// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.asset.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/asset/v1/assets.proto";
import "google/iam/v1/policy.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";
import "google/type/expr.proto";

option csharp_namespace = "Google.Cloud.Asset.V1";
option go_package = "cloud.google.com/go/asset/apiv1/assetpb;assetpb";
option java_multiple_files = true;
option java_outer_classname = "AssetServiceProto";
option java_package = "com.google.cloud.asset.v1";
option php_namespace = "Google\\Cloud\\Asset\\V1";

// Asset service definition.
//
// Every RPC in this service is declared under the single
// `cloud-platform` OAuth scope below; there is no narrower, read-only scope
// declared at the service level.
service AssetService {
  option (google.api.default_host) = "cloudasset.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Exports assets with time and resource types to a given Cloud Storage
  // location/BigQuery table. For Cloud Storage location destinations, the
  // output format is newline-delimited JSON. Each line represents a
  // [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON
  // format; for BigQuery table destinations, the output table stores the fields
  // in asset Protobuf as columns. This API implements the
  // [google.longrunning.Operation][google.longrunning.Operation] API, which
  // allows you to keep track of the export. We recommend intervals of at least
  // 2 seconds with exponential retry to poll the export operation result. For
  // regular-size resource parent, the export operation usually finishes within
  // 5 minutes.
  //
  // NOTE(review): the destination named in `output_config` is chosen by the
  // caller, and the exported content is whatever `content_type` selects
  // (which, per the BatchGetAssetsHistory docs below, can include IAM policy
  // data). Access control on the destination bucket/dataset is therefore the
  // caller's responsibility — confirm against the service documentation.
  rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=*/*}:exportAssets"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "google.cloud.asset.v1.ExportAssetsResponse"
      metadata_type: "google.cloud.asset.v1.ExportAssetsRequest"
    };
  }

  // Lists assets with time and resource types and returns paged results in
  // response.
  rpc ListAssets(ListAssetsRequest) returns (ListAssetsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=*/*}/assets"
    };
    option (google.api.method_signature) = "parent";
  }

  // Batch gets the update history of assets that overlap a time window.
  // For IAM_POLICY content, this API outputs history when the asset and its
  // attached IAM POLICY both exist. This can create gaps in the output history.
  // Otherwise, this API outputs history with asset in both non-delete or
  // deleted status.
  // If a specified asset does not exist, this API returns an INVALID_ARGUMENT
  // error.
  rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest)
      returns (BatchGetAssetsHistoryResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=*/*}:batchGetAssetsHistory"
    };
  }

  // Creates a feed in a parent project/folder/organization to listen to its
  // asset updates.
  rpc CreateFeed(CreateFeedRequest) returns (Feed) {
    option (google.api.http) = {
      post: "/v1/{parent=*/*}/feeds"
      body: "*"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details about an asset feed.
  rpc GetFeed(GetFeedRequest) returns (Feed) {
    option (google.api.http) = {
      get: "/v1/{name=*/*/feeds/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists all asset feeds in a parent project/folder/organization.
  rpc ListFeeds(ListFeedsRequest) returns (ListFeedsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=*/*}/feeds"
    };
    option (google.api.method_signature) = "parent";
  }

  // Updates an asset feed configuration.
  rpc UpdateFeed(UpdateFeedRequest) returns (Feed) {
    option (google.api.http) = {
      patch: "/v1/{feed.name=*/*/feeds/*}"
      body: "*"
    };
    option (google.api.method_signature) = "feed";
  }

  // Deletes an asset feed.
  //
  // Returns `google.protobuf.Empty`; this is part of the published contract
  // and cannot be changed to a dedicated response message without breaking
  // generated clients.
  rpc DeleteFeed(DeleteFeedRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=*/*/feeds/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Searches all Google Cloud resources within the specified scope, such as a
  // project, folder, or organization. The caller must be granted the
  // `cloudasset.assets.searchAllResources` permission on the desired scope,
  // otherwise the request will be rejected.
  rpc SearchAllResources(SearchAllResourcesRequest)
      returns (SearchAllResourcesResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}:searchAllResources"
    };
    option (google.api.method_signature) = "scope,query,asset_types";
  }

  // Searches all IAM policies within the specified scope, such as a project,
  // folder, or organization. The caller must be granted the
  // `cloudasset.assets.searchAllIamPolicies` permission on the desired scope,
  // otherwise the request will be rejected.
  rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest)
      returns (SearchAllIamPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}:searchAllIamPolicies"
    };
    option (google.api.method_signature) = "scope,query";
  }

  // Analyzes IAM policies to answer which identities have what accesses on
  // which resources.
  rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest)
      returns (AnalyzeIamPolicyResponse) {
    option (google.api.http) = {
      get: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicy"
    };
  }

  // Analyzes IAM policies asynchronously to answer which identities have what
  // accesses on which resources, and writes the analysis results to a Google
  // Cloud Storage or a BigQuery destination. For Cloud Storage destination, the
  // output format is the JSON format that represents a
  // [AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse].
  // This method implements the
  // [google.longrunning.Operation][google.longrunning.Operation], which allows
  // you to track the operation status. We recommend intervals of at least 2
  // seconds with exponential backoff retry to poll the operation result. The
  // metadata contains the metadata for the long-running operation.
  //
  // NOTE(review): as with ExportAssets, the analysis output (identity-to-
  // resource access mappings) is written to a caller-chosen destination;
  // restrict access to that destination accordingly.
  rpc AnalyzeIamPolicyLongrunning(AnalyzeIamPolicyLongrunningRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicyLongrunning"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse"
      metadata_type: "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningMetadata"
    };
  }

  // Analyze moving a resource to a specified destination without kicking off
  // the actual move. The analysis is best effort depending on the user's
  // permissions of viewing different hierarchical policies and configurations.
  // The policies and configuration are subject to change before the actual
  // resource migration takes place.
  rpc AnalyzeMove(AnalyzeMoveRequest) returns (AnalyzeMoveResponse) {
    option (google.api.http) = {
      get: "/v1/{resource=*/*}:analyzeMove"
    };
  }

  // Issue a job that queries assets using a SQL statement compatible with
  // [BigQuery SQL](https://cloud.google.com/bigquery/docs/introduction-sql).
  //
  // If the query execution finishes within timeout and there's no pagination,
  // the full query results will be returned in the `QueryAssetsResponse`.
  //
  // Otherwise, full query results can be obtained by issuing extra requests
  // with the `job_reference` from a previous `QueryAssets` call.
  //
  // Note, the query result has approximately 10 GB limitation enforced by
  // [BigQuery](https://cloud.google.com/bigquery/docs/best-practices-performance-output).
  // Queries that return larger results will result in errors.
  rpc QueryAssets(QueryAssetsRequest) returns (QueryAssetsResponse) {
    option (google.api.http) = {
      post: "/v1/{parent=*/*}:queryAssets"
      body: "*"
    };
  }

  // Creates a saved query in a parent project/folder/organization.
  rpc CreateSavedQuery(CreateSavedQueryRequest) returns (SavedQuery) {
    option (google.api.http) = {
      post: "/v1/{parent=*/*}/savedQueries"
      body: "saved_query"
    };
    option (google.api.method_signature) = "parent,saved_query,saved_query_id";
  }

  // Gets details about a saved query.
  rpc GetSavedQuery(GetSavedQueryRequest) returns (SavedQuery) {
    option (google.api.http) = {
      get: "/v1/{name=*/*/savedQueries/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists all saved queries in a parent project/folder/organization.
  rpc ListSavedQueries(ListSavedQueriesRequest)
      returns (ListSavedQueriesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=*/*}/savedQueries"
    };
    option (google.api.method_signature) = "parent";
  }

  // Updates a saved query.
  rpc UpdateSavedQuery(UpdateSavedQueryRequest) returns (SavedQuery) {
    option (google.api.http) = {
      patch: "/v1/{saved_query.name=*/*/savedQueries/*}"
      body: "saved_query"
    };
    option (google.api.method_signature) = "saved_query,update_mask";
  }

  // Deletes a saved query.
  rpc DeleteSavedQuery(DeleteSavedQueryRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=*/*/savedQueries/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets effective IAM policies for a batch of resources.
  rpc BatchGetEffectiveIamPolicies(BatchGetEffectiveIamPoliciesRequest)
      returns (BatchGetEffectiveIamPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}/effectiveIamPolicies:batchGet"
    };
  }

  // Analyzes organization policies under a scope.
  rpc AnalyzeOrgPolicies(AnalyzeOrgPoliciesRequest)
      returns (AnalyzeOrgPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}:analyzeOrgPolicies"
    };
    option (google.api.method_signature) = "scope,constraint,filter";
  }

  // Analyzes organization policies governed containers (projects, folders or
  // organization) under a scope.
  rpc AnalyzeOrgPolicyGovernedContainers(
      AnalyzeOrgPolicyGovernedContainersRequest)
      returns (AnalyzeOrgPolicyGovernedContainersResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}:analyzeOrgPolicyGovernedContainers"
    };
    option (google.api.method_signature) = "scope,constraint,filter";
  }

  // Analyzes organization policies governed assets (Google Cloud resources or
  // policies) under a scope. This RPC supports custom constraints and the
  // following canned constraints:
  //
  // * constraints/ainotebooks.accessMode
  // * constraints/ainotebooks.disableFileDownloads
  // * constraints/ainotebooks.disableRootAccess
  // * constraints/ainotebooks.disableTerminal
  // * constraints/ainotebooks.environmentOptions
  // * constraints/ainotebooks.requireAutoUpgradeSchedule
  // * constraints/ainotebooks.restrictVpcNetworks
  // * constraints/compute.disableGuestAttributesAccess
  // * constraints/compute.disableInstanceDataAccessApis
  // * constraints/compute.disableNestedVirtualization
  // * constraints/compute.disableSerialPortAccess
  // * constraints/compute.disableSerialPortLogging
  // * constraints/compute.disableVpcExternalIpv6
  // * constraints/compute.requireOsLogin
  // * constraints/compute.requireShieldedVm
  // * constraints/compute.restrictLoadBalancerCreationForTypes
  // * constraints/compute.restrictProtocolForwardingCreationForTypes
  // * constraints/compute.restrictXpnProjectLienRemoval
  // * constraints/compute.setNewProjectDefaultToZonalDNSOnly
  // * constraints/compute.skipDefaultNetworkCreation
  // * constraints/compute.trustedImageProjects
  // * constraints/compute.vmCanIpForward
  // * constraints/compute.vmExternalIpAccess
  // * constraints/gcp.detailedAuditLoggingMode
  // * constraints/gcp.resourceLocations
  // * constraints/iam.allowedPolicyMemberDomains
  // * constraints/iam.automaticIamGrantsForDefaultServiceAccounts
  // * constraints/iam.disableServiceAccountCreation
  // * constraints/iam.disableServiceAccountKeyCreation
  // * constraints/iam.disableServiceAccountKeyUpload
  // * constraints/iam.restrictCrossProjectServiceAccountLienRemoval
  // * constraints/iam.serviceAccountKeyExpiryHours
  // * constraints/resourcemanager.accessBoundaries
  // * constraints/resourcemanager.allowedExportDestinations
  // * constraints/sql.restrictAuthorizedNetworks
  // * constraints/sql.restrictNoncompliantDiagnosticDataAccess
  // * constraints/sql.restrictNoncompliantResourceCreation
  // * constraints/sql.restrictPublicIp
  // * constraints/storage.publicAccessPrevention
  // * constraints/storage.restrictAuthTypes
  // * constraints/storage.uniformBucketLevelAccess
  //
  // This RPC only returns either resources of types [supported by search
  // APIs](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
  // or IAM policies.
  rpc AnalyzeOrgPolicyGovernedAssets(AnalyzeOrgPolicyGovernedAssetsRequest)
      returns (AnalyzeOrgPolicyGovernedAssetsResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=*/*}:analyzeOrgPolicyGovernedAssets"
    };
    option (google.api.method_signature) = "scope,constraint,filter";
  }
}

// Represents the metadata of the longrunning operation for the
// AnalyzeIamPolicyLongrunning RPC.
message AnalyzeIamPolicyLongrunningMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Export asset request.
message ExportAssetsRequest {
  // Required. The relative name of the root asset. This can only be an
  // organization number (such as "organizations/123"), a project ID (such as
  // "projects/my-project-id"), or a project number (such as "projects/12345"),
  // or a folder number (such as "folders/123").
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/Asset"
    }
  ];

