google-cloud-asset-v1 0.6.0 → 0.9.1

data/proto_docs/google/api/resource.rb

@@ -43,12 +43,12 @@ module Google
     #
     # The ResourceDescriptor Yaml config will look like:
     #
-    #    resources:
-    #    - type: "pubsub.googleapis.com/Topic"
-    #      name_descriptor:
-    #        - pattern: "projects/\\{project}/topics/\\{topic}"
-    #          parent_type: "cloudresourcemanager.googleapis.com/Project"
-    #          parent_name_extractor: "projects/\\{project}"
+    #     resources:
+    #     - type: "pubsub.googleapis.com/Topic"
+    #       name_descriptor:
+    #         - pattern: "projects/{project}/topics/{topic}"
+    #           parent_type: "cloudresourcemanager.googleapis.com/Project"
+    #           parent_name_extractor: "projects/{project}"
     #
     # Sometimes, resources have multiple patterns, typically because they can
     # live under multiple parents.
@@ -183,15 +183,24 @@ module Google
     #         }
     # @!attribute [rw] plural
     #   @return [::String]
-    #     The plural name used in the resource name, such as 'projects' for
-    #     the name of 'projects/\\{project}'. It is the same concept of the `plural`
-    #     field in k8s CRD spec
+    #     The plural name used in the resource name and permission names, such as
+    #     'projects' for the resource name of 'projects/\\{project}' and the permission
+    #     name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
+    #     concept of the `plural` field in k8s CRD spec
     #     https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+    #
+    #     Note: The plural form is required even for singleton resources. See
+    #     https://aip.dev/156
     # @!attribute [rw] singular
     #   @return [::String]
     #     The same concept of the `singular` field in k8s CRD spec
     #     https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
     #     Such as "project" for the `resourcemanager.googleapis.com/Project` type.
+    # @!attribute [rw] style
+    #   @return [::Array<::Google::Api::ResourceDescriptor::Style>]
+    #     Style flag(s) for this resource.
+    #     These indicate that a resource is expected to conform to a given
+    #     style. See the specific style flags for additional information.
     class ResourceDescriptor
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -211,6 +220,22 @@ module Google
         # that from being necessary once there are multiple patterns.)
         FUTURE_MULTI_PATTERN = 2
       end
+
+      # A flag representing a specific style that a resource claims to conform to.
+      module Style
+        # The unspecified value. Do not use.
+        STYLE_UNSPECIFIED = 0
+
+        # This resource is intended to be "declarative-friendly".
+        #
+        # Declarative-friendly resources must be more strictly consistent, and
+        # setting this to true communicates to tools that this resource should
+        # adhere to declarative-friendly expectations.
+        #
+        # Note: This is used by the API linter (linter.aip.dev) to enable
+        # additional checks.
+        DECLARATIVE_FRIENDLY = 1
+      end
     end
 
     # Defines a proto annotation that describes a string field that refers to
@@ -226,6 +251,17 @@ module Google
     #             type: "pubsub.googleapis.com/Topic"
     #           }];
     #         }
+    #
+    #     Occasionally, a field may reference an arbitrary resource. In this case,
+    #     APIs use the special value * in their resource reference.
+    #
+    #     Example:
+    #
+    #         message GetIamPolicyRequest {
+    #           string resource = 2 [(google.api.resource_reference) = {
+    #             type: "*"
+    #           }];
+    #         }
     # @!attribute [rw] child_type
     #   @return [::String]
     #     The resource type of a child collection that the annotated field
@@ -234,11 +270,11 @@ module Google
     #
     #     Example:
     #
-    #       message ListLogEntriesRequest {
-    #         string parent = 1 [(google.api.resource_reference) = {
-    #           child_type: "logging.googleapis.com/LogEntry"
-    #         };
-    #       }
+    #         message ListLogEntriesRequest {
+    #           string parent = 1 [(google.api.resource_reference) = {
+    #             child_type: "logging.googleapis.com/LogEntry"
+    #           };
+    #         }
     class ResourceReference
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/asset/v1/asset_service.rb

@@ -287,11 +287,91 @@ module Google
         #     table will be overwritten by the contents of assets snapshot. If the flag
         #     is `FALSE` or unset and the destination table already exists, the export
         #     call returns an INVALID_ARGUMEMT error.
+        # @!attribute [rw] partition_spec
+        #   @return [::Google::Cloud::Asset::V1::PartitionSpec]
+        #     [partition_spec] determines whether to export to partitioned table(s) and
+        #     how to partition the data.
