google-cloud-asset-v1 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdcc2e83db40233f1befd4a49eaefcc8413c2e63776e28b57fb8dc04e2aea242
-  data.tar.gz: f7cb4b908edd07903704e70253b5d463eef7bebcb9bc6be41c831f28c3f492a3
+  metadata.gz: e4cf188086cd7f80f9cf6ac3cfd9087be5e9f1e3c99d561755f5c6be11964a4a
+  data.tar.gz: ebf6196b50e1bfe2742f4f25cb56fc5f9f94a5ea0e7a7255b88c2da7ec64eb5d
 SHA512:
-  metadata.gz: 910dbd1ac96ef4ba986fe54a720b8fe09874cf979c26760a36c4bd2b545683deae28cf5de524ad6058a678bf3729a10085cc06b6fbeef459e44ac3663c4018ca
-  data.tar.gz: '018c465294f4b2422c00f3535f5e0fb338617fb6e1c4b4213b4748067e71920f3d419355ff3b7356f5d215b60a0cb1dbf36b626dc5fa12db845861c3ce10d8d5'
+  metadata.gz: 30c335c506ddcc5be42c1058459df6173be542f1b55b1484992ddc694b1d4417b945a8b210f45e2fe2601858090682588feec9c1d470ea666fa6945689d6c073
+  data.tar.gz: d0b11a7c2f908675d474bb85099597e70f51b6a3f3d0cc2793dd3e936c57ad5ccff4ff9a6ce478c8be79b1116bd39a9ea2eab6666955db93886ad93f5c65cd3c

data/lib/google/cloud/asset/v1/asset_service/client.rb

@@ -188,10 +188,10 @@ module Google
             #     or a folder number (such as "folders/123").
             #   @param read_time [Google::Protobuf::Timestamp | Hash]
             #     Timestamp to take an asset snapshot. This can only be set to a timestamp
-            #     between 2018-10-02 UTC (inclusive) and the current time. If not specified,
-            #     the current time will be used. Due to delays in resource data collection
-            #     and indexing, there is a volatile window during which running the same
-            #     query may get different results.
+            #     between the current time and the current time minus 35 days (inclusive).
+            #     If not specified, the current time will be used. Due to delays in resource
+            #     data collection and indexing, there is a volatile window during which
+            #     running the same query may get different results.
             #   @param asset_types [Array<String>]
             #     A list of asset types of which to take a snapshot for. For example:
             #     "compute.googleapis.com/Disk". If specified, only matching assets will be
@@ -293,11 +293,11 @@ module Google
             #     Optional. The content type.
             #   @param read_time_window [Google::Cloud::Asset::V1::TimeWindow | Hash]
             #     Optional. The time window for the asset history. Both start_time and
-            #     end_time are optional and if set, it must be after 2018-10-02 UTC. If
-            #     end_time is not set, it is default to current timestamp. If start_time is
-            #     not set, the snapshot of the assets at end_time will be returned. The
-            #     returned results contain all temporal assets whose time window overlap with
-            #     read_time_window.
+            #     end_time are optional and if set, it must be after the current time minus
+            #     35 days. If end_time is not set, it is default to current timestamp.
+            #     If start_time is not set, the snapshot of the assets at end_time will be
+            #     returned. The returned results contain all temporal assets whose time
+            #     window overlap with read_time_window.
             #
             #
             # @yield [response, operation] Access the result along with the RPC operation

data/lib/google/cloud/asset/v1/asset_service_pb.rb

@@ -12,6 +12,7 @@ require 'google/longrunning/operations_pb'
 require 'google/protobuf/empty_pb'
 require 'google/protobuf/field_mask_pb'
 require 'google/protobuf/timestamp_pb'
+require 'google/type/expr_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/asset/v1/asset_service.proto", :syntax => :proto3) do
     add_message "google.cloud.asset.v1.ExportAssetsRequest" do

data/lib/google/cloud/asset/v1/asset_service_services_pb.rb

@@ -1,7 +1,7 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # Source: google/cloud/asset/v1/asset_service.proto for package 'google.cloud.asset.v1'
 # Original file comments:
-# Copyright 2019 Google LLC.
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-#
 
 require 'grpc'
 require 'google/cloud/asset/v1/asset_service_pb'

