1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.asset.v1;
18
19import "google/api/resource.proto";
20import "google/cloud/orgpolicy/v1/orgpolicy.proto";
21import "google/cloud/osconfig/v1/inventory.proto";
22import "google/iam/v1/policy.proto";
23import "google/identity/accesscontextmanager/v1/access_level.proto";
24import "google/identity/accesscontextmanager/v1/access_policy.proto";
25import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
26import "google/protobuf/struct.proto";
27import "google/protobuf/timestamp.proto";
28import "google/rpc/code.proto";
29
30option cc_enable_arenas = true;
31option csharp_namespace = "Google.Cloud.Asset.V1";
32option go_package = "cloud.google.com/go/asset/apiv1/assetpb;assetpb";
33option java_multiple_files = true;
34option java_outer_classname = "AssetProto";
35option java_package = "com.google.cloud.asset.v1";
36option php_namespace = "Google\\Cloud\\Asset\\V1";
37
// An asset in Google Cloud and its temporal metadata, including the time window
// when it was observed and its status during that window.
//
// `asset` is the state that was observed and `window` bounds when that state
// held. `prior_asset`, qualified by `prior_asset_state`, optionally carries the
// previous state so a consumer can work out what changed. Always consult
// `prior_asset_state` before reading `prior_asset`: an unset `prior_asset`
// alone does not say whether the prior state is unknown, invalid, or genuinely
// nonexistent.
message TemporalAsset {
  // State of prior asset.
  //
  // NOTE(review): the non-zero values carry no `PRIOR_ASSET_STATE_` prefix.
  // Renaming them would change the JSON form and generated code of a published
  // API, so they are left as-is.
  enum PriorAssetState {
    // prior_asset is not applicable for the current asset.
    PRIOR_ASSET_STATE_UNSPECIFIED = 0;

    // prior_asset is populated correctly.
    PRESENT = 1;

    // Failed to set prior_asset. `prior_asset` must not be relied on as the
    // previous state in this case; treat the prior state as unknown rather
    // than as "no change".
    INVALID = 2;

    // Current asset is the first known state.
    DOES_NOT_EXIST = 3;

    // prior_asset is a deletion.
    DELETED = 4;
  }

  // The time window when the asset data and state was observed.
  TimeWindow window = 1;

  // Whether the asset has been deleted or not.
  //
  // NOTE(review): this schema does not say what `asset` holds when this is
  // true (last known content vs. identity only); confirm with the feed/export
  // documentation before reading `asset.resource` for a deleted asset.
  bool deleted = 2;

  // An asset in Google Cloud.
  Asset asset = 3;

  // State of prior_asset. Check this before interpreting `prior_asset`.
  PriorAssetState prior_asset_state = 4;

  // Prior copy of the asset. Populated if prior_asset_state is PRESENT.
  // Currently this is only set for responses in Real-Time Feed.
  Asset prior_asset = 5;
}
75
// A time window specified by its `start_time` and `end_time`.
//
// The window is half-open on the left: `start_time` is excluded and `end_time`
// is included, i.e. (start_time, end_time]. A consumer walking consecutive
// windows can therefore reuse one window's `end_time` as the next window's
// `start_time` without gaps or double counting.
message TimeWindow {
  // Start time of the time window (exclusive).
  google.protobuf.Timestamp start_time = 1;

