google-apis-cloudasset_v1 0.50.0 → 0.52.0

@@ -51,7 +51,7 @@ module Google
51
51
  end
52
52
 
53
53
  # Represents the metadata of the longrunning operation for the
54
- # AnalyzeIamPolicyLongrunning rpc.
54
+ # AnalyzeIamPolicyLongrunning RPC.
55
55
  class AnalyzeIamPolicyLongrunningMetadata
56
56
  include Google::Apis::Core::Hashable
57
57
 
@@ -164,7 +164,7 @@ module Google
164
164
  include Google::Apis::Core::Hashable
165
165
 
166
166
  # The list of analyses returned from performing the intended resource move
167
- # analysis. The analysis is grouped by different Cloud services.
167
+ # analysis. The analysis is grouped by different Google Cloud services.
168
168
  # Corresponds to the JSON property `moveAnalysis`
169
169
  # @return [Array<Google::Apis::CloudassetV1::MoveAnalysis>]
170
170
  attr_accessor :move_analysis
@@ -179,11 +179,193 @@ module Google
179
179
  end
180
180
  end
181
181
 
182
+ # The response message for AssetService.AnalyzeOrgPolicies.
183
+ class AnalyzeOrgPoliciesResponse
184
+ include Google::Apis::Core::Hashable
185
+
186
+ # The organization policy constraint definition.
187
+ # Corresponds to the JSON property `constraint`
188
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicyConstraint]
189
+ attr_accessor :constraint
190
+
191
+ # The page token to fetch the next page for AnalyzeOrgPoliciesResponse.
192
+ # org_policy_results.
193
+ # Corresponds to the JSON property `nextPageToken`
194
+ # @return [String]
195
+ attr_accessor :next_page_token
196
+
197
+ # The organization policies under the AnalyzeOrgPoliciesRequest.scope with the
198
+ # AnalyzeOrgPoliciesRequest.constraint.
199
+ # Corresponds to the JSON property `orgPolicyResults`
200
+ # @return [Array<Google::Apis::CloudassetV1::OrgPolicyResult>]
201
+ attr_accessor :org_policy_results
202
+
203
+ def initialize(**args)
204
+ update!(**args)
205
+ end
206
+
207
+ # Update properties of this object
208
+ def update!(**args)
209
+ @constraint = args[:constraint] if args.key?(:constraint)
210
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
211
+ @org_policy_results = args[:org_policy_results] if args.key?(:org_policy_results)
212
+ end
213
+ end
214
+
215
+ # The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.
216
+ class AnalyzeOrgPolicyGovernedAssetsResponse
217
+ include Google::Apis::Core::Hashable
218
+
219
+ # The organization policy constraint definition.
220
+ # Corresponds to the JSON property `constraint`
221
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicyConstraint]
222
+ attr_accessor :constraint
223
+
224
+ # The list of the analyzed governed assets.
225
+ # Corresponds to the JSON property `governedAssets`
226
+ # @return [Array<Google::Apis::CloudassetV1::GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedAsset>]
227
+ attr_accessor :governed_assets
228
+
229
+ # The page token to fetch the next page for
230
+ # AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets.
231
+ # Corresponds to the JSON property `nextPageToken`
232
+ # @return [String]
233
+ attr_accessor :next_page_token
234
+
235
+ def initialize(**args)
236
+ update!(**args)
237
+ end
238
+
239
+ # Update properties of this object
240
+ def update!(**args)
241
+ @constraint = args[:constraint] if args.key?(:constraint)
242
+ @governed_assets = args[:governed_assets] if args.key?(:governed_assets)
243
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
244
+ end
245
+ end
246
+
247
+ # The response message for AssetService.AnalyzeOrgPolicyGovernedContainers.
248
+ class AnalyzeOrgPolicyGovernedContainersResponse
249
+ include Google::Apis::Core::Hashable
250
+
251
+ # The organization policy constraint definition.
252
+ # Corresponds to the JSON property `constraint`
253
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicyConstraint]
254
+ attr_accessor :constraint
255
+
256
+ # The list of the analyzed governed containers.
257
+ # Corresponds to the JSON property `governedContainers`
258
+ # @return [Array<Google::Apis::CloudassetV1::GoogleCloudAssetV1GovernedContainer>]
259
+ attr_accessor :governed_containers
260
+
261
+ # The page token to fetch the next page for
262
+ # AnalyzeOrgPolicyGovernedContainersResponse.governed_containers.
263
+ # Corresponds to the JSON property `nextPageToken`
264
+ # @return [String]
265
+ attr_accessor :next_page_token
266
+
267
+ def initialize(**args)
268
+ update!(**args)
269
+ end
270
+
271
+ # Update properties of this object
272
+ def update!(**args)
273
+ @constraint = args[:constraint] if args.key?(:constraint)
274
+ @governed_containers = args[:governed_containers] if args.key?(:governed_containers)
275
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
276
+ end
277
+ end
278
+
279
+ # This organization policy message is a modified version of the one defined in
280
+ # the Organization Policy system. This message contains several fields defined
281
+ # in the original organization policy with some new fields for analysis purpose.
282
+ class AnalyzerOrgPolicy
283
+ include Google::Apis::Core::Hashable
284
+
285
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
286
+ # resource-name-format) of an organization/folder/project resource where this
287
+ # organization policy applies to. For any user defined org policies, this field
288
+ # has the same value as the [attached_resource] field. Only for default policy,
289
+ # this field has the different value.
290
+ # Corresponds to the JSON property `appliedResource`
291
+ # @return [String]
292
+ attr_accessor :applied_resource
293
+
294
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
295
+ # resource-name-format) of an organization/folder/project resource where this
296
+ # organization policy is set. Notice that some type of constraints are defined
297
+ # with default policy. This field will be empty for them.
298
+ # Corresponds to the JSON property `attachedResource`
299
+ # @return [String]
300
+ attr_accessor :attached_resource
301
+
302
+ # If `inherit_from_parent` is true, Rules set higher up in the hierarchy (up to
303
+ # the closest root) are inherited and present in the effective policy. If it is
304
+ # false, then no rules are inherited, and this policy becomes the effective root
305
+ # for evaluation.
306
+ # Corresponds to the JSON property `inheritFromParent`
307
+ # @return [Boolean]
308
+ attr_accessor :inherit_from_parent
309
+ alias_method :inherit_from_parent?, :inherit_from_parent
310
+
311
+ # Ignores policies set above this resource and restores the default behavior of
312
+ # the constraint at this resource. This field can be set in policies for either
313
+ # list or boolean constraints. If set, `rules` must be empty and `
314
+ # inherit_from_parent` must be set to false.
315
+ # Corresponds to the JSON property `reset`
316
+ # @return [Boolean]
317
+ attr_accessor :reset
318
+ alias_method :reset?, :reset
319
+
320
+ # List of rules for this organization policy.
321
+ # Corresponds to the JSON property `rules`
322
+ # @return [Array<Google::Apis::CloudassetV1::GoogleCloudAssetV1Rule>]
323
+ attr_accessor :rules
324
+
325
+ def initialize(**args)
326
+ update!(**args)
327
+ end
328
+
329
+ # Update properties of this object
330
+ def update!(**args)
331
+ @applied_resource = args[:applied_resource] if args.key?(:applied_resource)
332
+ @attached_resource = args[:attached_resource] if args.key?(:attached_resource)
333
+ @inherit_from_parent = args[:inherit_from_parent] if args.key?(:inherit_from_parent)
334
+ @reset = args[:reset] if args.key?(:reset)
335
+ @rules = args[:rules] if args.key?(:rules)
336
+ end
337
+ end
338
+
339
+ # The organization policy constraint definition.
340
+ class AnalyzerOrgPolicyConstraint
341
+ include Google::Apis::Core::Hashable
342
+
343
+ # The definition of a custom constraint.
344
+ # Corresponds to the JSON property `customConstraint`
345
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1CustomConstraint]
346
+ attr_accessor :custom_constraint
347
+
348
+ # The definition of a constraint.
349
+ # Corresponds to the JSON property `googleDefinedConstraint`
350
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1Constraint]
351
+ attr_accessor :google_defined_constraint
352
+
353
+ def initialize(**args)
354
+ update!(**args)
355
+ end
356
+
357
+ # Update properties of this object
358
+ def update!(**args)
359
+ @custom_constraint = args[:custom_constraint] if args.key?(:custom_constraint)
360
+ @google_defined_constraint = args[:google_defined_constraint] if args.key?(:google_defined_constraint)
361
+ end
362
+ end
363
+
182
364
  # An asset in Google Cloud. An asset can be any resource in the Google Cloud [
183
365
  # resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-
184
366
  # platform-resource-hierarchy), a resource outside the Google Cloud resource
185
367
  # hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy
186
- # (e.g. Cloud IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
368
+ # (e.g. IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
187
369
  # relationship). See [Supported asset types](https://cloud.google.com/asset-
188
370
  # inventory/docs/supported-asset-types) for more information.
189
371
  class Asset
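Review bot: `inherit_from_parent?` and `reset?` in AnalyzerOrgPolicy are plain aliases of the attribute readers, and `update!` assigns a field only when its key is passed, so both predicates return nil rather than false whenever the field was not supplied. Code that audits policies with a strict comparison such as `policy.inherit_from_parent? == false` would then skip a policy whose field is simply absent; whether the service omits false values from its responses is not visible in this diff. I would document this on both attributes, for example `# Returns nil (not false) when the field is absent; test truthiness, not == false.` The same pattern appears for `supports_in?`/`supports_under?` in GoogleCloudAssetV1ListConstraint and for `allow_all?` in GoogleCloudAssetV1Rule in later hunks.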
@@ -282,9 +464,9 @@ module Google
282
464
  # ancestors. An asset can be any resource in the Google Cloud [resource
283
465
  # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-
284
466
  # resource-hierarchy), a resource outside the Google Cloud resource hierarchy (
285
- # such as Google Kubernetes Engine clusters and objects), or a policy (e.g.
286
- # Cloud IAM policy). See [Supported asset types](https://cloud.google.com/asset-
287
- # inventory/docs/supported-asset-types) for more information.
467
+ # such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM
468
+ # policy). See [Supported asset types](https://cloud.google.com/asset-inventory/
469
+ # docs/supported-asset-types) for more information.
288
470
  # Corresponds to the JSON property `relatedAsset`
289
471
  # @return [Google::Apis::CloudassetV1::RelatedAsset]
290
472
  attr_accessor :related_asset
@@ -1063,7 +1245,7 @@ module Google
1063
1245
  class GcsDestination
1064
1246
  include Google::Apis::Core::Hashable
1065
1247
 
1066
- # The uri of the Cloud Storage object. It's the same uri that is used by gsutil.
1248
+ # The URI of the Cloud Storage object. It's the same URI that is used by gsutil.
1067
1249
  # Example: "gs://bucket_name/object_name". See [Viewing and Editing Object
1068
1250
  # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) for
1069
1251
  # more information. If the specified Cloud Storage object already exists and
@@ -1073,8 +1255,8 @@ module Google
1073
1255
  # @return [String]
1074
1256
  attr_accessor :uri
1075
1257
 
1076
- # The uri prefix of all generated Cloud Storage objects. Example: "gs://
1077
- # bucket_name/object_name_prefix". Each object uri is in format: "gs://
1258
+ # The URI prefix of all generated Cloud Storage objects. Example: "gs://
1259
+ # bucket_name/object_name_prefix". Each object URI is in format: "gs://
1078
1260
  # bucket_name/object_name_prefix// and only contains assets for that type.
1079
1261
  # starts from 0. Example: "gs://bucket_name/object_name_prefix/compute.
1080
1262
  # googleapis.com/Disk/0" is the first shard of output objects containing all
@@ -1181,6 +1363,184 @@ module Google
1181
1363
  end
1182
1364
  end
1183
1365
 
1366
+ # Represents a Google Cloud asset(resource or IAM policy) governed by the
1367
+ # organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
1368
+ class GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedAsset
1369
+ include Google::Apis::Core::Hashable
1370
+
1371
+ # This organization policy message is a modified version of the one defined in
1372
+ # the Organization Policy system. This message contains several fields defined
1373
+ # in the original organization policy with some new fields for analysis purpose.
1374
+ # Corresponds to the JSON property `consolidatedPolicy`
1375
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicy]
1376
+ attr_accessor :consolidated_policy
1377
+
1378
+ # The IAM policies governed by the organization policies of the
1379
+ # AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
1380
+ # Corresponds to the JSON property `governedIamPolicy`
1381
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy]
1382
+ attr_accessor :governed_iam_policy
1383
+
1384
+ # The Google Cloud resources governed by the organization policies of the
1385
+ # AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
1386
+ # Corresponds to the JSON property `governedResource`
1387
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedResource]
1388
+ attr_accessor :governed_resource
1389
+
1390
+ # The ordered list of all organization policies from the
1391
+ # AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.
1392
+ # attached_resource to the scope specified in the request. If the constraint is
1393
+ # defined with default policy, it will also appear in the list.
1394
+ # Corresponds to the JSON property `policyBundle`
1395
+ # @return [Array<Google::Apis::CloudassetV1::AnalyzerOrgPolicy>]
1396
+ attr_accessor :policy_bundle
1397
+
1398
+ def initialize(**args)
1399
+ update!(**args)
1400
+ end
1401
+
1402
+ # Update properties of this object
1403
+ def update!(**args)
1404
+ @consolidated_policy = args[:consolidated_policy] if args.key?(:consolidated_policy)
1405
+ @governed_iam_policy = args[:governed_iam_policy] if args.key?(:governed_iam_policy)
1406
+ @governed_resource = args[:governed_resource] if args.key?(:governed_resource)
1407
+ @policy_bundle = args[:policy_bundle] if args.key?(:policy_bundle)
1408
+ end
1409
+ end
1410
+
1411
+ # The IAM policies governed by the organization policies of the
1412
+ # AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
1413
+ class GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy
1414
+ include Google::Apis::Core::Hashable
1415
+
1416
+ # The full resource name of the resource associated with this IAM policy.
1417
+ # Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/
1418
+ # instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://
1419
+ # cloud.google.com/asset-inventory/docs/resource-name-format) for more
1420
+ # information.
1421
+ # Corresponds to the JSON property `attachedResource`
1422
+ # @return [String]
1423
+ attr_accessor :attached_resource
1424
+
1425
+ # The folder(s) that this IAM policy belongs to, in the form of folders/`
1426
+ # FOLDER_NUMBER`. This field is available when the IAM policy belongs(directly
1427
+ # or cascadingly) to one or more folders.
1428
+ # Corresponds to the JSON property `folders`
1429
+ # @return [Array<String>]
1430
+ attr_accessor :folders
1431
+
1432
+ # The organization that this IAM policy belongs to, in the form of organizations/
1433
+ # `ORGANIZATION_NUMBER`. This field is available when the IAM policy belongs(
1434
+ # directly or cascadingly) to an organization.
1435
+ # Corresponds to the JSON property `organization`
1436
+ # @return [String]
1437
+ attr_accessor :organization
1438
+
1439
+ # An Identity and Access Management (IAM) policy, which specifies access
1440
+ # controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
1441
+ # A `binding` binds one or more `members`, or principals, to a single `role`.
1442
+ # Principals can be user accounts, service accounts, Google groups, and domains (
1443
+ # such as G Suite). A `role` is a named list of permissions; each `role` can be
1444
+ # an IAM predefined role or a user-created custom role. For some types of Google
1445
+ # Cloud resources, a `binding` can also specify a `condition`, which is a
1446
+ # logical expression that allows access to a resource only if the expression
1447
+ # evaluates to `true`. A condition can add constraints based on attributes of
1448
+ # the request, the resource, or both. To learn which resources support
1449
+ # conditions in their IAM policies, see the [IAM documentation](https://cloud.
1450
+ # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
1451
+ # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
1452
+ # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
1453
+ # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
1454
+ # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
1455
+ # ], "condition": ` "title": "expirable access", "description": "Does not grant
1456
+ # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
1457
+ # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
1458
+ # bindings: - members: - user:mike@example.com - group:admins@example.com -
1459
+ # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
1460
+ # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
1461
+ # com role: roles/resourcemanager.organizationViewer condition: title: expirable
1462
+ # access description: Does not grant access after Sep 2020 expression: request.
1463
+ # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
1464
+ # a description of IAM and its features, see the [IAM documentation](https://
1465
+ # cloud.google.com/iam/docs/).
1466
+ # Corresponds to the JSON property `policy`
1467
+ # @return [Google::Apis::CloudassetV1::Policy]
1468
+ attr_accessor :policy
1469
+
1470
+ # The project that this IAM policy belongs to, in the form of projects/`
1471
+ # PROJECT_NUMBER`. This field is available when the IAM policy belongs to a
1472
+ # project.
1473
+ # Corresponds to the JSON property `project`
1474
+ # @return [String]
1475
+ attr_accessor :project
1476
+
1477
+ def initialize(**args)
1478
+ update!(**args)
1479
+ end
1480
+
1481
+ # Update properties of this object
1482
+ def update!(**args)
1483
+ @attached_resource = args[:attached_resource] if args.key?(:attached_resource)
1484
+ @folders = args[:folders] if args.key?(:folders)
1485
+ @organization = args[:organization] if args.key?(:organization)
1486
+ @policy = args[:policy] if args.key?(:policy)
1487
+ @project = args[:project] if args.key?(:project)
1488
+ end
1489
+ end
1490
+
1491
+ # The Google Cloud resources governed by the organization policies of the
1492
+ # AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
1493
+ class GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedResource
1494
+ include Google::Apis::Core::Hashable
1495
+
1496
+ # The folder(s) that this resource belongs to, in the form of folders/`
1497
+ # FOLDER_NUMBER`. This field is available when the resource belongs(directly or
1498
+ # cascadingly) to one or more folders.
1499
+ # Corresponds to the JSON property `folders`
1500
+ # @return [Array<String>]
1501
+ attr_accessor :folders
1502
+
1503
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
1504
+ # resource-name-format) of the Google Cloud resource.
1505
+ # Corresponds to the JSON property `fullResourceName`
1506
+ # @return [String]
1507
+ attr_accessor :full_resource_name
1508
+
1509
+ # The organization that this resource belongs to, in the form of organizations/`
1510
+ # ORGANIZATION_NUMBER`. This field is available when the resource belongs(
1511
+ # directly or cascadingly) to an organization.
1512
+ # Corresponds to the JSON property `organization`
1513
+ # @return [String]
1514
+ attr_accessor :organization
1515
+
1516
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
1517
+ # resource-name-format) of the parent of AnalyzeOrgPolicyGovernedAssetsResponse.
1518
+ # GovernedResource.full_resource_name.
1519
+ # Corresponds to the JSON property `parent`
1520
+ # @return [String]
1521
+ attr_accessor :parent
1522
+
1523
+ # The project that this resource belongs to, in the form of projects/`
1524
+ # PROJECT_NUMBER`. This field is available when the resource belongs to a
1525
+ # project.
1526
+ # Corresponds to the JSON property `project`
1527
+ # @return [String]
1528
+ attr_accessor :project
1529
+
1530
+ def initialize(**args)
1531
+ update!(**args)
1532
+ end
1533
+
1534
+ # Update properties of this object
1535
+ def update!(**args)
1536
+ @folders = args[:folders] if args.key?(:folders)
1537
+ @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
1538
+ @organization = args[:organization] if args.key?(:organization)
1539
+ @parent = args[:parent] if args.key?(:parent)
1540
+ @project = args[:project] if args.key?(:project)
1541
+ end
1542
+ end
1543
+
1184
1544
  # A BigQuery destination.
1185
1545
  class GoogleCloudAssetV1BigQueryDestination
1186
1546
  include Google::Apis::Core::Hashable
@@ -1233,6 +1593,136 @@ module Google
1233
1593
  end
1234
1594
  end
1235
1595
 
1596
+ # A `Constraint` that is either enforced or not. For example a constraint `
1597
+ # constraints/compute.disableSerialPortAccess`. If it is enforced on a VM
1598
+ # instance, serial port connections will not be opened to that instance.
1599
+ class GoogleCloudAssetV1BooleanConstraint
1600
+ include Google::Apis::Core::Hashable
1601
+
1602
+ def initialize(**args)
1603
+ update!(**args)
1604
+ end
1605
+
1606
+ # Update properties of this object
1607
+ def update!(**args)
1608
+ end
1609
+ end
1610
+
1611
+ # The definition of a constraint.
1612
+ class GoogleCloudAssetV1Constraint
1613
+ include Google::Apis::Core::Hashable
1614
+
1615
+ # A `Constraint` that is either enforced or not. For example a constraint `
1616
+ # constraints/compute.disableSerialPortAccess`. If it is enforced on a VM
1617
+ # instance, serial port connections will not be opened to that instance.
1618
+ # Corresponds to the JSON property `booleanConstraint`
1619
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1BooleanConstraint]
1620
+ attr_accessor :boolean_constraint
1621
+
1622
+ # The evaluation behavior of this constraint in the absence of 'Policy'.
1623
+ # Corresponds to the JSON property `constraintDefault`
1624
+ # @return [String]
1625
+ attr_accessor :constraint_default
1626
+
1627
+ # Detailed description of what this `Constraint` controls as well as how and
1628
+ # where it is enforced.
1629
+ # Corresponds to the JSON property `description`
1630
+ # @return [String]
1631
+ attr_accessor :description
1632
+
1633
+ # The human readable name of the constraint.
1634
+ # Corresponds to the JSON property `displayName`
1635
+ # @return [String]
1636
+ attr_accessor :display_name
1637
+
1638
+ # A `Constraint` that allows or disallows a list of string values, which are
1639
+ # configured by an organization's policy administrator with a `Policy`.
1640
+ # Corresponds to the JSON property `listConstraint`
1641
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1ListConstraint]
1642
+ attr_accessor :list_constraint
1643
+
1644
+ # The unique name of the constraint. Format of the name should be * `constraints/
1645
+ # `constraint_name`` For example, `constraints/compute.disableSerialPortAccess`.
1646
+ # Corresponds to the JSON property `name`
1647
+ # @return [String]
1648
+ attr_accessor :name
1649
+
1650
+ def initialize(**args)
1651
+ update!(**args)
1652
+ end
1653
+
1654
+ # Update properties of this object
1655
+ def update!(**args)
1656
+ @boolean_constraint = args[:boolean_constraint] if args.key?(:boolean_constraint)
1657
+ @constraint_default = args[:constraint_default] if args.key?(:constraint_default)
1658
+ @description = args[:description] if args.key?(:description)
1659
+ @display_name = args[:display_name] if args.key?(:display_name)
1660
+ @list_constraint = args[:list_constraint] if args.key?(:list_constraint)
1661
+ @name = args[:name] if args.key?(:name)
1662
+ end
1663
+ end
1664
+
1665
+ # The definition of a custom constraint.
1666
+ class GoogleCloudAssetV1CustomConstraint
1667
+ include Google::Apis::Core::Hashable
1668
+
1669
+ # Allow or deny type.
1670
+ # Corresponds to the JSON property `actionType`
1671
+ # @return [String]
1672
+ attr_accessor :action_type
1673
+
1674
+ # Organization Policy condition/expression. For example: `resource.instanceName.
1675
+ # matches("[production|test]_.*_(\d)+")'` or, `resource.management.auto_upgrade =
1676
+ # = true`
1677
+ # Corresponds to the JSON property `condition`
1678
+ # @return [String]
1679
+ attr_accessor :condition
1680
+
1681
+ # Detailed information about this custom policy constraint.
1682
+ # Corresponds to the JSON property `description`
1683
+ # @return [String]
1684
+ attr_accessor :description
1685
+
1686
+ # One line display name for the UI.
1687
+ # Corresponds to the JSON property `displayName`
1688
+ # @return [String]
1689
+ attr_accessor :display_name
1690
+
1691
+ # All the operations being applied for this constraint.
1692
+ # Corresponds to the JSON property `methodTypes`
1693
+ # @return [Array<String>]
1694
+ attr_accessor :method_types
1695
+
1696
+ # Name of the constraint. This is unique within the organization. Format of the
1697
+ # name should be * `organizations/`organization_id`/customConstraints/`
1698
+ # custom_constraint_id`` Example : "organizations/123/customConstraints/custom.
1699
+ # createOnlyE2TypeVms"
1700
+ # Corresponds to the JSON property `name`
1701
+ # @return [String]
1702
+ attr_accessor :name
1703
+
1704
+ # The Resource Instance type on which this policy applies to. Format will be of
1705
+ # the form : "/" Example: * `compute.googleapis.com/Instance`.
1706
+ # Corresponds to the JSON property `resourceTypes`
1707
+ # @return [Array<String>]
1708
+ attr_accessor :resource_types
1709
+
1710
+ def initialize(**args)
1711
+ update!(**args)
1712
+ end
1713
+
1714
+ # Update properties of this object
1715
+ def update!(**args)
1716
+ @action_type = args[:action_type] if args.key?(:action_type)
1717
+ @condition = args[:condition] if args.key?(:condition)
1718
+ @description = args[:description] if args.key?(:description)
1719
+ @display_name = args[:display_name] if args.key?(:display_name)
1720
+ @method_types = args[:method_types] if args.key?(:method_types)
1721
+ @name = args[:name] if args.key?(:name)
1722
+ @resource_types = args[:resource_types] if args.key?(:resource_types)
1723
+ end
1724
+ end
1725
+
1236
1726
  # A directional edge.
1237
1727
  class GoogleCloudAssetV1Edge
1238
1728
  include Google::Apis::Core::Hashable
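Review bot: The example in the `condition` comment of GoogleCloudAssetV1CustomConstraint, `matches("[production|test]_.*_(\d)+")'`, uses square brackets, which form a character class matching a single character from that set rather than the words production or test, and it ends with an unmatched `'`. A custom constraint copied from this example would select a different set of instance names than the reader expects, which matters because the expression decides where the policy applies. I would change the example to `resource.instanceName.matches("(production|test)_.*_(\d)+")` and keep the second example on one line as `resource.management.auto_upgrade == true`, since the current wrap splits `==` into `= =`.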
@@ -1264,7 +1754,7 @@ module Google
1264
1754
  class GoogleCloudAssetV1GcsDestination
1265
1755
  include Google::Apis::Core::Hashable
1266
1756
 
1267
- # Required. The uri of the Cloud Storage object. It's the same uri that is used
1757
+ # Required. The URI of the Cloud Storage object. It's the same URI that is used
1268
1758
  # by gsutil. Example: "gs://bucket_name/object_name". See [Viewing and Editing
1269
1759
  # Object Metadata](https://cloud.google.com/storage/docs/viewing-editing-
1270
1760
  # metadata) for more information. If the specified Cloud Storage object already
@@ -1280,7 +1770,54 @@ module Google
1280
1770
 
1281
1771
  # Update properties of this object
1282
1772
  def update!(**args)
1283
- @uri = args[:uri] if args.key?(:uri)
1773
+ @uri = args[:uri] if args.key?(:uri)
1774
+ end
1775
+ end
1776
+
1777
+ # The organization/folder/project resource governed by organization policies of
1778
+ # AnalyzeOrgPolicyGovernedContainersRequest.constraint.
1779
+ class GoogleCloudAssetV1GovernedContainer
1780
+ include Google::Apis::Core::Hashable
1781
+
1782
+ # This organization policy message is a modified version of the one defined in
1783
+ # the Organization Policy system. This message contains several fields defined
1784
+ # in the original organization policy with some new fields for analysis purpose.
1785
+ # Corresponds to the JSON property `consolidatedPolicy`
1786
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicy]
1787
+ attr_accessor :consolidated_policy
1788
+
1789
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
1790
+ # resource-name-format) of an organization/folder/project resource.
1791
+ # Corresponds to the JSON property `fullResourceName`
1792
+ # @return [String]
1793
+ attr_accessor :full_resource_name
1794
+
1795
+ # The [full resource name] (https://cloud.google.com/asset-inventory/docs/
1796
+ # resource-name-format) of the parent of
1797
+ # AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer.
1798
+ # full_resource_name.
1799
+ # Corresponds to the JSON property `parent`
1800
+ # @return [String]
1801
+ attr_accessor :parent
1802
+
1803
+ # The ordered list of all organization policies from the
1804
+ # AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.
1805
+ # attached_resource. to the scope specified in the request. If the constraint is
1806
+ # defined with default policy, it will also appear in the list.
1807
+ # Corresponds to the JSON property `policyBundle`
1808
+ # @return [Array<Google::Apis::CloudassetV1::AnalyzerOrgPolicy>]
1809
+ attr_accessor :policy_bundle
1810
+
1811
+ def initialize(**args)
1812
+ update!(**args)
1813
+ end
1814
+
1815
+ # Update properties of this object
1816
+ def update!(**args)
1817
+ @consolidated_policy = args[:consolidated_policy] if args.key?(:consolidated_policy)
1818
+ @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
1819
+ @parent = args[:parent] if args.key?(:parent)
1820
+ @policy_bundle = args[:policy_bundle] if args.key?(:policy_bundle)
1284
1821
  end
1285
1822
  end
1286
1823
 
@@ -1344,6 +1881,77 @@ module Google
1344
1881
  end
1345
1882
  end
1346
1883
 
1884
+ # A `Constraint` that allows or disallows a list of string values, which are
1885
+ # configured by an organization's policy administrator with a `Policy`.
1886
+ class GoogleCloudAssetV1ListConstraint
1887
+ include Google::Apis::Core::Hashable
1888
+
1889
+ # Indicates whether values grouped into categories can be used in `Policy.
1890
+ # allowed_values` and `Policy.denied_values`. For example, `"in:Python"` would
1891
+ # match any value in the 'Python' group.
1892
+ # Corresponds to the JSON property `supportsIn`
1893
+ # @return [Boolean]
1894
+ attr_accessor :supports_in
1895
+ alias_method :supports_in?, :supports_in
1896
+
1897
+ # Indicates whether subtrees of Cloud Resource Manager resource hierarchy can be
1898
+ # used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"
1899
+ # under:folders/123"` would match any resource under the 'folders/123' folder.
1900
+ # Corresponds to the JSON property `supportsUnder`
1901
+ # @return [Boolean]
1902
+ attr_accessor :supports_under
1903
+ alias_method :supports_under?, :supports_under
1904
+
1905
+ def initialize(**args)
1906
+ update!(**args)
1907
+ end
1908
+
1909
+ # Update properties of this object
1910
+ def update!(**args)
1911
+ @supports_in = args[:supports_in] if args.key?(:supports_in)
1912
+ @supports_under = args[:supports_under] if args.key?(:supports_under)
1913
+ end
1914
+ end
1915
+
1916
+ # BigQuery destination.
1917
+ class GoogleCloudAssetV1QueryAssetsOutputConfigBigQueryDestination
1918
+ include Google::Apis::Core::Hashable
1919
+
1920
+ # Required. The BigQuery dataset where the query results will be saved. It has
1921
+ # the format of "projects/`projectId`/datasets/`datasetId`".
1922
+ # Corresponds to the JSON property `dataset`
1923
+ # @return [String]
1924
+ attr_accessor :dataset
1925
+
1926
+ # Required. The BigQuery table where the query results will be saved. If this
1927
+ # table does not exist, a new table with the given name will be created.
1928
+ # Corresponds to the JSON property `table`
1929
+ # @return [String]
1930
+ attr_accessor :table
1931
+
1932
+ # Specifies the action that occurs if the destination table or partition already
1933
+ # exists. The following values are supported: * WRITE_TRUNCATE: If the table or
1934
+ # partition already exists, BigQuery overwrites the entire table or all the
1935
+ # partitions data. * WRITE_APPEND: If the table or partition already exists,
1936
+ # BigQuery appends the data to the table or the latest partition. * WRITE_EMPTY:
1937
+ # If the table already exists and contains data, a 'duplicate' error is returned
1938
+ # in the job result. The default value is WRITE_EMPTY.
1939
+ # Corresponds to the JSON property `writeDisposition`
1940
+ # @return [String]
1941
+ attr_accessor :write_disposition
1942
+
1943
+ def initialize(**args)
1944
+ update!(**args)
1945
+ end
1946
+
1947
+ # Update properties of this object
1948
+ def update!(**args)
1949
+ @dataset = args[:dataset] if args.key?(:dataset)
1950
+ @table = args[:table] if args.key?(:table)
1951
+ @write_disposition = args[:write_disposition] if args.key?(:write_disposition)
1952
+ end
1953
+ end
1954
+
1347
1955
  # A Google Cloud resource under analysis.
1348
1956
  class GoogleCloudAssetV1Resource
1349
1957
  include Google::Apis::Core::Hashable
@@ -1371,12 +1979,100 @@ module Google
1371
1979
  end
1372
1980
  end
1373
1981
 
1982
+ # Represents a rule defined in an organization policy
1983
+ class GoogleCloudAssetV1Rule
1984
+ include Google::Apis::Core::Hashable
1985
+
1986
+ # Setting this to true means that all values are allowed. This field can be set
1987
+ # only in Policies for list constraints.
1988
+ # Corresponds to the JSON property `allowAll`
1989
+ # @return [Boolean]
1990
+ attr_accessor :allow_all
1991
+ alias_method :allow_all?, :allow_all
1992
+
1993
+ # Represents a textual expression in the Common Expression Language (CEL) syntax.
1994
+ # CEL is a C-like expression language. The syntax and semantics of CEL are
1995
+ # documented at https://github.com/google/cel-spec. Example (Comparison): title:
1996
+ # "Summary size limit" description: "Determines if a summary is less than 100
1997
+ # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
1998
+ # Requestor is owner" description: "Determines if requestor is the document
1999
+ # owner" expression: "document.owner == request.auth.claims.email" Example (
2000
+ # Logic): title: "Public documents" description: "Determine whether the document
2001
+ # should be publicly visible" expression: "document.type != 'private' &&
2002
+ # document.type != 'internal'" Example (Data Manipulation): title: "Notification
2003
+ # string" description: "Create a notification string with a timestamp."
2004
+ # expression: "'New message received at ' + string(document.create_time)" The
2005
+ # exact variables and functions that may be referenced within an expression are
2006
+ # determined by the service that evaluates it. See the service documentation for
2007
+ # additional information.
2008
+ # Corresponds to the JSON property `condition`
2009
+ # @return [Google::Apis::CloudassetV1::Expr]
2010
+ attr_accessor :condition
2011
+
2012
+ # Setting this to true means that all values are denied. This field can be set
2013
+ # only in Policies for list constraints.
2014
+ # Corresponds to the JSON property `denyAll`
2015
+ # @return [Boolean]
2016
+ attr_accessor :deny_all
2017
+ alias_method :deny_all?, :deny_all
2018
+
2019
+ # If `true`, then the `Policy` is enforced. If `false`, then any configuration
2020
+ # is acceptable. This field can be set only in Policies for boolean constraints.
2021
+ # Corresponds to the JSON property `enforce`
2022
+ # @return [Boolean]
2023
+ attr_accessor :enforce
2024
+ alias_method :enforce?, :enforce
2025
+
2026
+ # The string values for the list constraints.
2027
+ # Corresponds to the JSON property `values`
2028
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1StringValues]
2029
+ attr_accessor :values
2030
+
2031
+ def initialize(**args)
2032
+ update!(**args)
2033
+ end
2034
+
2035
+ # Update properties of this object
2036
+ def update!(**args)
2037
+ @allow_all = args[:allow_all] if args.key?(:allow_all)
2038
+ @condition = args[:condition] if args.key?(:condition)
2039
+ @deny_all = args[:deny_all] if args.key?(:deny_all)
2040
+ @enforce = args[:enforce] if args.key?(:enforce)
2041
+ @values = args[:values] if args.key?(:values)
2042
+ end
2043
+ end
2044
+
2045
+ # The string values for the list constraints.
2046
+ class GoogleCloudAssetV1StringValues
2047
+ include Google::Apis::Core::Hashable
2048
+
2049
+ # List of values allowed at this resource.
2050
+ # Corresponds to the JSON property `allowedValues`
2051
+ # @return [Array<String>]
2052
+ attr_accessor :allowed_values
2053
+
2054
+ # List of values denied at this resource.
2055
+ # Corresponds to the JSON property `deniedValues`
2056
+ # @return [Array<String>]
2057
+ attr_accessor :denied_values
2058
+
2059
+ def initialize(**args)
2060
+ update!(**args)
2061
+ end
2062
+
2063
+ # Update properties of this object
2064
+ def update!(**args)
2065
+ @allowed_values = args[:allowed_values] if args.key?(:allowed_values)
2066
+ @denied_values = args[:denied_values] if args.key?(:denied_values)
2067
+ end
2068
+ end
2069
+
1374
2070
  # An asset in Google Cloud. An asset can be any resource in the Google Cloud [
1375
2071
  # resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-
1376
2072
  # platform-resource-hierarchy), a resource outside the Google Cloud resource
1377
2073
  # hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy
1378
- # (e.g. Cloud IAM policy). See [Supported asset types](https://cloud.google.com/
1379
- # asset-inventory/docs/supported-asset-types) for more information.
2074
+ # (e.g. IAM policy). See [Supported asset types](https://cloud.google.com/asset-
2075
+ # inventory/docs/supported-asset-types) for more information.
1380
2076
  class GoogleCloudAssetV1p7beta1Asset
1381
2077
  include Google::Apis::Core::Hashable
1382
2078
 
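Review bot: The predicate aliases `allow_all?`, `deny_all?` and `enforce?` on `GoogleCloudAssetV1Rule` return `nil` rather than `false` when the field was never assigned, because `update!` only sets each instance variable when its key is present in `args`. Code that audits organization policies through these predicates will then read an absent field the same way as an explicit `false`, although the two can mean different things for a rule. The attribute comments could say so, for example `# nil when the field is not set on this rule; check for nil before treating it as false.` This file appears to be generated, so the wording would presumably have to be added in the upstream API description.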
@@ -1513,9 +2209,9 @@ module Google
1513
2209
  # An asset can be any resource in the Google Cloud [resource hierarchy](https://
1514
2210
  # cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), a
1515
2211
  # resource outside the Google Cloud resource hierarchy (such as Google
1516
- # Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
1517
- # See [Supported asset types](https://cloud.google.com/asset-inventory/docs/
1518
- # supported-asset-types) for more information.
2212
+ # Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See [
2213
+ # Supported asset types](https://cloud.google.com/asset-inventory/docs/supported-
2214
+ # asset-types) for more information.
1519
2215
  class GoogleCloudAssetV1p7beta1RelatedAsset
1520
2216
  include Google::Apis::Core::Hashable
1521
2217
 
@@ -1654,7 +2350,7 @@ module Google
1654
2350
  # The full name of the immediate parent of this resource. See [Resource Names](
1655
2351
  # https://cloud.google.com/apis/design/resource_names#full_resource_name) for
1656
2352
  # more information. For Google Cloud assets, this value is the parent resource
1657
- # defined in the [Cloud IAM policy hierarchy](https://cloud.google.com/iam/docs/
2353
+ # defined in the [IAM policy hierarchy](https://cloud.google.com/iam/docs/
1658
2354
  # overview#policy_hierarchy). Example: `//cloudresourcemanager.googleapis.com/
1659
2355
  # projects/my_project_123` For third-party assets, this field may be set
1660
2356
  # differently.
@@ -1992,10 +2688,10 @@ module Google
1992
2688
  # @return [String]
1993
2689
  attr_accessor :description
1994
2690
 
1995
- # Required. Resource name for the Access Level. The `short_name` component must
1996
- # begin with a letter and only include alphanumeric and '_'. Format: `
1997
- # accessPolicies/`access_policy`/accessLevels/`access_level``. The maximum
1998
- # length of the `access_level` component is 50 characters.
2691
+ # Resource name for the `AccessLevel`. Format: `accessPolicies/`access_policy`/
2692
+ # accessLevels/`access_level``. The `access_level` component must begin with a
2693
+ # letter, followed by alphanumeric characters or `_`. Its maximum length is 50
2694
+ # characters. After you create an `AccessLevel`, you cannot change its `name`.
1999
2695
  # Corresponds to the JSON property `name`
2000
2696
  # @return [String]
2001
2697
  attr_accessor :name
@@ -2533,10 +3229,11 @@ module Google
2533
3229
 
2534
3230
  # A Google Cloud resource that is allowed to ingress the perimeter. Requests
2535
3231
  # from these resources will be allowed to access perimeter data. Currently only
2536
- # projects are allowed. Format: `projects/`project_number`` The project may be
2537
- # in any Google Cloud organization, not just the organization that the perimeter
2538
- # is defined in. `*` is not allowed, the case of allowing all Google Cloud
2539
- # resources only is not supported.
3232
+ # projects and VPCs are allowed. Project format: `projects/`project_number`` VPC
3233
+ # format: `//compute.googleapis.com/projects/`PROJECT_ID`/global/networks/`NAME``
3234
+ # . The project may be in any Google Cloud organization, not just the
3235
+ # organization that the perimeter is defined in. `*` is not allowed, the case of
3236
+ # allowing all Google Cloud resources only is not supported.
2540
3237
  # Corresponds to the JSON property `resource`
2541
3238
  # @return [String]
2542
3239
  attr_accessor :resource
@@ -2666,9 +3363,10 @@ module Google
2666
3363
  # @return [String]
2667
3364
  attr_accessor :description
2668
3365
 
2669
- # Required. Resource name for the ServicePerimeter. The `short_name` component
2670
- # must begin with a letter and only include alphanumeric and '_'. Format: `
2671
- # accessPolicies/`access_policy`/servicePerimeters/`service_perimeter``
3366
+ # Resource name for the `ServicePerimeter`. Format: `accessPolicies/`
3367
+ # access_policy`/servicePerimeters/`service_perimeter``. The `service_perimeter`
3368
+ # component must begin with a letter, followed by alphanumeric characters or `_`.
3369
+ # After you create a `ServicePerimeter`, you cannot change its `name`.
2672
3370
  # Corresponds to the JSON property `name`
2673
3371
  # @return [String]
2674
3372
  attr_accessor :name
@@ -2760,7 +3458,9 @@ module Google
2760
3458
  attr_accessor :ingress_policies
2761
3459
 
2762
3460
  # A list of Google Cloud resources that are inside of the service perimeter.
2763
- # Currently only projects are allowed. Format: `projects/`project_number``
3461
+ # Currently only projects and VPCs are allowed. Project format: `projects/`
3462
+ # project_number`` VPC format: `//compute.googleapis.com/projects/`PROJECT_ID`/
3463
+ # global/networks/`NAME``.
2764
3464
  # Corresponds to the JSON property `resources`
2765
3465
  # @return [Array<String>]
2766
3466
  attr_accessor :resources
@@ -3093,8 +3793,8 @@ module Google
3093
3793
  # @return [Google::Apis::CloudassetV1::Policy]
3094
3794
  attr_accessor :policy
3095
3795
 
3096
- # The project that the associated GCP resource belongs to, in the form of
3097
- # projects/`PROJECT_NUMBER`. If an IAM policy is set on a resource (like VM
3796
+ # The project that the associated Google Cloud resource belongs to, in the form
3797
+ # of projects/`PROJECT_NUMBER`. If an IAM policy is set on a resource (like VM
3098
3798
  # instance, Cloud Storage bucket), the project field will indicate the project
3099
3799
  # that contains the resource. If an IAM policy is set on a folder or orgnization,
3100
3800
  # this field will be empty. To search against the `project`: * specify the `
@@ -3341,7 +4041,7 @@ module Google
3341
4041
  # @return [Google::Apis::CloudassetV1::MoveAnalysisResult]
3342
4042
  attr_accessor :analysis
3343
4043
 
3344
- # The user friendly display name of the analysis. E.g. IAM, Organization Policy
4044
+ # The user friendly display name of the analysis. E.g. IAM, organization policy
3345
4045
  # etc.
3346
4046
  # Corresponds to the JSON property `displayName`
3347
4047
  # @return [String]
@@ -3485,19 +4185,19 @@ module Google
3485
4185
  # Optional. If true, the response will include access analysis from identities
3486
4186
  # to resources via service account impersonation. This is a very expensive
3487
4187
  # operation, because many derived queries will be executed. We highly recommend
3488
- # you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if
4188
+ # you use AssetService.AnalyzeIamPolicyLongrunning RPC instead. For example, if
3489
4189
  # the request analyzes for which resources user A has permission P, and there's
3490
4190
  # an IAM policy states user A has iam.serviceAccounts.getAccessToken permission
3491
4191
  # to a service account SA, and there's another IAM policy states service account
3492
- # SA has permission P to a GCP folder F, then user A potentially has access to
3493
- # the GCP folder F. And those advanced analysis results will be included in
3494
- # AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another
3495
- # example, if the request analyzes for who has permission P to a GCP folder F,
3496
- # and there's an IAM policy states user A has iam.serviceAccounts.actAs
3497
- # permission to a service account SA, and there's another IAM policy states
3498
- # service account SA has permission P to the GCP folder F, then user A
3499
- # potentially has access to the GCP folder F. And those advanced analysis
3500
- # results will be included in AnalyzeIamPolicyResponse.
4192
+ # SA has permission P to a Google Cloud folder F, then user A potentially has
4193
+ # access to the Google Cloud folder F. And those advanced analysis results will
4194
+ # be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
4195
+ # Another example, if the request analyzes for who has permission P to a Google
4196
+ # Cloud folder F, and there's an IAM policy states user A has iam.
4197
+ # serviceAccounts.actAs permission to a service account SA, and there's another
4198
+ # IAM policy states service account SA has permission P to the Google Cloud
4199
+ # folder F, then user A potentially has access to the Google Cloud folder F. And
4200
+ # those advanced analysis results will be included in AnalyzeIamPolicyResponse.
3501
4201
  # service_account_impersonation_analysis. Only the following permissions are
3502
4202
  # considered in this analysis: * `iam.serviceAccounts.actAs` * `iam.
3503
4203
  # serviceAccounts.signBlob` * `iam.serviceAccounts.signJwt` * `iam.
@@ -3523,17 +4223,18 @@ module Google
3523
4223
  # specified, the resource section of the result will expand any resource
3524
4224
  # attached to an IAM policy to include resources lower in the resource hierarchy.
3525
4225
  # For example, if the request analyzes for which resources user A has
3526
- # permission P, and the results include an IAM policy with P on a GCP folder,
3527
- # the results will also include resources in that folder with permission P. If
3528
- # true and IamPolicyAnalysisQuery.resource_selector is specified, the resource
3529
- # section of the result will expand the specified resource to include resources
3530
- # lower in the resource hierarchy. Only project or lower resources are supported.
3531
- # Folder and organization resource cannot be used together with this option.
3532
- # For example, if the request analyzes for which users have permission P on a
3533
- # GCP project with this option enabled, the results will include all users who
3534
- # have permission P on that project or any lower resource. If true, the default
3535
- # max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and
3536
- # 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.
4226
+ # permission P, and the results include an IAM policy with P on a Google Cloud
4227
+ # folder, the results will also include resources in that folder with permission
4228
+ # P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the
4229
+ # resource section of the result will expand the specified resource to include
4230
+ # resources lower in the resource hierarchy. Only project or lower resources are
4231
+ # supported. Folder and organization resources cannot be used together with this
4232
+ # option. For example, if the request analyzes for which users have permission P
4233
+ # on a Google Cloud project with this option enabled, the results will include
4234
+ # all users who have permission P on that project or any lower resource. If true,
4235
+ # the default max expansion per resource is 1000 for AssetService.
4236
+ # AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][].
4237
+ # Default is false.
3537
4238
  # Corresponds to the JSON property `expandResources`
3538
4239
  # @return [Boolean]
3539
4240
  attr_accessor :expand_resources
@@ -3579,6 +4280,36 @@ module Google
3579
4280
  end
3580
4281
  end
3581
4282
 
4283
+ # The organization policy result to the query.
4284
+ class OrgPolicyResult
4285
+ include Google::Apis::Core::Hashable
4286
+
4287
+ # This organization policy message is a modified version of the one defined in
4288
+ # the Organization Policy system. This message contains several fields defined
4289
+ # in the original organization policy with some new fields for analysis purpose.
4290
+ # Corresponds to the JSON property `consolidatedPolicy`
4291
+ # @return [Google::Apis::CloudassetV1::AnalyzerOrgPolicy]
4292
+ attr_accessor :consolidated_policy
4293
+
4294
+ # The ordered list of all organization policies from the
4295
+ # AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.
4296
+ # attached_resource. to the scope specified in the request. If the constraint is
4297
+ # defined with default policy, it will also appear in the list.
4298
+ # Corresponds to the JSON property `policyBundle`
4299
+ # @return [Array<Google::Apis::CloudassetV1::AnalyzerOrgPolicy>]
4300
+ attr_accessor :policy_bundle
4301
+
4302
+ def initialize(**args)
4303
+ update!(**args)
4304
+ end
4305
+
4306
+ # Update properties of this object
4307
+ def update!(**args)
4308
+ @consolidated_policy = args[:consolidated_policy] if args.key?(:consolidated_policy)
4309
+ @policy_bundle = args[:policy_bundle] if args.key?(:policy_bundle)
4310
+ end
4311
+ end
4312
+
3582
4313
  # Operating system information for the VM.
3583
4314
  class OsInfo
3584
4315
  include Google::Apis::Core::Hashable
@@ -3870,6 +4601,154 @@ module Google
3870
4601
  end
3871
4602
  end
3872
4603
 
4604
+ # Output configuration query assets.
4605
+ class QueryAssetsOutputConfig
4606
+ include Google::Apis::Core::Hashable
4607
+
4608
+ # BigQuery destination.
4609
+ # Corresponds to the JSON property `bigqueryDestination`
4610
+ # @return [Google::Apis::CloudassetV1::GoogleCloudAssetV1QueryAssetsOutputConfigBigQueryDestination]
4611
+ attr_accessor :bigquery_destination
4612
+
4613
+ def initialize(**args)
4614
+ update!(**args)
4615
+ end
4616
+
4617
+ # Update properties of this object
4618
+ def update!(**args)
4619
+ @bigquery_destination = args[:bigquery_destination] if args.key?(:bigquery_destination)
4620
+ end
4621
+ end
4622
+
4623
+ # QueryAssets request.
4624
+ class QueryAssetsRequest
4625
+ include Google::Apis::Core::Hashable
4626
+
4627
+ # Optional. Reference to the query job, which is from the `QueryAssetsResponse`
4628
+ # of previous `QueryAssets` call.
4629
+ # Corresponds to the JSON property `jobReference`
4630
+ # @return [String]
4631
+ attr_accessor :job_reference
4632
+
4633
+ # Output configuration query assets.
4634
+ # Corresponds to the JSON property `outputConfig`
4635
+ # @return [Google::Apis::CloudassetV1::QueryAssetsOutputConfig]
4636
+ attr_accessor :output_config
4637
+
4638
+ # Optional. The maximum number of rows to return in the results. Responses are
4639
+ # limited to 10 MB and 1000 rows. By default, the maximum row count is 1000.
4640
+ # When the byte or row count limit is reached, the rest of the query results
4641
+ # will be paginated. The field will be ignored when [output_config] is specified.
4642
+ # Corresponds to the JSON property `pageSize`
4643
+ # @return [Fixnum]
4644
+ attr_accessor :page_size
4645
+
4646
+ # Optional. A page token received from previous `QueryAssets`. The field will be
4647
+ # ignored when [output_config] is specified.
4648
+ # Corresponds to the JSON property `pageToken`
4649
+ # @return [String]
4650
+ attr_accessor :page_token
4651
+
4652
+ # Optional. Queries cloud assets as they appeared at the specified point in time.
4653
+ # Corresponds to the JSON property `readTime`
4654
+ # @return [String]
4655
+ attr_accessor :read_time
4656
+
4657
+ # A time window specified by its `start_time` and `end_time`.
4658
+ # Corresponds to the JSON property `readTimeWindow`
4659
+ # @return [Google::Apis::CloudassetV1::TimeWindow]
4660
+ attr_accessor :read_time_window
4661
+
4662
+ # Optional. A SQL statement that's compatible with [BigQuery Standard SQL](http:/
4663
+ # /cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql).
4664
+ # Corresponds to the JSON property `statement`
4665
+ # @return [String]
4666
+ attr_accessor :statement
4667
+
4668
+ # Optional. Specifies the maximum amount of time that the client is willing to
4669
+ # wait for the query to complete. By default, this limit is 5 min for the first
4670
+ # query, and 1 minute for the following queries. If the query is complete, the `
4671
+ # done` field in the `QueryAssetsResponse` is true, otherwise false. Like
4672
+ # BigQuery [jobs.query API](https://cloud.google.com/bigquery/docs/reference/
4673
+ # rest/v2/jobs/query#queryrequest) The call is not guaranteed to wait for the
4674
+ # specified timeout; it typically returns after around 200 seconds (200,000
4675
+ # milliseconds), even if the query is not complete. The field will be ignored
4676
+ # when [output_config] is specified.
4677
+ # Corresponds to the JSON property `timeout`
4678
+ # @return [String]
4679
+ attr_accessor :timeout
4680
+
4681
+ def initialize(**args)
4682
+ update!(**args)
4683
+ end
4684
+
4685
+ # Update properties of this object
4686
+ def update!(**args)
4687
+ @job_reference = args[:job_reference] if args.key?(:job_reference)
4688
+ @output_config = args[:output_config] if args.key?(:output_config)
4689
+ @page_size = args[:page_size] if args.key?(:page_size)
4690
+ @page_token = args[:page_token] if args.key?(:page_token)
4691
+ @read_time = args[:read_time] if args.key?(:read_time)
4692
+ @read_time_window = args[:read_time_window] if args.key?(:read_time_window)
4693
+ @statement = args[:statement] if args.key?(:statement)
4694
+ @timeout = args[:timeout] if args.key?(:timeout)
4695
+ end
4696
+ end
4697
+
4698
+ # QueryAssets response.
4699
+ class QueryAssetsResponse
4700
+ include Google::Apis::Core::Hashable
4701
+
4702
+ # The query response, which can be either an `error` or a valid `response`. If `
4703
+ # done` == `false` and the query result is being saved in a output, the
4704
+ # output_config field will be set. If `done` == `true`, exactly one of `error`, `
4705
+ # query_result` or `output_config` will be set.
4706
+ # Corresponds to the JSON property `done`
4707
+ # @return [Boolean]
4708
+ attr_accessor :done
4709
+ alias_method :done?, :done
4710
+
4711
+ # The `Status` type defines a logical error model that is suitable for different
4712
+ # programming environments, including REST APIs and RPC APIs. It is used by [
4713
+ # gRPC](https://github.com/grpc). Each `Status` message contains three pieces of
4714
+ # data: error code, error message, and error details. You can find out more
4715
+ # about this error model and how to work with it in the [API Design Guide](https:
4716
+ # //cloud.google.com/apis/design/errors).
4717
+ # Corresponds to the JSON property `error`
4718
+ # @return [Google::Apis::CloudassetV1::Status]
4719
+ attr_accessor :error
4720
+
4721
+ # Reference to a query job.
4722
+ # Corresponds to the JSON property `jobReference`
4723
+ # @return [String]
4724
+ attr_accessor :job_reference
4725
+
4726
+ # Output configuration query assets.
4727
+ # Corresponds to the JSON property `outputConfig`
4728
+ # @return [Google::Apis::CloudassetV1::QueryAssetsOutputConfig]
4729
+ attr_accessor :output_config
4730
+
4731
+ # Execution results of the query. The result is formatted as rows represented by
4732
+ # BigQuery compatible [schema]. When pagination is necessary, it will contains
4733
+ # the page token to retrieve the results of following pages.
4734
+ # Corresponds to the JSON property `queryResult`
4735
+ # @return [Google::Apis::CloudassetV1::QueryResult]
4736
+ attr_accessor :query_result
4737
+
4738
+ def initialize(**args)
4739
+ update!(**args)
4740
+ end
4741
+
4742
+ # Update properties of this object
4743
+ def update!(**args)
4744
+ @done = args[:done] if args.key?(:done)
4745
+ @error = args[:error] if args.key?(:error)
4746
+ @job_reference = args[:job_reference] if args.key?(:job_reference)
4747
+ @output_config = args[:output_config] if args.key?(:output_config)
4748
+ @query_result = args[:query_result] if args.key?(:query_result)
4749
+ end
4750
+ end
4751
+
3873
4752
  # The query content.
3874
4753
  class QueryContent
3875
4754
  include Google::Apis::Core::Hashable
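Review bot: The comment on `statement` in `QueryAssetsRequest` links to `http:/ /cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql`, which names no public host and uses plain http, so readers cannot follow it. It presumably should read `https://cloud.google.com/bigquery/docs/reference/standard-sql/enabling-standard-sql`. The same comment could carry a caveat for callers, since the request as defined here has no field for bound query parameters: `# The statement is sent as raw SQL; do not assemble it from untrusted input.` If this file is generated, both changes belong in the upstream API description rather than in this file.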
@@ -3889,13 +4768,52 @@ module Google
3889
4768
  end
3890
4769
  end
3891
4770
 
4771
+ # Execution results of the query. The result is formatted as rows represented by
4772
+ # BigQuery compatible [schema]. When pagination is necessary, it will contains
4773
+ # the page token to retrieve the results of following pages.
4774
+ class QueryResult
4775
+ include Google::Apis::Core::Hashable
4776
+
4777
+ # Token to retrieve the next page of the results.
4778
+ # Corresponds to the JSON property `nextPageToken`
4779
+ # @return [String]
4780
+ attr_accessor :next_page_token
4781
+
4782
+ # Each row hold a query result in the format of `Struct`.
4783
+ # Corresponds to the JSON property `rows`
4784
+ # @return [Array<Hash<String,Object>>]
4785
+ attr_accessor :rows
4786
+
4787
+ # BigQuery Compatible table schema.
4788
+ # Corresponds to the JSON property `schema`
4789
+ # @return [Google::Apis::CloudassetV1::TableSchema]
4790
+ attr_accessor :schema
4791
+
4792
+ # Total rows of the whole query results.
4793
+ # Corresponds to the JSON property `totalRows`
4794
+ # @return [Fixnum]
4795
+ attr_accessor :total_rows
4796
+
4797
+ def initialize(**args)
4798
+ update!(**args)
4799
+ end
4800
+
4801
+ # Update properties of this object
4802
+ def update!(**args)
4803
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
4804
+ @rows = args[:rows] if args.key?(:rows)
4805
+ @schema = args[:schema] if args.key?(:schema)
4806
+ @total_rows = args[:total_rows] if args.key?(:total_rows)
4807
+ end
4808
+ end
4809
+
3892
4810
  # An asset identifier in Google Cloud which contains its name, type and
3893
4811
  # ancestors. An asset can be any resource in the Google Cloud [resource
3894
4812
  # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-
3895
4813
  # resource-hierarchy), a resource outside the Google Cloud resource hierarchy (
3896
- # such as Google Kubernetes Engine clusters and objects), or a policy (e.g.
3897
- # Cloud IAM policy). See [Supported asset types](https://cloud.google.com/asset-
3898
- # inventory/docs/supported-asset-types) for more information.
4814
+ # such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM
4815
+ # policy). See [Supported asset types](https://cloud.google.com/asset-inventory/
4816
+ # docs/supported-asset-types) for more information.
3899
4817
  class RelatedAsset
3900
4818
  include Google::Apis::Core::Hashable
3901
4819
 
@@ -4092,7 +5010,7 @@ module Google
4092
5010
  # The full name of the immediate parent of this resource. See [Resource Names](
4093
5011
  # https://cloud.google.com/apis/design/resource_names#full_resource_name) for
4094
5012
  # more information. For Google Cloud assets, this value is the parent resource
4095
- # defined in the [Cloud IAM policy hierarchy](https://cloud.google.com/iam/docs/
5013
+ # defined in the [IAM policy hierarchy](https://cloud.google.com/iam/docs/
4096
5014
  # overview#policy_hierarchy). Example: `//cloudresourcemanager.googleapis.com/
4097
5015
  # projects/my_project_123` For third-party assets, this field may be set
4098
5016
  # differently.
@@ -4138,14 +5056,14 @@ module Google
4138
5056
  # from one resource type to another. Examples: `projectId` for Project, `dnsName`
4139
5057
  # for DNS ManagedZone. This field contains a subset of the resource metadata
4140
5058
  # fields that are returned by the List or Get APIs provided by the corresponding
4141
- # GCP service (e.g., Compute Engine). see [API references and supported
5059
+ # Google Cloud service (e.g., Compute Engine). see [API references and supported
4142
5060
  # searchable attributes](https://cloud.google.com/asset-inventory/docs/supported-
4143
5061
  # asset-types#searchable_asset_types) to see which fields are included. You can
4144
5062
  # search values of these fields through free text search. However, you should
4145
5063
  # not consume the field programically as the field names and values may change
4146
- # as the GCP service updates to a new incompatible API version. To search
4147
- # against the `additional_attributes`: * Use a free text query to match the
4148
- # attributes values. Example: to search `additional_attributes = ` dnsName: "
5064
+ # as the Google Cloud service updates to a new incompatible API version. To
5065
+ # search against the `additional_attributes`: * Use a free text query to match
5066
+ # the attributes values. Example: to search `additional_attributes = ` dnsName: "
4149
5067
  # foobar" ``, you can issue a query `foobar`.
4150
5068
  # Corresponds to the JSON property `additionalAttributes`
4151
5069
  # @return [Hash<String,Object>]
@@ -4208,8 +5126,8 @@ module Google
4208
5126
  # projects.locations.keyRings.cryptoKeys) name or [CryptoKeyVersion](https://
4209
5127
  # cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.
4210
5128
  # cryptoKeys.cryptoKeyVersions) name. This field only presents for the purpose
4211
- # of backward compatibility. Please use the `kms_keys` field to retrieve KMS key
4212
- # information. This field is available only when the resource's Protobuf
5129
+ # of backward compatibility. Please use the `kms_keys` field to retrieve Cloud
5130
+ # KMS key information. This field is available only when the resource's Protobuf
4213
5131
  # contains it and will only be populated for [these resource types](https://
4214
5132
  # cloud.google.com/asset-inventory/docs/legacy-field-names#
4215
5133
  # resource_types_with_the_to_be_deprecated_kmskey_field) for backward compatible
@@ -4229,7 +5147,7 @@ module Google
4229
5147
  # @return [Array<String>]
4230
5148
  attr_accessor :kms_keys
4231
5149
 
4232
- # Labels associated with this resource. See [Labelling and grouping GCP
5150
+ # Labels associated with this resource. See [Labelling and grouping Google Cloud
4233
5151
  # resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-
4234
5152
  # your-google-cloud-platform-resources) for more information. This field is
4235
5153
  # available only when the resource's Protobuf contains it. To search against the
@@ -4260,12 +5178,12 @@ module Google
4260
5178
  attr_accessor :name
4261
5179
 
4262
5180
  # Network tags associated with this resource. Like labels, network tags are a
4263
- # type of annotations used to group GCP resources. See [Labelling GCP resources](
4264
- # https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-
4265
- # cloud-platform-resources) for more information. This field is available only
4266
- # when the resource's Protobuf contains it. To search against the `network_tags`:
4267
- # * Use a field query. Example: `networkTags:internal` * Use a free text query.
4268
- # Example: `internal`
5181
+ # type of annotations used to group Google Cloud resources. See [Labelling
5182
+ # Google Cloud resources](https://cloud.google.com/blog/products/gcp/labelling-
5183
+ # and-grouping-your-google-cloud-platform-resources) for more information. This
5184
+ # field is available only when the resource's Protobuf contains it. To search
5185
+ # against the `network_tags`: * Use a field query. Example: `networkTags:
5186
+ # internal` * Use a free text query. Example: `internal`
4269
5187
  # Corresponds to the JSON property `networkTags`
4270
5188
  # @return [Array<String>]
4271
5189
  attr_accessor :network_tags
@@ -4320,7 +5238,7 @@ module Google
4320
5238
  # include PROVISIONING, STAGING, RUNNING, STOPPING, SUSPENDING, SUSPENDED,
4321
5239
  # REPAIRING, and TERMINATED. See `status` definition in [API Reference](https://
4322
5240
  # cloud.google.com/compute/docs/reference/rest/v1/instances). If the resource is
4323
- # a project provided by Cloud Resource Manager, its state will include
5241
+ # a project provided by Resource Manager, its state will include
4324
5242
  # LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and DELETE_IN_PROGRESS.
4325
5243
  # See `lifecycleState` definition in [API Reference](https://cloud.google.com/
4326
5244
  # resource-manager/reference/rest/v1/projects). To search against the `state`: *
@@ -4510,8 +5428,8 @@ module Google
4510
5428
  # @return [String]
4511
5429
  attr_accessor :next_page_token
4512
5430
 
4513
- # A list of IamPolicy that match the search query. Related information such as
4514
- # the associated resource is returned along with the policy.
5431
+ # A list of IAM policies that match the search query. Related information such
5432
+ # as the associated resource is returned along with the policy.
4515
5433
  # Corresponds to the JSON property `results`
4516
5434
  # @return [Array<Google::Apis::CloudassetV1::IamPolicySearchResult>]
4517
5435
  attr_accessor :results
@@ -4673,6 +5591,68 @@ module Google
4673
5591
  end
4674
5592
  end
4675
5593
 
5594
+ # A field in TableSchema.
5595
+ class TableFieldSchema
5596
+ include Google::Apis::Core::Hashable
5597
+
5598
+ # The field name. The name must contain only letters (a-z, A-Z), numbers (0-9),
5599
+ # or underscores (_), and must start with a letter or underscore. The maximum
5600
+ # length is 128 characters.
5601
+ # Corresponds to the JSON property `field`
5602
+ # @return [String]
5603
+ attr_accessor :field
5604
+
5605
+ # Describes the nested schema fields if the type property is set to RECORD.
5606
+ # Corresponds to the JSON property `fields`
5607
+ # @return [Array<Google::Apis::CloudassetV1::TableFieldSchema>]
5608
+ attr_accessor :fields
5609
+
5610
+ # The field mode. Possible values include NULLABLE, REQUIRED and REPEATED. The
5611
+ # default value is NULLABLE.
5612
+ # Corresponds to the JSON property `mode`
5613
+ # @return [String]
5614
+ attr_accessor :mode
5615
+
5616
+ # The field data type. Possible values include * STRING * BYTES * INTEGER *
5617
+ # FLOAT * BOOLEAN * TIMESTAMP * DATE * TIME * DATETIME * GEOGRAPHY, * NUMERIC, *
5618
+ # BIGNUMERIC, * RECORD (where RECORD indicates that the field contains a nested
5619
+ # schema).
5620
+ # Corresponds to the JSON property `type`
5621
+ # @return [String]
5622
+ attr_accessor :type
5623
+
5624
+ def initialize(**args)
5625
+ update!(**args)
5626
+ end
5627
+
5628
+ # Update properties of this object
5629
+ def update!(**args)
5630
+ @field = args[:field] if args.key?(:field)
5631
+ @fields = args[:fields] if args.key?(:fields)
5632
+ @mode = args[:mode] if args.key?(:mode)
5633
+ @type = args[:type] if args.key?(:type)
5634
+ end
5635
+ end
5636
+
5637
+ # BigQuery Compatible table schema.
5638
+ class TableSchema
5639
+ include Google::Apis::Core::Hashable
5640
+
5641
+ # Describes the fields in a table.
5642
+ # Corresponds to the JSON property `fields`
5643
+ # @return [Array<Google::Apis::CloudassetV1::TableFieldSchema>]
5644
+ attr_accessor :fields
5645
+
5646
+ def initialize(**args)
5647
+ update!(**args)
5648
+ end
5649
+
5650
+ # Update properties of this object
5651
+ def update!(**args)
5652
+ @fields = args[:fields] if args.key?(:fields)
5653
+ end
5654
+ end
5655
+
4676
5656
  # An asset in Google Cloud and its temporal metadata, including the time window
4677
5657
  # when it was observed and its status during that window.
4678
5658
  class TemporalAsset
@@ -4682,7 +5662,7 @@ module Google
4682
5662
  # resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-
4683
5663
  # platform-resource-hierarchy), a resource outside the Google Cloud resource
4684
5664
  # hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy
4685
- # (e.g. Cloud IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
5665
+ # (e.g. IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
4686
5666
  # relationship). See [Supported asset types](https://cloud.google.com/asset-
4687
5667
  # inventory/docs/supported-asset-types) for more information.
4688
5668
  # Corresponds to the JSON property `asset`
@@ -4699,7 +5679,7 @@ module Google
4699
5679
  # resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-
4700
5680
  # platform-resource-hierarchy), a resource outside the Google Cloud resource
4701
5681
  # hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy
4702
- # (e.g. Cloud IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
5682
+ # (e.g. IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP
4703
5683
  # relationship). See [Supported asset types](https://cloud.google.com/asset-
4704
5684
  # inventory/docs/supported-asset-types) for more information.
4705
5685
  # Corresponds to the JSON property `priorAsset`