data/lib/google/cloud/asset/v1/assets_pb.rb

@@ -4,7 +4,11 @@
 require 'google/protobuf'
 
 require 'google/api/resource_pb'
+require 'google/cloud/orgpolicy/v1/orgpolicy_pb'
 require 'google/iam/v1/policy_pb'
+require 'google/identity/accesscontextmanager/v1/access_level_pb'
+require 'google/identity/accesscontextmanager/v1/access_policy_pb'
+require 'google/identity/accesscontextmanager/v1/service_perimeter_pb'
 require 'google/protobuf/any_pb'
 require 'google/protobuf/struct_pb'
 require 'google/protobuf/timestamp_pb'
@@ -25,7 +29,13 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :asset_type, :string, 2
       optional :resource, :message, 3, "google.cloud.asset.v1.Resource"
       optional :iam_policy, :message, 4, "google.iam.v1.Policy"
+      repeated :org_policy, :message, 6, "google.cloud.orgpolicy.v1.Policy"
       repeated :ancestors, :string, 10
+      oneof :access_context_policy do
+        optional :access_policy, :message, 7, "google.identity.accesscontextmanager.v1.AccessPolicy"
+        optional :access_level, :message, 8, "google.identity.accesscontextmanager.v1.AccessLevel"
+        optional :service_perimeter, :message, 9, "google.identity.accesscontextmanager.v1.ServicePerimeter"
+      end
     end
     add_message "google.cloud.asset.v1.Resource" do
       optional :version, :string, 1

data/lib/google/cloud/asset/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Asset
       module V1
-        VERSION = "0.1.0"
+        VERSION = "0.2.0"
       end
     end
   end

data/lib/google/identity/accesscontextmanager/type/device_resources_pb.rb

@@ -0,0 +1,43 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/identity/accesscontextmanager/type/device_resources.proto
+
+require 'google/protobuf'
+
+require 'google/api/annotations_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/identity/accesscontextmanager/type/device_resources.proto", :syntax => :proto3) do
+    add_enum "google.identity.accesscontextmanager.type.DeviceEncryptionStatus" do
+      value :ENCRYPTION_UNSPECIFIED, 0
+      value :ENCRYPTION_UNSUPPORTED, 1
+      value :UNENCRYPTED, 2
+      value :ENCRYPTED, 3
+    end
+    add_enum "google.identity.accesscontextmanager.type.OsType" do
+      value :OS_UNSPECIFIED, 0
+      value :DESKTOP_MAC, 1
+      value :DESKTOP_WINDOWS, 2
+      value :DESKTOP_LINUX, 3
+      value :DESKTOP_CHROME_OS, 6
+      value :ANDROID, 4
+      value :IOS, 5
+    end
+    add_enum "google.identity.accesscontextmanager.type.DeviceManagementLevel" do
+      value :MANAGEMENT_UNSPECIFIED, 0
+      value :NONE, 1
+      value :BASIC, 2
+      value :COMPLETE, 3
+    end
+  end
+end
+
+module Google
+  module Identity
+    module AccessContextManager
+      module Type
+        DeviceEncryptionStatus = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.type.DeviceEncryptionStatus").enummodule
+        OsType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.type.OsType").enummodule
+        DeviceManagementLevel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.type.DeviceManagementLevel").enummodule
+      end
+    end
+  end
+end

