google-cloud-asset-v1 0.1.0

data/proto_docs/google/cloud/asset/v1/assets.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module Asset
+      module V1
+        # Temporal asset. In addition to the asset, the temporal asset includes the
+        # status of the asset and valid from and to time of it.
+        # @!attribute [rw] window
+        #   @return [Google::Cloud::Asset::V1::TimeWindow]
+        #     The time window when the asset data and state was observed.
+        # @!attribute [rw] deleted
+        #   @return [Boolean]
+        #     If the asset is deleted or not.
+        # @!attribute [rw] asset
+        #   @return [Google::Cloud::Asset::V1::Asset]
+        #     Asset.
+        class TemporalAsset
+          include Google::Protobuf::MessageExts
+          extend Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A time window of (start_time, end_time].
+        # @!attribute [rw] start_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Start time of the time window (exclusive).
+        # @!attribute [rw] end_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     End time of the time window (inclusive).
+        #     Current timestamp if not specified.
+        class TimeWindow
+          include Google::Protobuf::MessageExts
+          extend Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Cloud asset. This includes all Google Cloud Platform resources,
+        # Cloud IAM policies, and other non-GCP assets.
+        # @!attribute [rw] name
+        #   @return [String]
+        #     The full name of the asset. For example:
+        #     `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
+        #     See [Resource
+        #     Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+        #     for more information.
+        # @!attribute [rw] asset_type
+        #   @return [String]
+        #     Type of the asset. Example: "compute.googleapis.com/Disk".
+        # @!attribute [rw] resource
+        #   @return [Google::Cloud::Asset::V1::Resource]
+        #     Representation of the resource.
+        # @!attribute [rw] iam_policy
+        #   @return [Google::Iam::V1::Policy]
+        #     Representation of the actual Cloud IAM policy set on a cloud resource. For
+        #     each resource, there must be at most one Cloud IAM policy set on it.
+        # @!attribute [rw] ancestors
+        #   @return [Array<String>]
+        #     Asset's ancestry path in Cloud Resource Manager (CRM) hierarchy,
+        #     represented as a list of relative resource names. Ancestry path starts with
+        #     the closest CRM ancestor and ends at root. If the asset is a CRM
+        #     project/folder/organization, this starts from the asset itself.
+        #
+        #     Example: ["projects/123456789", "folders/5432", "organizations/1234"]
+        class Asset
+          include Google::Protobuf::MessageExts
+          extend Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Representation of a cloud resource.
+        # @!attribute [rw] version
+        #   @return [String]
+        #     The API version. Example: "v1".
+        # @!attribute [rw] discovery_document_uri
+        #   @return [String]
+        #     The URL of the discovery document containing the resource's JSON schema.
+        #     For example:
+        #     `"https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"`.
+        #     It will be left unspecified for resources without a discovery-based API,
+        #     such as Cloud Bigtable.
+        # @!attribute [rw] discovery_name
+        #   @return [String]
+        #     The JSON schema name listed in the discovery document.
+        #     Example: "Project". It will be left unspecified for resources (such as
+        #     Cloud Bigtable) without a discovery-based API.
+        # @!attribute [rw] resource_url
+        #   @return [String]
+        #     The REST URL for accessing the resource. An HTTP GET operation using this
+        #     URL returns the resource itself.
+        #     Example:
+        #     `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`.
+        #     It will be left unspecified for resources without a REST API.
+        # @!attribute [rw] parent
+        #   @return [String]
+        #     The full name of the immediate parent of this resource. See
+        #     [Resource
+        #     Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+        #     for more information.
+        #
+        #     For GCP assets, it is the parent resource defined in the [Cloud IAM policy
+        #     hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
+        #     For example:
+        #     `"//cloudresourcemanager.googleapis.com/projects/my_project_123"`.
+        #
+        #     For third-party assets, it is up to the users to define.
+        # @!attribute [rw] data
+        #   @return [Google::Protobuf::Struct]
+        #     The content of the resource, in which some sensitive fields are scrubbed
+        #     away and may not be present.
+        class Resource
+          include Google::Protobuf::MessageExts
+          extend Google::Protobuf::MessageExts::ClassMethods
+        end
+      end
+    end
+  end
+end

data/proto_docs/google/cloud/orgpolicy/v1/orgpolicy.rb

@@ -0,0 +1,307 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module OrgPolicy
+      module V1
+        # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+        # for configurations of Cloud Platform resources.