  // End time of the time window (inclusive). If not specified, the current
  // timestamp is used instead.
  //
  // Because the default resolves to "now" at evaluation time, a window that
  // leaves this unset is not reproducible; pin `end_time` explicitly when the
  // result must be re-derived later (e.g. for an audit trail).
  google.protobuf.Timestamp end_time = 2;
}
85
86// An asset in Google Cloud. An asset can be any resource in the Google Cloud
87// [resource
88// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
89// a resource outside the Google Cloud resource hierarchy (such as Google
90// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy),
91// or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship).
92// See [Supported asset
93// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
94// for more information.
95message Asset {
96  option (google.api.resource) = {
97    type: "cloudasset.googleapis.com/Asset"
98    pattern: "*"
99  };
100
101  // The last update timestamp of an asset. update_time is updated when
102  // create/update/delete operation is performed.
103  google.protobuf.Timestamp update_time = 11;
104
105  // The full name of the asset. Example:
106  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
107  //
108  // See [Resource
109  // names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
110  // for more information.
111  string name = 1;
112
113  // The type of the asset. Example: `compute.googleapis.com/Disk`
114  //
115  // See [Supported asset
116  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
117  // for more information.
118  string asset_type = 2;
119
120  // A representation of the resource.
121  Resource resource = 3;
122
123  // A representation of the IAM policy set on a Google Cloud resource.
124  // There can be a maximum of one IAM policy set on any given resource.
125  // In addition, IAM policies inherit their granted access scope from any
126  // policies set on parent resources in the resource hierarchy. Therefore, the
127  // effectively policy is the union of both the policy set on this resource
128  // and each policy set on all of the resource's ancestry resource levels in
129  // the hierarchy. See
130  // [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance)
131  // for more information.
132  google.iam.v1.Policy iam_policy = 4;
133
134  // A representation of an [organization
135  // policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
136  // There can be more than one organization policy with different constraints
137  // set on a given resource.
138  repeated google.cloud.orgpolicy.v1.Policy org_policy = 6;
139
140  // A representation of an [access
141  // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
142  oneof access_context_policy {
143    // Also refer to the [access policy user
144    // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
145    google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7;
146
147    // Also refer to the [access level user
148    // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
149    google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
150
151    // Also refer to the [service perimeter user
152    // guide](https://cloud.google.com/vpc-service-controls/docs/overview).
153    google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter =
154        9;
155  }
156
157  // A representation of runtime OS Inventory information. See [this
158  // topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
159  // for more information.
160  google.cloud.osconfig.v1.Inventory os_inventory = 12;
161
162  // DEPRECATED. This field only presents for the purpose of
163  // backward-compatibility. The server will never generate responses with this
164  // field.
165  // The related assets of the asset of one relationship type. One asset
166  // only represents one type of relationship.
167  RelatedAssets related_assets = 13 [deprecated = true];
168
169  // One related asset of the current asset.
170  RelatedAsset related_asset = 15;
171
172  // The ancestry path of an asset in Google Cloud [resource
173  // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
174  // represented as a list of relative resource names. An ancestry path starts
175  // with the closest ancestor in the hierarchy and ends at root. If the asset
176  // is a project, folder, or organization, the ancestry path starts from the
177  // asset itself.
178  //
179  // Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
180  repeated string ancestors = 10;
181}
182
183// A representation of a Google Cloud resource.
184message Resource {
185  // The API version. Example: `v1`
186  string version = 1;
187
188  // The URL of the discovery document containing the resource's JSON schema.
189  // Example:
190  // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
191  //
192  // This value is unspecified for resources that do not have an API based on a
193  // discovery document, such as Cloud Bigtable.
194  string discovery_document_uri = 2;
195
196  // The JSON schema name listed in the discovery document. Example:
197  // `Project`
198  //
199  // This value is unspecified for resources that do not have an API based on a
200  // discovery document, such as Cloud Bigtable.
201  string discovery_name = 3;
202
203  // The REST URL for accessing the resource. An HTTP `GET` request using this
204  // URL returns the resource itself. Example:
205  // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
206  //
207  // This value is unspecified for resources without a REST API.
208  string resource_url = 4;
209
210  // The full name of the immediate parent of this resource. See
211  // [Resource
212  // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
213  // for more information.
214  //
215  // For Google Cloud assets, this value is the parent resource defined in the
216  // [IAM policy
217  // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
218  // Example:
219  // `//cloudresourcemanager.googleapis.com/projects/my_project_123`
220  string parent = 5;
221
222  // The content of the resource, in which some sensitive fields are removed
223  // and may not be present.
224  google.protobuf.Struct data = 6;
225
226  // The location of the resource in Google Cloud, such as its zone and region.
227  // For more information, see https://cloud.google.com/about/locations/.
228  string location = 8;
229}
230
231// DEPRECATED. This message only presents for the purpose of
232// backward-compatibility. The server will never populate this message in
233// responses.
234// The detailed related assets with the `relationship_type`.
235message RelatedAssets {
236  option deprecated = true;
237
238  // The detailed relationship attributes.
239  RelationshipAttributes relationship_attributes = 1;
240
241  // The peer resources of the relationship.
242  repeated RelatedAsset assets = 2;
243}
244
245// DEPRECATED. This message only presents for the purpose of
246// backward-compatibility. The server will never populate this message in
247// responses.
248// The relationship attributes which include  `type`, `source_resource_type`,
249// `target_resource_type` and `action`.
250message RelationshipAttributes {
251  option deprecated = true;
252
253  // The unique identifier of the relationship type. Example:
254  // `INSTANCE_TO_INSTANCEGROUP`
255  string type = 4;
256
257  // The source asset type. Example: `compute.googleapis.com/Instance`
258  string source_resource_type = 1;
259
260  // The target asset type. Example: `compute.googleapis.com/Disk`
261  string target_resource_type = 2;
262
263  // The detail of the relationship, e.g. `contains`, `attaches`
264  string action = 3;
265}
266
267// An asset identifier in Google Cloud which contains its name, type and
268// ancestors. An asset can be any resource in the Google Cloud [resource
269// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
270// a resource outside the Google Cloud resource hierarchy (such as Google
271// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy).
272// See [Supported asset
273// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
274// for more information.
275message RelatedAsset {
276  // The full name of the asset. Example:
277  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
278  //
279  // See [Resource
280  // names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
281  // for more information.
282  string asset = 1 [(google.api.resource_reference) = {
283    type: "cloudasset.googleapis.com/Asset"
284  }];
285
286  // The type of the asset. Example: `compute.googleapis.com/Disk`
287  //
288  // See [Supported asset
289  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
290  // for more information.
291  string asset_type = 2;
292
293  // The ancestors of an asset in Google Cloud [resource
294  // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
295  // represented as a list of relative resource names. An ancestry path starts
296  // with the closest ancestor in the hierarchy and ends at root.
297  //
298  // Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
299  repeated string ancestors = 3;
300
301  // The unique identifier of the relationship type. Example:
302  // `INSTANCE_TO_INSTANCEGROUP`
303  string relationship_type = 4;
304}
305
// The key and value for a
// [tag](https://cloud.google.com/resource-manager/docs/tags/tags-overview).
//
// Each tag is carried in two forms: a human-readable namespaced name
// (`tag_key`, `tag_value`) and an opaque ID (`tag_key_id`, `tag_value_id`).
// All four fields are `optional`, so a consumer can distinguish "not provided"
// from an empty string. NOTE(review): prefer the `*_id` forms for matching in
// policy or authorization logic if namespaced short names can be renamed;
// confirm with the Tags documentation.
message Tag {
  // TagKey namespaced name, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}.
  optional string tag_key = 1;

