google-cloud-asset-v1 0.13.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -140,6 +140,10 @@ module Google
140
140
  # A representation of runtime OS Inventory information. See [this
141
141
  # topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
142
142
  # for more information.
143
+ # @!attribute [rw] related_assets
144
+ # @return [::Google::Cloud::Asset::V1::RelatedAssets]
145
+ # The related assets of the asset of one relationship type.
146
+ # One asset only represents one type of relationship.
143
147
  # @!attribute [rw] ancestors
144
148
  # @return [::Array<::String>]
145
149
  # The ancestry path of an asset in Google Cloud [resource
@@ -208,6 +212,74 @@ module Google
208
212
  extend ::Google::Protobuf::MessageExts::ClassMethods
209
213
  end
210
214
 
215
+ # The detailed related assets with the `relationship_type`.
216
+ # @!attribute [rw] relationship_attributes
217
+ # @return [::Google::Cloud::Asset::V1::RelationshipAttributes]
218
+ # The detailed relationship attributes.
219
+ # @!attribute [rw] assets
220
+ # @return [::Array<::Google::Cloud::Asset::V1::RelatedAsset>]
221
+ # The peer resources of the relationship.
222
+ class RelatedAssets
223
+ include ::Google::Protobuf::MessageExts
224
+ extend ::Google::Protobuf::MessageExts::ClassMethods
225
+ end
226
+
227
+ # The relationship attributes which include `type`, `source_resource_type`,
228
+ # `target_resource_type` and `action`.
229
+ # @!attribute [rw] type
230
+ # @return [::String]
231
+ # The unique identifier of the relationship type. Example:
232
+ # `INSTANCE_TO_INSTANCEGROUP`
233
+ # @!attribute [rw] source_resource_type
234
+ # @return [::String]
235
+ # The source asset type. Example: `compute.googleapis.com/Instance`
236
+ # @!attribute [rw] target_resource_type
237
+ # @return [::String]
238
+ # The target asset type. Example: `compute.googleapis.com/Disk`
239
+ # @!attribute [rw] action
240
+ # @return [::String]
241
+ # The detail of the relationship, e.g. `contains`, `attaches`
242
+ class RelationshipAttributes
243
+ include ::Google::Protobuf::MessageExts
244
+ extend ::Google::Protobuf::MessageExts::ClassMethods
245
+ end
246
+
247
+ # An asset identify in Google Cloud which contains its name, type and
248
+ # ancestors. An asset can be any resource in the Google Cloud [resource
249
+ # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
250
+ # a resource outside the Google Cloud resource hierarchy (such as Google
251
+ # Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
252
+ # See [Supported asset
253
+ # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
254
+ # for more information.
255
+ # @!attribute [rw] asset
256
+ # @return [::String]
257
+ # The full name of the asset. Example:
258
+ # `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
259
+ #
260
+ # See [Resource
261
+ # names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
262
+ # for more information.
263
+ # @!attribute [rw] asset_type
264
+ # @return [::String]
265
+ # The type of the asset. Example: `compute.googleapis.com/Disk`
266
+ #
267
+ # See [Supported asset
268
+ # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
269
+ # for more information.
270
+ # @!attribute [rw] ancestors
271
+ # @return [::Array<::String>]
272
+ # The ancestors of an asset in Google Cloud [resource
273
+ # hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
274
+ # represented as a list of relative resource names. An ancestry path starts
275
+ # with the closest ancestor in the hierarchy and ends at root.
276
+ #
277
+ # Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
278
+ class RelatedAsset
279
+ include ::Google::Protobuf::MessageExts
280
+ extend ::Google::Protobuf::MessageExts::ClassMethods
281
+ end
282
+
211
283
  # A result of Resource Search, containing information of a cloud resource.
212
284
  # @!attribute [rw] name
213
285
  # @return [::String]
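Review bot: The class comment added for `RelatedAsset` reads `An asset identify in Google Cloud which contains its name, type and ancestors.`; `identify` should be `identity`. The surrounding `@!attribute`/`MessageExts` boilerplate looks generated from the upstream proto comments, so the wording fix presumably belongs in the proto source rather than in this Ruby file. The enclosing module and its header lie outside this hunk.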
@@ -406,6 +478,24 @@ module Google
406
478
  # `parentFullResourceName:"project-name"`
407
479
  # * use a free text query. Example:
408
480
  # `project-name`
481
+ # @!attribute [rw] versioned_resources
482
+ # @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
483
+ # Versioned resource representations of this resource. This is repeated
484
+ # because there could be multiple versions of resource representations during
485
+ # version migration.
486
+ #
487
+ # This `versioned_resources` field is not searchable. Some attributes of the
488
+ # resource representations are exposed in `additional_attributes` field, so
489
+ # as to allow users to search on them.
490
+ # @!attribute [rw] attached_resources
491
+ # @return [::Array<::Google::Cloud::Asset::V1::AttachedResource>]
492
+ # Attached resources of this resource. For example, an OSConfig
493
+ # Inventory is an attached resource of a Compute Instance. This field is
494
+ # repeated because a resource could have multiple attached resources.
495
+ #
496
+ # This `attached_resources` field is not searchable. Some attributes
497
+ # of the attached resources are exposed in `additional_attributes` field, so
498
+ # as to allow users to search on them.
409
499
  # @!attribute [rw] parent_asset_type
410
500
  # @return [::String]
411
501
  # The type of this resource's immediate parent, if there is one.
@@ -430,6 +520,56 @@ module Google
430
520
  end
431
521
  end
432
522
 
523
+ # Resource representation as defined by the corresponding service providing the
524
+ # resource for a given API version.
525
+ # @!attribute [rw] version
526
+ # @return [::String]
527
+ # API version of the resource.
528
+ #
529
+ # Example:
530
+ # If the resource is an instance provided by Compute Engine v1 API as defined
531
+ # in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`,
532
+ # version will be "v1".
533
+ # @!attribute [rw] resource
534
+ # @return [::Google::Protobuf::Struct]
535
+ # JSON representation of the resource as defined by the corresponding
536
+ # service providing this resource.
537
+ #
538
+ # Example:
539
+ # If the resource is an instance provided by Compute Engine, this field will
540
+ # contain the JSON representation of the instance as defined by Compute
541
+ # Engine:
542
+ # `https://cloud.google.com/compute/docs/reference/rest/v1/instances`.
543
+ #
544
+ # You can find the resource definition for each supported resource type in
545
+ # this table:
546
+ # `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
547
+ class VersionedResource
548
+ include ::Google::Protobuf::MessageExts
549
+ extend ::Google::Protobuf::MessageExts::ClassMethods
550
+ end
551
+
552
+ # Attached resource representation, which is defined by the corresponding
553
+ # service provider. It represents an attached resource's payload.
554
+ # @!attribute [rw] asset_type
555
+ # @return [::String]
556
+ # The type of this attached resource.
557
+ #
558
+ # Example: `osconfig.googleapis.com/Inventory`
559
+ #
560
+ # You can find the supported attached asset types of each resource in this
561
+ # table:
562
+ # `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
563
+ # @!attribute [rw] versioned_resources
564
+ # @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
565
+ # Versioned resource representations of this attached resource. This is
566
+ # repeated because there could be multiple versions of the attached resource
567
+ # representations during version migration.
568
+ class AttachedResource
569
+ include ::Google::Protobuf::MessageExts
570
+ extend ::Google::Protobuf::MessageExts::ClassMethods
571
+ end
572
+
433
573
  # A result of IAM Policy search, containing information of an IAM policy.
434
574
  # @!attribute [rw] resource
435
575
  # @return [::String]
@@ -28,8 +28,8 @@ module Google
28
28
  # @return [::String]
29
29
  # Required. Resource name for the Access Level. The `short_name` component
30
30
  # must begin with a letter and only include alphanumeric and '_'. Format:
31
- # `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length
32
- # of the `short_name` component is 50 characters.
31
+ # `accessPolicies/{access_policy}/accessLevels/{access_level}`. The maximum
32
+ # length of the `access_level` component is 50 characters.
33
33
  # @!attribute [rw] title
34
34
  # @return [::String]
35
35
  # Human readable title. Must be unique within the Policy.
@@ -29,7 +29,7 @@ module Google
29
29
  # @!attribute [rw] name
30
30
  # @return [::String]
31
31
  # Output only. Resource name of the `AccessPolicy`. Format:
32
- # `accessPolicies/{policy_id}`
32
+ # `accessPolicies/{access_policy}`
33
33
  # @!attribute [rw] parent
34
34
  # @return [::String]
35
35
  # Required. The parent of this `AccessPolicy` in the Cloud Resource
@@ -35,7 +35,8 @@ module Google
35
35
  # @return [::String]
36
36
  # Required. Resource name for the ServicePerimeter. The `short_name`
37
37
  # component must begin with a letter and only include alphanumeric and '_'.
38
- # Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`
38
+ # Format:
39
+ # `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
39
40
  # @!attribute [rw] title
40
41
  # @return [::String]
41
42
  # Human readable title. Must be unique within the Policy.
@@ -133,6 +134,26 @@ module Google
133
134
  # @!attribute [rw] vpc_accessible_services
134
135
  # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::VpcAccessibleServices]
135
136
  # Configuration for APIs allowed within Perimeter.
137
+ # @!attribute [rw] ingress_policies
138
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressPolicy>]
139
+ # List of [IngressPolicies]
140
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
141
+ # to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
142
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
143
+ # each of which is evaluated separately. Access is granted if any [Ingress
144
+ # Policy]
145
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
146
+ # grants it. Must be empty for a perimeter bridge.
147
+ # @!attribute [rw] egress_policies
148
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressPolicy>]
149
+ # List of [EgressPolicies]
150
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
151
+ # to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
152
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
153
+ # each of which is evaluated separately. Access is granted if any
154
+ # [EgressPolicy]
155
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
156
+ # grants it. Must be empty for a perimeter bridge.
136
157
  class ServicePerimeterConfig
137
158
  include ::Google::Protobuf::MessageExts
138
159
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -146,11 +167,316 @@ module Google
146
167
  # @!attribute [rw] allowed_services
147
168
  # @return [::Array<::String>]
148
169
  # The list of APIs usable within the Service Perimeter. Must be empty
149
- # unless 'enable_restriction' is True.
170
+ # unless 'enable_restriction' is True. You can specify a list of individual
171
+ # services, as well as include the 'RESTRICTED-SERVICES' value, which
172
+ # automatically includes all of the services protected by the perimeter.
150
173
  class VpcAccessibleServices
151
174
  include ::Google::Protobuf::MessageExts
152
175
  extend ::Google::Protobuf::MessageExts::ClassMethods
153
176
  end
177
+
178
+ # An allowed method or permission of a service specified in [ApiOperation]
179
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
180
+ # @!attribute [rw] method
181
+ # @return [::String]
182
+ # Value for `method` should be a valid method name for the corresponding
183
+ # `service_name` in [ApiOperation]
184
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
185
+ # If `*` used as value for `method`, then ALL methods and permissions are
186
+ # allowed.
187
+ # @!attribute [rw] permission
188
+ # @return [::String]
189
+ # Value for `permission` should be a valid Cloud IAM permission for the
190
+ # corresponding `service_name` in [ApiOperation]
191
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
192
+ class MethodSelector
193
+ include ::Google::Protobuf::MessageExts
194
+ extend ::Google::Protobuf::MessageExts::ClassMethods
195
+ end
196
+
197
+ # Identification for an API Operation.
198
+ # @!attribute [rw] service_name
199
+ # @return [::String]
200
+ # The name of the API whose methods or permissions the [IngressPolicy]
201
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
202
+ # or [EgressPolicy]
203
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
204
+ # want to allow. A single [ApiOperation]
205
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
206
+ # with `service_name` field set to `*` will allow all methods AND
207
+ # permissions for all services.
208
+ # @!attribute [rw] method_selectors
209
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::MethodSelector>]
210
+ # API methods or permissions to allow. Method or permission must belong to
211
+ # the service specified by `service_name` field. A single [MethodSelector]
212
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
213
+ # entry with `*` specified for the `method` field will allow all methods
214
+ # AND permissions for the service specified in `service_name`.
215
+ class ApiOperation
216
+ include ::Google::Protobuf::MessageExts
217
+ extend ::Google::Protobuf::MessageExts::ClassMethods
218
+ end
219
+
220
+ # The source that [IngressPolicy]
221
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
222
+ # authorizes access from.
223
+ # @!attribute [rw] access_level
224
+ # @return [::String]
225
+ # An [AccessLevel]
226
+ # [google.identity.accesscontextmanager.v1.AccessLevel] resource
227
+ # name that allow resources within the [ServicePerimeters]
228
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
229
+ # accessed from the internet. [AccessLevels]
230
+ # [google.identity.accesscontextmanager.v1.AccessLevel] listed must
231
+ # be in the same policy as this [ServicePerimeter]
232
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
233
+ # Referencing a nonexistent [AccessLevel]
234
+ # [google.identity.accesscontextmanager.v1.AccessLevel] will cause
235
+ # an error. If no [AccessLevel]
236
+ # [google.identity.accesscontextmanager.v1.AccessLevel] names are
237
+ # listed, resources within the perimeter can only be accessed via Google
238
+ # Cloud calls with request origins within the perimeter. Example:
239
+ # `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
240
+ # specified for `access_level`, then all [IngressSources]
241
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
242
+ # will be allowed.
243
+ # @!attribute [rw] resource
244
+ # @return [::String]
245
+ # A Google Cloud resource that is allowed to ingress the perimeter.
246
+ # Requests from these resources will be allowed to access perimeter data.
247
+ # Currently only projects are allowed.
248
+ # Format: `projects/{project_number}`
249
+ # The project may be in any Google Cloud organization, not just the
250
+ # organization that the perimeter is defined in. `*` is not allowed, the
251
+ # case of allowing all Google Cloud resources only is not supported.
252
+ class IngressSource
253
+ include ::Google::Protobuf::MessageExts
254
+ extend ::Google::Protobuf::MessageExts::ClassMethods
255
+ end
256
+
257
+ # Defines the conditions under which an [EgressPolicy]
258
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
259
+ # matches a request. Conditions are based on information about the
260
+ # [ApiOperation]
261
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
262
+ # intended to be performed on the `resources` specified. Note that if the
263
+ # destination of the request is also protected by a [ServicePerimeter]
264
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
265
+ # [ServicePerimeter]
266
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
267
+ # an [IngressPolicy]
268
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
269
+ # which allows access in order for this request to succeed. The request must
270
+ # match `operations` AND `resources` fields in order to be allowed egress out
271
+ # of the perimeter.
272
+ # @!attribute [rw] resources
273
+ # @return [::Array<::String>]
274
+ # A list of resources, currently only projects in the form
275
+ # `projects/<projectnumber>`, that are allowed to be accessed by sources
276
+ # defined in the corresponding [EgressFrom]
277
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
278
+ # A request matches if it contains a resource in this list. If `*` is
279
+ # specified for `resources`, then this [EgressTo]
280
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
281
+ # rule will authorize access to all resources outside the perimeter.
282
+ # @!attribute [rw] operations
283
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
284
+ # A list of [ApiOperations]
285
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
286
+ # allowed to be performed by the sources specified in the corresponding
287
+ # [EgressFrom]
288
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
289
+ # A request matches if it uses an operation/service in this list.
290
+ class EgressTo
291
+ include ::Google::Protobuf::MessageExts
292
+ extend ::Google::Protobuf::MessageExts::ClassMethods
293
+ end
294
+
295
+ # Defines the conditions under which an [IngressPolicy]
296
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
297
+ # matches a request. Conditions are based on information about the source of
298
+ # the request. The request must satisfy what is defined in `sources` AND
299
+ # identity related fields in order to match.
300
+ # @!attribute [rw] sources
301
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressSource>]
302
+ # Sources that this [IngressPolicy]
303
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
304
+ # authorizes access from.
305
+ # @!attribute [rw] identities
306
+ # @return [::Array<::String>]
307
+ # A list of identities that are allowed access through this ingress
308
+ # policy. Should be in the format of email address. The email address
309
+ # should represent individual user or service account only.
310
+ # @!attribute [rw] identity_type
311
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
312
+ # Specifies the type of identities that are allowed access from outside the
313
+ # perimeter. If left unspecified, then members of `identities` field will
314
+ # be allowed access.
315
+ class IngressFrom
316
+ include ::Google::Protobuf::MessageExts
317
+ extend ::Google::Protobuf::MessageExts::ClassMethods
318
+ end
319
+
320
+ # Defines the conditions under which an [IngressPolicy]
321
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
322
+ # matches a request. Conditions are based on information about the
323
+ # [ApiOperation]
324
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
325
+ # intended to be performed on the target resource of the request. The request
326
+ # must satisfy what is defined in `operations` AND `resources` in order to
327
+ # match.
328
+ # @!attribute [rw] operations
329
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
330
+ # A list of [ApiOperations]
331
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
332
+ # allowed to be performed by the sources specified in corresponding
333
+ # [IngressFrom]
334
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
335
+ # in this [ServicePerimeter]
336
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
337
+ # @!attribute [rw] resources
338
+ # @return [::Array<::String>]
339
+ # A list of resources, currently only projects in the form
340
+ # `projects/<projectnumber>`, protected by this [ServicePerimeter]
341
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
342
+ # allowed to be accessed by sources defined in the corresponding
343
+ # [IngressFrom]
344
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
345
+ # If a single `*` is specified, then access to all resources inside the
346
+ # perimeter are allowed.
347
+ class IngressTo
348
+ include ::Google::Protobuf::MessageExts
349
+ extend ::Google::Protobuf::MessageExts::ClassMethods
350
+ end
351
+
352
+ # Policy for ingress into [ServicePerimeter]
353
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
354
+ #
355
+ # [IngressPolicies]
356
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
357
+ # match requests based on `ingress_from` and `ingress_to` stanzas. For an
358
+ # ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
359
+ # must be matched. If an [IngressPolicy]
360
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
361
+ # matches a request, the request is allowed through the perimeter boundary
362
+ # from outside the perimeter.
363
+ #
364
+ # For example, access from the internet can be allowed either
365
+ # based on an [AccessLevel]
366
+ # [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
367
+ # hosted on Google Cloud, the project of the source network. For access from
368
+ # private networks, using the project of the hosting network is required.
369
+ #
370
+ # Individual ingress policies can be limited by restricting which
371
+ # services and/or actions they match using the `ingress_to` field.
372
+ # @!attribute [rw] ingress_from
373
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressFrom]
374
+ # Defines the conditions on the source of a request causing this
375
+ # [IngressPolicy]
376
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
377
+ # to apply.
378
+ # @!attribute [rw] ingress_to
379
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressTo]
380
+ # Defines the conditions on the [ApiOperation]
381
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
382
+ # and request destination that cause this [IngressPolicy]
383
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
384
+ # to apply.
385
+ class IngressPolicy
386
+ include ::Google::Protobuf::MessageExts
387
+ extend ::Google::Protobuf::MessageExts::ClassMethods
388
+ end
389
+
390
+ # Policy for egress from perimeter.
391
+ #
392
+ # [EgressPolicies]
393
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
394
+ # match requests based on `egress_from` and `egress_to` stanzas. For an
395
+ # [EgressPolicy]
396
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
397
+ # to match, both `egress_from` and `egress_to` stanzas must be matched. If an
398
+ # [EgressPolicy]
399
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
400
+ # matches a request, the request is allowed to span the [ServicePerimeter]
401
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
402
+ # For example, an [EgressPolicy]
403
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
404
+ # can be used to allow VMs on networks within the [ServicePerimeter]
405
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
406
+ # defined set of projects outside the perimeter in certain contexts (e.g. to
407
+ # read data from a Cloud Storage bucket or query against a BigQuery dataset).
408
+ #
409
+ # [EgressPolicies]
410
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
411
+ # are concerned with the *resources* that a request relates as well as the
412
+ # API services and API actions being used. They do not related to the
413
+ # direction of data movement. More detailed documentation for this concept
414
+ # can be found in the descriptions of [EgressFrom]
415
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
416
+ # and [EgressTo]
417
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
418
+ # @!attribute [rw] egress_from
419
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressFrom]
420
+ # Defines conditions on the source of a request causing this [EgressPolicy]
421
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
422
+ # to apply.
423
+ # @!attribute [rw] egress_to
424
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressTo]
425
+ # Defines the conditions on the [ApiOperation]
426
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
427
+ # and destination resources that cause this [EgressPolicy]
428
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
429
+ # to apply.
430
+ class EgressPolicy
431
+ include ::Google::Protobuf::MessageExts
432
+ extend ::Google::Protobuf::MessageExts::ClassMethods
433
+ end
434
+
435
+ # Defines the conditions under which an [EgressPolicy]
436
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
437
+ # matches a request. Conditions based on information about the source of the
438
+ # request. Note that if the destination of the request is also protected by a
439
+ # [ServicePerimeter]
440
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
441
+ # [ServicePerimeter]
442
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
443
+ # an [IngressPolicy]
444
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
445
+ # which allows access in order for this request to succeed.
446
+ # @!attribute [rw] identities
447
+ # @return [::Array<::String>]
448
+ # A list of identities that are allowed access through this [EgressPolicy].
449
+ # Should be in the format of email address. The email address should
450
+ # represent individual user or service account only.
451
+ # @!attribute [rw] identity_type
452
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
453
+ # Specifies the type of identities that are allowed access to outside the
454
+ # perimeter. If left unspecified, then members of `identities` field will
455
+ # be allowed access.
456
+ class EgressFrom
457
+ include ::Google::Protobuf::MessageExts
458
+ extend ::Google::Protobuf::MessageExts::ClassMethods
459
+ end
460
+
461
+ # Specifies the types of identities that are allowed access in either
462
+ # [IngressFrom]
463
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
464
+ # or [EgressFrom]
465
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
466
+ # rules.
467
+ module IdentityType
468
+ # No blanket identity group specified.
469
+ IDENTITY_TYPE_UNSPECIFIED = 0
470
+
471
+ # Authorize access from all identities outside the perimeter.
472
+ ANY_IDENTITY = 1
473
+
474
+ # Authorize access from all human users outside the perimeter.
475
+ ANY_USER_ACCOUNT = 2
476
+
477
+ # Authorize access from all service accounts outside the perimeter.
478
+ ANY_SERVICE_ACCOUNT = 3
479
+ end
154
480
  end
155
481
  end
156
482
  end
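Review bot: The new `IngressFrom#identity_type` and `EgressFrom#identity_type` comments say what happens when the field is unspecified (`members of `identities` field will be allowed access`) but not how a set `identity_type` combines with a non-empty `identities` list, which matters because `ANY_IDENTITY` is documented as authorizing every identity outside the perimeter; the attribute comment should state whether setting both is rejected or which one takes effect, in the form `# If both `identity_type` and `identities` are set, <documented precedence or validation rule>.` with the rule taken from the service documentation rather than guessed. Several added sentences also read awkwardly: `name that allow resources` (`allows`), `They do not related to the direction` (`relate`), and `access to all resources inside the perimeter are allowed` (`is allowed`). As these comments appear to be generated from the proto definitions, the corrections presumably belong upstream. The enclosing `ServicePerimeterConfig` class begins before this hunk.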