+        # @!attribute [rw] version
+        #   @return [Integer]
+        #     Version of the `Policy`. Default version is 0;
+        # @!attribute [rw] constraint
+        #   @return [String]
+        #     The name of the `Constraint` the `Policy` is configuring, for example,
+        #     `constraints/serviceuser.services`.
+        #
+        #     Immutable after creation.
+        # @!attribute [rw] etag
+        #   @return [String]
+        #     An opaque tag indicating the current version of the `Policy`, used for
+        #     concurrency control.
+        #
+        #     When the `Policy` is returned from either a `GetPolicy` or a
+        #     `ListOrgPolicy` request, this `etag` indicates the version of the current
+        #     `Policy` to use when executing a read-modify-write loop.
+        #
+        #     When the `Policy` is returned from a `GetEffectivePolicy` request, the
+        #     `etag` will be unset.
+        #
+        #     When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+        #     that was returned from a `GetOrgPolicy` request as part of a
+        #     read-modify-write loop for concurrency control. Not setting the `etag`in a
+        #     `SetOrgPolicy` request will result in an unconditional write of the
+        #     `Policy`.
+        # @!attribute [rw] update_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     The time stamp the `Policy` was previously updated. This is set by the
+        #     server, not specified by the caller, and represents the last time a call to
+        #     `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+        #     be ignored.
+        # @!attribute [rw] list_policy
+        #   @return [Google::Cloud::OrgPolicy::V1::Policy::ListPolicy]
+        #     List of values either allowed or disallowed.
+        # @!attribute [rw] boolean_policy
+        #   @return [Google::Cloud::OrgPolicy::V1::Policy::BooleanPolicy]
+        #     For boolean `Constraints`, whether to enforce the `Constraint` or not.
+        # @!attribute [rw] restore_default
+        #   @return [Google::Cloud::OrgPolicy::V1::Policy::RestoreDefault]
+        #     Restores the default behavior of the constraint; independent of
+        #     `Constraint` type.
+        class Policy
+          include Google::Protobuf::MessageExts
+          extend Google::Protobuf::MessageExts::ClassMethods
+
+          # Used in `policy_type` to specify how `list_policy` behaves at this
+          # resource.
+          #
+          # `ListPolicy` can define specific values and subtrees of Cloud Resource
+          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+          # are allowed or denied by setting the `allowed_values` and `denied_values`
+          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
+          # The `under:` prefix is used to denote resource subtree values.
+          # The `is:` prefix is used to denote specific values, and is required only
+          # if the value contains a ":". Values prefixed with "is:" are treated the
+          # same as values with no prefix.
+          # Ancestry subtrees must be in one of the following formats:
+          #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
+          #     - "folders/<folder-id>", e.g. "folders/1234"
+          #     - "organizations/<organization-id>", e.g. "organizations/1234"
+          # The `supports_under` field of the associated `Constraint`  defines whether
+          # ancestry prefixes can be used. You can set `allowed_values` and
+          # `denied_values` in the same `Policy` if `all_values` is
+          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+          # values. If `all_values` is set to either `ALLOW` or `DENY`,
+          # `allowed_values` and `denied_values` must be unset.
+          # @!attribute [rw] allowed_values
+          #   @return [Array<String>]
+          #     List of values allowed  at this resource. Can only be set if `all_values`
+          #     is set to `ALL_VALUES_UNSPECIFIED`.
+          # @!attribute [rw] denied_values
+          #   @return [Array<String>]
+          #     List of values denied at this resource. Can only be set if `all_values`
+          #     is set to `ALL_VALUES_UNSPECIFIED`.
+          # @!attribute [rw] all_values
+          #   @return [Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues]
+          #     The policy all_values state.
+          # @!attribute [rw] suggested_value
+          #   @return [String]
+          #     Optional. The Google Cloud Console will try to default to a configuration
+          #     that matches the value specified in this `Policy`. If `suggested_value`
+          #     is not set, it will inherit the value specified higher in the hierarchy,
+          #     unless `inherit_from_parent` is `false`.
+          # @!attribute [rw] inherit_from_parent
+          #   @return [Boolean]
+          #     Determines the inheritance behavior for this `Policy`.
