google-cloud-asset-v1 0.13.1 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b84592591b3ac9622dfb899c9c7afbd201810a2443909fb638a33bfb3111c773
-  data.tar.gz: 2607739a8324d78c2ae8dd23248d59c7ae7b8113301e728877a4247c1f827ca8
+  metadata.gz: ffce1027ed7b1bca718ecdc5909b466a68077773da8e05d3681787a9e86871b3
+  data.tar.gz: 41ddd69285d6e161c159066e9bc36f6a67c1d05fd551a1d27a6deb729608ced7
 SHA512:
-  metadata.gz: aa3b83337df9b54623a37e5902c73e2a6558f4d58f40c59247df7c3194313f343d846c3bd8f7060bb2c97623e08f14be096204148fe0782c8aff6074adfb92fa
-  data.tar.gz: 4eee1f606949f044829b1bd742195dab427650abc2743995fd12f2d25e2775e87e9709f1779eb766aedc4fa76f74af08a017873c75009c0918bcd9286e443d04
+  metadata.gz: 16974de7eefcdd9bd1b8f569cb742b10c93a163ce458a10fecdc725b8f5785a5d20f71370b48015aa252c5326ad48e19436967840e6c1367b4f61e36bc6b1750
+  data.tar.gz: 8a0fdf4604057cc58331ab2e1285d6050f0e1b093b51133fa38dc130312cedacd854f7e2db50dfaab89d0d84fd87e0708871318242b7bb17fb2e0fdc8ab14dd1

data/lib/google/cloud/asset/v1/asset_service/client.rb

@@ -893,7 +893,7 @@ module Google
             #   @param options [::Gapic::CallOptions, ::Hash]
             #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
             #
-            # @overload search_all_resources(scope: nil, query: nil, asset_types: nil, page_size: nil, page_token: nil, order_by: nil)
+            # @overload search_all_resources(scope: nil, query: nil, asset_types: nil, page_size: nil, page_token: nil, order_by: nil, read_mask: nil)
             #   Pass arguments to `search_all_resources` via keyword arguments. Note that at
             #   least one keyword argument is required. To specify no parameters, or to keep all
             #   the default parameter values, pass an empty Hash as a request object (see above).
@@ -935,8 +935,8 @@ module Google
             #       encryption key whose name contains the word "key".
             #     * `state:ACTIVE` to find Cloud resources whose state contains "ACTIVE" as a
             #       word.
-            #     * `NOT state:ACTIVE` to find \\{\\{gcp_name}} resources whose state
-            #       doesn't contain "ACTIVE" as a word.
+            #     * `NOT state:ACTIVE` to find Cloud resources whose state doesn't contain
+            #       "ACTIVE" as a word.
             #     * `createTime<1609459200` to find Cloud resources that were created before
             #       "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
             #       "2021-01-01 00:00:00 UTC" in seconds.
@@ -982,6 +982,7 @@ module Google
             #     to indicate descending order. Redundant space characters are ignored.
             #     Example: "location DESC, name".
             #     Only singular primitive fields in the response are sortable:
+            #
             #       * name
             #       * assetType
             #       * project
@@ -994,9 +995,39 @@ module Google
             #       * state
             #       * parentFullResourceName
             #       * parentAssetType
+            #
             #     All the other fields such as repeated fields (e.g., `networkTags`), map
             #     fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
             #     are not supported.
+            #   @param read_mask [::Google::Protobuf::FieldMask, ::Hash]
+            #     Optional. A comma-separated list of fields specifying which fields to be returned in
+            #     ResourceSearchResult. Only '*' or combination of top level fields can be
+            #     specified. Field names of both snake_case and camelCase are supported.
+            #     Examples: `"*"`, `"name,location"`, `"name,versionedResources"`.
+            #
+            #     The read_mask paths must be valid field paths listed but not limited to
+            #     (both snake_case and camelCase are supported):
+            #
+            #       * name
+            #       * assetType
+            #       * project
+            #       * displayName
+            #       * description
+            #       * location
+            #       * labels
+            #       * networkTags
+            #       * kmsKey
+            #       * createTime
+            #       * updateTime
+            #       * state
+            #       * additionalAttributes
+            #       * versionedResources
+            #
+            #     If read_mask is not specified, all fields except versionedResources will
+            #     be returned.
+            #     If only '*' is specified, all fields including versionedResources will be
+            #     returned.
+            #     Any invalid field path will trigger INVALID_ARGUMENT error.
             #
             # @yield [response, operation] Access the result along with the RPC operation
             # @yieldparam response [::Gapic::PagedEnumerable<::Google::Cloud::Asset::V1::ResourceSearchResult>]
@@ -1293,7 +1324,7 @@ module Google
             # {::Google::Longrunning::Operation google.longrunning.Operation}, which allows you to track the operation
             # status. We recommend intervals of at least 2 seconds with exponential
             # backoff retry to poll the operation result. The metadata contains the
-            # request to help callers to map responses to requests.
+            # metadata for the long-running operation.
             #
             # @overload analyze_iam_policy_longrunning(request, options = nil)
             #   Pass arguments to `analyze_iam_policy_longrunning` via a request object, either of type
@@ -1361,6 +1392,88 @@ module Google
               raise ::Google::Cloud::Error.from_error(e)
             end
 