data/lib/google/identity/accesscontextmanager/v1/access_level_pb.rb

@@ -0,0 +1,72 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/identity/accesscontextmanager/v1/access_level.proto
+
+require 'google/protobuf'
+
+require 'google/identity/accesscontextmanager/type/device_resources_pb'
+require 'google/protobuf/timestamp_pb'
+require 'google/type/expr_pb'
+require 'google/api/annotations_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/identity/accesscontextmanager/v1/access_level.proto", :syntax => :proto3) do
+    add_message "google.identity.accesscontextmanager.v1.AccessLevel" do
+      optional :name, :string, 1
+      optional :title, :string, 2
+      optional :description, :string, 3
+      optional :create_time, :message, 6, "google.protobuf.Timestamp"
+      optional :update_time, :message, 7, "google.protobuf.Timestamp"
+      oneof :level do
+        optional :basic, :message, 4, "google.identity.accesscontextmanager.v1.BasicLevel"
+        optional :custom, :message, 5, "google.identity.accesscontextmanager.v1.CustomLevel"
+      end
+    end
+    add_message "google.identity.accesscontextmanager.v1.BasicLevel" do
+      repeated :conditions, :message, 1, "google.identity.accesscontextmanager.v1.Condition"
+      optional :combining_function, :enum, 2, "google.identity.accesscontextmanager.v1.BasicLevel.ConditionCombiningFunction"
+    end
+    add_enum "google.identity.accesscontextmanager.v1.BasicLevel.ConditionCombiningFunction" do
+      value :AND, 0
+      value :OR, 1
+    end
+    add_message "google.identity.accesscontextmanager.v1.Condition" do
+      repeated :ip_subnetworks, :string, 1
+      optional :device_policy, :message, 2, "google.identity.accesscontextmanager.v1.DevicePolicy"
+      repeated :required_access_levels, :string, 3
+      optional :negate, :bool, 5
+      repeated :members, :string, 6
+      repeated :regions, :string, 7
+    end
+    add_message "google.identity.accesscontextmanager.v1.CustomLevel" do
+      optional :expr, :message, 1, "google.type.Expr"
+    end
+    add_message "google.identity.accesscontextmanager.v1.DevicePolicy" do
+      optional :require_screenlock, :bool, 1
+      repeated :allowed_encryption_statuses, :enum, 2, "google.identity.accesscontextmanager.type.DeviceEncryptionStatus"
+      repeated :os_constraints, :message, 3, "google.identity.accesscontextmanager.v1.OsConstraint"
+      repeated :allowed_device_management_levels, :enum, 6, "google.identity.accesscontextmanager.type.DeviceManagementLevel"
+      optional :require_admin_approval, :bool, 7
+      optional :require_corp_owned, :bool, 8
+    end
+    add_message "google.identity.accesscontextmanager.v1.OsConstraint" do
+      optional :os_type, :enum, 1, "google.identity.accesscontextmanager.type.OsType"
+      optional :minimum_version, :string, 2
+      optional :require_verified_chrome_os, :bool, 3
+    end
+  end
+end
+
+module Google
+  module Identity
+    module AccessContextManager
+      module V1
+        AccessLevel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.AccessLevel").msgclass
+        BasicLevel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.BasicLevel").msgclass
+        BasicLevel::ConditionCombiningFunction = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.BasicLevel.ConditionCombiningFunction").enummodule
+        Condition = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.Condition").msgclass
+        CustomLevel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.CustomLevel").msgclass
+        DevicePolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.DevicePolicy").msgclass
+        OsConstraint = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.OsConstraint").msgclass
+      end
+    end
+  end
+end

data/lib/google/identity/accesscontextmanager/v1/access_policy_pb.rb

@@ -0,0 +1,29 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/identity/accesscontextmanager/v1/access_policy.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/timestamp_pb'
+require 'google/api/annotations_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/identity/accesscontextmanager/v1/access_policy.proto", :syntax => :proto3) do
+    add_message "google.identity.accesscontextmanager.v1.AccessPolicy" do
+      optional :name, :string, 1
+      optional :parent, :string, 2
+      optional :title, :string, 3
+      optional :create_time, :message, 4, "google.protobuf.Timestamp"
+      optional :update_time, :message, 5, "google.protobuf.Timestamp"
+      optional :etag, :string, 6
+    end
+  end
+end
+
+module Google
+  module Identity
+    module AccessContextManager
+      module V1
+        AccessPolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.AccessPolicy").msgclass
+      end
+    end
+  end
+end