+        #
+        #     If [partition_spec] is unset or [partition_spec.partition_key] is unset or
+        #     `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
+        #     non-partitioned table(s). [force] will decide whether to overwrite existing
+        #     table(s).
+        #
+        #     If [partition_spec] is specified. First, the snapshot results will be
+        #     written to partitioned table(s) with two additional timestamp columns,
+        #     readTime and requestTime, one of which will be the partition key. Secondly,
+        #     in the case when any destination table already exists, it will first try to
+        #     update existing table's schema as necessary by appending additional
+        #     columns. Then, if [force] is `TRUE`, the corresponding partition will be
+        #     overwritten by the snapshot results (data in different partitions will
+        #     remain intact); if [force] is unset or `FALSE`, it will append the data. An
+        #     error will be returned if the schema update or data appension fails.
+        # @!attribute [rw] separate_tables_per_asset_type
+        #   @return [::Boolean]
+        #     If this flag is `TRUE`, the snapshot results will be written to one or
+        #     multiple tables, each of which contains results of one asset type. The
+        #     [force] and [partition_spec] fields will apply to each of them.
+        #
+        #     Field [table] will be concatenated with "_" and the asset type names (see
+        #     https://cloud.google.com/asset-inventory/docs/supported-asset-types for
+        #     supported asset types) to construct per-asset-type table names, in which
+        #     all non-alphanumeric characters like "." and "/" will be substituted by
+        #     "_". Example: if field [table] is "mytable" and snapshot results
+        #     contain "storage.googleapis.com/Bucket" assets, the corresponding table
+        #     name will be "mytable_storage_googleapis_com_Bucket". If any of these
+        #     tables does not exist, a new table with the concatenated name will be
+        #     created.
+        #
+        #     When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
+        #     each table will include RECORD-type columns mapped to the nested fields in
+        #     the Asset.resource.data field of that asset type (up to the 15 nested level
+        #     BigQuery supports
+        #     (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
+        #     fields in >15 nested levels will be stored in JSON format string as a child
+        #     column of its parent RECORD column.
+        #
+        #     If error occurs when exporting to any table, the whole export call will
+        #     return an error but the export results that already succeed will persist.
+        #     Example: if exporting to table_type_A succeeds when exporting to
+        #     table_type_B fails during one export call, the results in table_type_A will
+        #     persist and there will not be partial results persisting in a table.
         class BigQueryDestination
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # Specifications of BigQuery partitioned table as export destination.
+        # @!attribute [rw] partition_key
+        #   @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
+        #     The partition key for BigQuery partitioned table.
+        class PartitionSpec
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # This enum is used to determine the partition key column when exporting
+          # assets to BigQuery partitioned table(s). Note that, if the partition key is
+          # a timestamp column, the actual partition is based on its date value
+          # (expressed in UTC. see details in
+          # https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
+          module PartitionKey
+            # Unspecified partition key. If used, it means using non-partitioned table.
+            PARTITION_KEY_UNSPECIFIED = 0
+
+            # The time when the snapshot is taken. If specified as partition key, the
+            # result table(s) is partitoned by the additional timestamp column,
+            # readTime. If [read_time] in ExportAssetsRequest is specified, the
+            # readTime column's value will be the same as it. Otherwise, its value will
+            # be the current time that is used to take the snapshot.
+            READ_TIME = 1
+
+            # The time when the request is received and started to be processed. If
+            # specified as partition key, the result table(s) is partitoned by the
+            # requestTime column, an additional timestamp column representing when the
+            # request was received.