+            ##
+            # Analyze moving a resource to a specified destination without kicking off
+            # the actual move. The analysis is best effort depending on the user's
+            # permissions of viewing different hierarchical policies and configurations.
+            # The policies and configuration are subject to change before the actual
+            # resource migration takes place.
+            #
+            # @overload analyze_move(request, options = nil)
+            #   Pass arguments to `analyze_move` via a request object, either of type
+            #   {::Google::Cloud::Asset::V1::AnalyzeMoveRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::Asset::V1::AnalyzeMoveRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload analyze_move(resource: nil, destination_parent: nil, view: nil)
+            #   Pass arguments to `analyze_move` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param resource [::String]
+            #     Required. Name of the resource to perform the analysis against.
+            #     Only GCP Project are supported as of today. Hence, this can only be Project
+            #     ID (such as "projects/my-project-id") or a Project Number (such as
+            #     "projects/12345").
+            #   @param destination_parent [::String]
+            #     Required. Name of the GCP Folder or Organization to reparent the target
+            #     resource. The analysis will be performed against hypothetically moving the
+            #     resource to this specified desitination parent. This can only be a Folder
+            #     number (such as "folders/123") or an Organization number (such as
+            #     "organizations/123").
+            #   @param view [::Google::Cloud::Asset::V1::AnalyzeMoveRequest::AnalysisView]
+            #     Analysis view indicating what information should be included in the
+            #     analysis response. If unspecified, the default view is FULL.
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::Asset::V1::AnalyzeMoveResponse]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::Asset::V1::AnalyzeMoveResponse]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            def analyze_move request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::Asset::V1::AnalyzeMoveRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.analyze_move.metadata.to_h
+
+              # Set x-goog-api-client and x-goog-user-project headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::Asset::V1::VERSION
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              header_params = {
+                "resource" => request.resource
+              }
+              request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
+              metadata[:"x-goog-request-params"] ||= request_params_header
+
+              options.apply_defaults timeout:      @config.rpcs.analyze_move.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.analyze_move.retry_policy
+              options.apply_defaults metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @asset_service_stub.call_rpc :analyze_move, request, options: options do |response, operation|
+                yield response, operation if block_given?
+                return response
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
             ##
             # Configuration class for the AssetService API.
             #
@@ -1557,6 +1670,11 @@ module Google
                 # @return [::Gapic::Config::Method]
                 #
                 attr_reader :analyze_iam_policy_longrunning
+                ##
+                # RPC-specific configuration for `analyze_move`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :analyze_move
 
                 # @private
                 def initialize parent_rpcs = nil
@@ -1584,6 +1702,8 @@ module Google
                   @analyze_iam_policy = ::Gapic::Config::Method.new analyze_iam_policy_config
                   analyze_iam_policy_longrunning_config = parent_rpcs.analyze_iam_policy_longrunning if parent_rpcs.respond_to? :analyze_iam_policy_longrunning
                   @analyze_iam_policy_longrunning = ::Gapic::Config::Method.new analyze_iam_policy_longrunning_config
+                  analyze_move_config = parent_rpcs.analyze_move if parent_rpcs.respond_to? :analyze_move
+                  @analyze_move = ::Gapic::Config::Method.new analyze_move_config
 