  // TagKey ID, in the format of tagKeys/{TAG_KEY_ID}.
  optional string tag_key_id = 2;

  // TagValue namespaced name, in the format of
  // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}.
  optional string tag_value = 3;

  // TagValue ID, in the format of tagValues/{TAG_VALUE_ID}.
  optional string tag_value_id = 4;
}
322
// The effective tags and the ancestor resources from which they were inherited.
//
// One instance describes the tags contributed by a single ancestor
// (`attached_resource`); a resource's full effective tag set is the collection
// of these across its ancestry, after the overwrite rule described on
// `effective_tags` has been applied.
message EffectiveTagDetails {
  // The [full resource
  // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // of the ancestor from which an
  // [effective_tags][google.cloud.asset.v1.EffectiveTagDetails.effective_tags]
  // entry is inherited, according to [tag
  // inheritance](https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance).
  optional string attached_resource = 1;

  // The effective tags inherited from the
  // [attached_resource][google.cloud.asset.v1.EffectiveTagDetails.attached_resource].
  // Note that tags with the same key but different values may attach to
  // resources at different hierarchy levels. The lower hierarchy tag value
  // will overwrite the higher hierarchy tag value of the same tag key. In this
  // case, the tag value at the higher hierarchy level will be removed. For more
  // information, see [tag
  // inheritance](https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance).
  //
  // Consequence for policy checks: a tag value set at the organization level
  // is not guaranteed to be in effect on a descendant, because a lower-level
  // binding of the same key replaces it. Evaluate the effective set, not the
  // binding at any one level.
  repeated Tag effective_tags = 2;
}
342
// A result of Resource Search, containing information of a cloud resource.
// Next ID: 34
//
// Most fields are only populated when the underlying resource's own Protobuf
// carries the corresponding data, so a consumer must treat an empty string,
// empty list or absent message as "not available for this type" rather than
// as a definite negative. Several fields (`kms_key`, `tag_keys`, `tag_values`,
// `tag_value_ids`) are kept only for backward compatibility and have a
// non-deprecated replacement named in their comments.
message ResourceSearchResult {
  // The full resource name of this resource. Example:
  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
  // See [Cloud Asset Inventory Resource Name
  // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // for more information.
  //
  // To search against the `name`:
  //
  // * Use a field query. Example: `name:instance1`
  // * Use a free text query. Example: `instance1`
  string name = 1;

  // The type of this resource. Example: `compute.googleapis.com/Disk`.
  //
  // To search against the `asset_type`:
  //
  // * Specify the `asset_type` field in your search request.
  string asset_type = 2;

  // The project that this resource belongs to, in the form of
  // projects/{PROJECT_NUMBER}. This field is available when the resource
  // belongs to a project.
  //
  // To search against `project`:
  //
  // * Use a field query. Example: `project:12345`
  // * Use a free text query. Example: `12345`
  // * Specify the `scope` field as this project in your search request.
  string project = 3;

  // The folder(s) that this resource belongs to, in the form of
  // folders/{FOLDER_NUMBER}. This field is available when the resource
  // belongs to one or more folders.
  //
  // To search against `folders`:
  //
  // * Use a field query. Example: `folders:(123 OR 456)`
  // * Use a free text query. Example: `123`
  // * Specify the `scope` field as this folder in your search request.
  repeated string folders = 17;

  // The organization that this resource belongs to, in the form of
  // organizations/{ORGANIZATION_NUMBER}. This field is available when the
  // resource belongs to an organization.
  //
  // To search against `organization`:
  //
  // * Use a field query. Example: `organization:123`
  // * Use a free text query. Example: `123`
  // * Specify the `scope` field as this organization in your search request.
  string organization = 18;

  // The display name of this resource. This field is available only when the
  // resource's Protobuf contains it.
  //
  // To search against the `display_name`:
  //
  // * Use a field query. Example: `displayName:"My Instance"`
  // * Use a free text query. Example: `"My Instance"`
  //
  // NOTE(review): display names are set by whoever manages the resource;
  // treat them as untrusted text when rendering them or splicing them into
  // further queries.
  string display_name = 4;