  // Timestamp to take an asset snapshot. This can only be set to a timestamp
  // between the current time and the current time minus 35 days (inclusive).
  // If not specified, the current time will be used. Due to delays in resource
  // data collection and indexing, there is a volatile window during which
  // running the same query may get different results.
  google.protobuf.Timestamp read_time = 2;

  // A list of asset types to take a snapshot for. For example:
  // "compute.googleapis.com/Disk".
  //
  // Regular expressions are also supported. For example:
  //
  // * "compute.googleapis.com.*" snapshots resources whose asset type starts
  // with "compute.googleapis.com".
  // * ".*Instance" snapshots resources whose asset type ends with "Instance".
  // * ".*Instance.*" snapshots resources whose asset type contains "Instance".
  //
  // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
  // regular expression syntax. If the regular expression does not match any
  // supported asset type, an INVALID_ARGUMENT error will be returned.
  //
  // If specified, only matching assets will be returned, otherwise, it will
  // snapshot all asset types. See [Introduction to Cloud Asset
  // Inventory](https://cloud.google.com/asset-inventory/docs/overview)
  // for all supported asset types.
  repeated string asset_types = 3;

  // Asset content type. If not specified, no content but the asset name will be
  // returned.
  ContentType content_type = 4;

  // Required. Output configuration indicating where the results will be output
  // to.
  //
  // The destination is caller-controlled; see the notes on `GcsDestination`
  // and `BigQueryDestination` for the overwrite semantics of each target.
  OutputConfig output_config = 5 [(google.api.field_behavior) = REQUIRED];

  // A list of relationship types to export, for example:
  // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if
  // content_type=RELATIONSHIP.
  // * If specified:
  // it snapshots specified relationships. It returns an error if
  // any of the [relationship_types] doesn't belong to the supported
  // relationship types of the [asset_types] or if any of the [asset_types]
  // doesn't belong to the source types of the [relationship_types].
  // * Otherwise:
  // it snapshots the supported relationships for all [asset_types] or returns
  // an error if any of the [asset_types] has no relationship support.
  // An unspecified asset types field means all supported asset_types.
  // See [Introduction to Cloud Asset
  // Inventory](https://cloud.google.com/asset-inventory/docs/overview) for all
  // supported asset types and relationship types.
  repeated string relationship_types = 6;
}

// The export asset response. This message is returned by the
// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation]
// method in the returned
// [google.longrunning.Operation.response][google.longrunning.Operation.response]
// field.
message ExportAssetsResponse {
  // Time the snapshot was taken.
  google.protobuf.Timestamp read_time = 1;

  // Output configuration indicating where the results were output to.
  OutputConfig output_config = 2;

  // Output result indicating where the assets were exported to. For example, a
  // set of actual Cloud Storage object URIs where the assets are exported to.
  // The URIs can be different from what [output_config] has specified, as the
  // service will split the output object into multiple ones once it exceeds a
  // single Cloud Storage object limit.
  OutputResult output_result = 3;
}

// ListAssets request.
message ListAssetsRequest {
  // Required. Name of the organization, folder, or project the assets belong
  // to. Format: "organizations/[organization-number]" (such as
  // "organizations/123"), "projects/[project-id]" (such as
  // "projects/my-project-id"), "projects/[project-number]" (such as
  // "projects/12345"), or "folders/[folder-number]" (such as "folders/12345").
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/Asset"
    }
  ];

  // Timestamp to take an asset snapshot. This can only be set to a timestamp
  // between the current time and the current time minus 35 days (inclusive).
  // If not specified, the current time will be used. Due to delays in resource
  // data collection and indexing, there is a volatile window during which
  // running the same query may get different results.
  google.protobuf.Timestamp read_time = 2;

  // A list of asset types to take a snapshot for. For example:
  // "compute.googleapis.com/Disk".
  //
  // Regular expression is also supported. For example:
  //
  // * "compute.googleapis.com.*" snapshots resources whose asset type starts
  // with "compute.googleapis.com".
  // * ".*Instance" snapshots resources whose asset type ends with "Instance".
  // * ".*Instance.*" snapshots resources whose asset type contains "Instance".
  //
  // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
  // regular expression syntax. If the regular expression does not match any
  // supported asset type, an INVALID_ARGUMENT error will be returned.
  //
  // If specified, only matching assets will be returned, otherwise, it will
  // snapshot all asset types. See [Introduction to Cloud Asset
  // Inventory](https://cloud.google.com/asset-inventory/docs/overview)
  // for all supported asset types.
  repeated string asset_types = 3;

  // Asset content type. If not specified, no content but the asset name will
  // be returned.
  ContentType content_type = 4;

  // The maximum number of assets to be returned in a single response. Default
  // is 100, minimum is 1, and maximum is 1000.
  int32 page_size = 5;

  // The `next_page_token` returned from the previous `ListAssetsResponse`, or
  // unspecified for the first `ListAssetsRequest`. It is a continuation of a
  // prior `ListAssets` call, and the API should return the next page of assets.
  string page_token = 6;

  // A list of relationship types to output, for example:
  // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if
  // content_type=RELATIONSHIP.
  // * If specified:
  // it snapshots specified relationships. It returns an error if
  // any of the [relationship_types] doesn't belong to the supported
  // relationship types of the [asset_types] or if any of the [asset_types]
  // doesn't belong to the source types of the [relationship_types].
  // * Otherwise:
  // it snapshots the supported relationships for all [asset_types] or returns
  // an error if any of the [asset_types] has no relationship support.
  // An unspecified asset types field means all supported asset_types.
  // See [Introduction to Cloud Asset
  // Inventory](https://cloud.google.com/asset-inventory/docs/overview)
  // for all supported asset types and relationship types.
  repeated string relationship_types = 7;
}

// ListAssets response.
message ListAssetsResponse {
  // Time the snapshot was taken.
  google.protobuf.Timestamp read_time = 1;

  // Assets.
  repeated Asset assets = 2;

  // Token to retrieve the next page of results. It expires 72 hours after the
  // page token for the first page is generated. Set to empty if there are no
  // remaining results.
  string next_page_token = 3;
}

// Batch get assets history request.
message BatchGetAssetsHistoryRequest {
  // Required. The relative name of the root asset. It can only be an
  // organization number (such as "organizations/123"), a project ID (such as
  // "projects/my-project-id"), or a project number (such as "projects/12345").
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/Asset"
    }
  ];

  // A list of the full names of the assets.
  // See: https://cloud.google.com/asset-inventory/docs/resource-name-format
  // Example:
  //
  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
  //
  // The request becomes a no-op if the asset name list is empty, and the max
  // size of the asset name list is 100 in one request.
  repeated string asset_names = 2;

  // Optional. The content type.
  ContentType content_type = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The time window for the asset history. Both start_time and
  // end_time are optional and if set, it must be after the current time minus
  // 35 days. If end_time is not set, it is default to current timestamp.
  // If start_time is not set, the snapshot of the assets at end_time will be
  // returned. The returned results contain all temporal assets whose time
  // window overlap with read_time_window.
  TimeWindow read_time_window = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A list of relationship types to output, for example:
  // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if
  // content_type=RELATIONSHIP.
  // * If specified:
  // it outputs specified relationships' history on the [asset_names]. It
  // returns an error if any of the [relationship_types] doesn't belong to the
  // supported relationship types of the [asset_names] or if any of the
  // [asset_names]'s types doesn't belong to the source types of the
  // [relationship_types].
  // * Otherwise:
  // it outputs the supported relationships' history on the [asset_names] or
  // returns an error if any of the [asset_names]'s types has no relationship
  // support.
  // See [Introduction to Cloud Asset
  // Inventory](https://cloud.google.com/asset-inventory/docs/overview) for all
  // supported asset types and relationship types.
  repeated string relationship_types = 5
      [(google.api.field_behavior) = OPTIONAL];
}

// Batch get assets history response.
message BatchGetAssetsHistoryResponse {
  // A list of assets with valid time windows.
  repeated TemporalAsset assets = 1;
}

// Create asset feed request.
message CreateFeedRequest {
  // Required. The name of the project/folder/organization where this feed
  // should be created in. It can only be an organization number (such as
  // "organizations/123"), a folder number (such as "folders/123"), a project ID
  // (such as "projects/my-project-id"), or a project number (such as
  // "projects/12345").
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. This is the client-assigned asset feed identifier and it needs to
  // be unique under a specific parent project/folder/organization.
  string feed_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The feed details. The field `name` must be empty and it will be
  // generated in the format of: projects/project_number/feeds/feed_id
  // folders/folder_number/feeds/feed_id
  // organizations/organization_number/feeds/feed_id
  Feed feed = 3 [(google.api.field_behavior) = REQUIRED];
}

// Get asset feed request.
message GetFeedRequest {
  // Required. The name of the Feed and it must be in the format of:
  // projects/project_number/feeds/feed_id
  // folders/folder_number/feeds/feed_id
  // organizations/organization_number/feeds/feed_id
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
  ];
}

// List asset feeds request.
message ListFeedsRequest {
  // Required. The parent project/folder/organization whose feeds are to be
  // listed. It can only be using project/folder/organization number (such as
  // "folders/12345"), or a project ID (such as "projects/my-project-id").
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
}

// List asset feeds response.
message ListFeedsResponse {
  // A list of feeds.
  repeated Feed feeds = 1;
}

// Update asset feed request.
message UpdateFeedRequest {
  // Required. The new values of feed details. It must match an existing feed
  // and the field `name` must be in the format of:
  // projects/project_number/feeds/feed_id or
  // folders/folder_number/feeds/feed_id or
  // organizations/organization_number/feeds/feed_id.
  Feed feed = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Only updates the `feed` fields indicated by this mask.
  // The field mask must not be empty, and it must not contain fields that
  // are immutable or only set by the server.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Delete asset feed request.
message DeleteFeedRequest {
  // Required. The name of the feed and it must be in the format of:
  // projects/project_number/feeds/feed_id
  // folders/folder_number/feeds/feed_id
  // organizations/organization_number/feeds/feed_id
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
  ];
}

// Output configuration for export assets destination.
message OutputConfig {
  // Asset export destination.
  oneof destination {
    // Destination on Cloud Storage.
    GcsDestination gcs_destination = 1;

    // Destination on BigQuery. The output table stores the fields in asset
    // Protobuf as columns in BigQuery.
    BigQueryDestination bigquery_destination = 2;
  }
}

// Output result of export assets.
message OutputResult {
  // Asset export result.
  oneof result {
    // Export result on Cloud Storage.
    GcsOutputResult gcs_result = 1;
  }
}

// A Cloud Storage output result.
message GcsOutputResult {
  // List of URIs of the Cloud Storage objects. Example:
  // "gs://bucket_name/object_name".
  repeated string uris = 1;
}

// A Cloud Storage location.
message GcsDestination {
  // Required. Exactly one of `uri` or `uri_prefix` must be set.
  oneof object_uri {
    // The URI of the Cloud Storage object. It's the same URI that is used by
    // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and
    // Editing Object
    // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
    // for more information.
    //
    // If the specified Cloud Storage object already exists and there is no
    // [hold](https://cloud.google.com/storage/docs/object-holds), it will be
    // overwritten with the exported result.
    //
    // Because an existing, un-held object is silently replaced, callers who
    // need to preserve earlier exports should use an object hold or a fresh
    // object name per export.
    string uri = 1;

    // The URI prefix of all generated Cloud Storage objects. Example:
    // "gs://bucket_name/object_name_prefix". Each object URI is in format:
    // "gs://bucket_name/object_name_prefix/<asset type>/<shard number> and only
    // contains assets for that type. <shard number> starts from 0. Example:
    // "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is
    // the first shard of output objects containing all
    // compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be
    // returned if file with the same name "gs://bucket_name/object_name_prefix"
    // already exists.
    string uri_prefix = 2;
  }
}

// A BigQuery destination for exporting assets to.
message BigQueryDestination {
  // Required. The BigQuery dataset in format
  // "projects/projectId/datasets/datasetId", to which the snapshot result
  // should be exported. If this dataset does not exist, the export call returns
  // an INVALID_ARGUMENT error. Setting the `contentType` for `exportAssets`
  // determines the
  // [schema](/asset-inventory/docs/exporting-to-bigquery#bigquery-schema)
  // of the BigQuery table. Setting `separateTablesPerAssetType` to `TRUE` also
  // influences the schema.
  string dataset = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The BigQuery table to which the snapshot result should be
  // written. If this table does not exist, a new table with the given name
  // will be created.
  string table = 2 [(google.api.field_behavior) = REQUIRED];