                   yield self if block_given?
                 end

data/lib/google/cloud/asset/v1/asset_service_pb.rb

@@ -14,9 +14,13 @@ require 'google/protobuf/empty_pb'
 require 'google/protobuf/field_mask_pb'
 require 'google/protobuf/struct_pb'
 require 'google/protobuf/timestamp_pb'
+require 'google/rpc/status_pb'
 require 'google/type/expr_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/asset/v1/asset_service.proto", :syntax => :proto3) do
+    add_message "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningMetadata" do
+      optional :create_time, :message, 1, "google.protobuf.Timestamp"
+    end
     add_message "google.cloud.asset.v1.ExportAssetsRequest" do
       optional :parent, :string, 1
       optional :read_time, :message, 2, "google.protobuf.Timestamp"
@@ -130,6 +134,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :page_size, :int32, 4
       optional :page_token, :string, 5
       optional :order_by, :string, 6
+      optional :read_mask, :message, 8, "google.protobuf.FieldMask"
     end
     add_message "google.cloud.asset.v1.SearchAllResourcesResponse" do
       repeated :results, :message, 1, "google.cloud.asset.v1.ResourceSearchResult"
@@ -218,6 +223,33 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     end
     add_message "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse" do
     end
+    add_message "google.cloud.asset.v1.AnalyzeMoveRequest" do
+      optional :resource, :string, 1
+      optional :destination_parent, :string, 2
+      optional :view, :enum, 3, "google.cloud.asset.v1.AnalyzeMoveRequest.AnalysisView"
+    end
+    add_enum "google.cloud.asset.v1.AnalyzeMoveRequest.AnalysisView" do
+      value :ANALYSIS_VIEW_UNSPECIFIED, 0
+      value :FULL, 1
+      value :BASIC, 2
+    end
+    add_message "google.cloud.asset.v1.AnalyzeMoveResponse" do
+      repeated :move_analysis, :message, 1, "google.cloud.asset.v1.MoveAnalysis"
+    end
+    add_message "google.cloud.asset.v1.MoveAnalysis" do
+      optional :display_name, :string, 1
+      oneof :result do
+        optional :analysis, :message, 2, "google.cloud.asset.v1.MoveAnalysisResult"
+        optional :error, :message, 3, "google.rpc.Status"
+      end
+    end
+    add_message "google.cloud.asset.v1.MoveAnalysisResult" do
+      repeated :blockers, :message, 1, "google.cloud.asset.v1.MoveImpact"
+      repeated :warnings, :message, 2, "google.cloud.asset.v1.MoveImpact"
+    end
+    add_message "google.cloud.asset.v1.MoveImpact" do
+      optional :detail, :string, 1
+    end
     add_enum "google.cloud.asset.v1.ContentType" do
       value :CONTENT_TYPE_UNSPECIFIED, 0
       value :RESOURCE, 1
@@ -233,6 +265,7 @@ module Google
   module Cloud
     module Asset
       module V1
+        AnalyzeIamPolicyLongrunningMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyLongrunningMetadata").msgclass
         ExportAssetsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportAssetsRequest").msgclass
         ExportAssetsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ExportAssetsResponse").msgclass
         ListAssetsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ListAssetsRequest").msgclass
@@ -274,6 +307,12 @@ module Google
         IamPolicyAnalysisOutputConfig::BigQueryDestination::PartitionKey = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicyAnalysisOutputConfig.BigQueryDestination.PartitionKey").enummodule
         AnalyzeIamPolicyLongrunningRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyLongrunningRequest").msgclass
         AnalyzeIamPolicyLongrunningResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse").msgclass
+        AnalyzeMoveRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeMoveRequest").msgclass
+        AnalyzeMoveRequest::AnalysisView = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeMoveRequest.AnalysisView").enummodule
+        AnalyzeMoveResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AnalyzeMoveResponse").msgclass
+        MoveAnalysis = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.MoveAnalysis").msgclass
+        MoveAnalysisResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.MoveAnalysisResult").msgclass
+        MoveImpact = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.MoveImpact").msgclass
         ContentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ContentType").enummodule
       end
     end

data/lib/google/cloud/asset/v1/asset_service_services_pb.rb

@@ -87,8 +87,14 @@ module Google
             # [google.longrunning.Operation][google.longrunning.Operation], which allows you to track the operation
             # status. We recommend intervals of at least 2 seconds with exponential
             # backoff retry to poll the operation result. The metadata contains the
-            # request to help callers to map responses to requests.
+            # metadata for the long-running operation.
             rpc :AnalyzeIamPolicyLongrunning, ::Google::Cloud::Asset::V1::AnalyzeIamPolicyLongrunningRequest, ::Google::Longrunning::Operation
+            # Analyze moving a resource to a specified destination without kicking off
+            # the actual move. The analysis is best effort depending on the user's
+            # permissions of viewing different hierarchical policies and configurations.
+            # The policies and configuration are subject to change before the actual
+            # resource migration takes place.
+            rpc :AnalyzeMove, ::Google::Cloud::Asset::V1::AnalyzeMoveRequest, ::Google::Cloud::Asset::V1::AnalyzeMoveResponse
           end
 
