google-cloud-asset-v1 0.1.0
- checksums.yaml +7 -0
- data/.yardopts +12 -0
- data/AUTHENTICATION.md +169 -0
- data/LICENSE.md +203 -0
- data/README.md +24 -0
- data/lib/google-cloud-asset-v1.rb +1 -0
- data/lib/google/cloud/asset/v1.rb +19 -0
- data/lib/google/cloud/asset/v1/asset_service.rb +21 -0
- data/lib/google/cloud/asset/v1/asset_service/client.rb +878 -0
- data/lib/google/cloud/asset/v1/asset_service/credentials.rb +51 -0
- data/lib/google/cloud/asset/v1/asset_service/helpers.rb +43 -0
- data/lib/google/cloud/asset/v1/asset_service/operations.rb +558 -0
- data/lib/google/cloud/asset/v1/asset_service/paths.rb +85 -0
- data/lib/google/cloud/asset/v1/asset_service_pb.rb +124 -0
- data/lib/google/cloud/asset/v1/asset_service_services_pb.rb +68 -0
- data/lib/google/cloud/asset/v1/assets_pb.rb +52 -0
- data/lib/google/cloud/asset/v1/version.rb +28 -0
- data/lib/google/cloud/common_resources_pb.rb +15 -0
- data/lib/google/cloud/orgpolicy/v1/orgpolicy_pb.rb +54 -0
- data/proto_docs/README.md +4 -0
- data/proto_docs/google/api/field_behavior.rb +59 -0
- data/proto_docs/google/api/resource.rb +247 -0
- data/proto_docs/google/cloud/asset/v1/asset_service.rb +347 -0
- data/proto_docs/google/cloud/asset/v1/assets.rb +132 -0
- data/proto_docs/google/cloud/orgpolicy/v1/orgpolicy.rb +307 -0
- data/proto_docs/google/iam/v1/policy.rb +156 -0
- data/proto_docs/google/longrunning/operations.rb +150 -0
- data/proto_docs/google/protobuf/any.rb +137 -0
- data/proto_docs/google/protobuf/empty.rb +36 -0
- data/proto_docs/google/protobuf/field_mask.rb +237 -0
- data/proto_docs/google/protobuf/struct.rb +96 -0
- data/proto_docs/google/protobuf/timestamp.rb +116 -0
- data/proto_docs/google/rpc/status.rb +46 -0
- metadata +201 -0
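--- a/data/proto_docs/google/cloud/asset/v1/assets.rb
+++ b/data/proto_docs/google/cloud/asset/v1/assets.rb
@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+module Cloud
+module Asset
+module V1
+# Temporal asset. In addition to the asset, the temporal asset includes the
+# status of the asset and valid from and to time of it.
+# @!attribute [rw] window
+# @return [Google::Cloud::Asset::V1::TimeWindow]
+# The time window when the asset data and state was observed.
+# @!attribute [rw] deleted
+# @return [Boolean]
+# If the asset is deleted or not.
+# @!attribute [rw] asset
+# @return [Google::Cloud::Asset::V1::Asset]
+# Asset.
+class TemporalAsset
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# A time window of (start_time, end_time].
+# @!attribute [rw] start_time
+# @return [Google::Protobuf::Timestamp]
+# Start time of the time window (exclusive).
+# @!attribute [rw] end_time
+# @return [Google::Protobuf::Timestamp]
+# End time of the time window (inclusive).
+# Current timestamp if not specified.
+class TimeWindow
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# Cloud asset. This includes all Google Cloud Platform resources,
+# Cloud IAM policies, and other non-GCP assets.
+# @!attribute [rw] name
+# @return [String]
+# The full name of the asset. For example:
+# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
+# See [Resource
+# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+# for more information.
+# @!attribute [rw] asset_type
+# @return [String]
+# Type of the asset. Example: "compute.googleapis.com/Disk".
+# @!attribute [rw] resource
+# @return [Google::Cloud::Asset::V1::Resource]
+# Representation of the resource.
+# @!attribute [rw] iam_policy
+# @return [Google::Iam::V1::Policy]
+# Representation of the actual Cloud IAM policy set on a cloud resource. For
+# each resource, there must be at most one Cloud IAM policy set on it.
+# @!attribute [rw] ancestors
+# @return [Array<String>]
+# Asset's ancestry path in Cloud Resource Manager (CRM) hierarchy,
+# represented as a list of relative resource names. Ancestry path starts with
+# the closest CRM ancestor and ends at root. If the asset is a CRM
+# project/folder/organization, this starts from the asset itself.
+#
+# Example: ["projects/123456789", "folders/5432", "organizations/1234"]
+class Asset
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# Representation of a cloud resource.
+# @!attribute [rw] version
+# @return [String]
+# The API version. Example: "v1".
+# @!attribute [rw] discovery_document_uri
+# @return [String]
+# The URL of the discovery document containing the resource's JSON schema.
+# For example:
+# `"https://www.googleapis.com/discovery/v1/apis/compute/v1/rest"`.
+# It will be left unspecified for resources without a discovery-based API,
+# such as Cloud Bigtable.
+# @!attribute [rw] discovery_name
+# @return [String]
+# The JSON schema name listed in the discovery document.
+# Example: "Project". It will be left unspecified for resources (such as
+# Cloud Bigtable) without a discovery-based API.
+# @!attribute [rw] resource_url
+# @return [String]
+# The REST URL for accessing the resource. An HTTP GET operation using this
+# URL returns the resource itself.
+# Example:
+# `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`.
+# It will be left unspecified for resources without a REST API.
+# @!attribute [rw] parent
+# @return [String]
+# The full name of the immediate parent of this resource. See
+# [Resource
+# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+# for more information.
+#
+# For GCP assets, it is the parent resource defined in the [Cloud IAM policy
+# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
+# For example:
+# `"//cloudresourcemanager.googleapis.com/projects/my_project_123"`.
+#
+# For third-party assets, it is up to the users to define.
+# @!attribute [rw] data
+# @return [Google::Protobuf::Struct]
+# The content of the resource, in which some sensitive fields are scrubbed
+# away and may not be present.
+class Resource
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+end
+end
+end
+end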
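--- a/data/proto_docs/google/cloud/orgpolicy/v1/orgpolicy.rb
+++ b/data/proto_docs/google/cloud/orgpolicy/v1/orgpolicy.rb
@@ -0,0 +1,307 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+module Cloud
+module OrgPolicy
+module V1
+# Defines a Cloud Organization `Policy` which is used to specify `Constraints`
+# for configurations of Cloud Platform resources.
+# @!attribute [rw] version
+# @return [Integer]
+# Version of the `Policy`. Default version is 0;
+# @!attribute [rw] constraint
+# @return [String]
+# The name of the `Constraint` the `Policy` is configuring, for example,
+# `constraints/serviceuser.services`.
+#
+# Immutable after creation.
+# @!attribute [rw] etag
+# @return [String]
+# An opaque tag indicating the current version of the `Policy`, used for
+# concurrency control.
+#
+# When the `Policy` is returned from either a `GetPolicy` or a
+# `ListOrgPolicy` request, this `etag` indicates the version of the current
+# `Policy` to use when executing a read-modify-write loop.
+#
+# When the `Policy` is returned from a `GetEffectivePolicy` request, the
+# `etag` will be unset.
+#
+# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+# that was returned from a `GetOrgPolicy` request as part of a
+# read-modify-write loop for concurrency control. Not setting the `etag`in a
+# `SetOrgPolicy` request will result in an unconditional write of the
+# `Policy`.
+# @!attribute [rw] update_time
+# @return [Google::Protobuf::Timestamp]
+# The time stamp the `Policy` was previously updated. This is set by the
+# server, not specified by the caller, and represents the last time a call to
+# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+# be ignored.
+# @!attribute [rw] list_policy
+# @return [Google::Cloud::OrgPolicy::V1::Policy::ListPolicy]
+# List of values either allowed or disallowed.
+# @!attribute [rw] boolean_policy
+# @return [Google::Cloud::OrgPolicy::V1::Policy::BooleanPolicy]
+# For boolean `Constraints`, whether to enforce the `Constraint` or not.
+# @!attribute [rw] restore_default
+# @return [Google::Cloud::OrgPolicy::V1::Policy::RestoreDefault]
+# Restores the default behavior of the constraint; independent of
+# `Constraint` type.
+class Policy
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+
+# Used in `policy_type` to specify how `list_policy` behaves at this
+# resource.
+#
+# `ListPolicy` can define specific values and subtrees of Cloud Resource
+# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
+# are allowed or denied by setting the `allowed_values` and `denied_values`
+# fields. This is achieved by using the `under:` and optional `is:` prefixes.
+# The `under:` prefix is used to denote resource subtree values.
+# The `is:` prefix is used to denote specific values, and is required only
+# if the value contains a ":". Values prefixed with "is:" are treated the
+# same as values with no prefix.
+# Ancestry subtrees must be in one of the following formats:
+# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
+# - "folders/<folder-id>", e.g. "folders/1234"
+# - "organizations/<organization-id>", e.g. "organizations/1234"
+# The `supports_under` field of the associated `Constraint` defines whether
+# ancestry prefixes can be used. You can set `allowed_values` and
+# `denied_values` in the same `Policy` if `all_values` is
+# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
+# values. If `all_values` is set to either `ALLOW` or `DENY`,
+# `allowed_values` and `denied_values` must be unset.
+# @!attribute [rw] allowed_values
+# @return [Array<String>]
+# List of values allowed at this resource. Can only be set if `all_values`
+# is set to `ALL_VALUES_UNSPECIFIED`.
+# @!attribute [rw] denied_values
+# @return [Array<String>]
+# List of values denied at this resource. Can only be set if `all_values`
+# is set to `ALL_VALUES_UNSPECIFIED`.
+# @!attribute [rw] all_values
+# @return [Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues]
+# The policy all_values state.
+# @!attribute [rw] suggested_value
+# @return [String]
+# Optional. The Google Cloud Console will try to default to a configuration
+# that matches the value specified in this `Policy`. If `suggested_value`
+# is not set, it will inherit the value specified higher in the hierarchy,
+# unless `inherit_from_parent` is `false`.
+# @!attribute [rw] inherit_from_parent
+# @return [Boolean]
+# Determines the inheritance behavior for this `Policy`.
+#
+# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
+# set to `true`, then the values from the effective `Policy` of the parent
+# resource are inherited, meaning the values set in this `Policy` are
+# added to the values inherited up the hierarchy.
+#
+# Setting `Policy` hierarchies that inherit both allowed values and denied
+# values isn't recommended in most circumstances to keep the configuration
+# simple and understandable. However, it is possible to set a `Policy` with
+# `allowed_values` set that inherits a `Policy` with `denied_values` set.
+# In this case, the values that are allowed must be in `allowed_values` and
+# not present in `denied_values`.
+#
+# For example, suppose you have a `Constraint`
+# `constraints/serviceuser.services`, which has a `constraint_type` of
+# `list_constraint`, and with `constraint_default` set to `ALLOW`.
+# Suppose that at the Organization level, a `Policy` is applied that
+# restricts the allowed API activations to \\{`E1`, `E2`}. Then, if a
+# `Policy` is applied to a project below the Organization that has
+# `inherit_from_parent` set to `false` and field all_values set to DENY,
+# then an attempt to activate any API will be denied.
+#
+# The following examples demonstrate different possible layerings for
+# `projects/bar` parented by `organizations/foo`:
+#
+# Example 1 (no inherited values):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values:"E2"}
+# `projects/bar` has `inherit_from_parent` `false` and values:
+# \\{allowed_values: "E3" allowed_values: "E4"}
+# The accepted values at `organizations/foo` are `E1`, `E2`.
+# The accepted values at `projects/bar` are `E3`, and `E4`.
+#
+# Example 2 (inherited values):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values:"E2"}
+# `projects/bar` has a `Policy` with values:
+# \\{value: "E3" value: "E4" inherit_from_parent: true}
+# The accepted values at `organizations/foo` are `E1`, `E2`.
+# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
+#
+# Example 3 (inheriting both allowed and denied values):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values: "E2"}
+# `projects/bar` has a `Policy` with:
+# \\{denied_values: "E1"}
+# The accepted values at `organizations/foo` are `E1`, `E2`.
+# The value accepted at `projects/bar` is `E2`.
+#
+# Example 4 (RestoreDefault):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values:"E2"}
+# `projects/bar` has a `Policy` with values:
+# \\{RestoreDefault: \\{}}
+# The accepted values at `organizations/foo` are `E1`, `E2`.
+# The accepted values at `projects/bar` are either all or none depending on
+# the value of `constraint_default` (if `ALLOW`, all; if
+# `DENY`, none).
+#
+# Example 5 (no policy inherits parent policy):
+# `organizations/foo` has no `Policy` set.
+# `projects/bar` has no `Policy` set.
+# The accepted values at both levels are either all or none depending on
+# the value of `constraint_default` (if `ALLOW`, all; if
+# `DENY`, none).
+#
+# Example 6 (ListConstraint allowing all):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values: "E2"}
+# `projects/bar` has a `Policy` with:
+# \\{all: ALLOW}
+# The accepted values at `organizations/foo` are `E1`, E2`.
+# Any value is accepted at `projects/bar`.
+#
+# Example 7 (ListConstraint allowing none):
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "E1" allowed_values: "E2"}
+# `projects/bar` has a `Policy` with:
+# \\{all: DENY}
+# The accepted values at `organizations/foo` are `E1`, E2`.
+# No value is accepted at `projects/bar`.
+#
+# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
+# Given the following resource hierarchy
+# O1->\\{F1, F2}; F1->\\{P1}; F2->\\{P2, P3},
+# `organizations/foo` has a `Policy` with values:
+# \\{allowed_values: "under:organizations/O1"}
+# `projects/bar` has a `Policy` with:
+# \\{allowed_values: "under:projects/P3"}
+# \\{denied_values: "under:folders/F2"}
+# The accepted values at `organizations/foo` are `organizations/O1`,
+# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
+# `projects/P3`.
+# The accepted values at `projects/bar` are `organizations/O1`,
+# `folders/F1`, `projects/P1`.
+class ListPolicy
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+
+# This enum can be used to set `Policies` that apply to all possible
+# configuration values rather than specific values in `allowed_values` or
+# `denied_values`.
+#
+# Settting this to `ALLOW` will mean this `Policy` allows all values.
+# Similarly, setting it to `DENY` will mean no values are allowed. If
+# set to either `ALLOW` or `DENY, `allowed_values` and `denied_values`
+# must be unset. Setting this to `ALL_VALUES_UNSPECIFIED` allows for
+# setting `allowed_values` and `denied_values`.
+module AllValues
+# Indicates that allowed_values or denied_values must be set.
+ALL_VALUES_UNSPECIFIED = 0
+
+# A policy with this set allows all values.
+ALLOW = 1
+
+# A policy with this set denies all values.
+DENY = 2
+end
+end
+
+# Used in `policy_type` to specify how `boolean_policy` will behave at this
+# resource.
+# @!attribute [rw] enforced
+# @return [Boolean]
+# If `true`, then the `Policy` is enforced. If `false`, then any
+# configuration is acceptable.
+#
+# Suppose you have a `Constraint`
+# `constraints/compute.disableSerialPortAccess` with `constraint_default`
+# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+# behavior:
+# - If the `Policy` at this resource has enforced set to `false`, serial
+# port connection attempts will be allowed.
+# - If the `Policy` at this resource has enforced set to `true`, serial
+# port connection attempts will be refused.
+# - If the `Policy` at this resource is `RestoreDefault`, serial port
+# connection attempts will be allowed.
+# - If no `Policy` is set at this resource or anywhere higher in the
+# resource hierarchy, serial port connection attempts will be allowed.
+# - If no `Policy` is set at this resource, but one exists higher in the
+# resource hierarchy, the behavior is as if the`Policy` were set at
+# this resource.
+#
+# The following examples demonstrate the different possible layerings:
+#
+# Example 1 (nearest `Constraint` wins):
+# `organizations/foo` has a `Policy` with:
+# \\{enforced: false}
+# `projects/bar` has no `Policy` set.
+# The constraint at `projects/bar` and `organizations/foo` will not be
+# enforced.
+#
+# Example 2 (enforcement gets replaced):
+# `organizations/foo` has a `Policy` with:
+# \\{enforced: false}
+# `projects/bar` has a `Policy` with:
+# \\{enforced: true}
+# The constraint at `organizations/foo` is not enforced.
+# The constraint at `projects/bar` is enforced.
+#
+# Example 3 (RestoreDefault):
+# `organizations/foo` has a `Policy` with:
+# \\{enforced: true}
+# `projects/bar` has a `Policy` with:
+# \\{RestoreDefault: \\{}}
+# The constraint at `organizations/foo` is enforced.
+# The constraint at `projects/bar` is not enforced, because
+# `constraint_default` for the `Constraint` is `ALLOW`.
+class BooleanPolicy
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# Ignores policies set above this resource and restores the
+# `constraint_default` enforcement behavior of the specific `Constraint` at
+# this resource.
+#
+# Suppose that `constraint_default` is set to `ALLOW` for the
+# `Constraint` `constraints/serviceuser.services`. Suppose that organization
+# foo.com sets a `Policy` at their Organization resource node that restricts
+# the allowed service activations to deny all service activations. They
+# could then set a `Policy` with the `policy_type` `restore_default` on
+# several experimental projects, restoring the `constraint_default`
+# enforcement of the `Constraint` for only those projects, allowing those
+# projects to have all services activated.
+class RestoreDefault
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+end
+end
+end
+end
+end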
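--- a/data/proto_docs/google/iam/v1/policy.rb
+++ b/data/proto_docs/google/iam/v1/policy.rb
@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+module Iam
+module V1
+# Defines an Identity and Access Management (IAM) policy. It is used to
+# specify access control policies for Cloud Platform resources.
+#
+#
+# A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
+# `members` to a `role`, where the members can be user accounts, Google groups,
+# Google domains, and service accounts. A `role` is a named list of permissions
+# defined by IAM.
+#
+# **Example**
+#
+# {
+# "bindings": [
+# {
+# "role": "roles/owner",
+# "members": [
+# "user:mike@example.com",
+# "group:admins@example.com",
+# "domain:google.com",
+# "serviceAccount:my-other-app@appspot.gserviceaccount.com",
+# ]
+# },
+# {
+# "role": "roles/viewer",
+# "members": ["user:sean@example.com"]
+# }
+# ]
+# }
+#
+# For a description of IAM and its features, see the
+# [IAM developer's guide](https://cloud.google.com/iam).
+# @!attribute [rw] version
+# @return [Integer]
+# Version of the `Policy`. The default version is 0.
+# @!attribute [rw] bindings
+# @return [Array<Google::Iam::V1::Binding>]
+# Associates a list of `members` to a `role`.
+# Multiple `bindings` must not be specified for the same `role`.
+# `bindings` with no members will result in an error.
+# @!attribute [rw] etag
+# @return [String]
+# `etag` is used for optimistic concurrency control as a way to help
+# prevent simultaneous updates of a policy from overwriting each other.
+# It is strongly suggested that systems make use of the `etag` in the
+# read-modify-write cycle to perform policy updates in order to avoid race
+# conditions: An `etag` is returned in the response to `getIamPolicy`, and
+# systems are expected to put that etag in the request to `setIamPolicy` to
+# ensure that their change will be applied to the same version of the policy.
+#
+# If no `etag` is provided in the call to `setIamPolicy`, then the existing
+# policy is overwritten blindly.
+class Policy
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# Associates `members` with a `role`.
+# @!attribute [rw] role
+# @return [String]
+# Role that is assigned to `members`.
+# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+# Required
+# @!attribute [rw] members
+# @return [Array<String>]
+# Specifies the identities requesting access for a Cloud Platform resource.
+# `members` can have the following values:
+#
+# * `allUsers`: A special identifier that represents anyone who is
+# on the internet; with or without a Google account.
+#
+# * `allAuthenticatedUsers`: A special identifier that represents anyone
+# who is authenticated with a Google account or a service account.
+#
+# * `user:{emailid}`: An email address that represents a specific Google
+# account. For example, `alice@gmail.com` or `joe@example.com`.
+#
+#
+# * `serviceAccount:{emailid}`: An email address that represents a service
+# account. For example, `my-other-app@appspot.gserviceaccount.com`.
+#
+# * `group:{emailid}`: An email address that represents a Google group.
+# For example, `admins@example.com`.
+#
+# * `domain:{domain}`: A Google Apps domain name that represents all the
+# users of that domain. For example, `google.com` or `example.com`.
+class Binding
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# The difference delta between two policies.
+# @!attribute [rw] binding_deltas
+# @return [Array<Google::Iam::V1::BindingDelta>]
+# The delta for Bindings between two policies.
+class PolicyDelta
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+end
+
+# One delta entry for Binding. Each individual change (only one member in each
+# entry) to a binding will be a separate entry.
+# @!attribute [rw] action
+# @return [Google::Iam::V1::BindingDelta::Action]
+# The action that was performed on a Binding.
+# Required
+# @!attribute [rw] role
+# @return [String]
+# Role that is assigned to `members`.
+# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+# Required
+# @!attribute [rw] member
+# @return [String]
+# A single identity requesting access for a Cloud Platform resource.
+# Follows the same format of Binding.members.
+# Required
+class BindingDelta
+include Google::Protobuf::MessageExts
+extend Google::Protobuf::MessageExts::ClassMethods
+
+# The type of action performed on a Binding in a policy.
+module Action
+# Unspecified.
+ACTION_UNSPECIFIED = 0
+
+# Addition of a Binding.
+ADD = 1
+
+# Removal of a Binding.
+REMOVE = 2
+end
+end
+end
+end
+end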