+            REQUEST_TIME = 2
+          end
+        end
+
         # A Pub/Sub destination.
         # @!attribute [rw] topic
         #   @return [::String]
@@ -548,7 +628,7 @@ module Google
         # IAM policy analysis query message.
         # @!attribute [rw] scope
         #   @return [::String]
-        #     The relative name of the root asset. Only resources and IAM policies within
+        #     Required. The relative name of the root asset. Only resources and IAM policies within
         #     the scope will be analyzed.
         #
         #     This can only be an organization number (such as "organizations/123"), a
@@ -562,16 +642,16 @@ module Google
         #     ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
         # @!attribute [rw] resource_selector
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
-        #     Specifies a resource for analysis.
+        #     Optional. Specifies a resource for analysis.
         # @!attribute [rw] identity_selector
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
-        #     Specifies an identity for analysis.
+        #     Optional. Specifies an identity for analysis.
         # @!attribute [rw] access_selector
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
-        #     Specifies roles or permissions for analysis. This is optional.
+        #     Optional. Specifies roles or permissions for analysis. This is optional.
         # @!attribute [rw] options
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
-        #     The query options.
+        #     Optional. The query options.
         class IamPolicyAnalysisQuery
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -581,7 +661,7 @@ module Google
           # projects.
           # @!attribute [rw] full_resource_name
           #   @return [::String]
-          #     The [full resource name]
+          #     Required. The [full resource name]
           #     (https://cloud.google.com/asset-inventory/docs/resource-name-format)
           #     of a resource of [supported resource
           #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
@@ -595,7 +675,7 @@ module Google
           # directly or indirectly.
           # @!attribute [rw] identity
           #   @return [::String]
-          #     The identity appear in the form of members in
+          #     Required. The identity appear in the form of members in
           #     [IAM policy
           #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
           #
@@ -615,13 +695,14 @@ module Google
           # Specifies roles and/or permissions to analyze, to determine both the
           # identities possessing them and the resources they control. If multiple
           # values are specified, results will include roles or permissions matching
-          # any of them.
+          # any of them. The total number of roles and permissions should be equal or
+          # less than 10.
           # @!attribute [rw] roles
           #   @return [::Array<::String>]
-          #     The roles to appear in result.
+          #     Optional. The roles to appear in result.
           # @!attribute [rw] permissions
           #   @return [::Array<::String>]
-          #     The permissions to appear in result.
+          #     Optional. The permissions to appear in result.
           class AccessSelector
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -630,67 +711,64 @@ module Google
           # Contains query options.
           # @!attribute [rw] expand_groups
           #   @return [::Boolean]
-          #     If true, the identities section of the result will expand any
+          #     Optional. If true, the identities section of the result will expand any
           #     Google groups appearing in an IAM policy binding.
           #
-          #     If
-          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector}
-          #     is specified, the identity in the result will be determined by the
-          #     selector, and this flag is not allowed to set.
+          #     If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
+          #     identity in the result will be determined by the selector, and this flag
+          #     is not allowed to set.
           #
           #     Default is false.
           # @!attribute [rw] expand_roles
           #   @return [::Boolean]
-          #     If true, the access section of result will expand any roles
+          #     Optional. If true, the access section of result will expand any roles
           #     appearing in IAM policy bindings to include their permissions.
           #
-          #     If
-          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector}
-          #     is specified, the access section of the result will be determined by the
-          #     selector, and this flag is not allowed to set.
+          #     If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
+          #     section of the result will be determined by the selector, and this flag
+          #     is not allowed to set.
           #
           #     Default is false.
           # @!attribute [rw] expand_resources
           #   @return [::Boolean]
-          #     If true and
-          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
-          #     is not specified, the resource section of the result will expand any
-          #     resource attached to an IAM policy to include resources lower in the
-          #     resource hierarchy.
+          #     Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
+          #     specified, the resource section of the result will expand any resource
+          #     attached to an IAM policy to include resources lower in the resource
+          #     hierarchy.
           #
           #     For example, if the request analyzes for which resources user A has
           #     permission P, and the results include an IAM policy with P on a GCP
           #     folder, the results will also include resources in that folder with
           #     permission P.
           #
-          #     If true and
-          #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
-          #     is specified, the resource section of the result will expand the
-          #     specified resource to include resources lower in the resource hierarchy.
+          #     If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
+          #     the resource section of the result will expand the specified resource to
+          #     include resources lower in the resource hierarchy. Only project or
+          #     lower resources are supported. Folder and organization resource cannot be
+          #     used together with this option.