  // If the destination table already exists and this flag is `TRUE`, the
  // table will be overwritten by the contents of assets snapshot. If the flag
  // is `FALSE` or unset and the destination table already exists, the export
  // call returns an INVALID_ARGUMENT error.
  //
  // Proto3 `bool` has no presence, so "unset" and `FALSE` are the same on
  // the wire; the safe (non-destructive) behavior is the default.
  bool force = 3;

  // [partition_spec] determines whether to export to partitioned table(s) and
  // how to partition the data.
  //
  // If [partition_spec] is unset or [partition_spec.partition_key] is unset or
  // `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
  // non-partitioned table(s). [force] will decide whether to overwrite existing
  // table(s).
  //
  // If [partition_spec] is specified. First, the snapshot results will be
  // written to partitioned table(s) with two additional timestamp columns,
  // readTime and requestTime, one of which will be the partition key. Secondly,
  // in the case when any destination table already exists, it will first try to
  // update existing table's schema as necessary by appending additional
  // columns. Then, if [force] is `TRUE`, the corresponding partition will be
  // overwritten by the snapshot results (data in different partitions will
  // remain intact); if [force] is unset or `FALSE`, it will append the data. An
  // error will be returned if the schema update or data append fails.
  PartitionSpec partition_spec = 4;

  // If this flag is `TRUE`, the snapshot results will be written to one or
  // multiple tables, each of which contains results of one asset type. The
  // [force] and [partition_spec] fields will apply to each of them.
  //
  // Field [table] will be concatenated with "_" and the asset type names (see
  // https://cloud.google.com/asset-inventory/docs/supported-asset-types for
  // supported asset types) to construct per-asset-type table names, in which
  // all non-alphanumeric characters like "." and "/" will be substituted by
  // "_". Example: if field [table] is "mytable" and snapshot results
  // contain "storage.googleapis.com/Bucket" assets, the corresponding table
  // name will be "mytable_storage_googleapis_com_Bucket". If any of these
  // tables does not exist, a new table with the concatenated name will be
  // created.
  //
  // When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
  // each table will include RECORD-type columns mapped to the nested fields in
  // the Asset.resource.data field of that asset type (up to the 15 nested level
  // BigQuery supports
  // (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
  // fields in >15 nested levels will be stored in JSON format string as a child
  // column of its parent RECORD column.
  //
  // If error occurs when exporting to any table, the whole export call will
  // return an error but the export results that already succeed will persist.
  // Example: if exporting to table_type_A succeeds when exporting to
  // table_type_B fails during one export call, the results in table_type_A will
  // persist and there will not be partial results persisting in a table.
  bool separate_tables_per_asset_type = 5;
}

// Specifications of BigQuery partitioned table as export destination.
message PartitionSpec {
  // This enum is used to determine the partition key column when exporting
  // assets to BigQuery partitioned table(s). Note that, if the partition key is
  // a timestamp column, the actual partition is based on its date value
  // (expressed in UTC. see details in
  // https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
  //
  // The value names `READ_TIME` and `REQUEST_TIME` carry no `PARTITION_KEY_`
  // prefix; they are part of the published API and are kept as-is.
  enum PartitionKey {
    // Unspecified partition key. If used, it means using non-partitioned table.
    PARTITION_KEY_UNSPECIFIED = 0;

    // The time when the snapshot is taken. If specified as partition key, the
    // result table(s) is partitioned by the additional timestamp column,
    // readTime. If [read_time] in ExportAssetsRequest is specified, the
    // readTime column's value will be the same as it. Otherwise, its value will
    // be the current time that is used to take the snapshot.
    READ_TIME = 1;

    // The time when the request is received and started to be processed. If
    // specified as partition key, the result table(s) is partitioned by the
    // requestTime column, an additional timestamp column representing when the
    // request was received.
    REQUEST_TIME = 2;
  }

  // The partition key for BigQuery partitioned table.
  PartitionKey partition_key = 1;
}

// A Pub/Sub destination.
message PubsubDestination {
  // The name of the Pub/Sub topic to publish to.
  // Example: `projects/PROJECT_ID/topics/TOPIC_ID`.
  string topic = 1;
}

// Output configuration for asset feed destination.
message FeedOutputConfig {
  // Asset feed destination.
  oneof destination {
    // Destination on Pub/Sub.
    PubsubDestination pubsub_destination = 1;
  }
}

// An asset feed used to export asset updates to a destination.
// An asset feed filter controls what updates are exported.
// The asset feed must be created within a project, organization, or
// folder. Supported destinations are:
// Pub/Sub topics.
message Feed {
  option (google.api.resource) = {
    type: "cloudasset.googleapis.com/Feed"
    pattern: "projects/{project}/feeds/{feed}"
    pattern: "folders/{folder}/feeds/{feed}"
    pattern: "organizations/{organization}/feeds/{feed}"
    history: ORIGINALLY_SINGLE_PATTERN
  };

