google-cloud-asset-v1 0.6.0 → 0.9.1

@@ -43,12 +43,12 @@ module Google
43
43
  #
44
44
  # The ResourceDescriptor Yaml config will look like:
45
45
  #
46
- # resources:
47
- # - type: "pubsub.googleapis.com/Topic"
48
- # name_descriptor:
49
- # - pattern: "projects/\\{project}/topics/\\{topic}"
50
- # parent_type: "cloudresourcemanager.googleapis.com/Project"
51
- # parent_name_extractor: "projects/\\{project}"
46
+ # resources:
47
+ # - type: "pubsub.googleapis.com/Topic"
48
+ # name_descriptor:
49
+ # - pattern: "projects/{project}/topics/{topic}"
50
+ # parent_type: "cloudresourcemanager.googleapis.com/Project"
51
+ # parent_name_extractor: "projects/{project}"
52
52
  #
53
53
  # Sometimes, resources have multiple patterns, typically because they can
54
54
  # live under multiple parents.
@@ -183,15 +183,24 @@ module Google
183
183
  # }
184
184
  # @!attribute [rw] plural
185
185
  # @return [::String]
186
- # The plural name used in the resource name, such as 'projects' for
187
- # the name of 'projects/\\{project}'. It is the same concept of the `plural`
188
- # field in k8s CRD spec
186
+ # The plural name used in the resource name and permission names, such as
187
+ # 'projects' for the resource name of 'projects/\\{project}' and the permission
188
+ # name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
189
+ # concept of the `plural` field in k8s CRD spec
189
190
  # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
191
+ #
192
+ # Note: The plural form is required even for singleton resources. See
193
+ # https://aip.dev/156
190
194
  # @!attribute [rw] singular
191
195
  # @return [::String]
192
196
  # The same concept of the `singular` field in k8s CRD spec
193
197
  # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
194
198
  # Such as "project" for the `resourcemanager.googleapis.com/Project` type.
199
+ # @!attribute [rw] style
200
+ # @return [::Array<::Google::Api::ResourceDescriptor::Style>]
201
+ # Style flag(s) for this resource.
202
+ # These indicate that a resource is expected to conform to a given
203
+ # style. See the specific style flags for additional information.
195
204
  class ResourceDescriptor
196
205
  include ::Google::Protobuf::MessageExts
197
206
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -211,6 +220,22 @@ module Google
211
220
  # that from being necessary once there are multiple patterns.)
212
221
  FUTURE_MULTI_PATTERN = 2
213
222
  end
223
+
224
+ # A flag representing a specific style that a resource claims to conform to.
225
+ module Style
226
+ # The unspecified value. Do not use.
227
+ STYLE_UNSPECIFIED = 0
228
+
229
+ # This resource is intended to be "declarative-friendly".
230
+ #
231
+ # Declarative-friendly resources must be more strictly consistent, and
232
+ # setting this to true communicates to tools that this resource should
233
+ # adhere to declarative-friendly expectations.
234
+ #
235
+ # Note: This is used by the API linter (linter.aip.dev) to enable
236
+ # additional checks.
237
+ DECLARATIVE_FRIENDLY = 1
238
+ end
214
239
  end
215
240
 
216
241
  # Defines a proto annotation that describes a string field that refers to
@@ -226,6 +251,17 @@ module Google
226
251
  # type: "pubsub.googleapis.com/Topic"
227
252
  # }];
228
253
  # }
254
+ #
255
+ # Occasionally, a field may reference an arbitrary resource. In this case,
256
+ # APIs use the special value * in their resource reference.
257
+ #
258
+ # Example:
259
+ #
260
+ # message GetIamPolicyRequest {
261
+ # string resource = 2 [(google.api.resource_reference) = {
262
+ # type: "*"
263
+ # }];
264
+ # }
229
265
  # @!attribute [rw] child_type
230
266
  # @return [::String]
231
267
  # The resource type of a child collection that the annotated field
@@ -234,11 +270,11 @@ module Google
234
270
  #
235
271
  # Example:
236
272
  #
237
- # message ListLogEntriesRequest {
238
- # string parent = 1 [(google.api.resource_reference) = {
239
- # child_type: "logging.googleapis.com/LogEntry"
240
- # };
241
- # }
273
+ # message ListLogEntriesRequest {
274
+ # string parent = 1 [(google.api.resource_reference) = {
275
+ # child_type: "logging.googleapis.com/LogEntry"
276
+ # };
277
+ # }
242
278
  class ResourceReference
243
279
  include ::Google::Protobuf::MessageExts
244
280
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -287,11 +287,91 @@ module Google
287
287
  # table will be overwritten by the contents of assets snapshot. If the flag
288
288
  # is `FALSE` or unset and the destination table already exists, the export
289
289
  # call returns an INVALID_ARGUMEMT error.
290
+ # @!attribute [rw] partition_spec
291
+ # @return [::Google::Cloud::Asset::V1::PartitionSpec]
292
+ # [partition_spec] determines whether to export to partitioned table(s) and
293
+ # how to partition the data.
294
+ #
295
+ # If [partition_spec] is unset or [partition_spec.partition_key] is unset or
296
+ # `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to
297
+ # non-partitioned table(s). [force] will decide whether to overwrite existing
298
+ # table(s).
299
+ #
300
+ # If [partition_spec] is specified. First, the snapshot results will be
301
+ # written to partitioned table(s) with two additional timestamp columns,
302
+ # readTime and requestTime, one of which will be the partition key. Secondly,
303
+ # in the case when any destination table already exists, it will first try to
304
+ # update existing table's schema as necessary by appending additional
305
+ # columns. Then, if [force] is `TRUE`, the corresponding partition will be
306
+ # overwritten by the snapshot results (data in different partitions will
307
+ # remain intact); if [force] is unset or `FALSE`, it will append the data. An
308
+ # error will be returned if the schema update or data appension fails.
309
+ # @!attribute [rw] separate_tables_per_asset_type
310
+ # @return [::Boolean]
311
+ # If this flag is `TRUE`, the snapshot results will be written to one or
312
+ # multiple tables, each of which contains results of one asset type. The
313
+ # [force] and [partition_spec] fields will apply to each of them.
314
+ #
315
+ # Field [table] will be concatenated with "_" and the asset type names (see
316
+ # https://cloud.google.com/asset-inventory/docs/supported-asset-types for
317
+ # supported asset types) to construct per-asset-type table names, in which
318
+ # all non-alphanumeric characters like "." and "/" will be substituted by
319
+ # "_". Example: if field [table] is "mytable" and snapshot results
320
+ # contain "storage.googleapis.com/Bucket" assets, the corresponding table
321
+ # name will be "mytable_storage_googleapis_com_Bucket". If any of these
322
+ # tables does not exist, a new table with the concatenated name will be
323
+ # created.
324
+ #
325
+ # When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of
326
+ # each table will include RECORD-type columns mapped to the nested fields in
327
+ # the Asset.resource.data field of that asset type (up to the 15 nested level
328
+ # BigQuery supports
329
+ # (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The
330
+ # fields in >15 nested levels will be stored in JSON format string as a child
331
+ # column of its parent RECORD column.
332
+ #
333
+ # If error occurs when exporting to any table, the whole export call will
334
+ # return an error but the export results that already succeed will persist.
335
+ # Example: if exporting to table_type_A succeeds when exporting to
336
+ # table_type_B fails during one export call, the results in table_type_A will
337
+ # persist and there will not be partial results persisting in a table.
290
338
  class BigQueryDestination
291
339
  include ::Google::Protobuf::MessageExts
292
340
  extend ::Google::Protobuf::MessageExts::ClassMethods
293
341
  end
294
342
 
343
+ # Specifications of BigQuery partitioned table as export destination.
344
+ # @!attribute [rw] partition_key
345
+ # @return [::Google::Cloud::Asset::V1::PartitionSpec::PartitionKey]
346
+ # The partition key for BigQuery partitioned table.
347
+ class PartitionSpec
348
+ include ::Google::Protobuf::MessageExts
349
+ extend ::Google::Protobuf::MessageExts::ClassMethods
350
+
351
+ # This enum is used to determine the partition key column when exporting
352
+ # assets to BigQuery partitioned table(s). Note that, if the partition key is
353
+ # a timestamp column, the actual partition is based on its date value
354
+ # (expressed in UTC. see details in
355
+ # https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables).
356
+ module PartitionKey
357
+ # Unspecified partition key. If used, it means using non-partitioned table.
358
+ PARTITION_KEY_UNSPECIFIED = 0
359
+
360
+ # The time when the snapshot is taken. If specified as partition key, the
361
+ # result table(s) is partitoned by the additional timestamp column,
362
+ # readTime. If [read_time] in ExportAssetsRequest is specified, the
363
+ # readTime column's value will be the same as it. Otherwise, its value will
364
+ # be the current time that is used to take the snapshot.
365
+ READ_TIME = 1
366
+
367
+ # The time when the request is received and started to be processed. If
368
+ # specified as partition key, the result table(s) is partitoned by the
369
+ # requestTime column, an additional timestamp column representing when the
370
+ # request was received.
371
+ REQUEST_TIME = 2
372
+ end
373
+ end
374
+
295
375
  # A Pub/Sub destination.
296
376
  # @!attribute [rw] topic
297
377
  # @return [::String]
@@ -548,7 +628,7 @@ module Google
548
628
  # IAM policy analysis query message.
549
629
  # @!attribute [rw] scope
550
630
  # @return [::String]
551
- # The relative name of the root asset. Only resources and IAM policies within
631
+ # Required. The relative name of the root asset. Only resources and IAM policies within
552
632
  # the scope will be analyzed.
553
633
  #
554
634
  # This can only be an organization number (such as "organizations/123"), a
@@ -562,16 +642,16 @@ module Google
562
642
  # ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects).
563
643
  # @!attribute [rw] resource_selector
564
644
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector]
565
- # Specifies a resource for analysis.
645
+ # Optional. Specifies a resource for analysis.
566
646
  # @!attribute [rw] identity_selector
567
647
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector]
568
- # Specifies an identity for analysis.
648
+ # Optional. Specifies an identity for analysis.
569
649
  # @!attribute [rw] access_selector
570
650
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector]
571
- # Specifies roles or permissions for analysis. This is optional.
651
+ # Optional. Specifies roles or permissions for analysis. This is optional.
572
652
  # @!attribute [rw] options
573
653
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options]
574
- # The query options.
654
+ # Optional. The query options.
575
655
  class IamPolicyAnalysisQuery
576
656
  include ::Google::Protobuf::MessageExts
577
657
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -581,7 +661,7 @@ module Google
581
661
  # projects.
582
662
  # @!attribute [rw] full_resource_name
583
663
  # @return [::String]
584
- # The [full resource name]
664
+ # Required. The [full resource name]
585
665
  # (https://cloud.google.com/asset-inventory/docs/resource-name-format)
586
666
  # of a resource of [supported resource
587
667
  # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
@@ -595,7 +675,7 @@ module Google
595
675
  # directly or indirectly.
596
676
  # @!attribute [rw] identity
597
677
  # @return [::String]
598
- # The identity appear in the form of members in
678
+ # Required. The identity appear in the form of members in
599
679
  # [IAM policy
600
680
  # binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
601
681
  #
@@ -615,13 +695,14 @@ module Google
615
695
  # Specifies roles and/or permissions to analyze, to determine both the
616
696
  # identities possessing them and the resources they control. If multiple
617
697
  # values are specified, results will include roles or permissions matching
618
- # any of them.
698
+ # any of them. The total number of roles and permissions should be equal or
699
+ # less than 10.
619
700
  # @!attribute [rw] roles
620
701
  # @return [::Array<::String>]
621
- # The roles to appear in result.
702
+ # Optional. The roles to appear in result.
622
703
  # @!attribute [rw] permissions
623
704
  # @return [::Array<::String>]
624
- # The permissions to appear in result.
705
+ # Optional. The permissions to appear in result.
625
706
  class AccessSelector
626
707
  include ::Google::Protobuf::MessageExts
627
708
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -630,67 +711,64 @@ module Google
630
711
  # Contains query options.
631
712
  # @!attribute [rw] expand_groups
632
713
  # @return [::Boolean]
633
- # If true, the identities section of the result will expand any
714
+ # Optional. If true, the identities section of the result will expand any
634
715
  # Google groups appearing in an IAM policy binding.
635
716
  #
636
- # If
637
- # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector}
638
- # is specified, the identity in the result will be determined by the
639
- # selector, and this flag is not allowed to set.
717
+ # If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector} is specified, the
718
+ # identity in the result will be determined by the selector, and this flag
719
+ # is not allowed to set.
640
720
  #
641
721
  # Default is false.
642
722
  # @!attribute [rw] expand_roles
643
723
  # @return [::Boolean]
644
- # If true, the access section of result will expand any roles
724
+ # Optional. If true, the access section of result will expand any roles
645
725
  # appearing in IAM policy bindings to include their permissions.
646
726
  #
647
- # If
648
- # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector}
649
- # is specified, the access section of the result will be determined by the
650
- # selector, and this flag is not allowed to set.
727
+ # If {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector} is specified, the access
728
+ # section of the result will be determined by the selector, and this flag
729
+ # is not allowed to set.
651
730
  #
652
731
  # Default is false.
653
732
  # @!attribute [rw] expand_resources
654
733
  # @return [::Boolean]
655
- # If true and
656
- # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
657
- # is not specified, the resource section of the result will expand any
658
- # resource attached to an IAM policy to include resources lower in the
659
- # resource hierarchy.
734
+ # Optional. If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is not
735
+ # specified, the resource section of the result will expand any resource
736
+ # attached to an IAM policy to include resources lower in the resource
737
+ # hierarchy.
660
738
  #
661
739
  # For example, if the request analyzes for which resources user A has
662
740
  # permission P, and the results include an IAM policy with P on a GCP
663
741
  # folder, the results will also include resources in that folder with
664
742
  # permission P.
665
743
  #
666
- # If true and
667
- # {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector}
668
- # is specified, the resource section of the result will expand the
669
- # specified resource to include resources lower in the resource hierarchy.
744
+ # If true and {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector} is specified,
745
+ # the resource section of the result will expand the specified resource to
746
+ # include resources lower in the resource hierarchy. Only project or
747
+ # lower resources are supported. Folder and organization resource cannot be
748
+ # used together with this option.
670
749
  #
671
750
  # For example, if the request analyzes for which users have permission P on
672
- # a GCP folder with this option enabled, the results will include all users
673
- # who have permission P on that folder or any lower resource(ex. project).
751
+ # a GCP project with this option enabled, the results will include all
752
+ # users who have permission P on that project or any lower resource.
674
753
  #
675
754
  # Default is false.
676
755
  # @!attribute [rw] output_resource_edges
677
756
  # @return [::Boolean]
678
- # If true, the result will output resource edges, starting
757
+ # Optional. If true, the result will output resource edges, starting
679
758
  # from the policy attached resource, to any expanded resources.
680
759
  # Default is false.
681
760
  # @!attribute [rw] output_group_edges
682
761
  # @return [::Boolean]
683
- # If true, the result will output group identity edges, starting
762
+ # Optional. If true, the result will output group identity edges, starting
684
763
  # from the binding's group members, to any expanded identities.
685
764
  # Default is false.
686
765
  # @!attribute [rw] analyze_service_account_impersonation
687
766
  # @return [::Boolean]
688
- # If true, the response will include access analysis from identities to
767
+ # Optional. If true, the response will include access analysis from identities to
689
768
  # resources via service account impersonation. This is a very expensive
690
769
  # operation, because many derived queries will be executed. We highly
691
- # recommend you use
692
- # {::Google::Cloud::Asset::V1::AssetService::Client#export_iam_policy_analysis google.cloud.asset.v1.AssetService.ExportIamPolicyAnalysis}
693
- # rpc instead.
770
+ # recommend you use {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning} rpc
771
+ # instead.
694
772
  #
695
773
  # For example, if the request analyzes for which resources user A has
696
774
  # permission P, and there's an IAM policy states user A has
@@ -698,7 +776,7 @@ module Google
698
776
  # and there's another IAM policy states service account SA has permission P
699
777
  # to a GCP folder F, then user A potentially has access to the GCP folder
700
778
  # F. And those advanced analysis results will be included in
701
- # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
779
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
702
780
  #
703
781
  # Another example, if the request analyzes for who has
704
782
  # permission P to a GCP folder F, and there's an IAM policy states user A
@@ -706,34 +784,22 @@ module Google
706
784
  # there's another IAM policy states service account SA has permission P to
707
785
  # the GCP folder F, then user A potentially has access to the GCP folder
708
786
  # F. And those advanced analysis results will be included in
709
- # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
787
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
710
788
  #
711
789
  # Default is false.
712
- # @!attribute [rw] max_fanouts_per_group
713
- # @return [::Integer]
714
- # The maximum number of fanouts per group when [expand_groups][expand_groups]
715
- # is enabled. This internal field is to help load testing and determine a
716
- # proper value, and won't be public in the future.
717
- # @!attribute [rw] max_fanouts_per_resource
718
- # @return [::Integer]
719
- # The maximum number of fanouts per parent resource, such as
720
- # GCP Project etc., when [expand_resources][] is enabled. This internal
721
- # field is to help load testing and determine a proper value, and won't be
722
- # public in the future.
723
790
  class Options
724
791
  include ::Google::Protobuf::MessageExts
725
792
  extend ::Google::Protobuf::MessageExts::ClassMethods
726
793
  end
727
794
  end
728
795
 
729
- # A request message for
730
- # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
796
+ # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
731
797
  # @!attribute [rw] analysis_query
732
798
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
733
- # The request query.
799
+ # Required. The request query.
734
800
  # @!attribute [rw] execution_timeout
735
801
  # @return [::Google::Protobuf::Duration]
736
- # Amount of time executable has to complete. See JSON representation of
802
+ # Optional. Amount of time executable has to complete. See JSON representation of
737
803
  # [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
738
804
  #
739
805
  # If this field is set with a value less than the RPC deadline, and the
@@ -743,40 +809,24 @@ module Google
743
809
  # If it's not finished until then, you will get a DEADLINE_EXCEEDED error.
744
810
  #
745
811
  # Default is empty.
746
- #
747
- # (-- We had discussion of whether we should have this field in the --)
748
- # (-- request or use the RPC deadline instead. We finally choose this --)
749
- # (-- approach for the following reasons (detailed in --)
750
- # (-- go/analyze-iam-policy-deadlines): --)
751
- # (-- * HTTP clients have very limited support of the RPC deadline. --)
752
- # (-- There is an X-Server-Timeout header introduced in 2019/09, but --)
753
- # (-- only implemented in the C++ HTTP server library. --)
754
- # (-- * The purpose of the RPC deadline is for RPC clients to --)
755
- # (-- communicate its max waiting time to the server. This deadline --)
756
- # (-- could be further propagated to the downstream servers. It is --)
757
- # (-- mainly used for servers to cancel the request processing --)
758
- # (-- to avoid resource wasting. Overloading the RPC deadline for --)
759
- # (-- other purposes could make our backend system harder to reason --)
760
- # (-- about. --)
761
812
  class AnalyzeIamPolicyRequest
762
813
  include ::Google::Protobuf::MessageExts
763
814
  extend ::Google::Protobuf::MessageExts::ClassMethods
764
815
  end
765
816
 
766
- # A response message for
767
- # {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy google.cloud.asset.v1.AssetService.AnalyzeIamPolicy}.
817
+ # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy AssetService.AnalyzeIamPolicy}.
768
818
  # @!attribute [rw] main_analysis
769
819
  # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis]
770
820
  # The main analysis that matches the original request.
771
821
  # @!attribute [rw] service_account_impersonation_analysis
772
822
  # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis>]
773
823
  # The service account impersonation analysis if
774
- # [google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation][google.cloud.asset.v1.AnalyzeIamPolicyRequest.analyze_service_account_impersonation]
775
- # is enabled.
824
+ # [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
825
+ # enabled.
776
826
  # @!attribute [rw] fully_explored
777
827
  # @return [::Boolean]
778
- # Represents whether all entries in the [main_analysis][main_analysis] and
779
- # [service_account_impersonation_analysis][] have been fully explored to
828
+ # Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#main_analysis main_analysis} and
829
+ # {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis service_account_impersonation_analysis} have been fully explored to
780
830
  # answer the query in the request.
781
831
  class AnalyzeIamPolicyResponse
782
832
  include ::Google::Protobuf::MessageExts
@@ -788,87 +838,18 @@ module Google
788
838
  # The analysis query.
789
839
  # @!attribute [rw] analysis_results
790
840
  # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult>]
791
- # A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult google.cloud.asset.v1.IamPolicyAnalysisResult}
792
- # that matches the analysis query, or empty if no result is found.
841
+ # A list of {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult} that matches the analysis query, or
842
+ # empty if no result is found.
793
843
  # @!attribute [rw] fully_explored
794
844
  # @return [::Boolean]
795
- # Represents whether all entries in the
796
- # [analysis_results][analysis_results] have been fully explored to answer
797
- # the query.
798
- # @!attribute [rw] stats
799
- # @return [::Array<::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats>]
800
- # The stats of how the analysis has been explored.
845
+ # Represents whether all entries in the {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis#analysis_results analysis_results} have been
846
+ # fully explored to answer the query.
801
847
  # @!attribute [rw] non_critical_errors
802
848
  # @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisState>]
803
849
  # A list of non-critical errors happened during the query handling.
804
850
  class IamPolicyAnalysis
805
851
  include ::Google::Protobuf::MessageExts
806
852
  extend ::Google::Protobuf::MessageExts::ClassMethods
807
-
808
- # A stats message that contains a set of analysis metrics.
809
- #
810
- # Here are some equations to show relationships of the explicitly specified
811
- # metrics with other implicit metrics:
812
- # * node_count = discovered_node_count + undiscovered_node_count(implicit)
813
- # * discovered_node_count = explored_node_count +
814
- # unexplored_node_count(implicit)
815
- # * explored_node_count = capped_node_count + uncapped_node_count(implicit)
816
- # * unexplored_node_count(implicit) = permission_denied_node_count +
817
- # execution_timeout_node_count + other_unexplored_node_count(implicit)
818
- # * discovered_node_count = matched_node_count +
819
- # unmatched_node_count(implicit)
820
- # @!attribute [rw] node_type
821
- # @return [::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse::IamPolicyAnalysis::Stats::NodeType]
822
- # Node type.
823
- # @!attribute [rw] node_subtype
824
- # @return [::String]
825
- # The subtype of a node, such as:
826
- # * For Identity: Group, User, ServiceAccount etc.
827
- # * For Resource: resource type name, such as
828
- # cloudresourcemanager.googleapis.com/Organization, etc.
829
- # * For Access: Role or Permission
830
- # @!attribute [rw] discovered_node_count
831
- # @return [::Integer]
832
- # The count of discovered nodes.
833
- # @!attribute [rw] matched_node_count
834
- # @return [::Integer]
835
- # The count of nodes that match the query. These nodes form a sub-graph
836
- # of discovered nodes.
837
- # @!attribute [rw] explored_node_count
838
- # @return [::Integer]
839
- # The count of explored nodes.
840
- # @!attribute [rw] capped_node_count
841
- # @return [::Integer]
842
- # The count of nodes that get explored, but are capped by max fanout
843
- # setting.
844
- # @!attribute [rw] permision_denied_node_count
845
- # @return [::Integer]
846
- # The count of unexplored nodes caused by permission denied error.
847
- # @!attribute [rw] execution_timeout_node_count
848
- # @return [::Integer]
849
- # The count of unexplored nodes caused by execution timeout.
850
- class Stats
851
- include ::Google::Protobuf::MessageExts
852
- extend ::Google::Protobuf::MessageExts::ClassMethods
853
-
854
- # Type of the node.
855
- module NodeType
856
- # Unspecified node type.
857
- NODE_TYPE_UNSPECIFIED = 0
858
-
859
- # IAM Policy Binding node type.
860
- BINDING = 1
861
-
862
- # Identity node type.
863
- IDENTITY = 2
864
-
865
- # Resource node type.
866
- RESOURCE = 3
867
-
868
- # Access node type.
869
- ACCESS = 4
870
- end
871
- end
872
853
  end
873
854
  end
874
855
 
@@ -886,11 +867,10 @@ module Google
886
867
  # A Cloud Storage location.
887
868
  # @!attribute [rw] uri
888
869
  # @return [::String]
889
- # The uri of the Cloud Storage object. It's the same uri that is used by
890
- # gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
891
- # Editing Object
892
- # Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
893
- # for more information.
870
+ # Required. The uri of the Cloud Storage object. It's the same uri that is used by
871
+ # gsutil. For example: "gs://bucket_name/object_name". See
872
+ # [Quickstart: Using the gsutil tool]
873
+ # (https://cloud.google.com/storage/docs/quickstart-gsutil) for examples.
894
874
  class GcsDestination
895
875
  include ::Google::Protobuf::MessageExts
896
876
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -899,25 +879,36 @@ module Google
899
879
  # A BigQuery destination.
900
880
  # @!attribute [rw] dataset
901
881
  # @return [::String]
902
- # The BigQuery dataset in format "projects/projectId/datasets/datasetId",
882
+ # Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId",
903
883
  # to which the analysis results should be exported. If this dataset does
904
884
  # not exist, the export call will return an INVALID_ARGUMENT error.
905
885
  # @!attribute [rw] table_prefix
906
886
  # @return [::String]
907
- # The prefix of the BigQuery tables to which the analysis results will be
887
+ # Required. The prefix of the BigQuery tables to which the analysis results will be
908
888
  # written. Tables will be created based on this table_prefix if not exist:
909
889
  # * <table_prefix>_analysis table will contain export operation's metadata.
910
890
  # * <table_prefix>_analysis_result will contain all the
911
- # [IamPolicyAnalysisResult][].
891
+ # {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult IamPolicyAnalysisResult}.
912
892
  # When [partition_key] is specified, both tables will be partitioned based
913
893
  # on the [partition_key].
914
894
  # @!attribute [rw] partition_key
915
895
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey]
916
896
  # The partition key for BigQuery partitioned table.
917
- # @!attribute [rw] write_mode
918
- # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig::BigQueryDestination::WriteMode]
919
- # The write mode when table exists. WriteMode is ignored when no existing
920
- # tables, or no existing partitions are found.
897
+ # @!attribute [rw] write_disposition
898
+ # @return [::String]
899
+ # Optional. Specifies the action that occurs if the destination table or partition
900
+ # already exists. The following values are supported:
901
+ #
902
+ # * WRITE_TRUNCATE: If the table or partition already exists, BigQuery
903
+ # overwrites the entire table or all the partitions data.
904
+ # * WRITE_APPEND: If the table or partition already exists, BigQuery
905
+ # appends the data to the table or the latest partition.
906
+ # * WRITE_EMPTY: If the table already exists and contains data, an error is
907
+ # returned.
908
+ #
909
+ # The default value is WRITE_APPEND. Each action is atomic and only occurs
910
+ # if BigQuery is able to complete the job successfully. Details are at
911
+ # https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file.
921
912
  class BigQueryDestination
922
913
  include ::Google::Protobuf::MessageExts
923
914
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -936,37 +927,23 @@ module Google
936
927
  # additional timestamp column representing when the request was received.
937
928
  REQUEST_TIME = 1
938
929
  end
939
-
940
- # Write mode types if table exists.
941
- module WriteMode
942
- # Unspecified write mode. We expect one of the following valid modes must
943
- # be specified when table or partition exists.
944
- WRITE_MODE_UNSPECIFIED = 0
945
-
946
- # Abort the export when table or partition exists.
947
- ABORT = 1
948
-
949
- # Overwrite the table when table exists. When partitioned, overwrite
950
- # the existing partition.
951
- OVERWRITE = 2
952
- end
953
930
  end
954
931
  end
955
932
 
956
- # A request message for [AssetService.ExportIamPolicyAnalysis][].
933
+ # A request message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
957
934
  # @!attribute [rw] analysis_query
958
935
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery]
959
- # The request query.
936
+ # Required. The request query.
960
937
  # @!attribute [rw] output_config
961
938
  # @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisOutputConfig]
962
- # Output configuration indicating where the results will be output to.
963
- class ExportIamPolicyAnalysisRequest
939
+ # Required. Output configuration indicating where the results will be output to.
940
+ class AnalyzeIamPolicyLongrunningRequest
964
941
  include ::Google::Protobuf::MessageExts
965
942
  extend ::Google::Protobuf::MessageExts::ClassMethods
966
943
  end
967
944
 
968
- # The export IAM policy analysis response.
969
- class ExportIamPolicyAnalysisResponse
945
+ # A response message for {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}.
946
+ class AnalyzeIamPolicyLongrunningResponse
970
947
  include ::Google::Protobuf::MessageExts
971
948
  extend ::Google::Protobuf::MessageExts::ClassMethods
972
949
  end
@@ -987,6 +964,9 @@ module Google
987
964
 
988
965
  # The Cloud Access context manager Policy set on an asset.
989
966
  ACCESS_POLICY = 5
967
+
968
+ # The runtime OS Inventory information.
969
+ OS_INVENTORY = 6
990
970
  end
991
971
  end
992
972
  end
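Review bot: The `write_disposition` attribute added in the `IamPolicyAnalysisOutputConfig::BigQueryDestination` hunk (new lines 897–911) is a free-form `::String` replacing the removed `write_mode` attribute and `WriteMode` module, so a misspelled or 0.6.0-era value such as `ABORT` or `OVERWRITE` is no longer caught by a constant lookup on the client, and the text does not say what happens with an unlisted string. `WRITE_TRUNCATE` is documented as overwriting "the entire table or all the partitions data" and the default is now `WRITE_APPEND`, so I would extend the attribute comment with `# Replaces write_mode from 0.6.0; WRITE_EMPTY is the closest match to the old ABORT. Handling of other strings: TODO confirm against the service.` The same section also renames `ExportIamPolicyAnalysisRequest` and `ExportIamPolicyAnalysisResponse` to `AnalyzeIamPolicyLongrunningRequest` and `AnalyzeIamPolicyLongrunningResponse` with no alias or deprecation note, which looks like a breaking change for callers upgrading across this range. These files appear to be generated documentation stubs, so the wording fix presumably belongs in the upstream proto comments.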