data/lib/google/identity/accesscontextmanager/v1/service_perimeter_pb.rb

@@ -0,0 +1,49 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/identity/accesscontextmanager/v1/service_perimeter.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/timestamp_pb'
+require 'google/api/annotations_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/identity/accesscontextmanager/v1/service_perimeter.proto", :syntax => :proto3) do
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeter" do
+      optional :name, :string, 1
+      optional :title, :string, 2
+      optional :description, :string, 3
+      optional :create_time, :message, 4, "google.protobuf.Timestamp"
+      optional :update_time, :message, 5, "google.protobuf.Timestamp"
+      optional :perimeter_type, :enum, 6, "google.identity.accesscontextmanager.v1.ServicePerimeter.PerimeterType"
+      optional :status, :message, 7, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig"
+      optional :spec, :message, 8, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig"
+      optional :use_explicit_dry_run_spec, :bool, 9
+    end
+    add_enum "google.identity.accesscontextmanager.v1.ServicePerimeter.PerimeterType" do
+      value :PERIMETER_TYPE_REGULAR, 0
+      value :PERIMETER_TYPE_BRIDGE, 1
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig" do
+      repeated :resources, :string, 1
+      repeated :access_levels, :string, 2
+      repeated :restricted_services, :string, 4
+      optional :vpc_accessible_services, :message, 10, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices" do
+      optional :enable_restriction, :bool, 1
+      repeated :allowed_services, :string, 2
+    end
+  end
+end
+
+module Google
+  module Identity
+    module AccessContextManager
+      module V1
+        ServicePerimeter = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeter").msgclass
+        ServicePerimeter::PerimeterType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeter.PerimeterType").enummodule
+        ServicePerimeterConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig").msgclass
+        ServicePerimeterConfig::VpcAccessibleServices = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices").msgclass
+      end
+    end
+  end
+end

data/proto_docs/google/cloud/asset/v1/asset_service.rb

@@ -31,10 +31,10 @@ module Google
         # @!attribute [rw] read_time
         #   @return [Google::Protobuf::Timestamp]
         #     Timestamp to take an asset snapshot. This can only be set to a timestamp
-        #     between 2018-10-02 UTC (inclusive) and the current time. If not specified,
-        #     the current time will be used. Due to delays in resource data collection
-        #     and indexing, there is a volatile window during which running the same
-        #     query may get different results.
+        #     between the current time and the current time minus 35 days (inclusive).
+        #     If not specified, the current time will be used. Due to delays in resource
+        #     data collection and indexing, there is a volatile window during which
+        #     running the same query may get different results.
         # @!attribute [rw] asset_types
         #   @return [Array<String>]
         #     A list of asset types of which to take a snapshot for. For example:
@@ -94,11 +94,11 @@ module Google
         # @!attribute [rw] read_time_window
         #   @return [Google::Cloud::Asset::V1::TimeWindow]
         #     Optional. The time window for the asset history. Both start_time and
-        #     end_time are optional and if set, it must be after 2018-10-02 UTC. If
-        #     end_time is not set, it is default to current timestamp. If start_time is
-        #     not set, the snapshot of the assets at end_time will be returned. The
-        #     returned results contain all temporal assets whose time window overlap with
-        #     read_time_window.
+        #     end_time are optional and if set, it must be after the current time minus
+        #     35 days. If end_time is not set, it is default to current timestamp.
+        #     If start_time is not set, the snapshot of the assets at end_time will be
+        #     returned. The returned results contain all temporal assets whose time
+        #     window overlap with read_time_window.
         class BatchGetAssetsHistoryRequest
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
@@ -242,7 +242,7 @@ module Google
         #     Required. The BigQuery dataset in format
         #     "projects/projectId/datasets/datasetId", to which the snapshot result
         #     should be exported. If this dataset does not exist, the export call returns
-        #     an error.
+        #     an INVALID_ARGUMENT error.
         # @!attribute [rw] table
         #   @return [String]
         #     Required. The BigQuery table to which the snapshot result should be
@@ -252,17 +252,17 @@ module Google
         #   @return [Boolean]
         #     If the destination table already exists and this flag is `TRUE`, the
         #     table will be overwritten by the contents of assets snapshot. If the flag
-        #     is not set and the destination table already exists, the export call
-        #     returns an error.
+        #     is `FALSE` or unset and the destination table already exists, the export
+        #     call returns an INVALID_ARGUMEMT error.
         class BigQueryDestination
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # A Cloud Pubsub destination.
+        # A Pub/Sub destination.
         # @!attribute [rw] topic
         #   @return [String]
-        #     The name of the Cloud Pub/Sub topic to publish to.
+        #     The name of the Pub/Sub topic to publish to.
         #     For example: `projects/PROJECT_ID/topics/TOPIC_ID`.
         class PubsubDestination
           include Google::Protobuf::MessageExts
@@ -272,7 +272,7 @@ module Google
         # Output configuration for asset feed destination.
         # @!attribute [rw] pubsub_destination
         #   @return [Google::Cloud::Asset::V1::PubsubDestination]
-        #     Destination on Cloud Pubsub.
+        #     Destination on Pub/Sub.
         class FeedOutputConfig
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
@@ -282,7 +282,7 @@ module Google
         # An asset feed filter controls what updates are exported.
         # The asset feed must be created within a project, organization, or
         # folder. Supported destinations are:
-        # Cloud Pub/Sub topics.
+        # Pub/Sub topics.
         # @!attribute [rw] name
         #   @return [String]
         #     Required. The format will be
@@ -307,10 +307,11 @@ module Google
         #     A list of types of the assets to receive updates. You must specify either
         #     or both of asset_names and asset_types. Only asset updates matching
         #     specified asset_names and asset_types are exported to the feed.
-        #     For example:
-        #     "compute.googleapis.com/Disk" See [Introduction to Cloud Asset
-        #     Inventory](https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview)
-        #     for all supported asset types.
+        #     For example: `"compute.googleapis.com/Disk"`
+        #
+        #     See [this
+        #     topic](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
+        #     for a list of all supported asset types.
         # @!attribute [rw] content_type
         #   @return [Google::Cloud::Asset::V1::ContentType]
         #     Asset content type. If not specified, no content but the asset name and