           Stub = Service.rpc_stub_class

data/lib/google/cloud/asset/v1/assets_pb.rb

@@ -10,11 +10,9 @@ require 'google/identity/accesscontextmanager/v1/access_level_pb'
 require 'google/identity/accesscontextmanager/v1/access_policy_pb'
 require 'google/cloud/osconfig/v1/inventory_pb'
 require 'google/identity/accesscontextmanager/v1/service_perimeter_pb'
-require 'google/protobuf/any_pb'
 require 'google/protobuf/struct_pb'
 require 'google/protobuf/timestamp_pb'
 require 'google/rpc/code_pb'
-require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/asset/v1/assets.proto", :syntax => :proto3) do
     add_message "google.cloud.asset.v1.TemporalAsset" do
@@ -76,8 +74,18 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :state, :string, 13
       optional :additional_attributes, :message, 9, "google.protobuf.Struct"
       optional :parent_full_resource_name, :string, 19
+      repeated :versioned_resources, :message, 16, "google.cloud.asset.v1.VersionedResource"
+      repeated :attached_resources, :message, 20, "google.cloud.asset.v1.AttachedResource"
       optional :parent_asset_type, :string, 103
     end
+    add_message "google.cloud.asset.v1.VersionedResource" do
+      optional :version, :string, 1
+      optional :resource, :message, 2, "google.protobuf.Struct"
+    end
+    add_message "google.cloud.asset.v1.AttachedResource" do
+      optional :asset_type, :string, 1
+      repeated :versioned_resources, :message, 3, "google.cloud.asset.v1.VersionedResource"
+    end
     add_message "google.cloud.asset.v1.IamPolicySearchResult" do
       optional :resource, :string, 1
       optional :asset_type, :string, 5
@@ -155,6 +163,8 @@ module Google
         Asset = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.Asset").msgclass
         Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.Resource").msgclass
         ResourceSearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.ResourceSearchResult").msgclass
+        VersionedResource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.VersionedResource").msgclass
+        AttachedResource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.AttachedResource").msgclass
         IamPolicySearchResult = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult").msgclass
         IamPolicySearchResult::Explanation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation").msgclass
         IamPolicySearchResult::Explanation::Permissions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.asset.v1.IamPolicySearchResult.Explanation.Permissions").msgclass

data/lib/google/cloud/asset/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Asset
       module V1
-        VERSION = "0.13.1"
+        VERSION = "0.14.0"
       end
     end
   end

data/lib/google/identity/accesscontextmanager/v1/access_level_pb.rb

@@ -3,6 +3,7 @@
 
 require 'google/protobuf'
 
+require 'google/api/resource_pb'
 require 'google/identity/accesscontextmanager/type/device_resources_pb'
 require 'google/protobuf/timestamp_pb'
 require 'google/type/expr_pb'

data/lib/google/identity/accesscontextmanager/v1/access_policy_pb.rb

@@ -3,6 +3,7 @@
 
 require 'google/protobuf'
 
+require 'google/api/resource_pb'
 require 'google/protobuf/timestamp_pb'
 require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do

data/lib/google/identity/accesscontextmanager/v1/service_perimeter_pb.rb

@@ -3,6 +3,7 @@
 
 require 'google/protobuf'
 
+require 'google/api/resource_pb'
 require 'google/protobuf/timestamp_pb'
 require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
@@ -27,11 +28,60 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       repeated :access_levels, :string, 2
       repeated :restricted_services, :string, 4
       optional :vpc_accessible_services, :message, 10, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices"
+      repeated :ingress_policies, :message, 8, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy"
+      repeated :egress_policies, :message, 9, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy"
     end
     add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices" do
       optional :enable_restriction, :bool, 1
       repeated :allowed_services, :string, 2
     end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector" do
+      oneof :kind do
+        optional :method, :string, 1
+        optional :permission, :string, 2
+      end
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation" do
+      optional :service_name, :string, 1
+      repeated :method_selectors, :message, 2, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource" do
+      oneof :source do
+        optional :access_level, :string, 1
+        optional :resource, :string, 2
+      end
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo" do
+      repeated :resources, :string, 1
+      repeated :operations, :message, 2, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom" do
+      repeated :sources, :message, 1, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource"
+      repeated :identities, :string, 2
+      optional :identity_type, :enum, 3, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo" do
+      repeated :operations, :message, 1, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation"
+      repeated :resources, :string, 2
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy" do
+      optional :ingress_from, :message, 1, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom"
+      optional :ingress_to, :message, 2, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy" do
+      optional :egress_from, :message, 1, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom"
+      optional :egress_to, :message, 2, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo"
+    end
+    add_message "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom" do
+      repeated :identities, :string, 1
+      optional :identity_type, :enum, 2, "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType"
+    end
+    add_enum "google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType" do
+      value :IDENTITY_TYPE_UNSPECIFIED, 0
+      value :ANY_IDENTITY, 1
+      value :ANY_USER_ACCOUNT, 2
+      value :ANY_SERVICE_ACCOUNT, 3
+    end
   end
 end
 