+          #
+          #     By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+          #     anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+          #     set to `true`, then the values from the effective `Policy` of the parent
+          #     resource are inherited, meaning the values set in this `Policy` are
+          #     added to the values inherited up the hierarchy.
+          #
+          #     Setting `Policy` hierarchies that inherit both allowed values and denied
+          #     values isn't recommended in most circumstances to keep the configuration
+          #     simple and understandable. However, it is possible to set a `Policy` with
+          #     `allowed_values` set that inherits a `Policy` with `denied_values` set.
+          #     In this case, the values that are allowed must be in `allowed_values` and
+          #     not present in `denied_values`.
+          #
+          #     For example, suppose you have a `Constraint`
+          #     `constraints/serviceuser.services`, which has a `constraint_type` of
+          #     `list_constraint`, and with `constraint_default` set to `ALLOW`.
+          #     Suppose that at the Organization level, a `Policy` is applied that
+          #     restricts the allowed API activations to \\{`E1`, `E2`}. Then, if a
+          #     `Policy` is applied to a project below the Organization that has
+          #     `inherit_from_parent` set to `false` and field all_values set to DENY,
+          #     then an attempt to activate any API will be denied.
+          #
+          #     The following examples demonstrate different possible layerings for
+          #     `projects/bar` parented by `organizations/foo`:
+          #
+          #     Example 1 (no inherited values):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values:"E2"}
+          #       `projects/bar` has `inherit_from_parent` `false` and values:
+          #         \\{allowed_values: "E3" allowed_values: "E4"}
+          #     The accepted values at `organizations/foo` are `E1`, `E2`.
+          #     The accepted values at `projects/bar` are `E3`, and `E4`.
+          #
+          #     Example 2 (inherited values):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values:"E2"}
+          #       `projects/bar` has a `Policy` with values:
+          #         \\{value: "E3" value: "E4" inherit_from_parent: true}
+          #     The accepted values at `organizations/foo` are `E1`, `E2`.
+          #     The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+          #
+          #     Example 3 (inheriting both allowed and denied values):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values: "E2"}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{denied_values: "E1"}
+          #     The accepted values at `organizations/foo` are `E1`, `E2`.
+          #     The value accepted at `projects/bar` is `E2`.
+          #
+          #     Example 4 (RestoreDefault):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values:"E2"}
+          #       `projects/bar` has a `Policy` with values:
+          #         \\{RestoreDefault: \\{}}
+          #     The accepted values at `organizations/foo` are `E1`, `E2`.
+          #     The accepted values at `projects/bar` are either all or none depending on
+          #     the value of `constraint_default` (if `ALLOW`, all; if
+          #     `DENY`, none).
+          #
+          #     Example 5 (no policy inherits parent policy):
+          #       `organizations/foo` has no `Policy` set.
+          #       `projects/bar` has no `Policy` set.
+          #     The accepted values at both levels are either all or none depending on
+          #     the value of `constraint_default` (if `ALLOW`, all; if
+          #     `DENY`, none).
+          #
+          #     Example 6 (ListConstraint allowing all):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values: "E2"}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{all: ALLOW}
+          #     The accepted values at `organizations/foo` are `E1`, E2`.
+          #     Any value is accepted at `projects/bar`.
+          #
+          #     Example 7 (ListConstraint allowing none):
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "E1" allowed_values: "E2"}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{all: DENY}
+          #     The accepted values at `organizations/foo` are `E1`, E2`.
+          #     No value is accepted at `projects/bar`.
+          #
+          #     Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+          #     Given the following resource hierarchy
+          #       O1->\\{F1, F2}; F1->\\{P1}; F2->\\{P2, P3},
+          #       `organizations/foo` has a `Policy` with values:
+          #         \\{allowed_values: "under:organizations/O1"}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{allowed_values: "under:projects/P3"}
+          #         \\{denied_values: "under:folders/F2"}
+          #     The accepted values at `organizations/foo` are `organizations/O1`,
+          #       `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+          #       `projects/P3`.
+          #     The accepted values at `projects/bar` are `organizations/O1`,
+          #       `folders/F1`, `projects/P1`.
+          class ListPolicy
+            include Google::Protobuf::MessageExts
+            extend Google::Protobuf::MessageExts::ClassMethods
+
+            # This enum can be used to set `Policies` that apply to all possible
+            # configuration values rather than specific values in `allowed_values` or
+            # `denied_values`.