  // Required.
The format will be 850 // projects/{project_number}/feeds/{client-assigned_feed_identifier} or 851 // folders/{folder_number}/feeds/{client-assigned_feed_identifier} or 852 // organizations/{organization_number}/feeds/{client-assigned_feed_identifier} 853 // 854 // The client-assigned feed identifier must be unique within the parent 855 // project/folder/organization. 856 string name = 1 [(google.api.field_behavior) = REQUIRED]; 857 858 // A list of the full names of the assets to receive updates. You must specify 859 // either or both of asset_names and asset_types. Only asset updates matching 860 // specified asset_names or asset_types are exported to the feed. 861 // Example: 862 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. 863 // For a list of the full names for supported asset types, see [Resource 864 // name format](/asset-inventory/docs/resource-name-format). 865 repeated string asset_names = 2; 866 867 // A list of types of the assets to receive updates. You must specify either 868 // or both of asset_names and asset_types. Only asset updates matching 869 // specified asset_names or asset_types are exported to the feed. 870 // Example: `"compute.googleapis.com/Disk"` 871 // 872 // For a list of all supported asset types, see 873 // [Supported asset types](/asset-inventory/docs/supported-asset-types). 874 repeated string asset_types = 3; 875 876 // Asset content type. If not specified, no content but the asset name and 877 // type will be returned. 878 ContentType content_type = 4; 879 880 // Required. Feed output configuration defining where the asset updates are 881 // published to. 882 FeedOutputConfig feed_output_config = 5 883 [(google.api.field_behavior) = REQUIRED]; 884 885 // A condition which determines whether an asset update should be published. 886 // If specified, an asset will be returned only when the expression evaluates 887 // to true. 
888 // When set, `expression` field in the `Expr` must be a valid [CEL expression] 889 // (https://github.com/google/cel-spec) on a TemporalAsset with name 890 // `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted 891 // == true") will only publish Asset deletions. Other fields of `Expr` are 892 // optional. 893 // 894 // See our [user 895 // guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes-with-condition) 896 // for detailed instructions. 897 google.type.Expr condition = 6; 898 899 // A list of relationship types to output, for example: 900 // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if 901 // content_type=RELATIONSHIP. 902 // * If specified: 903 // it outputs specified relationship updates on the [asset_names] or the 904 // [asset_types]. It returns an error if any of the [relationship_types] 905 // doesn't belong to the supported relationship types of the [asset_names] or 906 // [asset_types], or any of the [asset_names] or the [asset_types] doesn't 907 // belong to the source types of the [relationship_types]. 908 // * Otherwise: 909 // it outputs the supported relationships of the types of [asset_names] and 910 // [asset_types] or returns an error if any of the [asset_names] or the 911 // [asset_types] has no replationship support. 912 // See [Introduction to Cloud Asset 913 // Inventory](https://cloud.google.com/asset-inventory/docs/overview) 914 // for all supported asset types and relationship types. 915 repeated string relationship_types = 7; 916} 917 918// Search all resources request. 919message SearchAllResourcesRequest { 920 // Required. A scope can be a project, a folder, or an organization. The 921 // search is limited to the resources within the `scope`. The caller must be 922 // granted the 923 // [`cloudasset.assets.searchAllResources`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) 924 // permission on the desired scope. 
925 // 926 // The allowed values are: 927 // 928 // * projects/{PROJECT_ID} (e.g., "projects/foo-bar") 929 // * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") 930 // * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") 931 // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") 932 string scope = 1 [(google.api.field_behavior) = REQUIRED]; 933 934 // Optional. The query statement. See [how to construct a 935 // query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query) 936 // for more information. If not specified or empty, it will search all the 937 // resources within the specified `scope`. 938 // 939 // Examples: 940 // 941 // * `name:Important` to find Google Cloud resources whose name contains 942 // `Important` as a word. 943 // * `name=Important` to find the Google Cloud resource whose name is exactly 944 // `Important`. 945 // * `displayName:Impor*` to find Google Cloud resources whose display name 946 // contains `Impor` as a prefix of any word in the field. 947 // * `location:us-west*` to find Google Cloud resources whose location 948 // contains both `us` and `west` as prefixes. 949 // * `labels:prod` to find Google Cloud resources whose labels contain `prod` 950 // as a key or value. 951 // * `labels.env:prod` to find Google Cloud resources that have a label `env` 952 // and its value is `prod`. 953 // * `labels.env:*` to find Google Cloud resources that have a label `env`. 954 // * `tagKeys:env` to find Google Cloud resources that have directly 955 // attached tags where the 956 // [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) 957 // contains `env`. 958 // * `tagValues:prod*` to find Google Cloud resources that have directly 959 // attached tags where the 960 // [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) 961 // contains a word prefixed by `prod`. 
962 // * `tagValueIds=tagValues/123` to find Google Cloud resources that have 963 // directly attached tags where the 964 // [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) 965 // is exactly `tagValues/123`. 966 // * `effectiveTagKeys:env` to find Google Cloud resources that have 967 // directly attached or inherited tags where the 968 // [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) 969 // contains `env`. 970 // * `effectiveTagValues:prod*` to find Google Cloud resources that have 971 // directly attached or inherited tags where the 972 // [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) 973 // contains a word prefixed by `prod`. 974 // * `effectiveTagValueIds=tagValues/123` to find Google Cloud resources that 975 // have directly attached or inherited tags where the 976 // [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) 977 // is exactly `tagValues/123`. 978 // * `kmsKey:key` to find Google Cloud resources encrypted with a 979 // customer-managed encryption key whose name contains `key` as a word. This 980 // field is deprecated. Use the `kmsKeys` field to retrieve Cloud KMS 981 // key information. 982 // * `kmsKeys:key` to find Google Cloud resources encrypted with 983 // customer-managed encryption keys whose name contains the word `key`. 984 // * `relationships:instance-group-1` to find Google Cloud resources that have 985 // relationships with `instance-group-1` in the related resource name. 986 // * `relationships:INSTANCE_TO_INSTANCEGROUP` to find Compute Engine 987 // instances that have relationships of type `INSTANCE_TO_INSTANCEGROUP`. 
988 // * `relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1` to find 989 // Compute Engine instances that have relationships with `instance-group-1` 990 // in the Compute Engine instance group resource name, for relationship type 991 // `INSTANCE_TO_INSTANCEGROUP`. 992 // * `sccSecurityMarks.key=value` to find Cloud resources that are attached 993 // with security marks whose key is `key` and value is `value`. 994 // * `sccSecurityMarks.key:*` to find Cloud resources that are attached with 995 // security marks whose key is `key`. 996 // * `state:ACTIVE` to find Google Cloud resources whose state contains 997 // `ACTIVE` as a word. 998 // * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't 999 // contain `ACTIVE` as a word. 1000 // * `createTime<1609459200` to find Google Cloud resources that were created 1001 // before `2021-01-01 00:00:00 UTC`. `1609459200` is the epoch timestamp of 1002 // `2021-01-01 00:00:00 UTC` in seconds. 1003 // * `updateTime>1609459200` to find Google Cloud resources that were updated 1004 // after `2021-01-01 00:00:00 UTC`. `1609459200` is the epoch timestamp of 1005 // `2021-01-01 00:00:00 UTC` in seconds. 1006 // * `Important` to find Google Cloud resources that contain `Important` as a 1007 // word in any of the searchable fields. 1008 // * `Impor*` to find Google Cloud resources that contain `Impor` as a prefix 1009 // of any word in any of the searchable fields. 1010 // * `Important location:(us-west1 OR global)` to find Google Cloud 1011 // resources that contain `Important` as a word in any of the searchable 1012 // fields and are also located in the `us-west1` region or the `global` 1013 // location. 1014 string query = 2 [(google.api.field_behavior) = OPTIONAL]; 1015 1016 // Optional. A list of asset types that this request searches for. If empty, 1017 // it will search all the asset types [supported by search 1018 // APIs](https://cloud.google.com/asset-inventory/docs/supported-asset-types). 
1019 // 1020 // Regular expressions are also supported. For example: 1021 // 1022 // * "compute.googleapis.com.*" snapshots resources whose asset type starts 1023 // with "compute.googleapis.com". 1024 // * ".*Instance" snapshots resources whose asset type ends with "Instance". 1025 // * ".*Instance.*" snapshots resources whose asset type contains "Instance". 1026 // 1027 // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported 1028 // regular expression syntax. If the regular expression does not match any 1029 // supported asset type, an INVALID_ARGUMENT error will be returned. 1030 repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL]; 1031 1032 // Optional. The page size for search result pagination. Page size is capped 1033 // at 500 even if a larger value is given. If set to zero or a negative value, 1034 // server will pick an appropriate default. Returned results may be fewer than 1035 // requested. When this happens, there could be more results as long as 1036 // `next_page_token` is returned. 1037 int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL]; 1038 1039 // Optional. If present, then retrieve the next batch of results from the 1040 // preceding call to this method. `page_token` must be the value of 1041 // `next_page_token` from the previous response. The values of all other 1042 // method parameters, must be identical to those in the previous call. 1043 string page_token = 5 [(google.api.field_behavior) = OPTIONAL]; 1044 1045 // Optional. A comma-separated list of fields specifying the sorting order of 1046 // the results. The default order is ascending. Add " DESC" after the field 1047 // name to indicate descending order. Redundant space characters are ignored. 1048 // Example: "location DESC, name". 
1049 // Only the following fields in the response are sortable: 1050 // 1051 // * name 1052 // * assetType 1053 // * project 1054 // * displayName 1055 // * description 1056 // * location 1057 // * createTime 1058 // * updateTime 1059 // * state 1060 // * parentFullResourceName 1061 // * parentAssetType 1062 string order_by = 6 [(google.api.field_behavior) = OPTIONAL]; 1063 1064 // Optional. A comma-separated list of fields that you want returned in the 1065 // results. The following fields are returned by default if not specified: 1066 // 1067 // * `name` 1068 // * `assetType` 1069 // * `project` 1070 // * `folders` 1071 // * `organization` 1072 // * `displayName` 1073 // * `description` 1074 // * `location` 1075 // * `labels` 1076 // * `tags` 1077 // * `effectiveTags` 1078 // * `networkTags` 1079 // * `kmsKeys` 1080 // * `createTime` 1081 // * `updateTime` 1082 // * `state` 1083 // * `additionalAttributes` 1084 // * `parentFullResourceName` 1085 // * `parentAssetType` 1086 // 1087 // Some fields of large size, such as `versionedResources`, 1088 // `attachedResources`, `effectiveTags` etc., are not returned by default, but 1089 // you can specify them in the `read_mask` parameter if you want to include 1090 // them. If `"*"` is specified, all [available 1091 // fields](https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllResources#resourcesearchresult) 1092 // are returned. 1093 // Examples: `"name,location"`, `"name,versionedResources"`, `"*"`. 1094 // Any invalid field path will trigger INVALID_ARGUMENT error. 1095 google.protobuf.FieldMask read_mask = 8 1096 [(google.api.field_behavior) = OPTIONAL]; 1097} 1098 1099// Search all resources response. 1100message SearchAllResourcesResponse { 1101 // A list of Resources that match the search query. It contains the resource 1102 // standard metadata information. 
1103 repeated ResourceSearchResult results = 1; 1104 1105 // If there are more results than those appearing in this response, then 1106 // `next_page_token` is included. To get the next set of results, call this 1107 // method again using the value of `next_page_token` as `page_token`. 1108 string next_page_token = 2; 1109} 1110 1111// Search all IAM policies request. 1112message SearchAllIamPoliciesRequest { 1113 // Required. A scope can be a project, a folder, or an organization. The 1114 // search is limited to the IAM policies within the `scope`. The caller must 1115 // be granted the 1116 // [`cloudasset.assets.searchAllIamPolicies`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) 1117 // permission on the desired scope. 1118 // 1119 // The allowed values are: 1120 // 1121 // * projects/{PROJECT_ID} (e.g., "projects/foo-bar") 1122 // * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") 1123 // * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") 1124 // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") 1125 string scope = 1 [(google.api.field_behavior) = REQUIRED]; 1126 1127 // Optional. The query statement. See [how to construct a 1128 // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query) 1129 // for more information. If not specified or empty, it will search all the 1130 // IAM policies within the specified `scope`. Note that the query string is 1131 // compared against each IAM policy binding, including its principals, 1132 // roles, and IAM conditions. The returned IAM policies will only 1133 // contain the bindings that match your query. To learn more about the IAM 1134 // policy structure, see the [IAM policy 1135 // documentation](https://cloud.google.com/iam/help/allow-policies/structure). 1136 // 1137 // Examples: 1138 // 1139 // * `policy:[email protected]` to find IAM policy bindings that specify user 1140 // "[email protected]". 
1141 // * `policy:roles/compute.admin` to find IAM policy bindings that specify 1142 // the Compute Admin role. 1143 // * `policy:comp*` to find IAM policy bindings that contain "comp" as a 1144 // prefix of any word in the binding. 1145 // * `policy.role.permissions:storage.buckets.update` to find IAM policy 1146 // bindings that specify a role containing "storage.buckets.update" 1147 // permission. Note that if callers don't have `iam.roles.get` access to a 1148 // role's included permissions, policy bindings that specify this role will 1149 // be dropped from the search results. 1150 // * `policy.role.permissions:upd*` to find IAM policy bindings that specify a 1151 // role containing "upd" as a prefix of any word in the role permission. 1152 // Note that if callers don't have `iam.roles.get` access to a role's 1153 // included permissions, policy bindings that specify this role will be 1154 // dropped from the search results. 1155 // * `resource:organizations/123456` to find IAM policy bindings 1156 // that are set on "organizations/123456". 1157 // * `resource=//cloudresourcemanager.googleapis.com/projects/myproject` to 1158 // find IAM policy bindings that are set on the project named "myproject". 1159 // * `Important` to find IAM policy bindings that contain "Important" as a 1160 // word in any of the searchable fields (except for the included 1161 // permissions). 1162 // * `resource:(instance1 OR instance2) policy:amy` to find 1163 // IAM policy bindings that are set on resources "instance1" or 1164 // "instance2" and also specify user "amy". 1165 // * `roles:roles/compute.admin` to find IAM policy bindings that specify the 1166 // Compute Admin role. 1167 // * `memberTypes:user` to find IAM policy bindings that contain the 1168 // principal type "user". 1169 string query = 2 [(google.api.field_behavior) = OPTIONAL]; 1170 1171 // Optional. The page size for search result pagination. Page size is capped 1172 // at 500 even if a larger value is given. 
If set to zero or a negative value, 1173 // server will pick an appropriate default. Returned results may be fewer than 1174 // requested. When this happens, there could be more results as long as 1175 // `next_page_token` is returned. 1176 int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL]; 1177 1178 // Optional. If present, retrieve the next batch of results from the preceding 1179 // call to this method. `page_token` must be the value of `next_page_token` 1180 // from the previous response. The values of all other method parameters must 1181 // be identical to those in the previous call. 1182 string page_token = 4 [(google.api.field_behavior) = OPTIONAL]; 1183 1184 // Optional. A list of asset types that the IAM policies are attached to. If 1185 // empty, it will search the IAM policies that are attached to all the asset 1186 // types [supported by search 1187 // APIs](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 1188 // 1189 // Regular expressions are also supported. For example: 1190 // 1191 // * "compute.googleapis.com.*" snapshots IAM policies attached to asset type 1192 // starts with "compute.googleapis.com". 1193 // * ".*Instance" snapshots IAM policies attached to asset type ends with 1194 // "Instance". 1195 // * ".*Instance.*" snapshots IAM policies attached to asset type contains 1196 // "Instance". 1197 // 1198 // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported 1199 // regular expression syntax. If the regular expression does not match any 1200 // supported asset type, an INVALID_ARGUMENT error will be returned. 1201 repeated string asset_types = 5 [(google.api.field_behavior) = OPTIONAL]; 1202 1203 // Optional. A comma-separated list of fields specifying the sorting order of 1204 // the results. The default order is ascending. Add " DESC" after the field 1205 // name to indicate descending order. Redundant space characters are ignored. 1206 // Example: "assetType DESC, resource". 
1207 // Only singular primitive fields in the response are sortable: 1208 // * resource 1209 // * assetType 1210 // * project 1211 // All the other fields such as repeated fields (e.g., `folders`) and 1212 // non-primitive fields (e.g., `policy`) are not supported. 1213 string order_by = 7 [(google.api.field_behavior) = OPTIONAL]; 1214} 1215 1216// Search all IAM policies response. 1217message SearchAllIamPoliciesResponse { 1218 // A list of IAM policies that match the search query. Related information 1219 // such as the associated resource is returned along with the policy. 1220 repeated IamPolicySearchResult results = 1; 1221 1222 // Set if there are more results than those appearing in this response; to get 1223 // the next set of results, call this method again, using this value as the 1224 // `page_token`. 1225 string next_page_token = 2; 1226} 1227 1228// IAM policy analysis query message. 1229message IamPolicyAnalysisQuery { 1230 // Specifies the resource to analyze for access policies, which may be set 1231 // directly on the resource, or on ancestors such as organizations, folders or 1232 // projects. 1233 message ResourceSelector { 1234 // Required. The [full resource name] 1235 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) 1236 // of a resource of [supported resource 1237 // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). 1238 string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; 1239 } 1240 1241 // Specifies an identity for which to determine resource access, based on 1242 // roles assigned either directly to them or to the groups they belong to, 1243 // directly or indirectly. 1244 message IdentitySelector { 1245 // Required. The identity appear in the form of principals in 1246 // [IAM policy 1247 // binding](https://cloud.google.com/iam/reference/rest/v1/Binding). 
1248 // 1249 // The examples of supported forms are: 1250 // "user:[email protected]", 1251 // "group:[email protected]", 1252 // "domain:google.com", 1253 // "serviceAccount:[email protected]". 1254 // 1255 // Notice that wildcard characters (such as * and ?) are not supported. 1256 // You must give a specific identity. 1257 string identity = 1 [(google.api.field_behavior) = REQUIRED]; 1258 } 1259 1260 // Specifies roles and/or permissions to analyze, to determine both the 1261 // identities possessing them and the resources they control. If multiple 1262 // values are specified, results will include roles or permissions matching 1263 // any of them. The total number of roles and permissions should be equal or 1264 // less than 10. 1265 message AccessSelector { 1266 // Optional. The roles to appear in result. 1267 repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL]; 1268 1269 // Optional. The permissions to appear in result. 1270 repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL]; 1271 } 1272 1273 // Contains query options. 1274 message Options { 1275 // Optional. If true, the identities section of the result will expand any 1276 // Google groups appearing in an IAM policy binding. 1277 // 1278 // If 1279 // [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector] 1280 // is specified, the identity in the result will be determined by the 1281 // selector, and this flag is not allowed to set. 1282 // 1283 // If true, the default max expansion per group is 1000 for 1284 // AssetService.AnalyzeIamPolicy][]. 1285 // 1286 // Default is false. 1287 bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL]; 1288 1289 // Optional. If true, the access section of result will expand any roles 1290 // appearing in IAM policy bindings to include their permissions. 
1291 // 1292 // If 1293 // [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector] 1294 // is specified, the access section of the result will be determined by the 1295 // selector, and this flag is not allowed to set. 1296 // 1297 // Default is false. 1298 bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL]; 1299 1300 // Optional. If true and 1301 // [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] 1302 // is not specified, the resource section of the result will expand any 1303 // resource attached to an IAM policy to include resources lower in the 1304 // resource hierarchy. 1305 // 1306 // For example, if the request analyzes for which resources user A has 1307 // permission P, and the results include an IAM policy with P on a Google 1308 // Cloud folder, the results will also include resources in that folder with 1309 // permission P. 1310 // 1311 // If true and 1312 // [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] 1313 // is specified, the resource section of the result will expand the 1314 // specified resource to include resources lower in the resource hierarchy. 1315 // Only project or lower resources are supported. Folder and organization 1316 // resources cannot be used together with this option. 1317 // 1318 // For example, if the request analyzes for which users have permission P on 1319 // a Google Cloud project with this option enabled, the results will include 1320 // all users who have permission P on that project or any lower resource. 1321 // 1322 // If true, the default max expansion per resource is 1000 for 1323 // AssetService.AnalyzeIamPolicy][] and 100000 for 1324 // AssetService.AnalyzeIamPolicyLongrunning][]. 1325 // 1326 // Default is false. 1327 bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL]; 1328 1329 // Optional. 
If true, the result will output the relevant parent/child
    // relationships between resources. Default is false.
    bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the result will output the relevant membership
    // relationships between groups and other groups, and between groups and
    // principals. Default is false.
    bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the response will include access analysis from
    // identities to resources via service account impersonation. This is a very
    // expensive operation, because many derived queries will be executed. We
    // highly recommend you use
    // [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]
    // RPC instead.
    //
    // For example, if the request analyzes for which resources user A has
    // permission P, and there's an IAM policy that states user A has
    // iam.serviceAccounts.getAccessToken permission to a service account SA,
    // and there's another IAM policy that states service account SA has
    // permission P to a Google Cloud folder F, then user A potentially has
    // access to the Google Cloud folder F. Those advanced analysis results
    // will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Another example: if the request analyzes who has permission P to a
    // Google Cloud folder F, and there's an IAM policy that states user A has
    // iam.serviceAccounts.actAs permission to a service account SA, and
    // there's another IAM policy that states service account SA has
    // permission P to the Google Cloud folder F, then user A potentially has
    // access to the Google Cloud folder F. Those advanced analysis results
    // will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Only the following permissions are considered in this analysis:
    //
    // * `iam.serviceAccounts.actAs`
    // * `iam.serviceAccounts.signBlob`
    // * `iam.serviceAccounts.signJwt`
    // * `iam.serviceAccounts.getAccessToken`
    // * `iam.serviceAccounts.getOpenIdToken`
    // * `iam.serviceAccounts.implicitDelegation`
    //
    // Default is false.
    bool analyze_service_account_impersonation = 6
        [(google.api.field_behavior) = OPTIONAL];
  }