data/proto_docs/google/cloud/asset/v1/assets.rb

@@ -21,90 +21,122 @@ module Google
   module Cloud
     module Asset
       module V1
-        # Temporal asset. In addition to the asset, the temporal asset includes the
-        # status of the asset and valid from and to time of it.
+        # An asset in Google Cloud and its temporal metadata, including the time window
+        # when it was observed and its status during that window.
         # @!attribute [rw] window
         #   @return [Google::Cloud::Asset::V1::TimeWindow]
         #     The time window when the asset data and state was observed.
         # @!attribute [rw] deleted
         #   @return [Boolean]
-        #     If the asset is deleted or not.
+        #     Whether the asset has been deleted or not.
         # @!attribute [rw] asset
         #   @return [Google::Cloud::Asset::V1::Asset]
-        #     Asset.
+        #     An asset in Google Cloud.
         class TemporalAsset
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # A time window of (start_time, end_time].
+        # A time window specified by its "start_time" and "end_time".
         # @!attribute [rw] start_time
         #   @return [Google::Protobuf::Timestamp]
         #     Start time of the time window (exclusive).
         # @!attribute [rw] end_time
         #   @return [Google::Protobuf::Timestamp]
-        #     End time of the time window (inclusive).
-        #     Current timestamp if not specified.
+        #     End time of the time window (inclusive). If not specified, the current
+        #     timestamp is used instead.
         class TimeWindow
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Cloud asset. This includes all Google Cloud Platform resources,
-        # Cloud IAM policies, and other non-GCP assets.
+        # An asset in Google Cloud. An asset can be any resource in the Google Cloud
+        # [resource
+        # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
+        # a resource outside the Google Cloud resource hierarchy (such as Google
+        # Kubernetes Engine clusters and objects), or a Cloud IAM policy.
         # @!attribute [rw] name
         #   @return [String]
         #     The full name of the asset. For example:
-        #     `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
+        #     "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1"
+        #
         #     See [Resource
-        #     Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+        #     names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
         #     for more information.
         # @!attribute [rw] asset_type
         #   @return [String]
-        #     Type of the asset. Example: "compute.googleapis.com/Disk".
+        #     The type of the asset. For example: "compute.googleapis.com/Disk"
+        #
+        #     See [Supported asset
+        #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
+        #     for more information.
         # @!attribute [rw] resource
         #   @return [Google::Cloud::Asset::V1::Resource]
-        #     Representation of the resource.
+        #     A representation of the resource.
         # @!attribute [rw] iam_policy
         #   @return [Google::Iam::V1::Policy]
-        #     Representation of the actual Cloud IAM policy set on a cloud resource. For
-        #     each resource, there must be at most one Cloud IAM policy set on it.
+        #     A representation of the Cloud IAM policy set on a Google Cloud resource.
+        #     There can be a maximum of one Cloud IAM policy set on any given resource.
+        #     In addition, Cloud IAM policies inherit their granted access scope from any
+        #     policies set on parent resources in the resource hierarchy. Therefore, the
+        #     effectively policy is the union of both the policy set on this resource
+        #     and each policy set on all of the resource's ancestry resource levels in
+        #     the hierarchy. See
+        #     [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for
+        #     more information.
+        # @!attribute [rw] org_policy
+        #   @return [Array<Google::Cloud::OrgPolicy::V1::Policy>]
+        #     A representation of an [organization
+        #     policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
+        #     There can be more than one organization policy with different constraints
+        #     set on a given resource.
+        # @!attribute [rw] access_policy
+        #   @return [Google::Identity::AccessContextManager::V1::AccessPolicy]
+        # @!attribute [rw] access_level
+        #   @return [Google::Identity::AccessContextManager::V1::AccessLevel]
+        # @!attribute [rw] service_perimeter