@@ -43,6 +93,16 @@ module Google
         ServicePerimeter::PerimeterType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeter.PerimeterType").enummodule
         ServicePerimeterConfig = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig").msgclass
         ServicePerimeterConfig::VpcAccessibleServices = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.VpcAccessibleServices").msgclass
+        ServicePerimeterConfig::MethodSelector = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector").msgclass
+        ServicePerimeterConfig::ApiOperation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation").msgclass
+        ServicePerimeterConfig::IngressSource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource").msgclass
+        ServicePerimeterConfig::EgressTo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo").msgclass
+        ServicePerimeterConfig::IngressFrom = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom").msgclass
+        ServicePerimeterConfig::IngressTo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressTo").msgclass
+        ServicePerimeterConfig::IngressPolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy").msgclass
+        ServicePerimeterConfig::EgressPolicy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy").msgclass
+        ServicePerimeterConfig::EgressFrom = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom").msgclass
+        ServicePerimeterConfig::IdentityType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IdentityType").enummodule
       end
     end
   end

data/proto_docs/google/cloud/asset/v1/asset_service.rb

@@ -21,6 +21,16 @@ module Google
   module Cloud
     module Asset
       module V1
+        # Represents the metadata of the longrunning operation for the
+        # AnalyzeIamPolicyLongrunning rpc.
+        # @!attribute [r] create_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     The time the operation was created.
+        class AnalyzeIamPolicyLongrunningMetadata
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # Export asset request.
         # @!attribute [rw] parent
         #   @return [::String]
@@ -518,7 +528,7 @@ module Google
         #     optional.
         #
         #     See our [user
-        #     guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes#feed_with_condition)
+        #     guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes-with-condition)
         #     for detailed instructions.
         class Feed
           include ::Google::Protobuf::MessageExts
@@ -565,8 +575,8 @@ module Google
         #       encryption key whose name contains the word "key".
         #     * `state:ACTIVE` to find Cloud resources whose state contains "ACTIVE" as a
         #       word.
-        #     * `NOT state:ACTIVE` to find \\{\\{gcp_name}} resources whose state
-        #       doesn't contain "ACTIVE" as a word.
+        #     * `NOT state:ACTIVE` to find Cloud resources whose state doesn't contain
+        #       "ACTIVE" as a word.
         #     * `createTime<1609459200` to find Cloud resources that were created before
         #       "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
         #       "2021-01-01 00:00:00 UTC" in seconds.
@@ -616,6 +626,7 @@ module Google
         #     to indicate descending order. Redundant space characters are ignored.
         #     Example: "location DESC, name".
         #     Only singular primitive fields in the response are sortable:
+        #
         #       * name
         #       * assetType
         #       * project
@@ -628,9 +639,40 @@ module Google
         #       * state
         #       * parentFullResourceName
         #       * parentAssetType
+        #
         #     All the other fields such as repeated fields (e.g., `networkTags`), map
         #     fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`)
         #     are not supported.
+        # @!attribute [rw] read_mask
+        #   @return [::Google::Protobuf::FieldMask]
+        #     Optional. A comma-separated list of fields specifying which fields to be returned in
+        #     ResourceSearchResult. Only '*' or combination of top level fields can be
+        #     specified. Field names of both snake_case and camelCase are supported.
+        #     Examples: `"*"`, `"name,location"`, `"name,versionedResources"`.
+        #
+        #     The read_mask paths must be valid field paths listed but not limited to
+        #     (both snake_case and camelCase are supported):
+        #
+        #       * name
+        #       * assetType
+        #       * project
+        #       * displayName
+        #       * description
+        #       * location
+        #       * labels
+        #       * networkTags
+        #       * kmsKey
+        #       * createTime
+        #       * updateTime
+        #       * state
+        #       * additionalAttributes
+        #       * versionedResources
+        #
+        #     If read_mask is not specified, all fields except versionedResources will
+        #     be returned.
+        #     If only '*' is specified, all fields including versionedResources will be
+        #     returned.
+        #     Any invalid field path will trigger INVALID_ARGUMENT error.
         class SearchAllResourcesRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -1114,6 +1156,94 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # The request message for performing resource move analysis.