           #
           #     For example, if the request analyzes for which users have permission P on
-          #     a GCP folder with this option enabled, the results will include all users
-          #     who have permission P on that folder or any lower resource(ex. project).
+          #     a GCP project with this option enabled, the results will include all
+          #     users who have permission P on that project or any lower resource.
           #
           #     Default is false.
           # @!attribute [rw] output_resource_edges
           #   @return [::Boolean]
-          #     If true, the result will output resource edges, starting
+          #     Optional. If true, the result will output resource edges, starting
           #     from the policy attached resource, to any expanded resources.
           #     Default is false.
           # @!attribute [rw] output_group_edges
           #   @return [::Boolean]
-          #     If true, the result will output group identity edges, starting
+          #     Optional. If true, the result will output group identity edges, starting
           #     from the binding's group members, to any expanded identities.
           #     Default is false.
           # @!attribute [rw] analyze_service_account_impersonation
           #   @return [::Boolean]
-          #     If true, the response will include access analysis from identities to
+          #     Optional. If true, the response will include access analysis from identities to
           #     resources via service account impersonation. This is a very expensive
           #     operation, because many derived queries will be executed. We highly
-          #     recommend you use
-          #     {::Google::Cloud::Asset::V1::AssetService::Client#export_iam_policy_analysis google.cloud.asset.v1.AssetService.ExportIamPolicyAnalysis}
-          #     rpc instead.
+          #     recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
+          #     instead.
           #
           #     For example, if the request analyzes for which resources user A has
           #     permission P, and there's an IAM policy states user A has
@@ -698,7 +776,7 @@ module Google
           #     and there's another IAM policy states service account SA has permission P
           #     to a GCP folder F, then user A potentially has access to the GCP folder
           #     F. And those advanced analysis results will be included in
-          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
+          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
           #
           #     Another example, if the request analyzes for who has
           #     permission P to a GCP folder F, and there's an IAM policy states user A
@@ -706,34 +784,22 @@ module Google
           #     there's another IAM policy states service account SA has permission P to
           #     the GCP folder F, then user A potentially has access to the GCP folder
           #     F. And those advanced analysis results will be included in
-          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
+          #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
           #
           #     Default is false.
-          # @!attribute [rw] max_fanouts_per_group
-          #   @return [::Integer]
-          #     The maximum number of fanouts per group when [expand_groups][expand_groups]
-          #     is enabled. This internal field is to help load testing and determine a
-          #     proper value, and won't be public in the future.
-          # @!attribute [rw] max_fanouts_per_resource
-          #   @return [::Integer]
-          #     The maximum number of fanouts per parent resource, such as
-          #     GCP Project etc., when [expand_resources][] is enabled. This internal
-          #     field is to help load testing and determine a proper value, and won't be
-          #     public in the future.
           class Options
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
         end
 
-        # A request message for
-        # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+        # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
         # @!attribute [rw] analysis_query
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
-        #     The request query.
+        #     Required. The request query.
         # @!attribute [rw] execution_timeout
         #   @return [::Google::Protobuf::Duration]
-        #     Amount of time executable has to complete.  See JSON representation of
+        #     Optional. Amount of time executable has to complete.  See JSON representation of
         #     [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
         #
         #     If this field is set with a value less than the RPC deadline, and the
@@ -743,40 +809,24 @@ module Google
         #     If it's not finished until then, you will get a  DEADLINE_EXCEEDED error.
         #
         #     Default is empty.
-        #
-        #     (-- We had discussion of whether we should have this field in the    --)
-        #     (-- request or use the RPC deadline instead. We finally choose this  --)
-        #     (-- approach for the following reasons (detailed in                  --)
-        #     (-- go/analyze-iam-policy-deadlines):                                --)
-        #     (-- * HTTP clients have very limited support of the RPC deadline.    --)
-        #     (--   There is an X-Server-Timeout header introduced in 2019/09, but --)
-        #     (--   only implemented in the C++ HTTP server library.               --)
-        #     (-- * The purpose of the RPC deadline is for RPC clients to          --)
-        #     (--   communicate its max waiting time to the server. This deadline  --)
-        #     (--   could be further propagated to the downstream servers. It is   --)
-        #     (--   mainly used for servers to cancel the request processing       --)
-        #     (--   to avoid resource wasting. Overloading the RPC deadline for    --)
-        #     (--   other purposes could make our backend system harder to reason  --)
-        #     (--   about.                                                         --)
         class AnalyzeIamPolicyRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # A response message for