  // The IAM conditions context: the hypothetical circumstances under which
  // IAM conditions attached to the analyzed policies are evaluated.
  message ConditionContext {
    // The IAM conditions time context.
    oneof TimeContext {
      // The hypothetical access timestamp to evaluate IAM conditions. Note that
      // this value must not be earlier than the current time; otherwise, an
      // INVALID_ARGUMENT error will be returned.
      google.protobuf.Timestamp access_time = 1;
    }
  }

  // Required. The relative name of the root asset. Only resources and IAM
  // policies within the scope will be analyzed.
  //
  // This can only be an organization number (such as "organizations/123"), a
  // folder number (such as "folders/123"), a project ID (such as
  // "projects/my-project-id"), or a project number (such as "projects/12345").
  //
  // To know how to get organization ID, visit [here
  // ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
  //
  // To know how to get folder or project ID, visit [here
  // ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
  string scope = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. Specifies a resource for analysis.
  ResourceSelector resource_selector = 2
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies an identity for analysis.
  IdentitySelector identity_selector = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies roles or permissions for analysis.
  AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The query options.
  Options options = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The hypothetical context for IAM conditions evaluation.
  ConditionContext condition_context = 6
      [(google.api.field_behavior) = OPTIONAL];
}

// A request message for
// [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy].
message AnalyzeIamPolicyRequest {
  // Required. The request query.
  IamPolicyAnalysisQuery analysis_query = 1
      [(google.api.field_behavior) = REQUIRED];

  // Optional. The name of a saved query, which must be in the format of:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  //
  // If both `analysis_query` and `saved_analysis_query` are provided, they
  // will be merged together with the `saved_analysis_query` as base and
  // the `analysis_query` as overrides. For more details of the merge behavior,
  // refer to the
  // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
  // page.
  //
  // Note that you cannot override primitive fields with default value, such as
  // 0 or empty string, etc., because we use proto3, which doesn't support field
  // presence yet. In particular, a `false` boolean option in `analysis_query`
  // cannot turn off a `true` option in the saved query.
  string saved_analysis_query = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Amount of time executable has to complete. See JSON
  // representation of
  // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
  //
  // If this field is set with a value less than the RPC deadline, and the
  // execution of your query hasn't finished in the specified
  // execution timeout, you will get a response with partial result.
  // Otherwise, your query's execution will continue until the RPC deadline.
  // If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
  //
  // Default is empty.
  google.protobuf.Duration execution_timeout = 2
      [(google.api.field_behavior) = OPTIONAL];
}

// A response message for
// [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy].
message AnalyzeIamPolicyResponse {
  // An analysis message to group the query and results.
  message IamPolicyAnalysis {
    // The analysis query.
    IamPolicyAnalysisQuery analysis_query = 1;

    // A list of
    // [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult]
    // that matches the analysis query, or empty if no result is found.
    repeated IamPolicyAnalysisResult analysis_results = 2;

    // Represents whether all entries in the
    // [analysis_results][google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results]
    // have been fully explored to answer the query. When false, the results
    // may be incomplete (see `execution_timeout` on the request).
    bool fully_explored = 3;

    // A list of non-critical errors that happened during the query handling.
    repeated IamPolicyAnalysisState non_critical_errors = 5;
  }

  // The main analysis that matches the original request.
  IamPolicyAnalysis main_analysis = 1;

  // The service account impersonation analysis if
  // [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
  // enabled.
  repeated IamPolicyAnalysis service_account_impersonation_analysis = 2;

  // Represents whether all entries in the
  // [main_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.main_analysis]
  // and
  // [service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]
  // have been fully explored to answer the query in the request.
  bool fully_explored = 3;
}

// Output configuration for export IAM policy analysis destination.
message IamPolicyAnalysisOutputConfig {
  // A Cloud Storage location.
  message GcsDestination {
    // Required. The URI of the Cloud Storage object. It's the same URI that is
    // used by gsutil. Example: "gs://bucket_name/object_name". See [Viewing and
    // Editing Object
    // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
    // for more information.
    //
    // If the specified Cloud Storage object already exists and there is no
    // [hold](https://cloud.google.com/storage/docs/object-holds), it will be
    // overwritten with the analysis result.
    //
    // NOTE(review): the exported result describes which identities can
    // access which resources; the destination bucket's own access controls
    // determine who can read it.
    string uri = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // A BigQuery destination.
  message BigQueryDestination {
    // This enum determines the partition key column for the bigquery tables.
    // Partitioning can improve query performance and reduce query cost by
    // filtering partitions. Refer to
    // https://cloud.google.com/bigquery/docs/partitioned-tables for details.
    enum PartitionKey {
      // Unspecified partition key. Tables won't be partitioned using this
      // option.
      PARTITION_KEY_UNSPECIFIED = 0;

      // The time when the request is received. If specified as partition key,
      // the result table(s) is partitioned by the RequestTime column, an
      // additional timestamp column representing when the request was received.
      REQUEST_TIME = 1;
    }

    // Required. The BigQuery dataset in format
    // "projects/projectId/datasets/datasetId", to which the analysis results
    // should be exported. If this dataset does not exist, the export call will
    // return an INVALID_ARGUMENT error.
    string dataset = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. The prefix of the BigQuery tables to which the analysis results
    // will be written. Tables will be created based on this table_prefix if
    // they don't exist:
    // * <table_prefix>_analysis table will contain export operation's metadata.
    // * <table_prefix>_analysis_result will contain all the
    //   [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult].
    // When [partition_key] is specified, both tables will be partitioned based
    // on the [partition_key].
    string table_prefix = 2 [(google.api.field_behavior) = REQUIRED];

    // The partition key for BigQuery partitioned table.
    PartitionKey partition_key = 3;

    // Optional. Specifies the action that occurs if the destination table or
    // partition already exists. The following values are supported:
    //
    // * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
    //   overwrites the entire table or all the partitions data.
    // * WRITE_APPEND: If the table or partition already exists, BigQuery
    //   appends the data to the table or the latest partition.
    // * WRITE_EMPTY: If the table already exists and contains data, an error is
    //   returned.
    //
    // The default value is WRITE_APPEND. Each action is atomic and only occurs
    // if BigQuery is able to complete the job successfully. Details are at
    // https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
    //
    // The value is a free-form string, not an enum; values other than those
    // listed above are not documented here.
    string write_disposition = 4 [(google.api.field_behavior) = OPTIONAL];
  }

  // IAM policy analysis export destination. Exactly one destination is used.
  oneof destination {
    // Destination on Cloud Storage.
    GcsDestination gcs_destination = 1;

    // Destination on BigQuery.
    BigQueryDestination bigquery_destination = 2;
  }
}

// A request message for
// [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning].
message AnalyzeIamPolicyLongrunningRequest {
  // Required. The request query.
  IamPolicyAnalysisQuery analysis_query = 1
      [(google.api.field_behavior) = REQUIRED];

  // Optional. The name of a saved query, which must be in the format of:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  //
  // If both `analysis_query` and `saved_analysis_query` are provided, they
  // will be merged together with the `saved_analysis_query` as base and
  // the `analysis_query` as overrides. For more details of the merge behavior,
  // refer to the
  // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
  // doc.
  //
  // Note that you cannot override primitive fields with default value, such as
  // 0 or empty string, etc., because we use proto3, which doesn't support field
  // presence yet. In particular, a `false` boolean option in `analysis_query`
  // cannot turn off a `true` option in the saved query.
  string saved_analysis_query = 3 [(google.api.field_behavior) = OPTIONAL];

  // Required. Output configuration indicating where the results will be output
  // to.
  IamPolicyAnalysisOutputConfig output_config = 2
      [(google.api.field_behavior) = REQUIRED];
}

// A response message for
// [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning].
// The results themselves are written to the request's `output_config`
// destination rather than returned inline.
message AnalyzeIamPolicyLongrunningResponse {}

// A saved query which can be shared with others or used later.
message SavedQuery {
  option (google.api.resource) = {
    type: "cloudasset.googleapis.com/SavedQuery"
    pattern: "projects/{project}/savedQueries/{saved_query}"
    pattern: "folders/{folder}/savedQueries/{saved_query}"
    pattern: "organizations/{organization}/savedQueries/{saved_query}"
  };

  // The query content.
  message QueryContent {
    oneof query_content {
      // An IAM Policy Analysis query, which could be used in
      // the
      // [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]
      // RPC or the
      // [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]
      // RPC.
      IamPolicyAnalysisQuery iam_policy_analysis_query = 1;
    }
  }

  // The resource name of the saved query. The format must be:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  string name = 1;

  // The description of this saved query. This value should be fewer than 255
  // characters.
  string description = 2;

  // Output only. The create time of this saved query.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The email address of the account that created this saved
  // query.
  string creator = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last update time of this saved query.
  google.protobuf.Timestamp last_update_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The email address of the account that updated this saved
  // query most recently.
  string last_updater = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Labels applied on the resource.
  // This value should not contain more than 10 entries. The key and value of
  // each entry must be non-empty and fewer than 64 characters.
  map<string, string> labels = 7;

  // The query content.
  QueryContent content = 8;
}

// Request to create a saved query.
message CreateSavedQueryRequest {
  // Required. The name of the project/folder/organization where this
  // saved_query should be created in. It can only be an organization number
  // (such as "organizations/123"), a folder number (such as "folders/123"), a
  // project ID (such as "projects/my-project-id"), or a project number (such as
  // "projects/12345").
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/SavedQuery"
    }
  ];