  // One or more paragraphs of text description of this resource. Maximum length
  // can be up to 1M bytes. This field is available only when the resource's
  // Protobuf contains it.
  //
  // To search against the `description`:
  //
  // * Use a field query. Example: `description:"important instance"`
  // * Use a free text query. Example: `"important instance"`
  //
  // Like `display_name`, this is free-form text supplied by the resource's
  // owner and can be large; escape it when rendering and bound what you log.
  string description = 5;

  // Location can be `global`, regional like `us-east1`, or zonal like
  // `us-west1-b`. This field is available only when the resource's Protobuf
  // contains it.
  //
  // To search against the `location`:
  //
  // * Use a field query. Example: `location:us-west*`
  // * Use a free text query. Example: `us-west*`
  string location = 6;

  // Labels associated with this resource. See [Labelling and grouping Google
  // Cloud
  // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
  // for more information. This field is available only when the resource's
  // Protobuf contains it.
  //
  // To search against the `labels`:
  //
  // * Use a field query:
  //     - query on any label's key or value. Example: `labels:prod`
  //     - query by a given label. Example: `labels.env:prod`
  //     - query by a given label's existence. Example: `labels.env:*`
  // * Use a free text query. Example: `prod`
  //
  // Map iteration order is undefined; do not depend on it. Label keys and
  // values are user-assigned metadata, not an enforced classification.
  map<string, string> labels = 7;

  // Network tags associated with this resource. Like labels, network tags are a
  // type of annotations used to group Google Cloud resources. See [Labelling
  // Google Cloud
  // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
  // for more information. This field is available only when the resource's
  // Protobuf contains it.
  //
  // To search against the `network_tags`:
  //
  // * Use a field query. Example: `networkTags:internal`
  // * Use a free text query. Example: `internal`
  repeated string network_tags = 8;

  // The Cloud KMS
  // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
  // name or
  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
  // name.
  //
  // This field is only present for backward compatibility.
  // Use the `kms_keys` field to retrieve Cloud KMS key information. This field
  // is available only when the resource's Protobuf contains it and will only be
  // populated for [these resource
  // types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field)
  // for backward compatible purposes.
  //
  // To search against the `kms_key`:
  //
  // * Use a field query. Example: `kmsKey:key`
  // * Use a free text query. Example: `key`
  //
  // Audit note: because this is populated only for a subset of resource types,
  // an empty value here does not mean the resource is not using a
  // customer-managed key. CMEK coverage checks must read `kms_keys`.
  string kms_key = 10 [deprecated = true];

  // The Cloud KMS
  // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
  // names or
  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
  // names. This field is available only when the resource's Protobuf contains
  // it.
  //
  // To search against the `kms_keys`:
  //
  // * Use a field query. Example: `kmsKeys:key`
  // * Use a free text query. Example: `key`
  //
  // Entries may be either a key name or a key-version name; normalise before
  // comparing against an expected key.
  repeated string kms_keys = 28;

  // The create timestamp of this resource, at which the resource was created.
  // The granularity is in seconds. Timestamp.nanos will always be 0. This field
  // is available only when the resource's Protobuf contains it.
  //
  // To search against `create_time`:
  //
  // * Use a field query.
  //     - value in seconds since unix epoch. Example: `createTime > 1609459200`
  //     - value in date string. Example: `createTime > 2021-01-01`
  //     - value in date-time string (must be quoted). Example: `createTime >
  //     "2021-01-01T00:00:00"`
  google.protobuf.Timestamp create_time = 11;

  // The last update timestamp of this resource, at which the resource was last
  // modified or deleted. The granularity is in seconds. Timestamp.nanos will
  // always be 0. This field is available only when the resource's Protobuf
  // contains it.
  //
  // To search against `update_time`:
  //
  // * Use a field query.
  //     - value in seconds since unix epoch. Example: `updateTime < 1609459200`
  //     - value in date string. Example: `updateTime < 2021-01-01`
  //     - value in date-time string (must be quoted). Example: `updateTime <
  //     "2021-01-01T00:00:00"`
  google.protobuf.Timestamp update_time = 12;

  // The state of this resource. Different resources types have different state
  // definitions that are mapped from various fields of different resource
  // types. This field is available only when the resource's Protobuf contains
  // it.
  //
  // Example:
  // If the resource is an instance provided by Compute Engine,
  // its state will include PROVISIONING, STAGING, RUNNING, STOPPING,
  // SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See `status` definition
  // in [API
  // Reference](https://cloud.google.com/compute/docs/reference/rest/v1/instances).
  // If the resource is a project provided by Resource Manager, its state
  // will include LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and
  // DELETE_IN_PROGRESS. See `lifecycleState` definition in [API
  // Reference](https://cloud.google.com/resource-manager/reference/rest/v1/projects).
  //
  // To search against the `state`:
  //
  // * Use a field query. Example: `state:RUNNING`
  // * Use a free text query. Example: `RUNNING`
  //
  // The vocabulary is per asset type, so any interpretation of this string
  // must be keyed on `asset_type`.
  string state = 13;