+        #   @return [Google::Identity::AccessContextManager::V1::ServicePerimeter]
         # @!attribute [rw] ancestors
         #   @return [Array<String>]
-        #     Asset's ancestry path in Cloud Resource Manager (CRM) hierarchy,
-        #     represented as a list of relative resource names. Ancestry path starts with
-        #     the closest CRM ancestor and ends at root. If the asset is a CRM
-        #     project/folder/organization, this starts from the asset itself.
+        #     The ancestry path of an asset in Google Cloud [resource
+        #     hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
+        #     represented as a list of relative resource names. An ancestry path starts
+        #     with the closest ancestor in the hierarchy and ends at root. If the asset
+        #     is a project, folder, or organization, the ancestry path starts from the
+        #     asset itself.
         #
-        #     Example: ["projects/123456789", "folders/5432", "organizations/1234"]
+        #     For example: `["projects/123456789", "folders/5432", "organizations/1234"]`
         class Asset
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Representation of a cloud resource.
+        # A representation of a Google Cloud resource.
         # @!attribute [rw] version
         #   @return [String]
-        #     The API version. Example: "v1".
+        #     The API version. For example: "v1"
         # @!attribute [rw] discovery_document_uri
         #   @return [String]
         #     The URL of the discovery document containing the resource's JSON schema.
         #     For example:
-        #     `"https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"`.
-        #     It will be left unspecified for resources without a discovery-based API,
-        #     such as Cloud Bigtable.
+        #     "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"
+        #
+        #     This value is unspecified for resources that do not have an API based on a
+        #     discovery document, such as Cloud Bigtable.
         # @!attribute [rw] discovery_name
         #   @return [String]
-        #     The JSON schema name listed in the discovery document.
-        #     Example: "Project". It will be left unspecified for resources (such as
-        #     Cloud Bigtable) without a discovery-based API.
+        #     The JSON schema name listed in the discovery document. For example:
+        #     "Project"
+        #
+        #     This value is unspecified for resources that do not have an API based on a
+        #     discovery document, such as Cloud Bigtable.
         # @!attribute [rw] resource_url
         #   @return [String]
-        #     The REST URL for accessing the resource. An HTTP GET operation using this
-        #     URL returns the resource itself.
-        #     Example:
-        #     `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`.
-        #     It will be left unspecified for resources without a REST API.
+        #     The REST URL for accessing the resource. An HTTP `GET` request using this
+        #     URL returns the resource itself. For example:
+        #     "https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123"
+        #
+        #     This value is unspecified for resources without a REST API.
         # @!attribute [rw] parent
         #   @return [String]
         #     The full name of the immediate parent of this resource. See
@@ -112,16 +144,17 @@ module Google
         #     Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
         #     for more information.
         #
-        #     For GCP assets, it is the parent resource defined in the [Cloud IAM policy
+        #     For Google Cloud assets, this value is the parent resource defined in the
+        #     [Cloud IAM policy
         #     hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
         #     For example:
-        #     `"//cloudresourcemanager.googleapis.com/projects/my_project_123"`.
+        #     "//cloudresourcemanager.googleapis.com/projects/my_project_123"
         #
-        #     For third-party assets, it is up to the users to define.
+        #     For third-party assets, this field may be set differently.
         # @!attribute [rw] data
         #   @return [Google::Protobuf::Struct]
-        #     The content of the resource, in which some sensitive fields are scrubbed
-        #     away and may not be present.
+        #     The content of the resource, in which some sensitive fields are removed
+        #     and may not be present.
         class Resource
           include Google::Protobuf::MessageExts
           extend Google::Protobuf::MessageExts::ClassMethods