  // Required. The saved_query details. The `name` field must be empty as it
  // will be generated based on the parent and saved_query_id.
  SavedQuery saved_query = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The ID to use for the saved query, which must be unique in the
  // specified parent. It will become the final component of the saved query's
  // resource name.
  //
  // This value should be 4-63 characters, and valid characters
  // are `[a-z][0-9]-`.
  //
  // Notice that this field is required in the saved query creation, and the
  // `name` field of the `saved_query` will be ignored.
  string saved_query_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request to get a saved query.
message GetSavedQueryRequest {
  // Required. The name of the saved query and it must be in the format of:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudasset.googleapis.com/SavedQuery"
    }
  ];
}

// Request to list saved queries.
message ListSavedQueriesRequest {
  // Required. The parent project/folder/organization whose savedQueries are to
  // be listed. It can only be using project/folder/organization number (such as
  // "folders/12345"), or a project ID (such as "projects/my-project-id").
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/SavedQuery"
    }
  ];

  // Optional. The expression to filter resources.
  // The expression is a list of zero or more restrictions combined via logical
  // operators `AND` and `OR`. When `AND` and `OR` are both used in the
  // expression, parentheses must be appropriately used to group the
  // combinations. The expression may also contain regular expressions.
  //
  // See https://google.aip.dev/160 for more information on the grammar.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The maximum number of saved queries to return per page. The
  // service may return fewer than this value. If unspecified, at most 50 will
  // be returned. The maximum value is 1000; values above 1000 will be coerced
  // to 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous `ListSavedQueries` call.
  // Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to `ListSavedQueries` must
  // match the call that provided the page token.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response of listing saved queries.
message ListSavedQueriesResponse {
  // A list of savedQueries.
  repeated SavedQuery saved_queries = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// Request to update a saved query.
message UpdateSavedQueryRequest {
  // Required. The saved query to update.
  //
  // The saved query's `name` field is used to identify the one to update,
  // which has format as below:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  SavedQuery saved_query = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to update. Only the fields named in the mask
  // are changed; the rest of `saved_query` is ignored.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request to delete a saved query.
message DeleteSavedQueryRequest {
  // Required. The name of the saved query to delete. It must be in the format
  // of:
  //
  // * projects/project_number/savedQueries/saved_query_id
  // * folders/folder_number/savedQueries/saved_query_id
  // * organizations/organization_number/savedQueries/saved_query_id
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudasset.googleapis.com/SavedQuery"
    }
  ];
}

// The request message for performing resource move analysis.
message AnalyzeMoveRequest {
  // View enum for supporting partial analysis responses.
  enum AnalysisView {
    // The default/unset value.
    // The API will default to the FULL view.
    ANALYSIS_VIEW_UNSPECIFIED = 0;

    // Full analysis including all level of impacts of the specified resource
    // move.
    FULL = 1;

    // Basic analysis only including blockers which will prevent the specified
    // resource move at runtime.
    BASIC = 2;
  }

  // Required. Name of the resource to perform the analysis against.
  // Only Google Cloud projects are supported as of today. Hence, this can only
  // be a project ID (such as "projects/my-project-id") or a project number
  // (such as "projects/12345").
  string resource = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. Name of the Google Cloud folder or organization to reparent the
  // target resource. The analysis will be performed against hypothetically
  // moving the resource to this specified destination parent. This can only be
  // a folder number (such as "folders/123") or an organization number (such as
  // "organizations/123").
  string destination_parent = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "*" }
  ];

  // Analysis view indicating what information should be included in the
  // analysis response. If unspecified, the default view is FULL.
  AnalysisView view = 3;
}

// The response message for resource move analysis.
message AnalyzeMoveResponse {
  // The list of analyses returned from performing the intended resource move
  // analysis. The analysis is grouped by different Google Cloud services.
  repeated MoveAnalysis move_analysis = 1;
}

// A message to group the analysis information.
message MoveAnalysis {
  // The user friendly display name of the analysis. E.g. IAM, organization
  // policy etc.
  string display_name = 1;

  // Either the analysis result or the error that prevented it, never both.
  oneof result {
    // Analysis result of moving the target resource.
    MoveAnalysisResult analysis = 2;

    // Description of error encountered when performing the analysis.
    google.rpc.Status error = 3;
  }
}

// An analysis result including blockers and warnings.
message MoveAnalysisResult {
  // Blocking information that would prevent the target resource from moving
  // to the specified destination at runtime.
  repeated MoveImpact blockers = 1;

  // Warning information indicating that moving the target resource to the
  // specified destination might be unsafe. This can include important policy
  // information and configuration changes, but will not block moves at runtime.
  repeated MoveImpact warnings = 2;
}

// A message to group impacts of moving the target resource.
message MoveImpact {
  // User friendly impact detail in a free form message.
  string detail = 1;
}

// Output configuration for query assets.
message QueryAssetsOutputConfig {
  // BigQuery destination.
  message BigQueryDestination {
    // Required. The BigQuery dataset where the query results will be saved. It
    // has the format of "projects/{projectId}/datasets/{datasetId}".
    string dataset = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. The BigQuery table where the query results will be saved. If
    // this table does not exist, a new table with the given name will be
    // created.
    string table = 2 [(google.api.field_behavior) = REQUIRED];

    // Specifies the action that occurs if the destination table or partition
    // already exists. The following values are supported:
    //
    // * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
    //   overwrites the entire table or all the partitions data.
    // * WRITE_APPEND: If the table or partition already exists, BigQuery
    //   appends the data to the table or the latest partition.
    // * WRITE_EMPTY: If the table already exists and contains data, a
    //   'duplicate' error is returned in the job result.
    //
    // The default value is WRITE_EMPTY. Note that this differs from the
    // WRITE_APPEND default of
    // IamPolicyAnalysisOutputConfig.BigQueryDestination.write_disposition.
    string write_disposition = 3;
  }

  // BigQuery destination where the query results will be saved.
  BigQueryDestination bigquery_destination = 1;
}

// QueryAssets request.
message QueryAssetsRequest {
  // Required. The relative name of the root asset. This can only be an
  // organization number (such as "organizations/123"), a project ID (such as
  // "projects/my-project-id"), or a project number (such as "projects/12345"),
  // or a folder number (such as "folders/123").
  //
  // Only assets belonging to the `parent` will be returned.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudasset.googleapis.com/Asset"
    }
  ];

  // Either a new statement to run or a reference to a previously started job.
  oneof query {
    // Optional. A SQL statement that's compatible with [BigQuery
    // SQL](https://cloud.google.com/bigquery/docs/introduction-sql).
    //
    // NOTE(review): this is a free-form query string executed by the service;
    // a caller that assembles it from end-user input should validate that
    // input rather than concatenate it into the statement.
    string statement = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Reference to the query job, which is from the
    // `QueryAssetsResponse` of previous `QueryAssets` call.
    string job_reference = 3 [(google.api.field_behavior) = OPTIONAL];
  }

  // Optional. The maximum number of rows to return in the results. Responses
  // are limited to 10 MB and 1000 rows.
  //
  // By default, the maximum row count is 1000. When the byte or row count limit
  // is reached, the rest of the query results will be paginated.
  //
  // The field will be ignored when [output_config] is specified.
  int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token received from previous `QueryAssets`.
  //
  // The field will be ignored when [output_config] is specified.
  string page_token = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies the maximum amount of time that the client is willing
  // to wait for the query to complete. By default, this limit is 5 min for the
  // first query, and 1 minute for the following queries. If the query is
  // complete, the `done` field in the `QueryAssetsResponse` is true, otherwise
  // false.
  //
  // Like the BigQuery [jobs.query
  // API](https://cloud.google.com/bigquery/docs/reference/rest/v2/jobs/query#queryrequest),
  // the call is not guaranteed to wait for the specified timeout; it typically
  // returns after around 200 seconds (200,000 milliseconds), even if the query
  // is not complete.
  //
  // The field will be ignored when [output_config] is specified.
  google.protobuf.Duration timeout = 6 [(google.api.field_behavior) = OPTIONAL];

  // Specifies what time period or point in time to query asset metadata at.
  // * unset - query asset metadata as it is right now
  // * [read_time_window] - query asset metadata as it was at any point in time
  //   between [start_time] and [end_time].
  // * [read_time] - query asset metadata as it was at that point in time.
  // If data for the timestamp/date range selected does not exist,
  // it will simply return a valid response with no rows.
  oneof time {
    // Optional. [start_time] is required. [start_time] must be less than
    // [end_time]. Defaults [end_time] to now if [start_time] is set and
    // [end_time] isn't. Maximum permitted time range is 7 days.
    TimeWindow read_time_window = 7 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Queries cloud assets as they appeared at the specified point in
    // time.
    google.protobuf.Timestamp read_time = 8
        [(google.api.field_behavior) = OPTIONAL];
  }

  // Optional. Destination where the query results will be saved.
  //
  // When this field is specified, the query results won't be saved in the
  // [QueryAssetsResponse.query_result]. Instead
  // [QueryAssetsResponse.output_config] will be set.
  //
  // Meanwhile, [QueryAssetsResponse.job_reference] will be set and can be used
  // to check the status of the query job when passed to a following
  // [QueryAssets] API call.
  QueryAssetsOutputConfig output_config = 9
      [(google.api.field_behavior) = OPTIONAL];
}

// QueryAssets response.
message QueryAssetsResponse {
  // Reference to a query job.
  string job_reference = 1;

  // The query response, which can be either an `error` or a valid `response`.
  //
  // If `done` == `false` and the query result is being saved in an output, the
  // output_config field will be set.
  // If `done` == `true`, exactly one of
  // `error`, `query_result` or `output_config` will be set.
  bool done = 2;

  oneof response {
    // Error status.
    google.rpc.Status error = 3;

    // Result of the query.
    QueryResult query_result = 4;

    // Output configuration which indicates instead of being returned in API
    // response on the fly, the query result will be saved in a specific output.
    QueryAssetsOutputConfig output_config = 5;
  }
}

// Execution results of the query.
//
// The result is formatted as rows represented by BigQuery compatible [schema].
// When pagination is necessary, it will contain the page token to retrieve
// the results of following pages.
message QueryResult {
  // Each row holds a query result in the format of `Struct`.
  repeated google.protobuf.Struct rows = 1;

  // Describes the format of the [rows].
  TableSchema schema = 2;

  // Token to retrieve the next page of the results.
  string next_page_token = 3;

  // Total rows of the whole query results.
  int64 total_rows = 4;
}

// BigQuery Compatible table schema.
message TableSchema {
  // Describes the fields in a table.
  repeated TableFieldSchema fields = 1;
}

// A field in TableSchema.
message TableFieldSchema {
  // The field name. The name must contain only letters (a-z, A-Z),
  // numbers (0-9), or underscores (_), and must start with a letter or
  // underscore. The maximum length is 128 characters.
  string field = 1;

  // The field data type. Possible values include
  // * STRING
  // * BYTES
  // * INTEGER
  // * FLOAT
  // * BOOLEAN
  // * TIMESTAMP
  // * DATE
  // * TIME
  // * DATETIME
  // * GEOGRAPHY,
  // * NUMERIC,
  // * BIGNUMERIC,
  // * RECORD
  // (where RECORD indicates that the field contains a nested schema).
  string type = 2;

  // The field mode. Possible values include NULLABLE, REQUIRED and
  // REPEATED. The default value is NULLABLE.
  string mode = 3;

  // Describes the nested schema fields if the type property is set
  // to RECORD. The nesting is recursive through this field.
  repeated TableFieldSchema fields = 4;
}

// A request message for
// [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies].
message BatchGetEffectiveIamPoliciesRequest {
  // Required. Only IAM policies on or below the scope will be returned.
  //
  // This can only be an organization number (such as "organizations/123"), a
  // folder number (such as "folders/123"), a project ID (such as
  // "projects/my-project-id"), or a project number (such as "projects/12345").
  //
  // To know how to get organization ID, visit [here
  // ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).
  //
  // To know how to get folder or project ID, visit [here
  // ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
  string scope = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { child_type: "*" }
  ];

  // Required. The names refer to the [full_resource_names]
  // (https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // of the asset types [supported by search
  // APIs](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
  // A maximum of 20 resources' effective policies can be retrieved in a batch.
  repeated string names = 3 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "*" }
  ];
}

// A response message for
// [AssetService.BatchGetEffectiveIamPolicies][google.cloud.asset.v1.AssetService.BatchGetEffectiveIamPolicies].
message BatchGetEffectiveIamPoliciesResponse {
  // The effective IAM policies on one resource.
  message EffectiveIamPolicy {
    // The IAM policy and its attached resource.
    message PolicyInfo {
      // The full resource name the
      // [policy][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.policy]
      // is directly attached to.
      string attached_resource = 1;