+            #
+            # Settting this to `ALLOW` will mean this `Policy` allows all values.
+            # Similarly, setting it to `DENY` will mean no values are allowed. If
+            # set to either `ALLOW` or `DENY,  `allowed_values` and `denied_values`
+            # must be unset. Setting this to `ALL_VALUES_UNSPECIFIED` allows for
+            # setting `allowed_values` and `denied_values`.
+            module AllValues
+              # Indicates that allowed_values or denied_values must be set.
+              ALL_VALUES_UNSPECIFIED = 0
+
+              # A policy with this set allows all values.
+              ALLOW = 1
+
+              # A policy with this set denies all values.
+              DENY = 2
+            end
+          end
+
+          # Used in `policy_type` to specify how `boolean_policy` will behave at this
+          # resource.
+          # @!attribute [rw] enforced
+          #   @return [Boolean]
+          #     If `true`, then the `Policy` is enforced. If `false`, then any
+          #     configuration is acceptable.
+          #
+          #     Suppose you have a `Constraint`
+          #     `constraints/compute.disableSerialPortAccess` with `constraint_default`
+          #     set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+          #     behavior:
+          #       - If the `Policy` at this resource has enforced set to `false`, serial
+          #         port connection attempts will be allowed.
+          #       - If the `Policy` at this resource has enforced set to `true`, serial
+          #         port connection attempts will be refused.
+          #       - If the `Policy` at this resource is `RestoreDefault`, serial port
+          #         connection attempts will be allowed.
+          #       - If no `Policy` is set at this resource or anywhere higher in the
+          #         resource hierarchy, serial port connection attempts will be allowed.
+          #       - If no `Policy` is set at this resource, but one exists higher in the
+          #         resource hierarchy, the behavior is as if the`Policy` were set at
+          #         this resource.
+          #
+          #     The following examples demonstrate the different possible layerings:
+          #
+          #     Example 1 (nearest `Constraint` wins):
+          #       `organizations/foo` has a `Policy` with:
+          #         \\{enforced: false}
+          #       `projects/bar` has no `Policy` set.
+          #     The constraint at `projects/bar` and `organizations/foo` will not be
+          #     enforced.
+          #
+          #     Example 2 (enforcement gets replaced):
+          #       `organizations/foo` has a `Policy` with:
+          #         \\{enforced: false}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{enforced: true}
+          #     The constraint at `organizations/foo` is not enforced.
+          #     The constraint at `projects/bar` is enforced.
+          #
+          #     Example 3 (RestoreDefault):
+          #       `organizations/foo` has a `Policy` with:
+          #         \\{enforced: true}
+          #       `projects/bar` has a `Policy` with:
+          #         \\{RestoreDefault: \\{}}
+          #     The constraint at `organizations/foo` is enforced.
+          #     The constraint at `projects/bar` is not enforced, because
+          #     `constraint_default` for the `Constraint` is `ALLOW`.
+          class BooleanPolicy
+            include Google::Protobuf::MessageExts
+            extend Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Ignores policies set above this resource and restores the
+          # `constraint_default` enforcement behavior of the specific `Constraint` at
+          # this resource.
+          #
+          # Suppose that `constraint_default` is set to `ALLOW` for the
+          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+          # foo.com sets a `Policy` at their Organization resource node that restricts
+          # the allowed service activations to deny all service activations. They
+          # could then set a `Policy` with the `policy_type` `restore_default` on
+          # several experimental projects, restoring the `constraint_default`
+          # enforcement of the `Constraint` for only those projects, allowing those
+          # projects to have all services activated.
+          class RestoreDefault
+            include Google::Protobuf::MessageExts
+            extend Google::Protobuf::MessageExts::ClassMethods
+          end
+        end
+      end
+    end
+  end
+end

data/proto_docs/google/iam/v1/policy.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Iam
+    module V1
+      # Defines an Identity and Access Management (IAM) policy. It is used to
+      # specify access control policies for Cloud Platform resources.
+      #
+      #
+      # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
+      # `members` to a `role`, where the members can be user accounts, Google groups,
+      # Google domains, and service accounts. A `role` is a named list of permissions
+      # defined by IAM.