-        # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
+        # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
         # @!attribute [rw] main_analysis
         #   @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
         #     The main analysis that matches the original request.
         # @!attribute [rw] service_account_impersonation_analysis
         #   @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
         #     The service account impersonation analysis if
-        #     [google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation][google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation]
-        #     is enabled.
+        #     [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
+        #     enabled.
         # @!attribute [rw] fully_explored
         #   @return [::Boolean]
-        #     Represents whether all entries in the [main_analysis][main_analysis] and
-        #     [service_account_impersonation_analysis][] have been fully explored to
+        #     Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
+        #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
         #     answer the query in the request.
         class AnalyzeIamPolicyResponse
           include ::Google::Protobuf::MessageExts
@@ -788,87 +838,18 @@ module Google
           #     The analysis query.
           # @!attribute [rw] analysis_results
           #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
-          #     A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult google.cloud.asset.v1.IamPolicyAnalysisResult}
-          #     that matches the analysis query, or empty if no result is found.
+          #     A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
+          #     empty if no result is found.
           # @!attribute [rw] fully_explored
           #   @return [::Boolean]
-          #     Represents whether all entries in the
-          #     [analysis_results][analysis_results] have been fully explored to answer
-          #     the query.
-          # @!attribute [rw] stats
-          #   @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
-          #     The stats of how the analysis has been explored.
+          #     Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
+          #     fully explored to answer the query.
           # @!attribute [rw] non_critical_errors
           #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
           #     A list of non-critical errors happened during the query handling.
           class IamPolicyAnalysis
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
-
-            # A stats message that contains a set of analysis metrics.
-            #
-            # Here are some equations to show relationships of the explicitly specified
-            # metrics with other implicit metrics:
-            # * node_count = discovered_node_count + undiscovered_node_count(implicit)
-            # * discovered_node_count = explored_node_count +
-            # unexplored_node_count(implicit)
-            # * explored_node_count = capped_node_count + uncapped_node_count(implicit)
-            # * unexplored_node_count(implicit) = permission_denied_node_count +
-            # execution_timeout_node_count + other_unexplored_node_count(implicit)
-            # * discovered_node_count = matched_node_count +
-            # unmatched_node_count(implicit)
-            # @!attribute [rw] node_type
-            #   @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
-            #     Node type.
-            # @!attribute [rw] node_subtype
-            #   @return [::String]
-            #     The subtype of a node, such as:
-            #     * For Identity: Group, User, ServiceAccount etc.
-            #     * For Resource: resource type name, such as
-            #     cloudresourcemanager.googleapis.com/Organization, etc.
-            #     * For Access: Role or Permission
-            # @!attribute [rw] discovered_node_count
-            #   @return [::Integer]
-            #     The count of discovered nodes.
-            # @!attribute [rw] matched_node_count
-            #   @return [::Integer]
-            #     The count of nodes that match the query. These nodes form a sub-graph
-            #     of discovered nodes.
-            # @!attribute [rw] explored_node_count
-            #   @return [::Integer]
-            #     The count of explored nodes.
-            # @!attribute [rw] capped_node_count
-            #   @return [::Integer]
-            #     The count of nodes that get explored, but are capped by max fanout
-            #     setting.
-            # @!attribute [rw] permision_denied_node_count
-            #   @return [::Integer]
-            #     The count of unexplored nodes caused by permission denied error.
-            # @!attribute [rw] execution_timeout_node_count
-            #   @return [::Integer]
-            #     The count of unexplored nodes caused by execution timeout.
-            class Stats
-              include ::Google::Protobuf::MessageExts
-              extend ::Google::Protobuf::MessageExts::ClassMethods
-
-              # Type of the node.
-              module NodeType
-                # Unspecified node type.
-                NODE_TYPE_UNSPECIFIED = 0
-
-                # IAM Policy Binding node type.