      // The IAM policy that's directly attached to the
      // [attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource].
      google.iam.v1.Policy policy = 2;
    }

    // The [full_resource_name]
    // (https://cloud.google.com/asset-inventory/docs/resource-name-format)
    // for which the
    // [policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies]
    // are computed. This is one of the
    // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names]
    // the caller provides in the request.
    string full_resource_name = 1;

    // The effective policies for the
    // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name].
    //
    // These policies include the policy set on the
    // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name]
    // and those set on its parents and ancestors up to the
    // [BatchGetEffectiveIamPoliciesRequest.scope][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.scope].
    // Note that these policies are not filtered according to the resource type
    // of the
    // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name],
    // so a binding listed here is not necessarily applicable to that resource.
    //
    // These policies are hierarchically ordered by
    // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource]
    // starting from
    // [full_resource_name][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.full_resource_name]
    // itself to its parents and ancestors, such that policies[i]'s
    // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource]
    // is the child of policies[i+1]'s
    // [PolicyInfo.attached_resource][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.PolicyInfo.attached_resource],
    // if policies[i+1] exists.
    repeated PolicyInfo policies = 2;
  }

  // The effective policies for a batch of resources. Note that the results
  // order is the same as the order of
  // [BatchGetEffectiveIamPoliciesRequest.names][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesRequest.names].
  // When a resource does not have any effective IAM policies, its corresponding
  // policy_result will contain empty
  // [EffectiveIamPolicy.policies][google.cloud.asset.v1.BatchGetEffectiveIamPoliciesResponse.EffectiveIamPolicy.policies].
  repeated EffectiveIamPolicy policy_results = 2;
}

// This organization policy message is a modified version of the one defined in
// the Organization Policy system. This message contains several fields defined
// in the original organization policy with some new fields for analysis
// purpose.
message AnalyzerOrgPolicy {
  // This rule message is a customized version of the one defined in the
  // Organization Policy system. In addition to the fields defined in the
  // original organization policy, it contains additional field(s) under
  // specific circumstances to support analysis results.
  message Rule {
    // The string values for the list constraints.
    message StringValues {
      // List of values allowed at this resource.
      repeated string allowed_values = 1;

      // List of values denied at this resource.
      repeated string denied_values = 2;
    }

    // The rule's effect; at most one of these is set.
    oneof kind {
      // List of values to be used for this policy rule. This field can be set
      // only in policies for list constraints.
      StringValues values = 3;

      // Setting this to true means that all values are allowed. This field can
      // be set only in Policies for list constraints.
      bool allow_all = 4;

      // Setting this to true means that all values are denied. This field can
      // be set only in Policies for list constraints.
      bool deny_all = 5;

      // If `true`, then the `Policy` is enforced. If `false`, then any
      // configuration is acceptable.
      // This field can be set only in Policies for boolean constraints.
      bool enforce = 6;
    }

    // The evaluating condition for this rule.
    google.type.Expr condition = 7;