+        # @!attribute [rw] resource
+        #   @return [::String]
+        #     Required. Name of the resource to perform the analysis against.
+        #     Only GCP Project are supported as of today. Hence, this can only be Project
+        #     ID (such as "projects/my-project-id") or a Project Number (such as
+        #     "projects/12345").
+        # @!attribute [rw] destination_parent
+        #   @return [::String]
+        #     Required. Name of the GCP Folder or Organization to reparent the target
+        #     resource. The analysis will be performed against hypothetically moving the
+        #     resource to this specified desitination parent. This can only be a Folder
+        #     number (such as "folders/123") or an Organization number (such as
+        #     "organizations/123").
+        # @!attribute [rw] view
+        #   @return [::Google::Cloud::Asset::V1::AnalyzeMoveRequest::AnalysisView]
+        #     Analysis view indicating what information should be included in the
+        #     analysis response. If unspecified, the default view is FULL.
+        class AnalyzeMoveRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # View enum for supporting partial analysis responses.
+          module AnalysisView
+            # The default/unset value.
+            # The API will default to the FULL view.
+            ANALYSIS_VIEW_UNSPECIFIED = 0
+
+            # Full analysis including all level of impacts of the specified resource
+            # move.
+            FULL = 1
+
+            # Basic analysis only including blockers which will prevent the specified
+            # resource move at runtime.
+            BASIC = 2
+          end
+        end
+
+        # The response message for resource move analysis.
+        # @!attribute [rw] move_analysis
+        #   @return [::Array<::Google::Cloud::Asset::V1::MoveAnalysis>]
+        #     The list of analyses returned from performing the intended resource move
+        #     analysis. The analysis is grouped by different Cloud services.
+        class AnalyzeMoveResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A message to group the analysis information.
+        # @!attribute [rw] display_name
+        #   @return [::String]
+        #     The user friendly display name of the analysis. E.g. IAM, Organization
+        #     Policy etc.
+        # @!attribute [rw] analysis
+        #   @return [::Google::Cloud::Asset::V1::MoveAnalysisResult]
+        #     Analysis result of moving the target resource.
+        # @!attribute [rw] error
+        #   @return [::Google::Rpc::Status]
+        #     Description of error encountered when performing the analysis.
+        class MoveAnalysis
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # An analysis result including blockers and warnings.
+        # @!attribute [rw] blockers
+        #   @return [::Array<::Google::Cloud::Asset::V1::MoveImpact>]
+        #     Blocking information that would prevent the target resource from moving
+        #     to the specified destination at runtime.
+        # @!attribute [rw] warnings
+        #   @return [::Array<::Google::Cloud::Asset::V1::MoveImpact>]
+        #     Warning information indicating that moving the target resource to the
+        #     specified destination might be unsafe. This can include important policy
+        #     information and configuration changes, but will not block moves at runtime.
+        class MoveAnalysisResult
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A message to group impacts of moving the target resource.
+        # @!attribute [rw] detail
+        #   @return [::String]
+        #     User friendly impact detail in a free form message.
+        class MoveImpact
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # Asset content type.
         module ContentType
           # Unspecified content type.

data/proto_docs/google/cloud/asset/v1/assets.rb

@@ -406,6 +406,24 @@ module Google
         #     `parentFullResourceName:"project-name"`
         #     * use a free text query. Example:
         #     `project-name`
+        # @!attribute [rw] versioned_resources
+        #   @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
+        #     Versioned resource representations of this resource. This is repeated
+        #     because there could be multiple versions of resource representations during
+        #     version migration.
+        #
+        #     This `versioned_resources` field is not searchable. Some attributes of the
+        #     resource representations are exposed in `additional_attributes` field, so
+        #     as to allow users to search on them.
+        # @!attribute [rw] attached_resources
+        #   @return [::Array<::Google::Cloud::Asset::V1::AttachedResource>]
+        #     Attached resources of this resource. For example, an OSConfig
+        #     Inventory is an attached resource of a Compute Instance. This field is
+        #     repeated because a resource could have multiple attached resources.
+        #
+        #     This `attached_resources` field is not searchable. Some attributes
+        #     of the attached resources are exposed in `additional_attributes` field, so
+        #     as to allow users to search on them.
         # @!attribute [rw] parent_asset_type
         #   @return [::String]
         #     The type of this resource's immediate parent, if there is one.
@@ -430,6 +448,56 @@ module Google
           end
         end
 
