) {
     option (google.api.http) = {
       get: "/v1/{parent=*/*}/savedQueries"
     };
@@ -246,7 +255,8 @@ service AssetService {
   }
 
   // Deletes a saved query.
-  rpc DeleteSavedQuery(DeleteSavedQueryRequest) returns (google.protobuf.Empty) {
+  rpc DeleteSavedQuery(DeleteSavedQueryRequest)
+      returns (google.protobuf.Empty) {
     option (google.api.http) = {
       delete: "/v1/{name=*/*/savedQueries/*}"
     };
@@ -254,18 +264,67 @@ service AssetService {
   }
 
   // Gets effective IAM policies for a batch of resources.
-  rpc BatchGetEffectiveIamPolicies(BatchGetEffectiveIamPoliciesRequest) returns (BatchGetEffectiveIamPoliciesResponse) {
+  rpc BatchGetEffectiveIamPolicies(BatchGetEffectiveIamPoliciesRequest)
+      returns (BatchGetEffectiveIamPoliciesResponse) {
     option (google.api.http) = {
       get: "/v1/{scope=*/*}/effectiveIamPolicies:batchGet"
     };
   }
+
+  // Analyzes organization policies under a scope.
+  rpc AnalyzeOrgPolicies(AnalyzeOrgPoliciesRequest)
+      returns (AnalyzeOrgPoliciesResponse) {
+    option (google.api.http) = {
+      get: "/v1/{scope=*/*}:analyzeOrgPolicies"
+    };
+    option (google.api.method_signature) = "scope,constraint,filter";
+  }
+
+  // Analyzes organization policies governed containers (projects, folders or
+  // organization) under a scope.
+  rpc AnalyzeOrgPolicyGovernedContainers(
+      AnalyzeOrgPolicyGovernedContainersRequest)
+      returns (AnalyzeOrgPolicyGovernedContainersResponse) {
+    option (google.api.http) = {
+      get: "/v1/{scope=*/*}:analyzeOrgPolicyGovernedContainers"
+    };
+    option (google.api.method_signature) = "scope,constraint,filter";
+  }
+
+  // Analyzes organization policies governed assets (Google Cloud resources or
+  // policies) under a scope. This RPC supports custom constraints and the
+  // following 10 canned constraints:
+  //
+  // * storage.uniformBucketLevelAccess
+  // * iam.disableServiceAccountKeyCreation
+  // * iam.allowedPolicyMemberDomains
+  // * compute.vmExternalIpAccess
+  // * appengine.enforceServiceAccountActAsCheck
+  // * gcp.resourceLocations
+  // * compute.trustedImageProjects
+  // * compute.skipDefaultNetworkCreation
+  // * compute.requireOsLogin
+  // * compute.disableNestedVirtualization
+  //
+  // This RPC only returns either resources of types supported by [searchable
+  // asset
+  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types),
+  // or IAM policies.
+  rpc AnalyzeOrgPolicyGovernedAssets(AnalyzeOrgPolicyGovernedAssetsRequest)
+      returns (AnalyzeOrgPolicyGovernedAssetsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{scope=*/*}:analyzeOrgPolicyGovernedAssets"
+    };
+    option (google.api.method_signature) = "scope,constraint,filter";
+  }
 }
 
 // Represents the metadata of the longrunning operation for the
-// AnalyzeIamPolicyLongrunning rpc.
+// AnalyzeIamPolicyLongrunning RPC.
 message AnalyzeIamPolicyLongrunningMetadata {
   // Output only. The time the operation was created.
-  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp create_time = 1
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Export asset request.
@@ -312,7 +371,8 @@ message ExportAssetsRequest {
   // returned.
   ContentType content_type = 4;
 
-  // Required. Output configuration indicating where the results will be output to.
+  // Required. Output configuration indicating where the results will be output
+  // to.
   OutputConfig output_config = 5 [(google.api.field_behavior) = REQUIRED];
 
   // A list of relationship types to export, for example:
@@ -334,8 +394,10 @@ message ExportAssetsRequest {
 }
 
 // The export asset response. This message is returned by the
-// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation] method in the returned
-// [google.longrunning.Operation.response][google.longrunning.Operation.response] field.
+// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation]
+// method in the returned
+// [google.longrunning.Operation.response][google.longrunning.Operation.response]
+// field.
 message ExportAssetsResponse {
   // Time the snapshot was taken.
   google.protobuf.Timestamp read_time = 1;
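Review bot: The doc comments on the three new RPCs (`AnalyzeOrgPolicies`, `AnalyzeOrgPolicyGovernedContainers`, `AnalyzeOrgPolicyGovernedAssets`) do not state which permission the caller must hold on `scope` or which `scope` formats are accepted, whereas the neighbouring `SearchAllResources`/`SearchAllIamPolicies` comments spell out the `cloudasset.assets.*` permission and that the request is rejected otherwise. These RPCs expose organization-policy posture for every project and folder under the scope, so operators granting least-privilege access need that contract in the API surface; I would add a sentence mirroring the existing wording to each of the three comments, e.g. `// The caller must be granted the ... permission on the desired scope, otherwise the request will be rejected.`, with the permission name taken from the service's access-control documentation. The `method_signature = "scope,constraint,filter"` options name request fields whose message definitions are not in this hunk, so I could not confirm that `constraint` and `filter` exist on all three request types; worth checking against the messages. The enclosing `service AssetService` block starts before this hunk.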
@@ -344,20 +406,20 @@ message ExportAssetsResponse {
   OutputConfig output_config = 2;
 
   // Output result indicating where the assets were exported to. For example, a
-  // set of actual Google Cloud Storage object uris where the assets are
-  // exported to. The uris can be different from what [output_config] has
-  // specified, as the service will split the output object into multiple ones
-  // once it exceeds a single Google Cloud Storage object limit.
+  // set of actual Cloud Storage object URIs where the assets are exported to.
+  // The URIs can be different from what [output_config] has specified, as the
+  // service will split the output object into multiple ones once it exceeds a
+  // single Cloud Storage object limit.
   OutputResult output_result = 3;
 }
 
 // ListAssets request.
 message ListAssetsRequest {
-  // Required. Name of the organization, folder, or project the assets belong to. Format:
-  // "organizations/[organization-number]" (such as "organizations/123"),
-  // "projects/[project-id]" (such as "projects/my-project-id"),
-  // "projects/[project-number]" (such as "projects/12345"), or
-  // "folders/[folder-number]" (such as "folders/12345").
+  // Required. Name of the organization, folder, or project the assets belong
+  // to. Format: "organizations/[organization-number]" (such as
+  // "organizations/123"), "projects/[project-id]" (such as
+  // "projects/my-project-id"), "projects/[project-number]" (such as
+  // "projects/12345"), or "folders/[folder-number]" (such as "folders/12345").
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -486,7 +548,8 @@ message BatchGetAssetsHistoryRequest {
   // See [Introduction to Cloud Asset
   // Inventory](https://cloud.google.com/asset-inventory/docs/overview) for all
   // supported asset types and relationship types.
-  repeated string relationship_types = 5 [(google.api.field_behavior) = OPTIONAL];
+  repeated string relationship_types = 5
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Batch get assets history response.
@@ -508,9 +571,8 @@ message CreateFeedRequest {
   // be unique under a specific parent project/folder/organization.
   string feed_id = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. The feed details. The field `name` must be empty and it will be generated
-  // in the format of:
-  // projects/project_number/feeds/feed_id
+  // Required. The feed details. The field `name` must be empty and it will be
+  // generated in the format of: projects/project_number/feeds/feed_id
   // folders/folder_number/feeds/feed_id
   // organizations/organization_number/feeds/feed_id
   Feed feed = 3 [(google.api.field_behavior) = REQUIRED];
@@ -524,9 +586,7 @@ message GetFeedRequest {
   // organizations/organization_number/feeds/feed_id
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      type: "cloudasset.googleapis.com/Feed"
-    }
+    (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
   ];
 }
 
@@ -545,8 +605,8 @@ message ListFeedsResponse {
 
 // Update asset feed request.
 message UpdateFeedRequest {
-  // Required. The new values of feed details. It must match an existing feed and the
-  // field `name` must be in the format of:
+  // Required. The new values of feed details. It must match an existing feed
+  // and the field `name` must be in the format of:
   // projects/project_number/feeds/feed_id or
   // folders/folder_number/feeds/feed_id or
   // organizations/organization_number/feeds/feed_id.
@@ -555,7 +615,8 @@ message UpdateFeedRequest {
   // Required. Only updates the `feed` fields indicated by this mask.
   // The field mask must not be empty, and it must not contain fields that
   // are immutable or only set by the server.
-  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = REQUIRED];
 }
 
 message DeleteFeedRequest {
@@ -565,9 +626,7 @@ message DeleteFeedRequest {
   // organizations/organization_number/feeds/feed_id
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      type: "cloudasset.googleapis.com/Feed"
-    }
+    (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
   ];
 }
 
@@ -595,7 +654,7 @@ message OutputResult {
 
 // A Cloud Storage output result.
 message GcsOutputResult {
-  // List of uris of the Cloud Storage objects. Example:
+  // List of URIs of the Cloud Storage objects. Example:
   // "gs://bucket_name/object_name".
   repeated string uris = 1;
 }
@@ -604,7 +663,7 @@ message GcsOutputResult {
 message GcsDestination {
   // Required.
   oneof object_uri {
-    // The uri of the Cloud Storage object. It's the same uri that is used by
+    // The URI of the Cloud Storage object. It's the same URI that is used by
     // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and
     // Editing Object
     // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
@@ -615,8 +674,8 @@ message GcsDestination {
     // overwritten with the exported result.
     string uri = 1;
 
-    // The uri prefix of all generated Cloud Storage objects. Example:
-    // "gs://bucket_name/object_name_prefix". Each object uri is in format:
+    // The URI prefix of all generated Cloud Storage objects. Example:
+    // "gs://bucket_name/object_name_prefix". Each object URI is in format:
     // "gs://bucket_name/object_name_prefix// and only
     // contains assets for that type. starts from 0. Example:
     // "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is
@@ -792,7 +851,8 @@ message Feed {
 
   // Required. Feed output configuration defining where the asset updates are
   // published to.
-  FeedOutputConfig feed_output_config = 5 [(google.api.field_behavior) = REQUIRED];
+  FeedOutputConfig feed_output_config = 5
+      [(google.api.field_behavior) = REQUIRED];
 
   // A condition which determines whether an asset update should be published.
   // If specified, an asset will be returned only when the expression evaluates
@@ -829,8 +889,9 @@ message Feed {
 
 // Search all resources request.
 message SearchAllResourcesRequest {
-  // Required. A scope can be a project, a folder, or an organization. The search is
-  // limited to the resources within the `scope`. The caller must be granted the
+  // Required. A scope can be a project, a folder, or an organization. The
+  // search is limited to the resources within the `scope`. The caller must be
+  // granted the
   // [`cloudasset.assets.searchAllResources`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
   // permission on the desired scope.
   //
@@ -849,55 +910,55 @@ message SearchAllResourcesRequest {
   //
   // Examples:
   //
-  // * `name:Important` to find Cloud resources whose name contains
+  // * `name:Important` to find Google Cloud resources whose name contains
   //   "Important" as a word.
-  // * `name=Important` to find the Cloud resource whose name is exactly
+  // * `name=Important` to find the Google Cloud resource whose name is exactly
   //   "Important".
-  // * `displayName:Impor*` to find Cloud resources whose display name
+  // * `displayName:Impor*` to find Google Cloud resources whose display name
   //   contains "Impor" as a prefix of any word in the field.
-  // * `location:us-west*` to find Cloud resources whose location contains both
-  //   "us" and "west" as prefixes.
-  // * `labels:prod` to find Cloud resources whose labels contain "prod" as
-  //   a key or value.
-  // * `labels.env:prod` to find Cloud resources that have a label "env"
+  // * `location:us-west*` to find Google Cloud resources whose location
+  //   contains both "us" and "west" as prefixes.
+  // * `labels:prod` to find Google Cloud resources whose labels contain "prod"
+  //   as a key or value.
+  // * `labels.env:prod` to find Google Cloud resources that have a label "env"
   //   and its value is "prod".
-  // * `labels.env:*` to find Cloud resources that have a label "env".
-  // * `kmsKey:key` to find Cloud resources encrypted with a customer-managed
-  //   encryption key whose name contains "key" as a word. This field is
-  //   deprecated. Please use the `kmsKeys` field to retrieve KMS key
-  //   information.
-  // * `kmsKeys:key` to find Cloud resources encrypted with customer-managed
-  //   encryption keys whose name contains the word "key".
-  // * `relationships:instance-group-1` to find Cloud resources that have
+  // * `labels.env:*` to find Google Cloud resources that have a label "env".
+  // * `kmsKey:key` to find Google Cloud resources encrypted with a
+  //   customer-managed encryption key whose name contains "key" as a word. This
+  //   field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS
+  //   key information.
+  // * `kmsKeys:key` to find Google Cloud resources encrypted with
+  //   customer-managed encryption keys whose name contains the word "key".
+  // * `relationships:instance-group-1` to find Google Cloud resources that have
   //   relationships with "instance-group-1" in the related resource name.
-  // * `relationships:INSTANCE_TO_INSTANCEGROUP` to find compute instances that
-  //   have relationships of type "INSTANCE_TO_INSTANCEGROUP".
+  // * `relationships:INSTANCE_TO_INSTANCEGROUP` to find Compute Engine
+  //   instances that have relationships of type "INSTANCE_TO_INSTANCEGROUP".
   // * `relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1` to find
-  //   compute instances that have relationships with "instance-group-1" in the
-  //   compute instance group resource name, for relationship type
+  //   Compute Engine instances that have relationships with "instance-group-1"
+  //   in the Compute Engine instance group resource name, for relationship type
   //   "INSTANCE_TO_INSTANCEGROUP".
-  // * `state:ACTIVE` to find Cloud resources whose state contains "ACTIVE" as a
-  //   word.
-  // * `NOT state:ACTIVE` to find Cloud resources whose state doesn't contain
+  // * `state:ACTIVE` to find Google Cloud resources whose state contains
   //   "ACTIVE" as a word.
-  // * `createTime<1609459200` to find Cloud resources that were created before
-  //   "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
+  // * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't
+  //   contain "ACTIVE" as a word.
+  // * `createTime<1609459200` to find Google Cloud resources that were created
+  //   before "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
   //   "2021-01-01 00:00:00 UTC" in seconds.
-  // * `updateTime>1609459200` to find Cloud resources that were updated after
-  //   "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
+  // * `updateTime>1609459200` to find Google Cloud resources that were updated
+  //   after "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
   //   "2021-01-01 00:00:00 UTC" in seconds.
-  // * `Important` to find Cloud resources that contain "Important" as a word
-  //   in any of the searchable fields.
-  // * `Impor*` to find Cloud resources that contain "Impor" as a prefix of any
+  // * `Important` to find Google Cloud resources that contain "Important" as a
   //   word in any of the searchable fields.
-  // * `Important location:(us-west1 OR global)` to find Cloud
+  // * `Impor*` to find Google Cloud resources that contain "Impor" as a prefix
+  //   of any word in any of the searchable fields.
+  // * `Important location:(us-west1 OR global)` to find Google Cloud
   //   resources that contain "Important" as a word in any of the searchable
   //   fields and are also located in the "us-west1" region or the "global"
   //   location.
   string query = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A list of asset types that this request searches for. If empty, it will
-  // search all the [searchable asset
+  // Optional. A list of asset types that this request searches for. If empty,
+  // it will search all the [searchable asset
   // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
   //
   // Regular expressions are also supported. For example:
@@ -912,21 +973,22 @@ message SearchAllResourcesRequest {
   // supported asset type, an INVALID_ARGUMENT error will be returned.
   repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The page size for search result pagination. Page size is capped at 500 even
-  // if a larger value is given. If set to zero, server will pick an appropriate
-  // default. Returned results may be fewer than requested. When this happens,
-  // there could be more results as long as `next_page_token` is returned.
+  // Optional. The page size for search result pagination. Page size is capped
+  // at 500 even if a larger value is given. If set to zero, server will pick an
+  // appropriate default. Returned results may be fewer than requested. When
+  // this happens, there could be more results as long as `next_page_token` is
+  // returned.
   int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. If present, then retrieve the next batch of results from the preceding call
-  // to this method. `page_token` must be the value of `next_page_token` from
-  // the previous response. The values of all other method parameters, must be
-  // identical to those in the previous call.
+  // Optional. If present, then retrieve the next batch of results from the
+  // preceding call to this method. `page_token` must be the value of
+  // `next_page_token` from the previous response. The values of all other
+  // method parameters, must be identical to those in the previous call.
   string page_token = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A comma-separated list of fields specifying the sorting order of the
-  // results. The default order is ascending. Add " DESC" after the field name
-  // to indicate descending order. Redundant space characters are ignored.
+  // Optional. A comma-separated list of fields specifying the sorting order of
+  // the results. The default order is ascending. Add " DESC" after the field
+  // name to indicate descending order. Redundant space characters are ignored.
   // Example: "location DESC, name".
   // Only singular primitive fields in the response are sortable:
   //
@@ -947,10 +1009,10 @@ message SearchAllResourcesRequest {
   //   `additionalAttributes`) are not supported.
   string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A comma-separated list of fields specifying which fields to be returned in
-  // ResourceSearchResult. Only '*' or combination of top level fields can be
-  // specified. Field names of both snake_case and camelCase are supported.
-  // Examples: `"*"`, `"name,location"`, `"name,versionedResources"`.
+  // Optional. A comma-separated list of fields specifying which fields to be
+  // returned in ResourceSearchResult. Only '*' or combination of top level
+  // fields can be specified. Field names of both snake_case and camelCase are
+  // supported. Examples: `"*"`, `"name,location"`, `"name,versionedResources"`.
   //
   // The read_mask paths must be valid field paths listed but not limited to
   // (both snake_case and camelCase are supported):
@@ -967,7 +1029,7 @@ message SearchAllResourcesRequest {
   //   * labels
   //   * networkTags
   //   * kmsKey (This field is deprecated. Please use the `kmsKeys` field to
-  //     retrieve KMS key information.)
+  //     retrieve Cloud KMS key information.)
   //   * kmsKeys
   //   * createTime
   //   * updateTime
@@ -980,7 +1042,8 @@ message SearchAllResourcesRequest {
   // If only '*' is specified, all fields including versionedResources will be
   // returned.
   // Any invalid field path will trigger INVALID_ARGUMENT error.
-  google.protobuf.FieldMask read_mask = 8 [(google.api.field_behavior) = OPTIONAL];
+  google.protobuf.FieldMask read_mask = 8
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Search all resources response.
@@ -997,9 +1060,9 @@ message SearchAllResourcesResponse {
 
 // Search all IAM policies request.
 message SearchAllIamPoliciesRequest {
-  // Required. A scope can be a project, a folder, or an organization. The search is
-  // limited to the IAM policies within the `scope`. The caller must be granted
-  // the
+  // Required. A scope can be a project, a folder, or an organization. The
+  // search is limited to the IAM policies within the `scope`. The caller must
+  // be granted the
   // [`cloudasset.assets.searchAllIamPolicies`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions)
   // permission on the desired scope.
   //
@@ -1015,8 +1078,8 @@ message SearchAllIamPoliciesRequest {
   // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
   // for more information. If not specified or empty, it will search all the
   // IAM policies within the specified `scope`. Note that the query string is
-  // compared against each Cloud IAM policy binding, including its principals,
-  // roles, and Cloud IAM conditions. The returned Cloud IAM policies will only
+  // compared against each IAM policy binding, including its principals,
+  // roles, and IAM conditions. The returned IAM policies will only
   // contain the bindings that match your query. To learn more about the IAM
   // policy structure, see the [IAM policy
   // documentation](https://cloud.google.com/iam/help/allow-policies/structure).
@@ -1055,20 +1118,22 @@ message SearchAllIamPoliciesRequest {
   //   principal type "user".
   string query = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The page size for search result pagination. Page size is capped at 500 even
-  // if a larger value is given. If set to zero, server will pick an appropriate
-  // default. Returned results may be fewer than requested. When this happens,
-  // there could be more results as long as `next_page_token` is returned.
+  // Optional. The page size for search result pagination. Page size is capped
+  // at 500 even if a larger value is given. If set to zero, server will pick an
+  // appropriate default. Returned results may be fewer than requested. When
+  // this happens, there could be more results as long as `next_page_token` is
+  // returned.
   int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. If present, retrieve the next batch of results from the preceding call to
-  // this method. `page_token` must be the value of `next_page_token` from the
-  // previous response. The values of all other method parameters must be
-  // identical to those in the previous call.
+  // Optional. If present, retrieve the next batch of results from the preceding
+  // call to this method. `page_token` must be the value of `next_page_token`
+  // from the previous response. The values of all other method parameters must
+  // be identical to those in the previous call.
   string page_token = 4 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A list of asset types that the IAM policies are attached to. If empty, it
-  // will search the IAM policies that are attached to all the [searchable asset
+  // Optional. A list of asset types that the IAM policies are attached to. If
+  // empty, it will search the IAM policies that are attached to all the
+  // [searchable asset
   // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
   //
   // Regular expressions are also supported. For example:
@@ -1085,9 +1150,9 @@ message SearchAllIamPoliciesRequest {
   // supported asset type, an INVALID_ARGUMENT error will be returned.
   repeated string asset_types = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A comma-separated list of fields specifying the sorting order of the
-  // results. The default order is ascending. Add " DESC" after the field name
-  // to indicate descending order. Redundant space characters are ignored.
+  // Optional. A comma-separated list of fields specifying the sorting order of
+  // the results. The default order is ascending. Add " DESC" after the field
+  // name to indicate descending order. Redundant space characters are ignored.
   // Example: "assetType DESC, resource".
   // Only singular primitive fields in the response are sortable:
   //   * resource
@@ -1100,8 +1165,8 @@ message SearchAllIamPoliciesRequest {
 
 // Search all IAM policies response.
 message SearchAllIamPoliciesResponse {
-  // A list of IamPolicy that match the search query. Related information such
-  // as the associated resource is returned along with the policy.
+  // A list of IAM policies that match the search query. Related information
+  // such as the associated resource is returned along with the policy.
   repeated IamPolicySearchResult results = 1;
 
   // Set if there are more results than those appearing in this response; to get
@@ -1160,9 +1225,10 @@ message IamPolicyAnalysisQuery {
     // Optional. If true, the identities section of the result will expand any
     // Google groups appearing in an IAM policy binding.
     //
-    // If [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector] is specified, the
-    // identity in the result will be determined by the selector, and this flag
-    // is not allowed to set.
+    // If
+    // [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector]
+    // is specified, the identity in the result will be determined by the
+    // selector, and this flag is not allowed to set.
     //
     // If true, the default max expansion per group is 1000 for
     // AssetService.AnalyzeIamPolicy][].
@@ -1173,32 +1239,35 @@ message IamPolicyAnalysisQuery { // Optional. If true, the access section of result will expand any roles // appearing in IAM policy bindings to include their permissions. // - // If [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector] is specified, the access - // section of the result will be determined by the selector, and this flag - // is not allowed to set. + // If + // [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector] + // is specified, the access section of the result will be determined by the + // selector, and this flag is not allowed to set. // // Default is false. bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL]; - // Optional. If true and [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] is not - // specified, the resource section of the result will expand any resource - // attached to an IAM policy to include resources lower in the resource - // hierarchy. + // Optional. If true and + // [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] + // is not specified, the resource section of the result will expand any + // resource attached to an IAM policy to include resources lower in the + // resource hierarchy. // // For example, if the request analyzes for which resources user A has - // permission P, and the results include an IAM policy with P on a GCP - // folder, the results will also include resources in that folder with + // permission P, and the results include an IAM policy with P on a Google + // Cloud folder, the results will also include resources in that folder with // permission P. 
// - // If true and [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] is specified, - // the resource section of the result will expand the specified resource to - // include resources lower in the resource hierarchy. Only project or - // lower resources are supported. Folder and organization resource cannot be - // used together with this option. + // If true and + // [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] + // is specified, the resource section of the result will expand the + // specified resource to include resources lower in the resource hierarchy. + // Only project or lower resources are supported. Folder and organization + // resources cannot be used together with this option. // // For example, if the request analyzes for which users have permission P on - // a GCP project with this option enabled, the results will include all - // users who have permission P on that project or any lower resource. + // a Google Cloud project with this option enabled, the results will include + // all users who have permission P on that project or any lower resource. // // If true, the default max expansion per resource is 1000 for // AssetService.AnalyzeIamPolicy][] and 100000 for 
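Review bot: The unchanged context at the end of this hunk still has the malformed reference `AssetService.AnalyzeIamPolicy][] and 100000 for`, missing the opening `[` and the fully-qualified target, so the generated docs will print the bracket noise instead of a link. It should be `[AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy] and 100000 for`, and the next (out-of-view) line presumably names `AnalyzeIamPolicyLongrunning` the same way. The enclosing `expand_resources` comment ends outside this hunk.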
@@ -1207,36 +1276,38 @@ message IamPolicyAnalysisQuery { // Default is false. bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL]; - // Optional. If true, the result will output the relevant parent/child relationships - // between resources. - // Default is false. + // Optional. If true, the result will output the relevant parent/child + // relationships between resources. Default is false. bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL]; - // Optional. If true, the result will output the relevant membership relationships - // between groups and other groups, and between groups and principals. - // Default is false. + // Optional. If true, the result will output the relevant membership + // relationships between groups and other groups, and between groups and + // principals. Default is false. bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL]; - // Optional. If true, the response will include access analysis from identities to - // resources via service account impersonation. This is a very expensive - // operation, because many derived queries will be executed. We highly - // recommend you use [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning] rpc - // instead. + // Optional. If true, the response will include access analysis from + // identities to resources via service account impersonation. This is a very + // expensive operation, because many derived queries will be executed. We + // highly recommend you use + // [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning] + // RPC instead. 
// // For example, if the request analyzes for which resources user A has // permission P, and there's an IAM policy states user A has // iam.serviceAccounts.getAccessToken permission to a service account SA, // and there's another IAM policy states service account SA has permission P - // to a GCP folder F, then user A potentially has access to the GCP folder - // F. And those advanced analysis results will be included in + // to a Google Cloud folder F, then user A potentially has access to the + // Google Cloud folder F. And those advanced analysis results will be + // included in // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. // // Another example, if the request analyzes for who has - // permission P to a GCP folder F, and there's an IAM policy states user A - // has iam.serviceAccounts.actAs permission to a service account SA, and - // there's another IAM policy states service account SA has permission P to - // the GCP folder F, then user A potentially has access to the GCP folder - // F. And those advanced analysis results will be included in + // permission P to a Google Cloud folder F, and there's an IAM policy states + // user A has iam.serviceAccounts.actAs permission to a service account SA, + // and there's another IAM policy states service account SA has permission P + // to the Google Cloud folder F, then user A potentially has access to the + // Google Cloud folder F. And those advanced analysis results will be + // included in // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. // // Only the following permissions are considered in this analysis: 
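Review bot: The rewrapped impersonation examples keep the ungrammatical "there's an IAM policy states user A has" / "there's another IAM policy states service account SA has" in all four places, which a typo-fix commit should catch: insert "that" in each, e.g. `// permission P, and there's an IAM policy that states user A has` and `// and there's another IAM policy that states service account SA has`. Given that these examples describe a privilege-escalation path (getAccessToken / actAs on a service account), the wording "user A potentially has access" is the right hedge and should be kept as is. The `Options` message this field belongs to continues outside the hunk.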
@@ -1249,7 +1320,8 @@ message IamPolicyAnalysisQuery { // * `iam.serviceAccounts.implicitDelegation` // // Default is false. - bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL]; + bool analyze_service_account_impersonation = 6 + [(google.api.field_behavior) = OPTIONAL]; } // The IAM conditions context. @@ -1263,8 +1335,8 @@ message IamPolicyAnalysisQuery { } } - // Required. The relative name of the root asset. Only resources and IAM policies within - // the scope will be analyzed. + // Required. The relative name of the root asset. Only resources and IAM + // policies within the scope will be analyzed. // // This can only be an organization number (such as "organizations/123"), a // folder number (such as "folders/123"), a project ID (such as @@ -1278,10 +1350,12 @@ message IamPolicyAnalysisQuery { string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. Specifies a resource for analysis. - ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL]; + ResourceSelector resource_selector = 2 + [(google.api.field_behavior) = OPTIONAL]; // Optional. Specifies an identity for analysis. - IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL]; + IdentitySelector identity_selector = 3 + [(google.api.field_behavior) = OPTIONAL]; // Optional. Specifies roles or permissions for analysis. This is optional. AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL]; 
@@ -1290,13 +1364,16 @@ message IamPolicyAnalysisQuery { Options options = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. The hypothetical context for IAM conditions evaluation. - ConditionContext condition_context = 6 [(google.api.field_behavior) = OPTIONAL]; + ConditionContext condition_context = 6 + [(google.api.field_behavior) = OPTIONAL]; } -// A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. +// A request message for +// [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. message AnalyzeIamPolicyRequest { // Required. The request query. - IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; + IamPolicyAnalysisQuery analysis_query = 1 + [(google.api.field_behavior) = REQUIRED]; // Optional. The name of a saved query, which must be in the format of: // @@ -1316,7 +1393,8 @@ message AnalyzeIamPolicyRequest { // presence yet. string saved_analysis_query = 3 [(google.api.field_behavior) = OPTIONAL]; - // Optional. Amount of time executable has to complete. See JSON representation of + // Optional. Amount of time executable has to complete. See JSON + // representation of // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). // // If this field is set with a value less than the RPC deadline, and the 
@@ -1326,22 +1404,26 @@ message AnalyzeIamPolicyRequest { // If it's not finished until then, you will get a DEADLINE_EXCEEDED error. // // Default is empty. - google.protobuf.Duration execution_timeout = 2 [(google.api.field_behavior) = OPTIONAL]; + google.protobuf.Duration execution_timeout = 2 + [(google.api.field_behavior) = OPTIONAL]; } -// A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. +// A response message for +// [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. message AnalyzeIamPolicyResponse { // An analysis message to group the query and results. message IamPolicyAnalysis { // The analysis query. IamPolicyAnalysisQuery analysis_query = 1; - // A list of [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult] that matches the analysis query, or - // empty if no result is found. + // A list of + // [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult] + // that matches the analysis query, or empty if no result is found. repeated IamPolicyAnalysisResult analysis_results = 2; - // Represents whether all entries in the [analysis_results][google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been - // fully explored to answer the query. + // Represents whether all entries in the + // [analysis_results][google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] + // have been fully explored to answer the query. bool fully_explored = 3; // A list of non-critical errors happened during the query handling. 
@@ -1356,9 +1438,11 @@ message AnalyzeIamPolicyResponse { // enabled. repeated IamPolicyAnalysis service_account_impersonation_analysis = 2; - // Represents whether all entries in the [main_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.main_analysis] and - // [service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to - // answer the query in the request. + // Represents whether all entries in the + // [main_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.main_analysis] + // and + // [service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] + // have been fully explored to answer the query in the request. bool fully_explored = 3; } @@ -1366,8 +1450,8 @@ message AnalyzeIamPolicyResponse { message IamPolicyAnalysisOutputConfig { // A Cloud Storage location. message GcsDestination { - // Required. The uri of the Cloud Storage object. It's the same uri that is used by - // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and + // Required. The URI of the Cloud Storage object. It's the same URI that is + // used by gsutil. Example: "gs://bucket_name/object_name". See [Viewing and // Editing Object // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) // for more information. 
@@ -1395,13 +1479,15 @@ message IamPolicyAnalysisOutputConfig { REQUEST_TIME = 1; } - // Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId", - // to which the analysis results should be exported. If this dataset does - // not exist, the export call will return an INVALID_ARGUMENT error. + // Required. The BigQuery dataset in format + // "projects/projectId/datasets/datasetId", to which the analysis results + // should be exported. If this dataset does not exist, the export call will + // return an INVALID_ARGUMENT error. string dataset = 1 [(google.api.field_behavior) = REQUIRED]; - // Required. The prefix of the BigQuery tables to which the analysis results will be - // written. Tables will be created based on this table_prefix if not exist: + // Required. The prefix of the BigQuery tables to which the analysis results + // will be written. Tables will be created based on this table_prefix if not + // exist: // * _analysis table will contain export operation's metadata. // * _analysis_result will contain all the // [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult]. @@ -1412,8 +1498,8 @@ message IamPolicyAnalysisOutputConfig { // The partition key for BigQuery partitioned table. PartitionKey partition_key = 3; - // Optional. Specifies the action that occurs if the destination table or partition - // already exists. The following values are supported: + // Optional. Specifies the action that occurs if the destination table or + // partition already exists. The following values are supported: // // * WRITE_TRUNCATE: If the table or partition already exists, BigQuery // overwrites the entire table or all the partitions data. 
@@ -1438,10 +1524,12 @@ message IamPolicyAnalysisOutputConfig { } } -// A request message for [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. +// A request message for +// [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. message AnalyzeIamPolicyLongrunningRequest { // Required. The request query. - IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; + IamPolicyAnalysisQuery analysis_query = 1 + [(google.api.field_behavior) = REQUIRED]; // Optional. The name of a saved query, which must be in the format of: // @@ -1461,14 +1549,15 @@ message AnalyzeIamPolicyLongrunningRequest { // presence yet. string saved_analysis_query = 3 [(google.api.field_behavior) = OPTIONAL]; - // Required. Output configuration indicating where the results will be output to. - IamPolicyAnalysisOutputConfig output_config = 2 [(google.api.field_behavior) = REQUIRED]; + // Required. Output configuration indicating where the results will be output + // to. + IamPolicyAnalysisOutputConfig output_config = 2 + [(google.api.field_behavior) = REQUIRED]; } -// A response message for [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. -message AnalyzeIamPolicyLongrunningResponse { - -} +// A response message for +// [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. +message AnalyzeIamPolicyLongrunningResponse {} // A saved query which can be shared with others or used later. message SavedQuery { 
@@ -1483,8 +1572,11 @@ message SavedQuery { message QueryContent { oneof query_content { // An IAM Policy Analysis query, which could be used in - // the [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy] rpc or - // the [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning] rpc. + // the + // [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy] + // RPC or the + // [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning] + // RPC. IamPolicyAnalysisQuery iam_policy_analysis_query = 1; } } @@ -1501,15 +1593,18 @@ message SavedQuery { string description = 2; // Output only. The create time of this saved query. - google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + google.protobuf.Timestamp create_time = 3 + [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The account's email address who has created this saved query. string creator = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The last update time of this saved query. - google.protobuf.Timestamp last_update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; + google.protobuf.Timestamp last_update_time = 5 + [(google.api.field_behavior) = OUTPUT_ONLY]; - // Output only. The account's email address who has updated this saved query most recently. + // Output only. The account's email address who has updated this saved query + // most recently. string last_updater = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; // Labels applied on the resource. 
@@ -1523,11 +1618,11 @@ message SavedQuery { // Request to create a saved query. message CreateSavedQueryRequest { - // Required. The name of the project/folder/organization where this saved_query - // should be created in. It can only be an organization number (such as - // "organizations/123"), a folder number (such as "folders/123"), a project ID - // (such as "projects/my-project-id")", or a project number (such as - // "projects/12345"). + // Required. The name of the project/folder/organization where this + // saved_query should be created in. It can only be an organization number + // (such as "organizations/123"), a folder number (such as "folders/123"), a + // project ID (such as "projects/my-project-id")", or a project number (such + // as "projects/12345"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { @@ -1535,16 +1630,16 @@ message CreateSavedQueryRequest { } ]; - // Required. The saved_query details. The `name` field must be empty as it will be - // generated based on the parent and saved_query_id. + // Required. The saved_query details. The `name` field must be empty as it + // will be generated based on the parent and saved_query_id. SavedQuery saved_query = 2 [(google.api.field_behavior) = REQUIRED]; - // Required. The ID to use for the saved query, which must be unique in the specified - // parent. It will become the final component of the saved query's resource - // name. + // Required. The ID to use for the saved query, which must be unique in the + // specified parent. It will become the final component of the saved query's + // resource name. // // This value should be 4-63 characters, and valid characters - // are /[a-z][0-9]-/. + // are `[a-z][0-9]-`. // // Notice that this field is required in the saved query creation, and the // `name` field of the `saved_query` will be ignored. 
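Review bot: The rewrapped `parent` comment carries over a stray quotation mark after the closing parenthesis, `(such as "projects/my-project-id")", or a project number`, which reads as an unterminated string in the rendered docs. The line should be `// project ID (such as "projects/my-project-id"), or a project number (such`. The same pattern appears in `ListSavedQueriesRequest.parent` in the next hunk, so both should be fixed together.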
@@ -1568,8 +1663,8 @@ message GetSavedQueryRequest { // Request to list saved queries. message ListSavedQueriesRequest { - // Required. The parent project/folder/organization whose savedQueries are to be - // listed. It can only be using project/folder/organization number (such as + // Required. The parent project/folder/organization whose savedQueries are to + // be listed. It can only be using project/folder/organization number (such as // "folders/12345")", or a project ID (such as "projects/my-project-id"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, @@ -1587,8 +1682,9 @@ message ListSavedQueriesRequest { // See https://google.aip.dev/160 for more information on the grammar. string filter = 4 [(google.api.field_behavior) = OPTIONAL]; - // Optional. The maximum number of saved queries to return per page. The service may - // return fewer than this value. If unspecified, at most 50 will be returned. + // Optional. The maximum number of saved queries to return per page. The + // service may return fewer than this value. If unspecified, at most 50 will + // be returned. // The maximum value is 1000; values above 1000 will be coerced to 1000. int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL]; @@ -1623,12 +1719,14 @@ message UpdateSavedQueryRequest { SavedQuery saved_query = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The list of fields to update. - google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; + google.protobuf.FieldMask update_mask = 2 + [(google.api.field_behavior) = REQUIRED]; } // Request to delete a saved query. message DeleteSavedQueryRequest { - // Required. The name of the saved query to delete. It must be in the format of: + // Required. The name of the saved query to delete. It must be in the format + // of: // // * projects/project_number/savedQueries/saved_query_id // * folders/folder_number/savedQueries/saved_query_id 
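Review bot: The `ListSavedQueriesRequest.parent` comment still has the stray quote in `"folders/12345")", or a project ID` and the awkward "It can only be using project/folder/organization number". Suggested wording for the two lines: `// be listed. It can only be a project/folder/organization number (such as` and `// "folders/12345"), or a project ID (such as "projects/my-project-id").`. Note this hunk's wording differs from `CreateSavedQueryRequest.parent`, which also accepts `organizations/123`; if both fields accept the same forms, the two comments should be aligned.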
@@ -1659,15 +1757,15 @@ message AnalyzeMoveRequest { } // Required. Name of the resource to perform the analysis against. - // Only GCP Project are supported as of today. Hence, this can only be Project - // ID (such as "projects/my-project-id") or a Project Number (such as - // "projects/12345"). + // Only Google Cloud projects are supported as of today. Hence, this can only + // be a project ID (such as "projects/my-project-id") or a project number + // (such as "projects/12345"). string resource = 1 [(google.api.field_behavior) = REQUIRED]; - // Required. Name of the GCP Folder or Organization to reparent the target - // resource. The analysis will be performed against hypothetically moving the - // resource to this specified desitination parent. This can only be a Folder - // number (such as "folders/123") or an Organization number (such as + // Required. Name of the Google Cloud folder or organization to reparent the + // target resource. The analysis will be performed against hypothetically + // moving the resource to this specified desitination parent. This can only be + // a folder number (such as "folders/123") or an organization number (such as // "organizations/123"). string destination_parent = 2 [(google.api.field_behavior) = REQUIRED]; @@ -1679,14 +1777,14 @@ message AnalyzeMoveRequest { // The response message for resource move analysis. message AnalyzeMoveResponse { // The list of analyses returned from performing the intended resource move - // analysis. The analysis is grouped by different Cloud services. + // analysis. The analysis is grouped by different Google Cloud services. repeated MoveAnalysis move_analysis = 1; } // A message to group the analysis information. message MoveAnalysis { - // The user friendly display name of the analysis. E.g. IAM, Organization - // Policy etc. + // The user friendly display name of the analysis. E.g. IAM, organization + // policy etc. string display_name = 1; oneof result { 
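Review bot: The `destination_parent` comment is rewrapped but still contains the misspelling "desitination" on the new side, which a typo-fix commit should have caught. The line should read `// moving the resource to this specified destination parent. This can only be`. The rest of `AnalyzeMoveRequest` continues outside this hunk.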
@@ -1720,12 +1818,13 @@ message MoveImpact { message QueryAssetsOutputConfig { // BigQuery destination. message BigQueryDestination { - // Required. The BigQuery dataset where the query results will be saved. It has the - // format of "projects/{projectId}/datasets/{datasetId}". + // Required. The BigQuery dataset where the query results will be saved. It + // has the format of "projects/{projectId}/datasets/{datasetId}". string dataset = 1 [(google.api.field_behavior) = REQUIRED]; - // Required. The BigQuery table where the query results will be saved. If this table - // does not exist, a new table with the given name will be created. + // Required. The BigQuery table where the query results will be saved. If + // this table does not exist, a new table with the given name will be + // created. string table = 2 [(google.api.field_behavior) = REQUIRED]; // Specifies the action that occurs if the destination table or partition @@ -1766,13 +1865,13 @@ message QueryAssetsRequest { // SQL](http://cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql). string statement = 2 [(google.api.field_behavior) = OPTIONAL]; - // Optional. Reference to the query job, which is from the `QueryAssetsResponse` of - // previous `QueryAssets` call. + // Optional. Reference to the query job, which is from the + // `QueryAssetsResponse` of previous `QueryAssets` call. string job_reference = 3 [(google.api.field_behavior) = OPTIONAL]; } - // Optional. The maximum number of rows to return in the results. Responses are limited - // to 10 MB and 1000 rows. + // Optional. The maximum number of rows to return in the results. Responses + // are limited to 10 MB and 1000 rows. // // By default, the maximum row count is 1000. When the byte or row count limit // is reached, the rest of the query results will be paginated. 
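Review bot: The unchanged context line above `statement` links to `http://cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql`, an internal short-link host that is not resolvable from the public docs this proto generates. It should presumably be the public URL, `// SQL](https://cloud.google.com/bigquery/docs/reference/standard-sql/enabling-standard-sql).` (the path matches the public site; please confirm the target). The opening of that comment is outside this hunk.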
@@ -1785,10 +1884,11 @@ message QueryAssetsRequest {
   // The field will be ignored when [output_config] is specified.
   string page_token = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Specifies the maximum amount of time that the client is willing to wait
-  // for the query to complete. By default, this limit is 5 min for the first
-  // query, and 1 minute for the following queries. If the query is complete,
-  // the `done` field in the `QueryAssetsResponse` is true, otherwise false.
+  // Optional. Specifies the maximum amount of time that the client is willing
+  // to wait for the query to complete. By default, this limit is 5 min for the
+  // first query, and 1 minute for the following queries. If the query is
+  // complete, the `done` field in the `QueryAssetsResponse` is true, otherwise
+  // false.
   //
   // Like BigQuery [jobs.query
   // API](https://cloud.google.com/bigquery/docs/reference/rest/v2/jobs/query#queryrequest)
@@ -1807,13 +1907,15 @@ message QueryAssetsRequest { // If data for the timestamp/date range selected does not exist, // it will simply return a valid response with no rows. oneof time { - // Optional. [start_time] is required. [start_time] must be less than [end_time] - // Defaults [end_time] to now if [start_time] is set and [end_time] isn't. - // Maximum permitted time range is 7 days. + // Optional. [start_time] is required. [start_time] must be less than + // [end_time] Defaults [end_time] to now if [start_time] is set and + // [end_time] isn't. Maximum permitted time range is 7 days. TimeWindow read_time_window = 7 [(google.api.field_behavior) = OPTIONAL]; - // Optional. Queries cloud assets as they appeared at the specified point in time. - google.protobuf.Timestamp read_time = 8 [(google.api.field_behavior) = OPTIONAL]; + // Optional. Queries cloud assets as they appeared at the specified point in + // time. + google.protobuf.Timestamp read_time = 8 + [(google.api.field_behavior) = OPTIONAL]; } // Optional. Destination where the query results will be saved. @@ -1825,7 +1927,8 @@ message QueryAssetsRequest { // Meanwhile, [QueryAssetsResponse.job_reference] will be set and can be used // to check the status of the query job when passed to a following // [QueryAssets] API call. - QueryAssetsOutputConfig output_config = 9 [(google.api.field_behavior) = OPTIONAL]; + QueryAssetsOutputConfig output_config = 9 + [(google.api.field_behavior) = OPTIONAL]; } // QueryAssets response. @@ -1912,7 +2015,8 @@ message TableFieldSchema { repeated TableFieldSchema fields = 4; } -// A request message for [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies]. +// A request message for +// [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies]. message BatchGetEffectiveIamPoliciesRequest { // Required. Only IAM policies on or below the scope will be returned. // 
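Review bot: The rewrapped `read_time_window` comment opens with "Optional. [start_time] is required." and then runs two sentences together, `[end_time] Defaults [end_time] to now`, dropping the period. The intent seems to be that the oneof member is optional but, when set, its `start_time` is mandatory; suggested wording: `// Optional. If set, [start_time] is required and must be less than` / `// [end_time]; [end_time] defaults to now when only [start_time] is set.` / `// Maximum permitted time range is 7 days.`. Whether an unset `end_time` really means "now" is taken from the existing text and not verifiable here.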
@@ -1927,9 +2031,7 @@ message BatchGetEffectiveIamPoliciesRequest {
   // ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
   string scope = 1 [
     (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      child_type: "*"
-    }
+    (google.api.resource_reference) = { child_type: "*" }
   ];
 
   // Required. The names refer to the [full_resource_names]
@@ -1939,56 +2041,577 @@ message BatchGetEffectiveIamPoliciesRequest { // A maximum of 20 resources' effective policies can be retrieved in a batch. repeated string names = 3 [ (google.api.field_behavior) = REQUIRED, - (google.api.resource_reference) = { - type: "*" - } + (google.api.resource_reference) = { type: "*" } ]; } -// A response message for [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies]. +// A response message for +// [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies]. message BatchGetEffectiveIamPoliciesResponse { // The effective IAM policies on one resource. message EffectiveIamPolicy { // The IAM policy and its attached resource. message PolicyInfo { - // The full resource name the [policy][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.policy] is directly attached to. + // The full resource name the + // [policy][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.policy] + // is directly attached to. string attached_resource = 1; - // The IAM policy that's directly attached to the [attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource]. + // The IAM policy that's directly attached to the + // [attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource]. google.iam.v1.Policy policy = 2; } // The [full_resource_name] // (https://cloud.google.com/asset-inventory/docs/resource-name-format) - // for which the [policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies] are computed. This is one of the - // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names] the caller provides in the - // request. 
+ // for which the + // [policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies] + // are computed. This is one of the + // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names] + // the caller provides in the request. string full_resource_name = 1; - // The effective policies for the [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name]. + // The effective policies for the + // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name]. // - // These policies include the policy set on the [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name] and - // those set on its parents and ancestors up to the - // [BatchGetEffectiveIamPoliciesRequest.scope][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.scope]. Note that these policies - // are not filtered according to the resource type of the + // These policies include the policy set on the + // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name] + // and those set on its parents and ancestors up to the + // [BatchGetEffectiveIamPoliciesRequest.scope][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.scope]. + // Note that these policies are not filtered according to the resource type + // of the // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name]. 
// // These policies are hierarchically ordered by - // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource] starting from [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name] + // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource] + // starting from + // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name] // itself to its parents and ancestors, such that policies[i]'s - // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource] is the child of policies[i+1]'s - // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource], if policies[i+1] exists. + // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource] + // is the child of policies[i+1]'s + // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource], + // if policies[i+1] exists. repeated PolicyInfo policies = 2; } // The effective policies for a batch of resources. Note that the results // order is the same as the order of - // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names]. When a resource does not - // have any effective IAM policies, its corresponding policy_result will - // contain empty [EffectiveIamPolicy.policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies]. + // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names]. 
+ // When a resource does not have any effective IAM policies, its corresponding + // policy_result will contain empty + // [EffectiveIamPolicy.policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies]. repeated EffectiveIamPolicy policy_results = 2; } +// This organization policy message is a modified version of the one defined in +// the Organization Policy system. This message contains several fields defined +// in the original organization policy with some new fields for analysis +// purpose. +message AnalyzerOrgPolicy { + // Represents a rule defined in an organization policy + message Rule { + // The string values for the list constraints. + message StringValues { + // List of values allowed at this resource. + repeated string allowed_values = 1; + + // List of values denied at this resource. + repeated string denied_values = 2; + } + + oneof kind { + // List of values to be used for this PolicyRule. This field can be set + // only in Policies for list constraints. + StringValues values = 3; + + // Setting this to true means that all values are allowed. This field can + // be set only in Policies for list constraints. + bool allow_all = 4; + + // Setting this to true means that all values are denied. This field can + // be set only in Policies for list constraints. + bool deny_all = 5; + + // If `true`, then the `Policy` is enforced. If `false`, then any + // configuration is acceptable. + // This field can be set only in Policies for boolean constraints. + bool enforce = 6; + } + + // The evaluating condition for this rule. + google.type.Expr condition = 7; + } + + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // an organization/folder/project resource where this organization policy is + // set. + // + // Notice that some type of constraints are defined with default policy. This + // field will be empty for them. 
+ string attached_resource = 1; + + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // an organization/folder/project resource where this organization policy + // applies to. + // + // For any user defined org policies, this field has the same value as + // the [attached_resource] field. Only for default policy, this field has + // the different value. + string applied_resource = 5; + + // List of rules for this organization policy. + repeated Rule rules = 2; + + // If `inherit_from_parent` is true, Rules set higher up in the + // hierarchy (up to the closest root) are inherited and present in the + // effective policy. If it is false, then no rules are inherited, and this + // policy becomes the effective root for evaluation. + bool inherit_from_parent = 3; + + // Ignores policies set above this resource and restores the default behavior + // of the constraint at this resource. + // This field can be set in policies for either list or boolean + // constraints. If set, `rules` must be empty and `inherit_from_parent` + // must be set to false. + bool reset = 4; +} + +// The organization policy constraint definition. +message AnalyzerOrgPolicyConstraint { + // The definition of a constraint. + message Constraint { + // Specifies the default behavior in the absence of any `Policy` for the + // `Constraint`. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`. + enum ConstraintDefault { + // This is only used for distinguishing unset values and should never be + // used. + CONSTRAINT_DEFAULT_UNSPECIFIED = 0; + + // Indicate that all values are allowed for list constraints. + // Indicate that enforcement is off for boolean constraints. + ALLOW = 1; + + // Indicate that all values are denied for list constraints. + // Indicate that enforcement is on for boolean constraints. 
+ DENY = 2; + } + + // A `Constraint` that allows or disallows a list of string values, which + // are configured by an organization's policy administrator with a `Policy`. + message ListConstraint { + // Indicates whether values grouped into categories can be used in + // `Policy.allowed_values` and `Policy.denied_values`. For example, + // `"in:Python"` would match any value in the 'Python' group. + bool supports_in = 1; + + // Indicates whether subtrees of Cloud Resource Manager resource hierarchy + // can be used in `Policy.allowed_values` and `Policy.denied_values`. For + // example, `"under:folders/123"` would match any resource under the + // 'folders/123' folder. + bool supports_under = 2; + } + + // A `Constraint` that is either enforced or not. + // + // For example a constraint `constraints/compute.disableSerialPortAccess`. + // If it is enforced on a VM instance, serial port connections will not be + // opened to that instance. + message BooleanConstraint {} + + // The unique name of the constraint. Format of the name should be + // * `constraints/{constraint_name}` + // + // For example, `constraints/compute.disableSerialPortAccess`. + string name = 1; + + // The human readable name of the constraint. + string display_name = 2; + + // Detailed description of what this `Constraint` controls as well as how + // and where it is enforced. + string description = 3; + + // The evaluation behavior of this constraint in the absence of 'Policy'. + ConstraintDefault constraint_default = 4; + + // The type of restrictions for this `Constraint`. + // + // Immutable after creation. + oneof constraint_type { + // Defines this constraint as being a ListConstraint. + ListConstraint list_constraint = 5; + + // Defines this constraint as being a BooleanConstraint. + BooleanConstraint boolean_constraint = 6; + } + } + + // The definition of a custom constraint. + message CustomConstraint { + // The operation in which this constraint will be applied. 
For example: + // If the constraint applies only when create VMs, the method_types will be + // "CREATE" only. If the constraint applied when create or delete VMs, the + // method_types will be "CREATE" and "DELETE". + enum MethodType { + // Unspecified. Will results in user error. + METHOD_TYPE_UNSPECIFIED = 0; + + // Constraint applied when creating the resource. + CREATE = 1; + + // Constraint applied when updating the resource. + UPDATE = 2; + + // Constraint applied when deleting the resource. + DELETE = 3; + } + + // Allow or deny type. + enum ActionType { + // Unspecified. Will results in user error. + ACTION_TYPE_UNSPECIFIED = 0; + + // Allowed action type. + ALLOW = 1; + + // Deny action type. + DENY = 2; + } + + // Name of the constraint. This is unique within the organization. Format of + // the name should be + // * `organizations/{organization_id}/customConstraints/{custom_constraint_id}` + // + // Example : + // "organizations/123/customConstraints/custom.createOnlyE2TypeVms" + string name = 1; + + // The Resource Instance type on which this policy applies to. Format will + // be of the form : "/" Example: + // * `compute.googleapis.com/Instance`. + repeated string resource_types = 2; + + // All the operations being applied for this constraint. + repeated MethodType method_types = 3; + + // Organization Policy condition/expression. For example: + // `resource.instanceName.matches("[production|test]_.*_(\d)+")'` or, + // `resource.management.auto_upgrade == true` + string condition = 4; + + // Allow or deny type. + ActionType action_type = 5; + + // One line display name for the UI. + string display_name = 6; + + // Detailed information about this custom policy constraint. + string description = 7; + } + + oneof constraint_definition { + // The definition of the canned constraint defined by Google. + Constraint google_defined_constraint = 1; + + // The definition of the custom constraint. 
+ CustomConstraint custom_constraint = 2; + } +} + +// A request message for +// [AssetService.AnalyzeOrgPolicies][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicies]. +message AnalyzeOrgPoliciesRequest { + // Required. The organization to scope the request. Only organization + // policies within the scope will be analyzed. + // + // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") + string scope = 1 [(google.api.field_behavior) = REQUIRED]; + + // Required. The name of the constraint to analyze organization policies for. + // The response only contains analyzed organization policies for the provided + // constraint. + string constraint = 2 [(google.api.field_behavior) = REQUIRED]; + + // The expression to filter + // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results]. + // The only supported field is `consolidated_policy.attached_resource`, and + // the only supported operator is `=`. + // + // Example: + // consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/folders/001" + // will return the org policy results of"folders/001". + string filter = 3; + + // The maximum number of items to return per page. If unspecified, + // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results] + // will contain 20 items with a maximum of 200. + optional int32 page_size = 4; + + // The pagination token to retrieve the next page. + string page_token = 5; +} + +// The response message for +// [AssetService.AnalyzeOrgPolicies][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicies]. +message AnalyzeOrgPoliciesResponse { + // The organization policy result to the query. + message OrgPolicyResult { + // The consolidated organization policy for the analyzed resource. The + // consolidated organization policy is computed by merging and evaluating + // [AnalyzeOrgPoliciesResponse.policy_bundle][]. 
+ // The evaluation will respect the organization policy [hierarchy + // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). + AnalyzerOrgPolicy consolidated_policy = 1; + + // The ordered list of all organization policies from the + // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][]. + // to the scope specified in the request. + // + // If the constraint is defined with default policy, it will also appear in + // the list. + repeated AnalyzerOrgPolicy policy_bundle = 2; + } + + // The organization policies under the + // [AnalyzeOrgPoliciesRequest.scope][google.cloud.asset.v1.AnalyzeOrgPoliciesRequest.scope] + // with the + // [AnalyzeOrgPoliciesRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPoliciesRequest.constraint]. + repeated OrgPolicyResult org_policy_results = 1; + + // The definition of the constraint in the request. + AnalyzerOrgPolicyConstraint constraint = 2; + + // The page token to fetch the next page for + // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results]. + string next_page_token = 3; +} + +// A request message for +// [AssetService.AnalyzeOrgPolicyGovernedContainers][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedContainers]. +message AnalyzeOrgPolicyGovernedContainersRequest { + // Required. The organization to scope the request. Only organization + // policies within the scope will be analyzed. The output containers will + // also be limited to the ones governed by those in-scope organization + // policies. + // + // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") + string scope = 1 [(google.api.field_behavior) = REQUIRED]; + + // Required. The name of the constraint to analyze governed containers for. + // The analysis only contains organization policies for the provided + // constraint. 
+ string constraint = 2 [(google.api.field_behavior) = REQUIRED]; + + // The expression to filter the governed containers in result. + // The only supported field is `parent`, and the only supported operator is + // `=`. + // + // Example: + // parent="//cloudresourcemanager.googleapis.com/folders/001" will return all + // containers under "folders/001". + string filter = 3; + + // The maximum number of items to return per page. If unspecified, + // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers] + // will contain 100 items with a maximum of 200. + optional int32 page_size = 4; + + // The pagination token to retrieve the next page. + string page_token = 5; +} + +// The response message for +// [AssetService.AnalyzeOrgPolicyGovernedContainers][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedContainers]. +message AnalyzeOrgPolicyGovernedContainersResponse { + // The organization/folder/project resource governed by organization policies + // of + // [AnalyzeOrgPolicyGovernedContainersRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersRequest.constraint]. + message GovernedContainer { + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // an organization/folder/project resource. + string full_resource_name = 1; + + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // the parent of + // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.full_resource_name]. + string parent = 2; + + // The consolidated organization policy for the analyzed resource. 
The + // consolidated organization policy is computed by merging and evaluating + // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.policy_bundle][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.policy_bundle]. + // The evaluation will respect the organization policy [hierarchy + // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). + AnalyzerOrgPolicy consolidated_policy = 3; + + // The ordered list of all organization policies from the + // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][]. + // to the scope specified in the request. + // + // If the constraint is defined with default policy, it will also appear in + // the list. + repeated AnalyzerOrgPolicy policy_bundle = 4; + } + + // The list of the analyzed governed containers. + repeated GovernedContainer governed_containers = 1; + + // The definition of the constraint in the request. + AnalyzerOrgPolicyConstraint constraint = 2; + + // The page token to fetch the next page for + // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers]. + string next_page_token = 3; +} + +// A request message for +// [AssetService.AnalyzeOrgPolicyGovernedAssets][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedAssets]. +message AnalyzeOrgPolicyGovernedAssetsRequest { + // Required. The organization to scope the request. Only organization + // policies within the scope will be analyzed. The output assets will + // also be limited to the ones governed by those in-scope organization + // policies. + // + // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") + string scope = 1 [(google.api.field_behavior) = REQUIRED]; + + // Required. The name of the constraint to analyze governed assets for. 
The + // analysis only contains analyzed organization policies for the provided + // constraint. + string constraint = 2 [(google.api.field_behavior) = REQUIRED]; + + // The expression to filter the governed assets in result. The only supported + // fields for governed resources are `governed_resource.project` and + // `governed_resource.folders`. The only supported fields for governed iam + // policies are `governed_iam_policy.project` and + // `governed_iam_policy.folders`. The only supported operator is `=`. + // + // Example 1: governed_resource.project="projects/12345678" filter will return + // all governed resources under projects/12345678 including the project + // ifself, if applicable. + // + // Example 2: governed_iam_policy.folders="folders/12345678" filter will + // return all governed iam policies under folders/12345678, if applicable. + string filter = 3; + + // The maximum number of items to return per page. If unspecified, + // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets] + // will contain 100 items with a maximum of 200. + optional int32 page_size = 4; + + // The pagination token to retrieve the next page. + string page_token = 5; +} + +// The response message for +// [AssetService.AnalyzeOrgPolicyGovernedAssets][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedAssets]. +message AnalyzeOrgPolicyGovernedAssetsResponse { + // The Google Cloud resources governed by the organization policies of the + // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. + message GovernedResource { + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // the Google Cloud resource. 
+ string full_resource_name = 1; + + // The [full resource name] + // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of + // the parent of + // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name]. + string parent = 2; + + // The project that this resource belongs to, in the form of + // projects/{PROJECT_NUMBER}. This field is available when the resource + // belongs to a project. + string project = 5; + + // The folder(s) that this resource belongs to, in the form of + // folders/{FOLDER_NUMBER}. This field is available when the resource + // belongs(directly or cascadingly) to one or more folders. + repeated string folders = 6; + + // The organization that this resource belongs to, in the form of + // organizations/{ORGANIZATION_NUMBER}. This field is available when the + // resource belongs(directly or cascadingly) to an organization. + string organization = 7; + } + + // The IAM policies governed by the organization policies of the + // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. + message GovernedIamPolicy { + // The full resource name of the resource associated with this IAM policy. + // Example: + // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. + // See [Cloud Asset Inventory Resource Name + // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) + // for more information. + string attached_resource = 1; + + // The IAM policy directly set on the given resource. + google.iam.v1.Policy policy = 2; + + // The project that this IAM policy belongs to, in the form of + // projects/{PROJECT_NUMBER}. This field is available when the IAM policy + // belongs to a project. 
+ string project = 5; + + // The folder(s) that this IAM policy belongs to, in the form of + // folders/{FOLDER_NUMBER}. This field is available when the IAM policy + // belongs(directly or cascadingly) to one or more folders. + repeated string folders = 6; + + // The organization that this IAM policy belongs to, in the form of + // organizations/{ORGANIZATION_NUMBER}. This field is available when the + // IAM policy belongs(directly or cascadingly) to an organization. + string organization = 7; + } + + // Represents a Google Cloud asset(resource or IAM policy) governed by the + // organization policies of the + // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. + message GovernedAsset { + oneof governed_asset { + // A Google Cloud resource governed by the organization + // policies of the + // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. + GovernedResource governed_resource = 1; + + // An IAM policy governed by the organization + // policies of the + // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. + GovernedIamPolicy governed_iam_policy = 2; + } + + // The consolidated policy for the analyzed asset. The consolidated + // policy is computed by merging and evaluating + // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle]. + // The evaluation will respect the organization policy [hierarchy + // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). + AnalyzerOrgPolicy consolidated_policy = 3; + + // The ordered list of all organization policies from the + // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][] + // to the scope specified in the request. 
+ // + // If the constraint is defined with default policy, it will also appear in + // the list. + repeated AnalyzerOrgPolicy policy_bundle = 4; + } + + // The list of the analyzed governed assets. + repeated GovernedAsset governed_assets = 1; + + // The definition of the constraint in the request. + AnalyzerOrgPolicyConstraint constraint = 2; + + // The page token to fetch the next page for + // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets]. + string next_page_token = 3; +} + // Asset content type. enum ContentType { // Unspecified content type. @@ -2000,10 +2623,10 @@ enum ContentType { // The actual IAM policy set on a resource. IAM_POLICY = 2; - // The Cloud Organization Policy set on an asset. + // The organization policy set on an asset. ORG_POLICY = 4; - // The Cloud Access context manager Policy set on an asset. + // The Access Context Manager policy set on an asset. ACCESS_POLICY = 5; // The runtime OS Inventory information. diff --git a/google/cloud/asset/v1/assets.proto b/google/cloud/asset/v1/assets.proto index 8f22b5031..9e7774289 100644 --- a/google/cloud/asset/v1/assets.proto +++ b/google/cloud/asset/v1/assets.proto @@ -88,7 +88,7 @@ message TimeWindow { // [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google -// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy), +// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy), // or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship). // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 
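Review bot: The cross-references in the new analyzer messages are broken in four places: `[AnalyzeOrgPoliciesResponse.policy_bundle][]` on `OrgPolicyResult.consolidated_policy` has an empty link target and names a field that actually lives on `OrgPolicyResult`, and the three `policy_bundle` comments (in `OrgPolicyResult`, `GovernedContainer` and `GovernedAsset`) all cite `[AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][]`, two of them with a stray period before "to the scope", so the container and asset responses point at a different response message than their own. The comment on `GovernedContainer.consolidated_policy` already shows the correct fully-qualified form; the other references should follow it, e.g. `[AnalyzeOrgPoliciesResponse.OrgPolicyResult.policy_bundle][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.OrgPolicyResult.policy_bundle]`. Several new doc strings also carry typos that will be published verbatim in generated clients: `results of"folders/001"`, `including the project ifself`, `Will results in user error` (twice), the stray `'` closing the `resource.instanceName.matches(...)` example, and `Format will be of the form : "/" Example:` on `resource_types`, where the format placeholder appears to have been lost. Because `reset` documents an invariant the schema cannot enforce (`rules` empty and `inherit_from_parent` false), it is worth adding to the `AnalyzerOrgPolicy.reset` comment that consumers evaluating a `policy_bundle` should treat a policy with `reset` set as the effective root and ignore the entries above it, rather than relying on the two other fields being consistent.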
@@ -121,9 +121,9 @@ message Asset { // A representation of the resource. Resource resource = 3; - // A representation of the Cloud IAM policy set on a Google Cloud resource. - // There can be a maximum of one Cloud IAM policy set on any given resource. - // In addition, Cloud IAM policies inherit their granted access scope from any + // A representation of the IAM policy set on a Google Cloud resource. + // There can be a maximum of one IAM policy set on any given resource. + // In addition, IAM policies inherit their granted access scope from any // policies set on parent resources in the resource hierarchy. Therefore, the // effectively policy is the union of both the policy set on this resource // and each policy set on all of the resource's ancestry resource levels in @@ -151,7 +151,8 @@ message Asset { // Please also refer to the [service perimeter user // guide](https://cloud.google.com/vpc-service-controls/docs/overview). - google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9; + google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = + 9; } // A representation of runtime OS Inventory information. See [this @@ -213,7 +214,7 @@ message Resource { // for more information. // // For Google Cloud assets, this value is the parent resource defined in the - // [Cloud IAM policy + // [IAM policy // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy). // Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` 
@@ -270,7 +271,7 @@ message RelationshipAttributes { // ancestors. An asset can be any resource in the Google Cloud [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google -// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy). +// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for more information. @@ -282,8 +283,8 @@ message RelatedAsset { // names](https://cloud.google.com/apis/design/resource_names#full_resource_name) // for more information. string asset = 1 [(google.api.resource_reference) = { - type: "cloudasset.googleapis.com/Asset" - }]; + type: "cloudasset.googleapis.com/Asset" + }]; // The type of the asset. Example: `compute.googleapis.com/Disk` // @@ -389,7 +390,8 @@ message ResourceSearchResult { // * Use a free text query. Example: `us-west*` string location = 6; - // Labels associated with this resource. See [Labelling and grouping GCP + // Labels associated with this resource. See [Labelling and grouping Google + // Cloud // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) // for more information. This field is available only when the resource's // Protobuf contains it. @@ -404,7 +406,8 @@ message ResourceSearchResult { map labels = 7; // Network tags associated with this resource. Like labels, network tags are a - // type of annotations used to group GCP resources. See [Labelling GCP + // type of annotations used to group Google Cloud resources. See [Labelling + // Google Cloud // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) // for more information. This field is available only when the resource's // Protobuf contains it. 
@@ -422,8 +425,8 @@ message ResourceSearchResult {
 // name.
 //
 // This field only presents for the purpose of backward compatibility. Please
- // use the `kms_keys` field to retrieve KMS key information. This field is
- // available only when the resource's Protobuf contains it and will only be
+ // use the `kms_keys` field to retrieve Cloud KMS key information. This field
+ // is available only when the resource's Protobuf contains it and will only be
 // populated for [these resource
 // types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field)
 // for backward compatible purposes.
@@ -485,7 +488,7 @@ message ResourceSearchResult {
 // SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See `status` definition
 // in [API
 // Reference](https://cloud.google.com/compute/docs/reference/rest/v1/instances).
- // If the resource is a project provided by Cloud Resource Manager, its state
+ // If the resource is a project provided by Resource Manager, its state
 // will include LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and
 // DELETE_IN_PROGRESS. See `lifecycleState` definition in [API
 // Reference](https://cloud.google.com/resource-manager/reference/rest/v1/projects).
@@ -500,15 +503,15 @@ message ResourceSearchResult { // vary from one resource type to another. Examples: `projectId` for Project, // `dnsName` for DNS ManagedZone. This field contains a subset of the resource // metadata fields that are returned by the List or Get APIs provided by the - // corresponding GCP service (e.g., Compute Engine). see [API references and - // supported searchable + // corresponding Google Cloud service (e.g., Compute Engine). see [API + // references and supported searchable // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types) // to see which fields are included. // // You can search values of these fields through free text search. However, // you should not consume the field programically as the field names and - // values may change as the GCP service updates to a new incompatible API - // version. + // values may change as the Google Cloud service updates to a new incompatible + // API version. // // To search against the `additional_attributes`: // @@ -700,11 +703,11 @@ message IamPolicySearchResult { // * specify the `asset_types` field in your search request. string asset_type = 5; - // The project that the associated GCP resource belongs to, in the form of - // projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM - // instance, Cloud Storage bucket), the project field will indicate the - // project that contains the resource. If an IAM policy is set on a folder or - // orgnization, this field will be empty. + // The project that the associated Google Cloud resource belongs to, in the + // form of projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource + // (like VM instance, Cloud Storage bucket), the project field will indicate + // the project that contains the resource. If an IAM policy is set on a folder + // or orgnization, this field will be empty. // // To search against the `project`: // 
@@ -876,8 +879,10 @@ message IamPolicyAnalysisResult { repeated Access accesses = 2; // Resource edges of the graph starting from the policy attached - // resource to any descendant resources. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node] contains - // the full resource name of a parent resource and [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node] + // resource to any descendant resources. The + // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node] + // contains the full resource name of a parent resource and + // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node] // contains the full resource name of a child resource. This field is // present only if the output_resource_edges option is enabled in request. repeated Edge resource_edges = 3; 
@@ -896,32 +901,41 @@ message IamPolicyAnalysisResult {
 repeated Identity identities = 1;
 // Group identity edges of the graph starting from the binding's
- // group members to any node of the [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
+ // group members to any node of the
+ // [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities].
+ // The
+ // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
 // contains a group, such as `group:parent@google.com`. The
- // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group,
- // such as `group:child@google.com` or `user:foo@google.com`.
- // This field is present only if the output_group_edges option is enabled in
- // request.
+ // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
+ // contains a member of the group, such as `group:child@google.com` or
+ // `user:foo@google.com`. This field is present only if the
+ // output_group_edges option is enabled in request.
 repeated Edge group_edges = 2;
 }
 // The [full resource
 // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
- // of the resource to which the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] policy attaches.
+ // of the resource to which the
+ // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+ // policy attaches.
 string attached_resource_full_name = 1;
- // The Cloud IAM policy binding under analysis.
+ // The IAM policy binding under analysis.
 google.iam.v1.Binding iam_binding = 2;
- // The access control lists derived from the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
- // potentially match resource and access selectors specified in the request.
+ // The access control lists derived from the
+ // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+ // that match or potentially match resource and access selectors specified in
+ // the request.
 repeated AccessControlList access_control_lists = 3;
- // The identity list derived from members of the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
- // potentially match identity selector specified in the request.
+ // The identity list derived from members of the
+ // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+ // that match or potentially match identity selector specified in the request.
 IdentityList identity_list = 4;
- // Represents whether all analyses on the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] have successfully
- // finished.
+ // Represents whether all analyses on the
+ // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+ // have successfully finished.
 bool fully_explored = 5;
 }
diff --git a/google/cloud/asset/v1/cloudasset_v1.yaml b/google/cloud/asset/v1/cloudasset_v1.yaml
index 338af62a0..0ffb3c8d3 100644
--- a/google/cloud/asset/v1/cloudasset_v1.yaml
+++ b/google/cloud/asset/v1/cloudasset_v1.yaml
@@ -12,14 +12,16 @@ types:
 - name: google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse
 documentation:
- summary: The cloud asset API manages the history and inventory of cloud resources.
+ summary: |-
+ The Cloud Asset API manages the history and inventory of Google Cloud
+ resources.
 overview: |-
 # Cloud Asset API
- The Cloud Asset API keeps a history of Google Cloud Platform (GCP) asset
- metadata, and allows GCP users to download a dump of all asset metadata
- for the resource types listed below within an organization or a project at
- a given timestamp.
+ The Cloud Asset API keeps a history of Google Cloud asset metadata, and
+ allows Google Cloud users to download a dump of all asset metadata for the
+ resource types listed below within an organization or a project at a given
+ timestamp.
 Read more documents here: https://cloud.google.com/asset-inventory/docs
diff --git a/google/cloud/asset/v1p1beta1/asset_service.proto b/google/cloud/asset/v1p1beta1/asset_service.proto
index d5a0d8c41..b7366dbd7 100644
--- a/google/cloud/asset/v1p1beta1/asset_service.proto
+++ b/google/cloud/asset/v1p1beta1/asset_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -31,28 +31,31 @@ option php_namespace = "Google\\Cloud\\Asset\\V1p1beta1";
 // Asset service definition.
 service AssetService {
 option (google.api.default_host) = "cloudasset.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
-
- // Searches all the resources under a given accessible CRM scope
- // (project/folder/organization). This RPC gives callers
- // especially admins the ability to search all the resources under a scope,
- // even if they don't have .get permission of all the resources. Callers
- // should have cloud.assets.SearchAllResources permission on the requested
- // scope, otherwise it will be rejected.
- rpc SearchAllResources(SearchAllResourcesRequest) returns (SearchAllResourcesResponse) {
+ option (google.api.oauth_scopes) =
+ "https://www.googleapis.com/auth/cloud-platform";
+
+ // Searches all the resources within a given accessible Resource Manager scope
+ // (project/folder/organization). This RPC gives callers especially
+ // administrators the ability to search all the resources within a scope, even
+ // if they don't have `.get` permission of all the resources. Callers should
+ // have `cloud.assets.SearchAllResources` permission on the requested scope,
+ // otherwise the request will be rejected.
+ rpc SearchAllResources(SearchAllResourcesRequest)
+ returns (SearchAllResourcesResponse) {
 option (google.api.http) = {
 get: "/v1p1beta1/{scope=*/*}/resources:searchAll"
 };
 option (google.api.method_signature) = "scope,query,asset_types";
 }
- // Searches all the IAM policies under a given accessible CRM scope
- // (project/folder/organization). This RPC gives callers
- // especially admins the ability to search all the IAM policies under a scope,
- // even if they don't have .getIamPolicy permission of all the IAM policies.
- // Callers should have cloud.assets.SearchAllIamPolicies permission on the
- // requested scope, otherwise it will be rejected.
- rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest) returns (SearchAllIamPoliciesResponse) {
+ // Searches all the IAM policies within a given accessible Resource Manager
+ // scope (project/folder/organization). This RPC gives callers especially
+ // administrators the ability to search all the IAM policies within a scope,
+ // even if they don't have `.getIamPolicy` permission of all the IAM policies.
+ // Callers should have `cloud.assets.SearchAllIamPolicies` permission on the
+ // requested scope, otherwise the request will be rejected.
+ rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest)
+ returns (SearchAllIamPoliciesResponse) {
 option (google.api.http) = {
 get: "/v1p1beta1/{scope=*/*}/iamPolicies:searchAll"
 };
@@ -62,37 +65,39 @@ service AssetService {
 // Search all resources request.
 message SearchAllResourcesRequest {
- // Required. The relative name of an asset. The search is limited to the resources
- // within the `scope`. The allowed value must be:
+ // Required. The relative name of an asset. The search is limited to the
+ // resources within the `scope`. The allowed value must be:
+ //
 // * Organization number (such as "organizations/123")
- // * Folder number(such as "folders/1234")
+ // * Folder number (such as "folders/1234")
 // * Project number (such as "projects/12345")
- // * Project id (such as "projects/abc")
+ // * Project ID (such as "projects/abc")
 string scope = 1 [(google.api.field_behavior) = REQUIRED];
 // Optional. The query statement.
 string query = 2 [(google.api.field_behavior) = OPTIONAL];
- // Optional. A list of asset types that this request searches for. If empty, it will
- // search all the supported asset types.
+ // Optional. A list of asset types that this request searches for. If empty,
+ // it will search all the supported asset types.
 repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. The page size for search result pagination. Page size is capped at 500 even
- // if a larger value is given. If set to zero, server will pick an appropriate
- // default. Returned results may be fewer than requested. When this happens,
- // there could be more results as long as `next_page_token` is returned.
+ // Optional. The page size for search result pagination. Page size is capped
+ // at 500 even if a larger value is given. If set to zero, server will pick an
+ // appropriate default. Returned results may be fewer than requested. When
+ // this happens, there could be more results as long as `next_page_token` is
+ // returned.
 int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If present, then retrieve the next batch of results from the preceding call
- // to this method. `page_token` must be the value of `next_page_token` from
- // the previous response. The values of all other method parameters, must be
- // identical to those in the previous call.
+ // Optional. If present, then retrieve the next batch of results from the
+ // preceding call to this method. `page_token` must be the value of
+ // `next_page_token` from the previous response. The values of all other
+ // method parameters, must be identical to those in the previous call.
 string page_token = 5 [(google.api.field_behavior) = OPTIONAL];
- // Optional. A comma separated list of fields specifying the sorting order of the
- // results. The default order is ascending. Add " desc" after the field name
- // to indicate descending order. Redundant space characters are ignored. For
- // example, " foo , bar desc ".
+ // Optional. A comma separated list of fields specifying the sorting order of
+ // the results. The default order is ascending. Add ` DESC` after the field
+ // name to indicate descending order. Redundant space characters are ignored.
+ // For example, ` location DESC , name `.
 string order_by = 10 [(google.api.field_behavior) = OPTIONAL];
 }
@@ -109,37 +114,39 @@ message SearchAllResourcesResponse {
 // Search all IAM policies request.
 message SearchAllIamPoliciesRequest {
- // Required. The relative name of an asset. The search is limited to the resources
- // within the `scope`. The allowed value must be:
+ // Required. The relative name of an asset. The search is limited to the
+ // resources within the `scope`. The allowed value must be:
+ //
 // * Organization number (such as "organizations/123")
- // * Folder number(such as "folders/1234")
+ // * Folder number (such as "folders/1234")
 // * Project number (such as "projects/12345")
- // * Project id (such as "projects/abc")
+ // * Project ID (such as "projects/abc")
 string scope = 1 [(google.api.field_behavior) = REQUIRED];
- // Optional. The query statement.
- // Examples:
+ // Optional. The query statement. Examples:
+ //
 // * "policy:myuser@mydomain.com"
 // * "policy:(myuser@mydomain.com viewer)"
 string query = 2 [(google.api.field_behavior) = OPTIONAL];
- // Optional. The page size for search result pagination. Page size is capped at 500 even
- // if a larger value is given. If set to zero, server will pick an appropriate
- // default. Returned results may be fewer than requested. When this happens,
- // there could be more results as long as `next_page_token` is returned.
+ // Optional. The page size for search result pagination. Page size is capped
+ // at 500 even if a larger value is given. If set to zero, server will pick an
+ // appropriate default. Returned results may be fewer than requested. When
+ // this happens, there could be more results as long as `next_page_token` is
+ // returned.
 int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. If present, retrieve the next batch of results from the preceding call to
- // this method. `page_token` must be the value of `next_page_token` from the
- // previous response. The values of all other method parameters must be
- // identical to those in the previous call.
+ // Optional. If present, retrieve the next batch of results from the preceding
+ // call to this method. `page_token` must be the value of `next_page_token`
+ // from the previous response. The values of all other method parameters must
+ // be identical to those in the previous call.
 string page_token = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 // Search all IAM policies response.
 message SearchAllIamPoliciesResponse {
- // A list of IamPolicy that match the search query. Related information such
- // as the associated resource is returned along with the policy.
+ // A list of IAM policies that match the search query. Related information
+ // such as the associated resource is returned along with the policy.
 repeated IamPolicySearchResult results = 1;
 // Set if there are more results than those appearing in this response; to get
diff --git a/google/cloud/asset/v1p1beta1/assets.proto b/google/cloud/asset/v1p1beta1/assets.proto
index c0ac1403a..d2fb98e07 100644
--- a/google/cloud/asset/v1p1beta1/assets.proto
+++ b/google/cloud/asset/v1p1beta1/assets.proto
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -59,55 +59,59 @@ message StandardResourceMetadata {
 // "us-west1-b".
 string location = 11;
- // Labels associated with this resource. See [Labelling and grouping GCP
+ // Labels associated with this resource. See [Labelling and grouping Google
+ // Cloud
 // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
 // for more information.
 map labels = 12;
 // Network tags associated with this resource. Like labels, network tags are a
- // type of annotations used to group GCP resources. See [Labelling GCP
+ // type of annotations used to group Google Cloud resources. See [Labelling
+ // Google Cloud
 // resources](lhttps://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
 // for more information.
 repeated string network_tags = 13;
 }
-// The result for a IAM Policy search.
+// The result for an IAM policy search.
 message IamPolicySearchResult {
 // Explanation about the IAM policy search result.
 message Explanation {
 // The map from roles to their included permission matching the permission
- // query (e.g. containing `policy.role.permissions:`). A sample role string:
+ // query (e.g. containing `policy.role.permissions:`). Example role string:
 // "roles/compute.instanceAdmin". The roles can also be found in the
 // returned `policy` bindings. Note that the map is populated only if
 // requesting with a permission query.
 map matched_permissions = 1;
 }
- // The [full resource
+ // The
+ // [full resource
 // name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
 // of the resource associated with this IAM policy.
 string resource = 1;
- // The project that the associated GCP resource belongs to, in the form of
- // `projects/{project_number}`. If an IAM policy is set on a resource (like VM
- // instance, Cloud Storage bucket), the project field will indicate the
- // project that contains the resource. If an IAM policy is set on a folder or
- // orgnization, the project field will be empty.
+ // The project that the associated Google Cloud resource belongs to, in the
+ // form of `projects/{project_number}`. If an IAM policy is set on a resource
+ // -- such as a Compute Engine instance or a Cloud Storage bucket -- the
+ // project field will indicate the project that contains the resource. If an
+ // IAM policy is set on a folder or orgnization, the project field will be
+ // empty.
 string project = 3;
- // The IAM policy directly set on the given resource. Note that the original
+ // The IAM policy attached to the specified resource. Note that the original
 // IAM policy can contain multiple bindings. This only contains the bindings
- // that match the given query. For queries that don't contain a constrain on
+ // that match the given query. For queries that don't contain a constraint on
 // policies (e.g. an empty query), this contains all the bindings.
 google.iam.v1.Policy policy = 4;
 // Explanation about the IAM policy search result. It contains additional
- // information to explain why the search result matches the query.
+ // information that explains why the search result matches the query.
 Explanation explanation = 5;
 }
-// IAM permissions
+// IAM permissions.
 message Permissions {
- // A list of permissions. A sample permission string: "compute.disk.get".
+ // A list of permissions. Example permission string: "compute.disk.get".
 repeated string permissions = 1;
 }
diff --git a/google/cloud/asset/v1p1beta1/cloudasset_v1p1beta1.yaml b/google/cloud/asset/v1p1beta1/cloudasset_v1p1beta1.yaml
index 74aad50aa..96c1be248 100644
--- a/google/cloud/asset/v1p1beta1/cloudasset_v1p1beta1.yaml
+++ b/google/cloud/asset/v1p1beta1/cloudasset_v1p1beta1.yaml
@@ -5,16 +5,19 @@ title: Cloud Asset API
 apis:
 - name: google.cloud.asset.v1p1beta1.AssetService
+- name: google.longrunning.Operations
 documentation:
- summary: The cloud asset API manages the history and inventory of cloud resources.
+ summary: |-
+ The Cloud Asset API manages the history and inventory of Google Cloud
+ resources.
 overview: |-
 # Cloud Asset API
- The Cloud Asset API keeps a history of Google Cloud Platform (GCP) asset
- metadata, and allows GCP users to download a dump of all asset metadata
- for the resource types listed below within an organization or a project at
- a given timestamp.
+ The Cloud Asset API keeps a history of Google Cloud asset metadata, and
+ allows Google Cloud users to download a dump of all asset metadata for the
+ resource types listed below within an organization or a project at a given
+ timestamp.
 Read more documents here: https://cloud.google.com/asset-inventory/docs
diff --git a/google/cloud/asset/v1p2beta1/cloudasset_grpc_service_config.json b/google/cloud/asset/v1p2beta1/cloudasset_grpc_service_config.json
index 7e7147099..579478922 100755
--- a/google/cloud/asset/v1p2beta1/cloudasset_grpc_service_config.json
+++ b/google/cloud/asset/v1p2beta1/cloudasset_grpc_service_config.json
@@ -2,6 +2,10 @@
 "methodConfig": [
 {
 "name": [
+ {
+ "service": "google.cloud.asset.v1p2beta1.AssetService",
+ "method": "ExportAssets"
+ },
 {
 "service": "google.cloud.asset.v1p2beta1.AssetService",
 "method": "CreateFeed"
@@ -15,6 +19,10 @@
 },
 {
 "name": [
+ {
+ "service": "google.cloud.asset.v1p2beta1.AssetService",
+ "method": "BatchGetAssetsHistory"
+ },
 {
 "service": "google.cloud.asset.v1p2beta1.AssetService",
 "method": "GetFeed"
diff --git a/google/cloud/asset/v1p5beta1/asset_service.proto b/google/cloud/asset/v1p5beta1/asset_service.proto
index 52233ad05..9a28cdb6e 100644
--- a/google/cloud/asset/v1p5beta1/asset_service.proto
+++ b/google/cloud/asset/v1p5beta1/asset_service.proto
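Review bot: `google.longrunning.Operations` is added to the v1p1beta1 `apis` list, but unlike the v1p5beta1 service config in this same commit no `backend` deadline and no `authentication` rule are added for its methods, and the diffstat (13 lines) shows this hunk is the file's whole change. If the Operations API is meant to be served for v1p1beta1, an `authentication.rules` entry with `canonical_scopes: https://www.googleapis.com/auth/cloud-platform` for its selector would give its methods the same OAuth-scope requirement as the `AssetService` methods; if v1p1beta1 has no long-running methods (the service visible earlier in this diff declares only the two search RPCs), the `apis` entry looks unnecessary.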
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@ package google.cloud.asset.v1p5beta1;
 import "google/api/annotations.proto";
 import "google/api/client.proto";
 import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
 import "google/cloud/asset/v1p5beta1/assets.proto";
 import "google/protobuf/timestamp.proto";
@@ -41,6 +42,7 @@ service AssetService {
 option (google.api.http) = {
 get: "/v1p5beta1/{parent=*/*}/assets"
 };
+ option (google.api.method_signature) = "parent";
 }
 }
@@ -48,21 +50,39 @@ service AssetService {
 message ListAssetsRequest {
 // Required. Name of the organization or project the assets belong to. Format:
 // "organizations/[organization-number]" (such as "organizations/123"),
- // "projects/[project-number]" (such as "projects/my-project-id"), or
- // "projects/[project-id]" (such as "projects/12345").
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
+ // "projects/[project-id]" (such as "projects/my-project-id"), or
+ // "projects/[project-number]" (such as "projects/12345").
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "cloudasset.googleapis.com/Asset"
+ }
+ ];
 // Timestamp to take an asset snapshot. This can only be set to a timestamp
- // between 2018-10-02 UTC (inclusive) and the current time. If not specified,
- // the current time will be used. Due to delays in resource data collection
- // and indexing, there is a volatile window during which running the same
- // query may get different results.
+ // between the current time and the current time minus 35 days (inclusive).
+ // If not specified, the current time will be used. Due to delays in resource
+ // data collection and indexing, there is a volatile window during which
+ // running the same query may get different results.
 google.protobuf.Timestamp read_time = 2;
- // A list of asset types of which to take a snapshot for. For example:
- // "compute.googleapis.com/Disk". If specified, only matching assets will be
- // returned. See [Introduction to Cloud Asset
- // Inventory](https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview)
+ // A list of asset types to take a snapshot for. For example:
+ // "compute.googleapis.com/Disk".
+ //
+ // Regular expression is also supported. For example:
+ //
+ // * "compute.googleapis.com.*" snapshots resources whose asset type starts
+ // with "compute.googleapis.com".
+ // * ".*Instance" snapshots resources whose asset type ends with "Instance".
+ // * ".*Instance.*" snapshots resources whose asset type contains "Instance".
+ //
+ // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
+ // regular expression syntax. If the regular expression does not match any
+ // supported asset type, an INVALID_ARGUMENT error will be returned.
+ //
+ // If specified, only matching assets will be returned, otherwise, it will
+ // snapshot all asset types. See [Introduction to Cloud Asset
+ // Inventory](https://cloud.google.com/asset-inventory/docs/overview)
 // for all supported asset types.
 repeated string asset_types = 3;
@@ -80,6 +100,20 @@ message ListAssetsRequest {
 string page_token = 6;
 }
+// ListAssets response.
+message ListAssetsResponse {
+ // Time the snapshot was taken.
+ google.protobuf.Timestamp read_time = 1;
+
+ // Assets.
+ repeated Asset assets = 2;
+
+ // Token to retrieve the next page of results. It expires 72 hours after the
+ // page token for the first page is generated. Set to empty if there are no
+ // remaining results.
+ string next_page_token = 3;
+}
 // Asset content type.
 enum ContentType {
 // Unspecified content type.
@@ -91,22 +125,9 @@ enum ContentType {
 // The actual IAM policy set on a resource.
 IAM_POLICY = 2;
- // The Cloud Organization Policy set on an asset.
+ // The organization policy set on an asset.
 ORG_POLICY = 4;
- // The Cloud Access context mananger Policy set on an asset.
+ // The Access Context Manager policy set on an asset.
 ACCESS_POLICY = 5;
 }
-
-// ListAssets response.
-message ListAssetsResponse {
- // Time the snapshot was taken.
- google.protobuf.Timestamp read_time = 1;
-
- // Assets.
- repeated Asset assets = 2;
-
- // Token to retrieve the next page of results. Set to empty if there are no
- // remaining results.
- string next_page_token = 3;
-}
diff --git a/google/cloud/asset/v1p5beta1/assets.proto b/google/cloud/asset/v1p5beta1/assets.proto
index 7ad133a54..35faabebf 100644
--- a/google/cloud/asset/v1p5beta1/assets.proto
+++ b/google/cloud/asset/v1p5beta1/assets.proto
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -32,77 +32,108 @@ option java_outer_classname = "AssetProto";
 option java_package = "com.google.cloud.asset.v1p5beta1";
 option php_namespace = "Google\\Cloud\\Asset\\V1p5beta1";
-// Cloud asset. This includes all Google Cloud Platform resources,
-// Cloud IAM policies, and other non-GCP assets.
+// An asset in Google Cloud. An asset can be any resource in the Google Cloud
+// [resource
+// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
+// a resource outside the Google Cloud resource hierarchy (such as Google
+// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy).
+// See [Supported asset
+// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
+// for more information.
 message Asset {
 option (google.api.resource) = {
 type: "cloudasset.googleapis.com/Asset"
 pattern: "*"
 };
- // The full name of the asset. For example:
- // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
+ // The full name of the asset. Example:
+ // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
+ //
 // See [Resource
- // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+ // names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
 // for more information.
 string name = 1;
- // Type of the asset. Example: "compute.googleapis.com/Disk".
+ // The type of the asset. Example: `compute.googleapis.com/Disk`
+ //
+ // See [Supported asset
+ // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
+ // for more information.
 string asset_type = 2;
- // Representation of the resource.
+ // A representation of the resource.
 Resource resource = 3;
- // Representation of the actual Cloud IAM policy set on a cloud resource. For
- // each resource, there must be at most one Cloud IAM policy set on it.
+ // A representation of the IAM policy set on a Google Cloud resource.
+ // There can be a maximum of one IAM policy set on any given resource.
+ // In addition, IAM policies inherit their granted access scope from any
+ // policies set on parent resources in the resource hierarchy. Therefore, the
+ // effectively policy is the union of both the policy set on this resource
+ // and each policy set on all of the resource's ancestry resource levels in
+ // the hierarchy. See
+ // [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance)
+ // for more information.
 google.iam.v1.Policy iam_policy = 4;
- // Representation of the Cloud Organization Policy set on an asset. For each
- // asset, there could be multiple Organization policies with different
- // constraints.
+ // A representation of an [organization
+ // policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
+ // There can be more than one organization policy with different constraints
+ // set on a given resource.
 repeated google.cloud.orgpolicy.v1.Policy org_policy = 6;
- // Representation of the Cloud Organization access policy.
+ // A representation of an [access
+ // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
 oneof access_context_policy {
+ // Please also refer to the [access policy user
+ // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
 google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7;
+ // Please also refer to the [access level user
+ // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
 google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
+ // Please also refer to the [service perimeter user
+ // guide](https://cloud.google.com/vpc-service-controls/docs/overview).
 google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9;
 }
- // Asset's ancestry path in Cloud Resource Manager (CRM) hierarchy,
- // represented as a list of relative resource names. Ancestry path starts with
- // the closest CRM ancestor and ends at root. If the asset is a CRM
- // project/folder/organization, this starts from the asset itself.
+ // The ancestry path of an asset in Google Cloud [resource
+ // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
+ // represented as a list of relative resource names. An ancestry path starts
+ // with the closest ancestor in the hierarchy and ends at root. If the asset
+ // is a project, folder, or organization, the ancestry path starts from the
+ // asset itself.
 //
- // Example: ["projects/123456789", "folders/5432", "organizations/1234"]
+ // Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
 repeated string ancestors = 10;
 }
-// Representation of a cloud resource.
+// A representation of a Google Cloud resource.
 message Resource {
 // The API version. Example: "v1".
 string version = 1;
 // The URL of the discovery document containing the resource's JSON schema.
- // For example:
- // `"https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"`.
- // It will be left unspecified for resources without a discovery-based API,
- // such as Cloud Bigtable.
+ // Example:
+ // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
+ //
+ // This value is unspecified for resources that do not have an API based on a
+ // discovery document, such as Cloud Bigtable.
 string discovery_document_uri = 2;
- // The JSON schema name listed in the discovery document.
- // Example: "Project". It will be left unspecified for resources (such as
- // Cloud Bigtable) without a discovery-based API.
+ // The JSON schema name listed in the discovery document. Example:
+ // `Project`
+ //
+ // This value is unspecified for resources that do not have an API based on a
+ // discovery document, such as Cloud Bigtable.
 string discovery_name = 3;
- // The REST URL for accessing the resource. An HTTP GET operation using this
- // URL returns the resource itself.
- // Example:
- // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`.
- // It will be left unspecified for resources without a REST API.
+ // The REST URL for accessing the resource. An HTTP `GET` request using this
+ // URL returns the resource itself. Example:
+ // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
+ //
+ // This value is unspecified for resources without a REST API.
 string resource_url = 4;
 // The full name of the immediate parent of this resource. See
@@ -110,15 +141,16 @@ message Resource {
 // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
 // for more information.
 //
- // For GCP assets, it is the parent resource defined in the [Cloud IAM policy
+ // For Google Cloud assets, this value is the parent resource defined in the
+ // [IAM policy
 // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
- // For example:
- // `"//cloudresourcemanager.googleapis.com/projects/my_project_123"`.
+ // Example:
+ // `//cloudresourcemanager.googleapis.com/projects/my_project_123`
 //
- // For third-party assets, it is up to the users to define.
+ // For third-party assets, this field may be set differently.
 string parent = 5;
- // The content of the resource, in which some sensitive fields are scrubbed
- // away and may not be present.
+ // The content of the resource, in which some sensitive fields are removed
+ // and may not be present.
 google.protobuf.Struct data = 6;
 }
diff --git a/google/cloud/asset/v1p5beta1/cloudasset_v1p5beta1.yaml b/google/cloud/asset/v1p5beta1/cloudasset_v1p5beta1.yaml
index 07dbadacd..3d9a00735 100644
--- a/google/cloud/asset/v1p5beta1/cloudasset_v1p5beta1.yaml
+++ b/google/cloud/asset/v1p5beta1/cloudasset_v1p5beta1.yaml
@@ -5,16 +5,19 @@ title: Cloud Asset API
 apis:
 - name: google.cloud.asset.v1p5beta1.AssetService
+- name: google.longrunning.Operations
 documentation:
- summary: The cloud asset API manages the history and inventory of cloud resources.
+ summary: |-
+ The Cloud Asset API manages the history and inventory of Google Cloud
+ resources.
 overview: |-
 # Cloud Asset API
- The Cloud Asset API keeps a history of Google Cloud Platform (GCP) asset
- metadata, and allows GCP users to download a dump of all asset metadata
- for the resource types listed below within an organization or a project at
- a given timestamp.
+ The Cloud Asset API keeps a history of Google Cloud asset metadata, and
+ allows Google Cloud users to download a dump of all asset metadata for the
+ resource types listed below within an organization or a project at a given
+ timestamp.
 Read more documents here: https://cloud.google.com/asset-inventory/docs
@@ -23,6 +26,8 @@ backend:
 rules:
 - selector: google.cloud.asset.v1p5beta1.AssetService.ListAssets
 deadline: 600.0
+ - selector: google.longrunning.Operations.GetOperation
+ deadline: 60.0
 authentication:
 rules:
@@ -30,3 +35,7 @@ authentication:
 oauth:
 canonical_scopes: |-
 https://www.googleapis.com/auth/cloud-platform
+ - selector: google.longrunning.Operations.GetOperation
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform
diff --git a/google/cloud/asset/v1p7beta1/asset_service.proto b/google/cloud/asset/v1p7beta1/asset_service.proto
index 18fcff6c4..d184cf8ff 100644
--- a/google/cloud/asset/v1p7beta1/asset_service.proto
+++ b/google/cloud/asset/v1p7beta1/asset_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
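Review bot: The `apis` list adds the whole `google.longrunning.Operations` service, but the `backend` and `authentication` rules added in the next two hunks cover only `google.longrunning.Operations.GetOperation`; `ListOperations`, `CancelOperation`, `DeleteOperation` and `WaitOperation` would then be served with no deadline and no explicit OAuth-scope rule, presumably falling back to whatever the service config treats as default. If only polling is intended, the other methods should either get matching rules or a short comment stating that only `GetOperation` is exposed. It is also not visible in this diff which v1p5beta1 method returns an operation (the `AssetService` shown earlier declares only `ListAssets`), so the motivation for the addition belongs in the commit description.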
@@ -20,7 +20,6 @@ import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; -import "google/cloud/asset/v1p7beta1/assets.proto"; import "google/longrunning/operations.proto"; import "google/protobuf/timestamp.proto"; @@ -134,10 +133,10 @@ message ExportAssetsResponse { OutputConfig output_config = 2; // Output result indicating where the assets were exported to. For example, a - // set of actual Google Cloud Storage object uris where the assets are - // exported to. The uris can be different from what [output_config] has + // set of actual Cloud Storage object URIs where the assets are + // exported to. The URIs can be different from what [output_config] has // specified, as the service will split the output object into multiple ones - // once it exceeds a single Google Cloud Storage object limit. + // once it exceeds a single Cloud Storage object limit. OutputResult output_result = 3; } @@ -165,7 +164,7 @@ message OutputResult { // A Cloud Storage output result. message GcsOutputResult { - // List of uris of the Cloud Storage objects. Example: + // List of URIs of the Cloud Storage objects. Example: // "gs://bucket_name/object_name". repeated string uris = 1; } 
@@ -174,15 +173,15 @@ message GcsOutputResult { message GcsDestination { // Required. oneof object_uri { - // The uri of the Cloud Storage object. It's the same uri that is used by + // The URI of the Cloud Storage object. It's the same URI that is used by // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and // Editing Object // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) // for more information. string uri = 1; - // The uri prefix of all generated Cloud Storage objects. Example: - // "gs://bucket_name/object_name_prefix". Each object uri is in format: + // The URI prefix of all generated Cloud Storage objects. Example: + // "gs://bucket_name/object_name_prefix". Each object URI is in format: // "gs://bucket_name/object_name_prefix/{ASSET_TYPE}/{SHARD_NUMBER} and only // contains assets for that type. starts from 0. Example: // "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is @@ -302,10 +301,10 @@ enum ContentType { // The actual IAM policy set on a resource. IAM_POLICY = 2; - // The Cloud Organization Policy set on an asset. + // The organization policy set on an asset. ORG_POLICY = 4; - // The Cloud Access context manager Policy set on an asset. + // The Access Context Manager policy set on an asset. ACCESS_POLICY = 5; // The related resources. diff --git a/google/cloud/asset/v1p7beta1/assets.proto b/google/cloud/asset/v1p7beta1/assets.proto index 26ac6b205..710a37acd 100644 --- a/google/cloud/asset/v1p7beta1/assets.proto +++ b/google/cloud/asset/v1p7beta1/assets.proto @@ -1,4 +1,4 @@ -// Copyright 2021 Google LLC +// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -18,7 +18,6 @@ package google.cloud.asset.v1p7beta1; import "google/api/resource.proto"; import "google/cloud/orgpolicy/v1/orgpolicy.proto"; -import "google/cloud/osconfig/v1/inventory.proto"; import "google/iam/v1/policy.proto"; import "google/identity/accesscontextmanager/v1/access_level.proto"; import "google/identity/accesscontextmanager/v1/access_policy.proto"; @@ -40,7 +39,7 @@ option php_namespace = "Google\\Cloud\\Asset\\V1p7beta1"; // [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google -// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy). +// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for more information. 
@@ -72,15 +71,15 @@ message Asset { // A representation of the resource. Resource resource = 3; - // A representation of the Cloud IAM policy set on a Google Cloud resource. - // There can be a maximum of one Cloud IAM policy set on any given resource. - // In addition, Cloud IAM policies inherit their granted access scope from any + // A representation of the IAM policy set on a Google Cloud resource. + // There can be a maximum of one IAM policy set on any given resource. + // In addition, IAM policies inherit their granted access scope from any // policies set on parent resources in the resource hierarchy. Therefore, the // effectively policy is the union of both the policy set on this resource // and each policy set on all of the resource's ancestry resource levels in // the hierarchy. See - // [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for - // more information. + // [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance) + // for more information. google.iam.v1.Policy iam_policy = 4; // A representation of an [organization @@ -154,7 +153,7 @@ message Resource { // for more information. // // For Google Cloud assets, this value is the parent resource defined in the - // [Cloud IAM policy + // [IAM policy // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy). // Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` 
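Review bot: The unchanged context line `// effectively policy is the union of both the policy set on this resource` still carries a typo that this "typo fixes" commit rewrites the sentences around but does not touch; it should read `// effective policy is the union of both the policy set on this resource`. While the comment is being revised, it would also help readers of `iam_policy` to state explicitly that the field holds only the policy bound directly to the resource, not the inherited/effective one — the current wording describes inheritance but never says which of the two the field contains.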
@@ -201,7 +200,7 @@ message RelationshipAttributes { // ancestors. An asset can be any resource in the Google Cloud [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google -// Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy). +// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for more information. diff --git a/google/cloud/asset/v1p7beta1/cloudasset_v1p7beta1.yaml b/google/cloud/asset/v1p7beta1/cloudasset_v1p7beta1.yaml index 73e89e301..bee999b70 100644 --- a/google/cloud/asset/v1p7beta1/cloudasset_v1p7beta1.yaml +++ b/google/cloud/asset/v1p7beta1/cloudasset_v1p7beta1.yaml @@ -5,19 +5,22 @@ title: Cloud Asset API apis: - name: google.cloud.asset.v1p7beta1.AssetService +- name: google.longrunning.Operations types: - name: google.cloud.asset.v1p7beta1.Asset documentation: - summary: The cloud asset API manages the history and inventory of cloud resources. + summary: |- + The Cloud Asset API manages the history and inventory of Google Cloud + resources. overview: |- # Cloud Asset API - The Cloud Asset API keeps a history of Google Cloud Platform (GCP) asset - metadata, and allows GCP users to download a dump of all asset metadata - for the resource types listed below within an organization or a project at - a given timestamp. + The Cloud Asset API keeps a history of Google Cloud asset metadata, and + allows Google Cloud users to download a dump of all asset metadata for the + resource types listed below within an organization or a project at a given + timestamp. Read more documents here: https://cloud.google.com/asset-inventory/docs 
@@ -29,6 +32,11 @@ backend: - selector: google.longrunning.Operations.GetOperation deadline: 60.0 +http: + rules: + - selector: google.longrunning.Operations.GetOperation + get: '/v1p7beta1/{name=*/*/operations/*/**}' + authentication: rules: - selector: google.cloud.asset.v1p7beta1.AssetService.ExportAssets
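Review bot: The new `http:` rule exposes `google.longrunning.Operations.GetOperation` over REST at `/v1p7beta1/{name=*/*/operations/*/**}`, but no `authentication.rules` entry for that selector is visible in this hunk; the hunk's trailing context shows only the `ExportAssets` rule. The v1p5beta1 config in this same commit adds a `cloud-platform` `canonical_scopes` rule for `GetOperation`, so if the v1p7beta1 file does not already have one further down, add the same `oauth.canonical_scopes` rule for that selector so the newly routed method does not ship without a declared scope requirement. The `*/*` prefix in the template accepts any two-segment parent (projects, folders, organizations); that is consistent with `ExportAssets`'s `{parent=*/*}` binding, but operation names from one parent should not be resolvable under another — presumably enforced by the backend, worth confirming.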