    // The condition evaluation result for this rule.
    // Only populated if it meets all the following criteria:
    //
    // * There is a
    //   [condition][google.cloud.asset.v1.AnalyzerOrgPolicy.Rule.condition]
    //   defined for this rule.
2211 // * This rule is within 2212 // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.consolidated_policy][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.consolidated_policy], 2213 // or 2214 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.consolidated_policy][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.consolidated_policy] 2215 // when the 2216 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset] 2217 // has 2218 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.governed_resource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.governed_resource]. 2219 ConditionEvaluation condition_evaluation = 8; 2220 } 2221 2222 // The [full resource name] 2223 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2224 // an organization/folder/project resource where this organization policy is 2225 // set. 2226 // 2227 // Notice that some type of constraints are defined with default policy. This 2228 // field will be empty for them. 2229 string attached_resource = 1; 2230 2231 // The [full resource name] 2232 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2233 // an organization/folder/project resource where this organization policy 2234 // applies to. 2235 // 2236 // For any user defined org policies, this field has the same value as 2237 // the [attached_resource] field. Only for default policy, this field has 2238 // the different value. 2239 string applied_resource = 5; 2240 2241 // List of rules for this organization policy. 2242 repeated Rule rules = 2; 2243 2244 // If `inherit_from_parent` is true, Rules set higher up in the 2245 // hierarchy (up to the closest root) are inherited and present in the 2246 // effective policy. 
If it is false, then no rules are inherited, and this 2247 // policy becomes the effective root for evaluation. 2248 bool inherit_from_parent = 3; 2249 2250 // Ignores policies set above this resource and restores the default behavior 2251 // of the constraint at this resource. 2252 // This field can be set in policies for either list or boolean 2253 // constraints. If set, `rules` must be empty and `inherit_from_parent` 2254 // must be set to false. 2255 bool reset = 4; 2256} 2257 2258// The organization policy constraint definition. 2259message AnalyzerOrgPolicyConstraint { 2260 // The definition of a constraint. 2261 message Constraint { 2262 // Specifies the default behavior in the absence of any `Policy` for the 2263 // `Constraint`. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`. 2264 enum ConstraintDefault { 2265 // This is only used for distinguishing unset values and should never be 2266 // used. 2267 CONSTRAINT_DEFAULT_UNSPECIFIED = 0; 2268 2269 // Indicate that all values are allowed for list constraints. 2270 // Indicate that enforcement is off for boolean constraints. 2271 ALLOW = 1; 2272 2273 // Indicate that all values are denied for list constraints. 2274 // Indicate that enforcement is on for boolean constraints. 2275 DENY = 2; 2276 } 2277 2278 // A `Constraint` that allows or disallows a list of string values, which 2279 // are configured by an organization's policy administrator with a `Policy`. 2280 message ListConstraint { 2281 // Indicates whether values grouped into categories can be used in 2282 // `Policy.allowed_values` and `Policy.denied_values`. For example, 2283 // `"in:Python"` would match any value in the 'Python' group. 2284 bool supports_in = 1; 2285 2286 // Indicates whether subtrees of Cloud Resource Manager resource hierarchy 2287 // can be used in `Policy.allowed_values` and `Policy.denied_values`. For 2288 // example, `"under:folders/123"` would match any resource under the 2289 // 'folders/123' folder. 
2290 bool supports_under = 2; 2291 } 2292 2293 // A `Constraint` that is either enforced or not. 2294 // 2295 // For example a constraint `constraints/compute.disableSerialPortAccess`. 2296 // If it is enforced on a VM instance, serial port connections will not be 2297 // opened to that instance. 2298 message BooleanConstraint {} 2299 2300 // The unique name of the constraint. Format of the name should be 2301 // * `constraints/{constraint_name}` 2302 // 2303 // For example, `constraints/compute.disableSerialPortAccess`. 2304 string name = 1; 2305 2306 // The human readable name of the constraint. 2307 string display_name = 2; 2308 2309 // Detailed description of what this `Constraint` controls as well as how 2310 // and where it is enforced. 2311 string description = 3; 2312 2313 // The evaluation behavior of this constraint in the absence of 'Policy'. 2314 ConstraintDefault constraint_default = 4; 2315 2316 // The type of restrictions for this `Constraint`. 2317 // 2318 // Immutable after creation. 2319 oneof constraint_type { 2320 // Defines this constraint as being a ListConstraint. 2321 ListConstraint list_constraint = 5; 2322 2323 // Defines this constraint as being a BooleanConstraint. 2324 BooleanConstraint boolean_constraint = 6; 2325 } 2326 } 2327 2328 // The definition of a custom constraint. 2329 message CustomConstraint { 2330 // The operation in which this constraint will be applied. For example: 2331 // If the constraint applies only when create VMs, the method_types will be 2332 // "CREATE" only. If the constraint applied when create or delete VMs, the 2333 // method_types will be "CREATE" and "DELETE". 2334 enum MethodType { 2335 // Unspecified. Will results in user error. 2336 METHOD_TYPE_UNSPECIFIED = 0; 2337 2338 // Constraint applied when creating the resource. 2339 CREATE = 1; 2340 2341 // Constraint applied when updating the resource. 2342 UPDATE = 2; 2343 2344 // Constraint applied when deleting the resource. 
2345 DELETE = 3; 2346 } 2347 2348 // Allow or deny type. 2349 enum ActionType { 2350 // Unspecified. Will results in user error. 2351 ACTION_TYPE_UNSPECIFIED = 0; 2352 2353 // Allowed action type. 2354 ALLOW = 1; 2355 2356 // Deny action type. 2357 DENY = 2; 2358 } 2359 2360 // Name of the constraint. This is unique within the organization. Format of 2361 // the name should be 2362 // * `organizations/{organization_id}/customConstraints/{custom_constraint_id}` 2363 // 2364 // Example : 2365 // "organizations/123/customConstraints/custom.createOnlyE2TypeVms" 2366 string name = 1; 2367 2368 // The Resource Instance type on which this policy applies to. Format will 2369 // be of the form : "<canonical service name>/<type>" Example: 2370 // * `compute.googleapis.com/Instance`. 2371 repeated string resource_types = 2; 2372 2373 // All the operations being applied for this constraint. 2374 repeated MethodType method_types = 3; 2375 2376 // Organization Policy condition/expression. For example: 2377 // `resource.instanceName.matches("[production|test]_.*_(\d)+")'` or, 2378 // `resource.management.auto_upgrade == true` 2379 string condition = 4; 2380 2381 // Allow or deny type. 2382 ActionType action_type = 5; 2383 2384 // One line display name for the UI. 2385 string display_name = 6; 2386 2387 // Detailed information about this custom policy constraint. 2388 string description = 7; 2389 } 2390 2391 oneof constraint_definition { 2392 // The definition of the canned constraint defined by Google. 2393 Constraint google_defined_constraint = 1; 2394 2395 // The definition of the custom constraint. 2396 CustomConstraint custom_constraint = 2; 2397 } 2398} 2399 2400// A request message for 2401// [AssetService.AnalyzeOrgPolicies][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicies]. 2402message AnalyzeOrgPoliciesRequest { 2403 // Required. The organization to scope the request. Only organization 2404 // policies within the scope will be analyzed. 
2405 // 2406 // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") 2407 string scope = 1 [(google.api.field_behavior) = REQUIRED]; 2408 2409 // Required. The name of the constraint to analyze organization policies for. 2410 // The response only contains analyzed organization policies for the provided 2411 // constraint. 2412 string constraint = 2 [(google.api.field_behavior) = REQUIRED]; 2413 2414 // The expression to filter 2415 // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results]. 2416 // Filtering is currently available for bare literal values and the following 2417 // fields: 2418 // * consolidated_policy.attached_resource 2419 // * consolidated_policy.rules.enforce 2420 // 2421 // When filtering by a specific field, the only supported operator is `=`. 2422 // For example, filtering by 2423 // consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/folders/001" 2424 // will return all the Organization Policy results attached to "folders/001". 2425 string filter = 3; 2426 2427 // The maximum number of items to return per page. If unspecified, 2428 // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results] 2429 // will contain 20 items with a maximum of 200. 2430 optional int32 page_size = 4; 2431 2432 // The pagination token to retrieve the next page. 2433 string page_token = 5; 2434} 2435 2436// The response message for 2437// [AssetService.AnalyzeOrgPolicies][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicies]. 2438message AnalyzeOrgPoliciesResponse { 2439 // The organization policy result to the query. 2440 message OrgPolicyResult { 2441 // The consolidated organization policy for the analyzed resource. The 2442 // consolidated organization policy is computed by merging and evaluating 2443 // [AnalyzeOrgPoliciesResponse.policy_bundle][]. 
2444 // The evaluation will respect the organization policy [hierarchy 2445 // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). 2446 AnalyzerOrgPolicy consolidated_policy = 1; 2447 2448 // The ordered list of all organization policies from the 2449 // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][]. 2450 // to the scope specified in the request. 2451 // 2452 // If the constraint is defined with default policy, it will also appear in 2453 // the list. 2454 repeated AnalyzerOrgPolicy policy_bundle = 2; 2455 2456 // The project that this consolidated policy belongs to, in the format of 2457 // projects/{PROJECT_NUMBER}. This field is available when the consolidated 2458 // policy belongs to a project. 2459 string project = 3; 2460 2461 // The folder(s) that this consolidated policy belongs to, in the format of 2462 // folders/{FOLDER_NUMBER}. This field is available when the consolidated 2463 // policy belongs (directly or cascadingly) to one or more folders. 2464 repeated string folders = 4; 2465 2466 // The organization that this consolidated policy belongs to, in the format 2467 // of organizations/{ORGANIZATION_NUMBER}. This field is available when the 2468 // consolidated policy belongs (directly or cascadingly) to an organization. 2469 string organization = 5; 2470 } 2471 2472 // The organization policies under the 2473 // [AnalyzeOrgPoliciesRequest.scope][google.cloud.asset.v1.AnalyzeOrgPoliciesRequest.scope] 2474 // with the 2475 // [AnalyzeOrgPoliciesRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPoliciesRequest.constraint]. 2476 repeated OrgPolicyResult org_policy_results = 1; 2477 2478 // The definition of the constraint in the request. 2479 AnalyzerOrgPolicyConstraint constraint = 2; 2480 2481 // The page token to fetch the next page for 2482 // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results]. 
2483 string next_page_token = 3; 2484} 2485 2486// A request message for 2487// [AssetService.AnalyzeOrgPolicyGovernedContainers][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedContainers]. 2488message AnalyzeOrgPolicyGovernedContainersRequest { 2489 // Required. The organization to scope the request. Only organization 2490 // policies within the scope will be analyzed. The output containers will 2491 // also be limited to the ones governed by those in-scope organization 2492 // policies. 2493 // 2494 // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") 2495 string scope = 1 [(google.api.field_behavior) = REQUIRED]; 2496 2497 // Required. The name of the constraint to analyze governed containers for. 2498 // The analysis only contains organization policies for the provided 2499 // constraint. 2500 string constraint = 2 [(google.api.field_behavior) = REQUIRED]; 2501 2502 // The expression to filter 2503 // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers]. 2504 // Filtering is currently available for bare literal values and the following 2505 // fields: 2506 // * parent 2507 // * consolidated_policy.rules.enforce 2508 // 2509 // When filtering by a specific field, the only supported operator is `=`. 2510 // For example, filtering by 2511 // parent="//cloudresourcemanager.googleapis.com/folders/001" 2512 // will return all the containers under "folders/001". 2513 string filter = 3; 2514 2515 // The maximum number of items to return per page. If unspecified, 2516 // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers] 2517 // will contain 100 items with a maximum of 200. 2518 optional int32 page_size = 4; 2519 2520 // The pagination token to retrieve the next page. 
2521 string page_token = 5; 2522} 2523 2524// The response message for 2525// [AssetService.AnalyzeOrgPolicyGovernedContainers][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedContainers]. 2526message AnalyzeOrgPolicyGovernedContainersResponse { 2527 // The organization/folder/project resource governed by organization policies 2528 // of 2529 // [AnalyzeOrgPolicyGovernedContainersRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersRequest.constraint]. 2530 message GovernedContainer { 2531 // The [full resource name] 2532 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2533 // an organization/folder/project resource. 2534 string full_resource_name = 1; 2535 2536 // The [full resource name] 2537 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2538 // the parent of 2539 // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.full_resource_name]. 2540 string parent = 2; 2541 2542 // The consolidated organization policy for the analyzed resource. The 2543 // consolidated organization policy is computed by merging and evaluating 2544 // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.policy_bundle][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.policy_bundle]. 2545 // The evaluation will respect the organization policy [hierarchy 2546 // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). 2547 AnalyzerOrgPolicy consolidated_policy = 3; 2548 2549 // The ordered list of all organization policies from the 2550 // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][]. 2551 // to the scope specified in the request. 2552 // 2553 // If the constraint is defined with default policy, it will also appear in 2554 // the list. 
2555 repeated AnalyzerOrgPolicy policy_bundle = 4; 2556 2557 // The project that this resource belongs to, in the format of 2558 // projects/{PROJECT_NUMBER}. This field is available when the resource 2559 // belongs to a project. 2560 string project = 5; 2561 2562 // The folder(s) that this resource belongs to, in the format of 2563 // folders/{FOLDER_NUMBER}. This field is available when the resource 2564 // belongs (directly or cascadingly) to one or more folders. 2565 repeated string folders = 6; 2566 2567 // The organization that this resource belongs to, in the format of 2568 // organizations/{ORGANIZATION_NUMBER}. This field is available when the 2569 // resource belongs (directly or cascadingly) to an organization. 2570 string organization = 7; 2571 2572 // The effective tags on this resource. 2573 repeated EffectiveTagDetails effective_tags = 8; 2574 } 2575 2576 // The list of the analyzed governed containers. 2577 repeated GovernedContainer governed_containers = 1; 2578 2579 // The definition of the constraint in the request. 2580 AnalyzerOrgPolicyConstraint constraint = 2; 2581 2582 // The page token to fetch the next page for 2583 // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers]. 2584 string next_page_token = 3; 2585} 2586 2587// A request message for 2588// [AssetService.AnalyzeOrgPolicyGovernedAssets][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedAssets]. 2589message AnalyzeOrgPolicyGovernedAssetsRequest { 2590 // Required. The organization to scope the request. Only organization 2591 // policies within the scope will be analyzed. The output assets will 2592 // also be limited to the ones governed by those in-scope organization 2593 // policies. 2594 // 2595 // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") 2596 string scope = 1 [(google.api.field_behavior) = REQUIRED]; 2597 2598 // Required. 
The name of the constraint to analyze governed assets for. The 2599 // analysis only contains analyzed organization policies for the provided 2600 // constraint. 2601 string constraint = 2 [(google.api.field_behavior) = REQUIRED]; 2602 2603 // The expression to filter 2604 // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets]. 2605 // 2606 // For governed resources, filtering is currently available for bare literal 2607 // values and the following fields: 2608 // * governed_resource.project 2609 // * governed_resource.folders 2610 // * consolidated_policy.rules.enforce 2611 // When filtering by `governed_resource.project` or 2612 // `consolidated_policy.rules.enforce`, the only supported operator is `=`. 2613 // When filtering by `governed_resource.folders`, the supported operators 2614 // are `=` and `:`. 2615 // For example, filtering by `governed_resource.project="projects/12345678"` 2616 // will return all the governed resources under "projects/12345678", 2617 // including the project itself if applicable. 2618 // 2619 // For governed IAM policies, filtering is currently available for bare 2620 // literal values and the following fields: 2621 // * governed_iam_policy.project 2622 // * governed_iam_policy.folders 2623 // * consolidated_policy.rules.enforce 2624 // When filtering by `governed_iam_policy.project` or 2625 // `consolidated_policy.rules.enforce`, the only supported operator is `=`. 2626 // When filtering by `governed_iam_policy.folders`, the supported operators 2627 // are `=` and `:`. 2628 // For example, filtering by `governed_iam_policy.folders:"folders/12345678"` 2629 // will return all the governed IAM policies under "folders/001". 2630 string filter = 3; 2631 2632 // The maximum number of items to return per page. 
If unspecified, 2633 // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets] 2634 // will contain 100 items with a maximum of 200. 2635 optional int32 page_size = 4; 2636 2637 // The pagination token to retrieve the next page. 2638 string page_token = 5; 2639} 2640 2641// The response message for 2642// [AssetService.AnalyzeOrgPolicyGovernedAssets][google.cloud.asset.v1.AssetService.AnalyzeOrgPolicyGovernedAssets]. 2643message AnalyzeOrgPolicyGovernedAssetsResponse { 2644 // The Google Cloud resources governed by the organization policies of the 2645 // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. 2646 message GovernedResource { 2647 // The [full resource name] 2648 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2649 // the Google Cloud resource. 2650 string full_resource_name = 1; 2651 2652 // The [full resource name] 2653 // (https://cloud.google.com/asset-inventory/docs/resource-name-format) of 2654 // the parent of 2655 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name]. 2656 string parent = 2; 2657 2658 // The project that this resource belongs to, in the format of 2659 // projects/{PROJECT_NUMBER}. This field is available when the resource 2660 // belongs to a project. 2661 string project = 5; 2662 2663 // The folder(s) that this resource belongs to, in the format of 2664 // folders/{FOLDER_NUMBER}. This field is available when the resource 2665 // belongs (directly or cascadingly) to one or more folders. 2666 repeated string folders = 6; 2667 2668 // The organization that this resource belongs to, in the format of 2669 // organizations/{ORGANIZATION_NUMBER}. 
This field is available when the 2670 // resource belongs (directly or cascadingly) to an organization. 2671 string organization = 7; 2672 2673 // The asset type of the 2674 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name] 2675 // Example: 2676 // `cloudresourcemanager.googleapis.com/Project` 2677 // See [Cloud Asset Inventory Supported Asset 2678 // Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 2679 // for all supported asset types. 2680 string asset_type = 8; 2681 2682 // The effective tags on this resource. 2683 repeated EffectiveTagDetails effective_tags = 9; 2684 } 2685 2686 // The IAM policies governed by the organization policies of the 2687 // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. 2688 message GovernedIamPolicy { 2689 // The full resource name of the resource on which this IAM policy is set. 2690 // Example: 2691 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. 2692 // See [Cloud Asset Inventory Resource Name 2693 // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) 2694 // for more information. 2695 string attached_resource = 1; 2696 2697 // The IAM policy directly set on the given resource. 2698 google.iam.v1.Policy policy = 2; 2699 2700 // The project that this IAM policy belongs to, in the format of 2701 // projects/{PROJECT_NUMBER}. This field is available when the IAM policy 2702 // belongs to a project. 2703 string project = 5; 2704 2705 // The folder(s) that this IAM policy belongs to, in the format of 2706 // folders/{FOLDER_NUMBER}. This field is available when the IAM policy 2707 // belongs (directly or cascadingly) to one or more folders. 
2708 repeated string folders = 6; 2709 2710 // The organization that this IAM policy belongs to, in the format of 2711 // organizations/{ORGANIZATION_NUMBER}. This field is available when the 2712 // IAM policy belongs (directly or cascadingly) to an organization. 2713 string organization = 7; 2714 2715 // The asset type of the 2716 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource]. 2717 // Example: 2718 // `cloudresourcemanager.googleapis.com/Project` 2719 // See [Cloud Asset Inventory Supported Asset 2720 // Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 2721 // for all supported asset types. 2722 string asset_type = 8; 2723 } 2724 2725 // Represents a Google Cloud asset(resource or IAM policy) governed by the 2726 // organization policies of the 2727 // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. 2728 message GovernedAsset { 2729 oneof governed_asset { 2730 // A Google Cloud resource governed by the organization 2731 // policies of the 2732 // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. 2733 GovernedResource governed_resource = 1; 2734 2735 // An IAM policy governed by the organization 2736 // policies of the 2737 // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint]. 2738 GovernedIamPolicy governed_iam_policy = 2; 2739 } 2740 2741 // The consolidated policy for the analyzed asset. The consolidated 2742 // policy is computed by merging and evaluating 2743 // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle]. 
2744 // The evaluation will respect the organization policy [hierarchy 2745 // rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). 2746 AnalyzerOrgPolicy consolidated_policy = 3; 2747 2748 // The ordered list of all organization policies from the 2749 // [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][] 2750 // to the scope specified in the request. 2751 // 2752 // If the constraint is defined with default policy, it will also appear in 2753 // the list. 2754 repeated AnalyzerOrgPolicy policy_bundle = 4; 2755 } 2756 2757 // The list of the analyzed governed assets. 2758 repeated GovernedAsset governed_assets = 1; 2759 2760 // The definition of the constraint in the request. 2761 AnalyzerOrgPolicyConstraint constraint = 2; 2762 2763 // The page token to fetch the next page for 2764 // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets]. 2765 string next_page_token = 3; 2766} 2767 2768// Asset content type. 2769enum ContentType { 2770 // Unspecified content type. 2771 CONTENT_TYPE_UNSPECIFIED = 0; 2772 2773 // Resource metadata. 2774 RESOURCE = 1; 2775 2776 // The actual IAM policy set on a resource. 2777 IAM_POLICY = 2; 2778 2779 // The organization policy set on an asset. 2780 ORG_POLICY = 4; 2781 2782 // The Access Context Manager policy set on an asset. 2783 ACCESS_POLICY = 5; 2784 2785 // The runtime OS Inventory information. 2786 OS_INVENTORY = 6; 2787 2788 // The related resources. 2789 RELATIONSHIP = 7; 2790} 2791