  // The additional searchable attributes of this resource. The attributes may
  // vary from one resource type to another. Examples: `projectId` for Project,
  // `dnsName` for DNS ManagedZone. This field contains a subset of the resource
  // metadata fields that are returned by the List or Get APIs provided by the
  // corresponding Google Cloud service (e.g., Compute Engine). See [API
  // references and supported searchable
  // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
  // to see which fields are included.
  //
  // You can search values of these fields through free text search. However,
  // you should not consume the field programmatically as the field names and
  // values may change as the Google Cloud service updates to a new incompatible
  // API version.
  //
  // To search against the `additional_attributes`:
  //
  // * Use a free text query to match the attributes values. Example: to search
  //   `additional_attributes = { dnsName: "foobar" }`, you can issue a query
  //   `foobar`.
  google.protobuf.Struct additional_attributes = 9;

  // The full resource name of this resource's parent, if it has one.
  // To search against the `parent_full_resource_name`:
  //
  // * Use a field query. Example:
  // `parentFullResourceName:"project-name"`
  // * Use a free text query. Example:
  // `project-name`
  string parent_full_resource_name = 19;

  // Versioned resource representations of this resource. This is repeated
  // because there could be multiple versions of resource representations during
  // version migration.
  //
  // This `versioned_resources` field is not searchable. Some attributes of the
  // resource representations are exposed in `additional_attributes` field, so
  // as to allow users to search on them.
  //
  // Each entry is the service's own JSON for one API version; consumers
  // should pick the entry whose `version` they understand rather than the
  // first one.
  repeated VersionedResource versioned_resources = 16;

  // Attached resources of this resource. For example, an OSConfig
  // Inventory is an attached resource of a Compute Instance. This field is
  // repeated because a resource could have multiple attached resources.
  //
  // This `attached_resources` field is not searchable. Some attributes
  // of the attached resources are exposed in `additional_attributes` field, so
  // as to allow users to search on them.
  repeated AttachedResource attached_resources = 20;

  // A map of related resources of this resource, keyed by the
  // relationship type. A relationship type is in the format of
  // {SourceType}_{ACTION}_{DestType}. Example: `DISK_TO_INSTANCE`,
  // `DISK_TO_NETWORK`, `INSTANCE_TO_INSTANCEGROUP`.
  // See [supported relationship
  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_relationship_types).
  //
  // Map iteration order is undefined.
  map<string, RelatedResources> relationships = 21;

  // This field is only present for the purpose of backward compatibility.
  // Use the `tags` field instead.
  //
  // TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}.
  // To search against the `tagKeys`:
  //
  // * Use a field query. Example:
  //     - `tagKeys:"123456789/env*"`
  //     - `tagKeys="123456789/env"`
  //     - `tagKeys:"env"`
  //
  // * Use a free text query. Example:
  //     - `env`
  repeated string tag_keys = 23 [deprecated = true];

  // This field is only present for the purpose of backward compatibility.
  // Use the `tags` field instead.
  //
  // TagValue namespaced names, in the format of
  // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}.
  // To search against the `tagValues`:
  //
  // * Use a field query. Example:
  //     - `tagValues:"env"`
  //     - `tagValues:"env/prod"`
  //     - `tagValues:"123456789/env/prod*"`
  //     - `tagValues="123456789/env/prod"`
  //
  // * Use a free text query. Example:
  //     - `prod`
  repeated string tag_values = 25 [deprecated = true];

  // This field is only present for the purpose of backward compatibility.
  // Use the `tags` field instead.
  //
  // TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}.
  // To search against the `tagValueIds`:
  //
  // * Use a field query. Example:
  //     - `tagValueIds="tagValues/456"`
  //
  // * Use a free text query. Example:
  //     - `456`
  //
  // Note that the three legacy lists (`tag_keys`, `tag_values`,
  // `tag_value_ids`) are parallel arrays meant to be zipped by index; `tags`
  // carries the same data as one message per tag and is the form to consume.
  repeated string tag_value_ids = 26 [deprecated = true];

  // The tags directly attached to this resource.
  //
  // To search against the `tags`:
  //
  // * Use a field query. Example:
  //     - `tagKeys:"123456789/env*"`
  //     - `tagKeys="123456789/env"`
  //     - `tagKeys:"env"`
  //     - `tagKeyIds="tagKeys/123"`
  //     - `tagValues:"env"`
  //     - `tagValues:"env/prod"`
  //     - `tagValues:"123456789/env/prod*"`
  //     - `tagValues="123456789/env/prod"`
  //     - `tagValueIds="tagValues/456"`
  //
  // * Use a free text query. Example:
  //     - `env/prod`
  //
  // "Directly attached" excludes inherited tags; a policy decision that should
  // honour inheritance must look at `effective_tags` instead.
  repeated Tag tags = 29;