+        # Resource representation as defined by the corresponding service providing the
+        # resource for a given API version.
+        # @!attribute [rw] version
+        #   @return [::String]
+        #     API version of the resource.
+        #
+        #     Example:
+        #     If the resource is an instance provided by Compute Engine v1 API as defined
+        #     in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`,
+        #     version will be "v1".
+        # @!attribute [rw] resource
+        #   @return [::Google::Protobuf::Struct]
+        #     JSON representation of the resource as defined by the corresponding
+        #     service providing this resource.
+        #
+        #     Example:
+        #     If the resource is an instance provided by Compute Engine, this field will
+        #     contain the JSON representation of the instance as defined by Compute
+        #     Engine:
+        #     `https://cloud.google.com/compute/docs/reference/rest/v1/instances`.
+        #
+        #     You can find the resource definition for each supported resource type in
+        #     this table:
+        #     `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
+        class VersionedResource
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Attached resource representation, which is defined by the corresponding
+        # service provider. It represents an attached resource's payload.
+        # @!attribute [rw] asset_type
+        #   @return [::String]
+        #     The type of this attached resource.
+        #
+        #     Example: `osconfig.googleapis.com/Inventory`
+        #
+        #     You can find the supported attached asset types of each resource in this
+        #     table:
+        #     `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
+        # @!attribute [rw] versioned_resources
+        #   @return [::Array<::Google::Cloud::Asset::V1::VersionedResource>]
+        #     Versioned resource representations of this attached resource. This is
+        #     repeated because there could be multiple versions of the attached resource
+        #     representations during version migration.
+        class AttachedResource
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # A result of IAM Policy search, containing information of an IAM policy.
         # @!attribute [rw] resource
         #   @return [::String]

data/proto_docs/google/identity/accesscontextmanager/v1/access_level.rb

@@ -28,8 +28,8 @@ module Google
         #   @return [::String]
         #     Required. Resource name for the Access Level. The `short_name` component
         #     must begin with a letter and only include alphanumeric and '_'. Format:
-        #     `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length
-        #     of the `short_name` component is 50 characters.
+        #     `accessPolicies/{access_policy}/accessLevels/{access_level}`. The maximum
+        #     length of the `access_level` component is 50 characters.
         # @!attribute [rw] title
         #   @return [::String]
         #     Human readable title. Must be unique within the Policy.

data/proto_docs/google/identity/accesscontextmanager/v1/access_policy.rb

@@ -29,7 +29,7 @@ module Google
         # @!attribute [rw] name
         #   @return [::String]
         #     Output only. Resource name of the `AccessPolicy`. Format:
-        #     `accessPolicies/{policy_id}`
+        #     `accessPolicies/{access_policy}`
         # @!attribute [rw] parent
         #   @return [::String]
         #     Required. The parent of this `AccessPolicy` in the Cloud Resource