-                BINDING = 1
-
-                # Identity node type.
-                IDENTITY = 2
-
-                # Resource node type.
-                RESOURCE = 3
-
-                # Access node type.
-                ACCESS = 4
-              end
-            end
           end
         end
 
@@ -886,11 +867,10 @@ module Google
           # A Cloud Storage location.
           # @!attribute [rw] uri
           #   @return [::String]
-          #     The uri of the Cloud Storage object. It's the same uri that is used by
-          #     gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
-          #     Editing Object
-          #     Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
-          #     for more information.
+          #     Required. The uri of the Cloud Storage object. It's the same uri that is used by
+          #     gsutil. For example: "gs://bucket_name/object_name". See
+          #     [Quickstart: Using the gsutil tool]
+          #     (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
           class GcsDestination
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -899,25 +879,36 @@ module Google
           # A BigQuery destination.
           # @!attribute [rw] dataset
           #   @return [::String]
-          #     The BigQuery dataset in format "projects/projectId/datasets/datasetId",
+          #     Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
           #     to which the analysis results should be exported. If this dataset does
           #     not exist, the export call will return an INVALID_ARGUMENT error.
           # @!attribute [rw] table_prefix
           #   @return [::String]
-          #     The prefix of the BigQuery tables to which the analysis results will be
+          #     Required. The prefix of the BigQuery tables to which the analysis results will be
           #     written. Tables will be created based on this table_prefix if not exist:
           #     * <table_prefix>_analysis table will contain export operation's metadata.
           #     * <table_prefix>_analysis_result will contain all the
-          #       [IamPolicyAnalysisResult][].
+          #       {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
           #     When [partition_key] is specified, both tables will be partitioned based
           #     on the [partition_key].
           # @!attribute [rw] partition_key
           #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
           #     The partition key for BigQuery partitioned table.
-          # @!attribute [rw] write_mode
-          #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode]
-          #     The write mode when table exists. WriteMode is ignored when no existing
-          #     tables, or no existing partitions are found.
+          # @!attribute [rw] write_disposition
+          #   @return [::String]
+          #     Optional. Specifies the action that occurs if the destination table or partition
+          #     already exists. The following values are supported:
+          #
+          #     * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
+          #     overwrites the entire table or all the partitions data.
+          #     * WRITE_APPEND: If the table or partition already exists, BigQuery
+          #     appends the data to the table or the latest partition.
+          #     * WRITE_EMPTY: If the table already exists and contains data, an error is
+          #     returned.
+          #
+          #     The default value is WRITE_APPEND. Each action is atomic and only occurs
+          #     if BigQuery is able to complete the job successfully. Details are at
+          #     https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
           class BigQueryDestination
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -936,37 +927,23 @@ module Google
               # additional timestamp column representing when the request was received.
               REQUEST_TIME = 1
             end
-
-            # Write mode types if table exists.
-            module WriteMode
-              # Unspecified write mode. We expect one of the following valid modes must
-              # be specified when table or partition exists.
-              WRITE_MODE_UNSPECIFIED = 0
-
-              # Abort the export when table or partition exists.
-              ABORT = 1
-
-              # Overwrite the table when table exists. When partitioned, overwrite
-              # the existing partition.
-              OVERWRITE = 2
-            end
           end
         end
 
-        # A request message for [AssetService.ExportIamPolicyAnalysis][].
+        # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
         # @!attribute [rw] analysis_query
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
-        #     The request query.
+        #     Required. The request query.
         # @!attribute [rw] output_config
         #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
-        #     Output configuration indicating where the results will be output to.
-        class ExportIamPolicyAnalysisRequest
+        #     Required. Output configuration indicating where the results will be output to.
+        class AnalyzeIamPolicyLongrunningRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # The export IAM policy analysis response.
-        class ExportIamPolicyAnalysisResponse
+        # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
+        class AnalyzeIamPolicyLongrunningResponse
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
@@ -987,6 +964,9 @@ module Google
 
           # The Cloud Access context manager Policy set on an asset.
           ACCESS_POLICY = 5
+
+          # The runtime OS Inventory information.
+          OS_INVENTORY = 6
         end
       end
     end