  // The effective tags on this resource. All of the tags that are both attached
  // to and inherited by a resource are collectively called the effective
  // tags. For more information, see [tag
  // inheritance](https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance).
  //
  // To search against the `effective_tags`:
  //
  // * Use a field query. Example:
  //     - `effectiveTagKeys:"123456789/env*"`
  //     - `effectiveTagKeys="123456789/env"`
  //     - `effectiveTagKeys:"env"`
  //     - `effectiveTagKeyIds="tagKeys/123"`
  //     - `effectiveTagValues:"env"`
  //     - `effectiveTagValues:"env/prod"`
  //     - `effectiveTagValues:"123456789/env/prod*"`
  //     - `effectiveTagValues="123456789/env/prod"`
  //     - `effectiveTagValueIds="tagValues/456"`
  repeated EffectiveTagDetails effective_tags = 30;

  // The type of this resource's immediate parent, if there is one.
  //
  // To search against the `parent_asset_type`:
  //
  // * Use a field query. Example:
  // `parentAssetType:"cloudresourcemanager.googleapis.com/Project"`
  // * Use a free text query. Example:
  // `cloudresourcemanager.googleapis.com/Project`
  string parent_asset_type = 103;

  // The actual content of Security Command Center security marks associated
  // with the asset.
  //
  //
  // To search against SCC SecurityMarks field:
  //
  //   * Use a field query:
  //     - query by a given key value pair. Example: `sccSecurityMarks.foo=bar`
  //     - query by a given key's existence. Example: `sccSecurityMarks.foo:*`
  //
  // These are free-form key/value annotations; NOTE(review): presumably they
  // are written by SCC users and are not an enforced control, so do not treat
  // the presence of a mark as proof that the asset has been reviewed or
  // remediated. Map iteration order is undefined.
  map<string, string> scc_security_marks = 32;
}
696
// Resource representation as defined by the corresponding service providing the
// resource for a given API version.
//
// `version` tells the consumer which schema `resource` follows; the two must be
// read together, since the same resource can appear more than once with
// different versions during a version migration.
message VersionedResource {
  // API version of the resource.
  //
  // Example:
  // If the resource is an instance provided by Compute Engine v1 API as defined
  // in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`,
  // version will be "v1".
  string version = 1;

  // JSON representation of the resource as defined by the corresponding
  // service providing this resource.
  //
  // Example:
  // If the resource is an instance provided by Compute Engine, this field will
  // contain the JSON representation of the instance as defined by Compute
  // Engine:
  // `https://cloud.google.com/compute/docs/reference/rest/v1/instances`.
  //
  // You can find the resource definition for each supported resource type in
  // this table:
  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types`
  //
  // This is an untyped Struct: key names and value shapes are owned by the
  // providing service and may change with `version`, so consumers should
  // validate the fields they read rather than assume them.
  google.protobuf.Struct resource = 2;
}
722
// Attached resource representation, which is defined by the corresponding
// service provider. It represents an attached resource's payload.
//
// An attached resource is data that belongs to another service but is
// associated with the primary resource (the example in
// `ResourceSearchResult.attached_resources` is an OSConfig Inventory on a
// Compute Instance).
message AttachedResource {
  // The type of this attached resource.
  //
  // Example: `osconfig.googleapis.com/Inventory`
  //
  // You can find the supported attached asset types of each resource in this
  // table:
  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types`
  string asset_type = 1;

  // Versioned resource representations of this attached resource. This is
  // repeated because there could be multiple versions of the attached resource
  // representations during version migration.
  //
  // NOTE(review): field number 2 is skipped in this message and is not
  // `reserved`; confirm whether it was retired before it is ever reassigned.
  repeated VersionedResource versioned_resources = 3;
}
740
// The related resources of the primary resource.
//
// Wrapper message so that a list can be used as a map value in
// `ResourceSearchResult.relationships` (map values cannot be `repeated`
// directly).
message RelatedResources {
  // The detailed related resources of the primary resource.
  repeated RelatedResource related_resources = 1;
}
746
// The detailed related resource.
//
// Identifies one resource related to a primary resource by its asset type and
// its full resource name.
message RelatedResource {
  // The type of the asset. Example: `compute.googleapis.com/Instance`
  string asset_type = 1;

  // The full resource name of the related resource. Example:
  // `//compute.googleapis.com/projects/my_proj_123/zones/instance/instance123`
  // See
  // `https://cloud.google.com/asset-inventory/docs/resource-name-format`
  // for the name format.
  string full_resource_name = 2;
}
756
// A result of IAM Policy search, containing information of an IAM policy.
//
// Each result describes one IAM policy attached to one resource, together with
// the resource hierarchy it sits in (project, folders, organization) and an
// optional explanation of why the result matched the query.
message IamPolicySearchResult {
  // Explanation about the IAM policy search result.
  message Explanation {
    // IAM permissions
    message Permissions {
      // A list of permissions. A sample permission string: `compute.disk.get`.
      repeated string permissions = 1;
    }