+      #
+      # **Example**
+      #
+      #     {
+      #       "bindings": [
+      #         {
+      #           "role": "roles/owner",
+      #           "members": [
+      #             "user:mike@example.com",
+      #             "group:admins@example.com",
+      #             "domain:google.com",
+      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
+      #           ]
+      #         },
+      #         {
+      #           "role": "roles/viewer",
+      #           "members": ["user:sean@example.com"]
+      #         }
+      #       ]
+      #     }
+      #
+      # For a description of IAM and its features, see the
+      # [IAM developer's guide](https://cloud.google.com/iam).
+      # @!attribute [rw] version
+      #   @return [Integer]
+      #     Version of the `Policy`. The default version is 0.
+      # @!attribute [rw] bindings
+      #   @return [Array<Google::Iam::V1::Binding>]
+      #     Associates a list of `members` to a `role`.
+      #     Multiple `bindings` must not be specified for the same `role`.
+      #     `bindings` with no members will result in an error.
+      # @!attribute [rw] etag
+      #   @return [String]
+      #     `etag` is used for optimistic concurrency control as a way to help
+      #     prevent simultaneous updates of a policy from overwriting each other.
+      #     It is strongly suggested that systems make use of the `etag` in the
+      #     read-modify-write cycle to perform policy updates in order to avoid race
+      #     conditions: An `etag` is returned in the response to `getIamPolicy`, and
+      #     systems are expected to put that etag in the request to `setIamPolicy` to
+      #     ensure that their change will be applied to the same version of the policy.
+      #
+      #     If no `etag` is provided in the call to `setIamPolicy`, then the existing
+      #     policy is overwritten blindly.
+      class Policy
+        include Google::Protobuf::MessageExts
+        extend Google::Protobuf::MessageExts::ClassMethods
+      end
+
+      # Associates `members` with a `role`.
+      # @!attribute [rw] role
+      #   @return [String]
+      #     Role that is assigned to `members`.
+      #     For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+      #     Required
+      # @!attribute [rw] members
+      #   @return [Array<String>]
+      #     Specifies the identities requesting access for a Cloud Platform resource.
+      #     `members` can have the following values:
+      #
+      #     * `allUsers`: A special identifier that represents anyone who is
+      #        on the internet; with or without a Google account.
+      #
+      #     * `allAuthenticatedUsers`: A special identifier that represents anyone
+      #        who is authenticated with a Google account or a service account.
+      #
+      #     * `user:{emailid}`: An email address that represents a specific Google
+      #        account. For example, `alice@gmail.com` or `joe@example.com`.
+      #
+      #
+      #     * `serviceAccount:{emailid}`: An email address that represents a service
+      #        account. For example, `my-other-app@appspot.gserviceaccount.com`.
+      #
+      #     * `group:{emailid}`: An email address that represents a Google group.
+      #        For example, `admins@example.com`.
+      #
+      #     * `domain:{domain}`: A Google Apps domain name that represents all the
+      #        users of that domain. For example, `google.com` or `example.com`.
+      class Binding
+        include Google::Protobuf::MessageExts
+        extend Google::Protobuf::MessageExts::ClassMethods
+      end
+
+      # The difference delta between two policies.
+      # @!attribute [rw] binding_deltas
+      #   @return [Array<Google::Iam::V1::BindingDelta>]
+      #     The delta for Bindings between two policies.
+      class PolicyDelta
+        include Google::Protobuf::MessageExts
+        extend Google::Protobuf::MessageExts::ClassMethods
+      end
+
+      # One delta entry for Binding. Each individual change (only one member in each
+      # entry) to a binding will be a separate entry.
+      # @!attribute [rw] action
+      #   @return [Google::Iam::V1::BindingDelta::Action]
+      #     The action that was performed on a Binding.
+      #     Required
+      # @!attribute [rw] role
+      #   @return [String]
+      #     Role that is assigned to `members`.
+      #     For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+      #     Required
+      # @!attribute [rw] member
+      #   @return [String]
+      #     A single identity requesting access for a Cloud Platform resource.
+      #     Follows the same format of Binding.members.
+      #     Required
+      class BindingDelta
+        include Google::Protobuf::MessageExts
+        extend Google::Protobuf::MessageExts::ClassMethods
+
+        # The type of action performed on a Binding in a policy.
+        module Action
+          # Unspecified.
+          ACTION_UNSPECIFIED = 0
+
+          # Addition of a Binding.
+          ADD = 1
+
+          # Removal of a Binding.
+          REMOVE = 2
+        end
+      end
+    end
+  end
+end