    // The map from roles to their included permissions that match the
    // permission query (i.e., a query containing `policy.role.permissions:`).
    // Example: if query `policy.role.permissions:compute.disk.get`
    // matches a policy binding that contains owner role, the
    // matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The
    // roles can also be found in the returned `policy` bindings. Note that the
    // map is populated only for requests with permission queries.
    //
    // Map iteration order is not defined; do not rely on it.
    map<string, Permissions> matched_permissions = 1;
  }

  // The full resource name of the resource associated with this IAM policy.
  // Example:
  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
  // See [Cloud Asset Inventory Resource Name
  // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // for more information.
  //
  // To search against the `resource`:
  //
  // * use a field query. Example: `resource:organizations/123`
  string resource = 1;

  // The type of the resource associated with this IAM policy. Example:
  // `compute.googleapis.com/Disk`.
  //
  // To search against the `asset_type`:
  //
  // * specify the `asset_types` field in your search request.
  string asset_type = 5;

  // The project that the associated Google Cloud resource belongs to, in the
  // form of projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource
  // (like VM instance, Cloud Storage bucket), the project field will indicate
  // the project that contains the resource. If an IAM policy is set on a folder
  // or organization, this field will be empty.
  //
  // To search against the `project`:
  //
  // * specify the `scope` field as this project in your search request.
  string project = 2;

  // The folder(s) that the IAM policy belongs to, in the form of
  // folders/{FOLDER_NUMBER}. This field is available when the IAM policy
  // belongs to one or more folders.
  //
  // To search against `folders`:
  //
  // * use a field query. Example: `folders:(123 OR 456)`
  // * use a free text query. Example: `123`
  // * specify the `scope` field as this folder in your search request.
  repeated string folders = 6;

  // The organization that the IAM policy belongs to, in the form
  // of organizations/{ORGANIZATION_NUMBER}. This field is available when the
  // IAM policy belongs to an organization.
  //
  // To search against `organization`:
  //
  // * use a field query. Example: `organization:123`
  // * use a free text query. Example: `123`
  // * specify the `scope` field as this organization in your search request.
  string organization = 7;

  // The IAM policy directly set on the given resource. Note that the original
  // IAM policy can contain multiple bindings. This only contains the bindings
  // that match the given query. For queries that don't contain a constraint on
  // policies (e.g., an empty query), this contains all the bindings.
  //
  // Because bindings that do not match the query are omitted, this field is a
  // filtered view of the policy and should not be treated as the complete
  // policy unless the query placed no constraint on policies.
  //
  // To search against the `policy` bindings:
  //
  // * use a field query:
  //     - query by the policy contained members. Example:
  //       `policy:{MEMBER_EMAIL}`
  //     - query by the policy contained roles. Example:
  //       `policy:roles/compute.admin`
  //     - query by the policy contained roles' included permissions. Example:
  //       `policy.role.permissions:compute.instances.create`
  google.iam.v1.Policy policy = 3;

  // Explanation about the IAM policy search result. It contains additional
  // information to explain why the search result matches the query.
  Explanation explanation = 4;
}
850
// Represents the detailed state of an entity under analysis, such as a
// resource, an identity or an access.
//
// Carried on each `Resource`, `Access` and `Identity` in an
// `IamPolicyAnalysisResult` so callers can tell whether that particular entity
// was analyzed successfully.
message IamPolicyAnalysisState {
  // The Google standard error code that best describes the state.
  // For example:
  // - OK means the analysis on this entity has been successfully finished;
  // - PERMISSION_DENIED means an access denied error is encountered;
  // - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
  // in time;
  //
  // Any code other than OK indicates the analysis of this entity did not
  // complete; `cause` describes why.
  google.rpc.Code code = 1;

  // The human-readable description of the cause of failure. Intended for
  // display/diagnostics, not for programmatic matching; use `code` for that.
  string cause = 2;
}
865
// The condition evaluation.
//
// Result of evaluating the IAM condition expression attached to a policy
// binding during policy analysis.
message ConditionEvaluation {
  // Value of this expression.
  //
  // NOTE(review): these values are not prefixed with the enum name
  // (`EVALUATION_VALUE_*`). Because protobuf enum values share scope with
  // their enclosing message in C++, and `TRUE`/`FALSE` are commonly defined
  // as macros in C headers, unprefixed names risk collisions in generated
  // code. The names cannot be changed now without breaking the JSON/text
  // representation of a published API, so this is recorded for awareness only.
  enum EvaluationValue {
    // Reserved for future use.
    EVALUATION_VALUE_UNSPECIFIED = 0;

    // The evaluation result is `true`.
    TRUE = 1;

    // The evaluation result is `false`.
    FALSE = 2;

    // The evaluation result is `conditional` when the condition expression
    // contains variables that are either missing input values or have not been
    // supported by Policy Analyzer yet.
    CONDITIONAL = 3;
  }

  // The evaluation result. Receivers should tolerate values not listed above,
  // since unknown enum values are preserved by proto3 and new values may be
  // added.
  EvaluationValue evaluation_value = 1;
}
888
// IAM Policy analysis result, consisting of one IAM policy binding and derived
// access control lists.
//
// The binding under analysis is `iam_binding`, attached to
// `attached_resource_full_name`. From it, the analyzer derives
// `access_control_lists` (resources x accesses) and `identity_list`
// (members and group expansion). `fully_explored` reports whether all of that
// derivation finished.
message IamPolicyAnalysisResult {
  // A Google Cloud resource under analysis.
  message Resource {
    // The [full resource
    // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
    string full_resource_name = 1;

    // The analysis state of this resource.
    IamPolicyAnalysisState analysis_state = 2;
  }

  // An IAM role or permission under analysis.
  message Access {
    // Exactly one of `role` or `permission` is set; setting one clears the
    // other.
    oneof oneof_access {
      // The role.
      string role = 1;

      // The permission.
      string permission = 2;
    }

    // The analysis state of this access.
    IamPolicyAnalysisState analysis_state = 3;
  }

  // An identity under analysis.
  message Identity {
    // The identity of members, formatted as appear in an
    // [IAM policy
    // binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
    // example, they might be formatted like the following:
    //
    // - user:{USER_EMAIL}
    // - group:{GROUP_EMAIL}
    // - serviceAccount:{SERVICE_ACCOUNT_EMAIL}
    // - projectOwner:some_project_id
    // - domain:google.com
    // - allUsers
    string name = 1;

    // The analysis state of this identity.
    IamPolicyAnalysisState analysis_state = 2;
  }

  // A directional edge.
  //
  // Used for both resource-hierarchy edges (`AccessControlList.resource_edges`)
  // and group-membership edges (`IdentityList.group_edges`); the node format
  // depends on which graph the edge belongs to.
  message Edge {
    // The source node of the edge. For example, it could be a full resource
    // name for a resource node or an email of an identity.
    string source_node = 1;

    // The target node of the edge. For example, it could be a full resource
    // name for a resource node or an email of an identity.
    string target_node = 2;
  }

  // An access control list, derived from the above IAM policy binding, which
  // contains a set of resources and accesses. May include one
  // item from each set to compose an access control entry.
  //
  // NOTICE that there could be multiple access control lists for one IAM policy
  // binding. The access control lists are created based on resource and access
  // combinations.
  //
  // For example, assume we have the following cases in one IAM policy binding:
  // - Permission P1 and P2 apply to resource R1 and R2;
  // - Permission P3 applies to resource R2 and R3;
  //
  // This will result in the following access control lists:
  // - AccessControlList 1: [R1, R2], [P1, P2]
  // - AccessControlList 2: [R2, R3], [P3]
  message AccessControlList {
    // The resources that match one of the following conditions:
    // - The resource_selector, if it is specified in request;
    // - Otherwise, resources reachable from the policy attached resource.
    repeated Resource resources = 1;

    // The accesses that match one of the following conditions:
    // - The access_selector, if it is specified in request;
    // - Otherwise, access specifiers reachable from the policy binding's role.
    repeated Access accesses = 2;

    // Resource edges of the graph starting from the policy attached
    // resource to any descendant resources. The
    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
    // contains the full resource name of a parent resource and
    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
    // contains the full resource name of a child resource. This field is
    // present only if the output_resource_edges option is enabled in request.
    repeated Edge resource_edges = 3;

    // Condition evaluation for this AccessControlList, if there is a condition
    // defined in the above IAM policy binding.
    //
    // Unset when the binding has no condition (message fields have explicit
    // presence). When set, an `evaluation_value` of `CONDITIONAL` means the
    // access in this list could not be resolved to a definite true/false.
    ConditionEvaluation condition_evaluation = 4;
  }

  // The identities and group edges.
  message IdentityList {
    // Only the identities that match one of the following conditions will be
    // presented:
    // - The identity_selector, if it is specified in request;
    // - Otherwise, identities reachable from the policy binding's members.
    repeated Identity identities = 1;

    // Group identity edges of the graph starting from the binding's
    // group members to any node of the
    // [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities].
    // The
    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
    // contains a group, such as `group:{GROUP_EMAIL}`. The
    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
    // contains a member of the group, such as `group:{SUBGROUP_EMAIL}` or
    // `user:{USER_EMAIL}`. This field is present only if the
    // output_group_edges option is enabled in request.
    repeated Edge group_edges = 2;
  }

  // The [full resource
  // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // of the resource to which the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // policy attaches.
  string attached_resource_full_name = 1;

  // The IAM policy binding under analysis.
  google.iam.v1.Binding iam_binding = 2;

  // The access control lists derived from the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match resource and access selectors specified in
  // the request.
  repeated AccessControlList access_control_lists = 3;

  // The identity list derived from members of the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match identity selector specified in the request.
  IdentityList identity_list = 4;

  // Represents whether all analyses on the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // have successfully finished.
  //
  // When this is false, the lists above may be incomplete; the per-entity
  // `analysis_state` fields indicate which resources, accesses or identities
  // were not fully analyzed. Callers deciding on the basis of this result
  // should check this flag first.
  bool fully_explored = 5;
}
1033