data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb

@@ -35,7 +35,8 @@ module Google
         #   @return [::String]
         #     Required. Resource name for the ServicePerimeter.  The `short_name`
         #     component must begin with a letter and only include alphanumeric and '_'.
-        #     Format: `accessPolicies/{policy_id}/servicePerimeters/{short_name}`
+        #     Format:
+        #     `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
         # @!attribute [rw] title
         #   @return [::String]
         #     Human readable title. Must be unique within the Policy.
@@ -133,6 +134,26 @@ module Google
         # @!attribute [rw] vpc_accessible_services
         #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::VpcAccessibleServices]
         #     Configuration for APIs allowed within Perimeter.
+        # @!attribute [rw] ingress_policies
+        #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressPolicy>]
+        #     List of [IngressPolicies]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+        #     to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
+        #     each of which is evaluated separately. Access is granted if any [Ingress
+        #     Policy]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+        #     grants it. Must be empty for a perimeter bridge.
+        # @!attribute [rw] egress_policies
+        #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressPolicy>]
+        #     List of [EgressPolicies]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+        #     to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
+        #     each of which is evaluated separately. Access is granted if any
+        #     [EgressPolicy]
+        #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+        #     grants it. Must be empty for a perimeter bridge.
         class ServicePerimeterConfig
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -146,11 +167,316 @@ module Google
           # @!attribute [rw] allowed_services
           #   @return [::Array<::String>]
           #     The list of APIs usable within the Service Perimeter. Must be empty
-          #     unless 'enable_restriction' is True.
+          #     unless 'enable_restriction' is True. You can specify a list of individual
+          #     services, as well as include the 'RESTRICTED-SERVICES' value, which
+          #     automatically includes all of the services protected by the perimeter.
           class VpcAccessibleServices
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
           end
+
+          # An allowed method or permission of a service specified in [ApiOperation]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+          # @!attribute [rw] method
+          #   @return [::String]
+          #     Value for `method` should be a valid method name for the corresponding
+          #     `service_name` in [ApiOperation]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+          #     If `*` used as value for `method`, then ALL methods and permissions are
+          #     allowed.
+          # @!attribute [rw] permission
+          #   @return [::String]
+          #     Value for `permission` should be a valid Cloud IAM permission for the
+          #     corresponding `service_name` in [ApiOperation]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+          class MethodSelector
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Identification for an API Operation.
+          # @!attribute [rw] service_name
+          #   @return [::String]
+          #     The name of the API whose methods or permissions the [IngressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          #     or [EgressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          #     want to allow. A single [ApiOperation]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          #     with `service_name` field set to `*` will allow all methods AND
+          #     permissions for all services.
+          # @!attribute [rw] method_selectors
+          #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::MethodSelector>]
+          #     API methods or permissions to allow. Method or permission must belong to
+          #     the service specified by `service_name` field. A single [MethodSelector]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
+          #     entry with `*` specified for the `method` field will allow all methods
+          #     AND permissions for the service specified in `service_name`.
+          class ApiOperation
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # The source that [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # authorizes access from.
+          # @!attribute [rw] access_level
+          #   @return [::String]
+          #     An [AccessLevel]
+          #     [google.identity.accesscontextmanager.v1.AccessLevel] resource
+          #     name that allow resources within the [ServicePerimeters]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
+          #     accessed from the internet. [AccessLevels]
+          #     [google.identity.accesscontextmanager.v1.AccessLevel] listed must
+          #     be in the same policy as this [ServicePerimeter]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeter].
+          #     Referencing a nonexistent [AccessLevel]
+          #     [google.identity.accesscontextmanager.v1.AccessLevel] will cause
+          #     an error. If no [AccessLevel]
+          #     [google.identity.accesscontextmanager.v1.AccessLevel] names are
+          #     listed, resources within the perimeter can only be accessed via Google
+          #     Cloud calls with request origins within the perimeter. Example:
+          #     `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
+          #     specified for `access_level`, then all [IngressSources]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
+          #     will be allowed.
+          # @!attribute [rw] resource
+          #   @return [::String]
+          #     A Google Cloud resource that is allowed to ingress the perimeter.
+          #     Requests from these resources will be allowed to access perimeter data.
+          #     Currently only projects are allowed.
+          #     Format: `projects/{project_number}`
+          #     The project may be in any Google Cloud organization, not just the
+          #     organization that the perimeter is defined in. `*` is not allowed, the
+          #     case of allowing all Google Cloud resources only is not supported.
+          class IngressSource
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Defines the conditions under which an [EgressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # matches a request. Conditions are based on information about the
+          # [ApiOperation]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          # intended to be performed on the `resources` specified. Note that if the
+          # destination of the request is also protected by a [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+          # [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+          # an [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # which allows access in order for this request to succeed. The request must
+          # match `operations` AND `resources` fields in order to be allowed egress out
+          # of the perimeter.
+          # @!attribute [rw] resources
+          #   @return [::Array<::String>]
+          #     A list of resources, currently only projects in the form
+          #     `projects/<projectnumber>`, that are allowed to be accessed by sources
+          #     defined in the corresponding [EgressFrom]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+          #     A request matches if it contains a resource in this list.  If `*` is
+          #     specified for `resources`, then this [EgressTo]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+          #     rule will authorize access to all resources outside the perimeter.
+          # @!attribute [rw] operations
+          #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
+          #     A list of [ApiOperations]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          #     allowed to be performed by the sources specified in the corresponding
+          #     [EgressFrom]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+          #     A request matches if it uses an operation/service in this list.
+          class EgressTo
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Defines the conditions under which an [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # matches a request. Conditions are based on information about the source of
+          # the request. The request must satisfy what is defined in `sources` AND
+          # identity related fields in order to match.
+          # @!attribute [rw] sources
+          #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressSource>]
+          #     Sources that this [IngressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          #     authorizes access from.
+          # @!attribute [rw] identities
+          #   @return [::Array<::String>]
+          #     A list of identities that are allowed access through this ingress
+          #     policy. Should be in the format of email address. The email address
+          #     should represent individual user or service account only.
+          # @!attribute [rw] identity_type
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
+          #     Specifies the type of identities that are allowed access from outside the
+          #     perimeter. If left unspecified, then members of `identities` field will
+          #     be allowed access.
+          class IngressFrom
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Defines the conditions under which an [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # matches a request. Conditions are based on information about the
+          # [ApiOperation]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          # intended to be performed on the target resource of the request. The request
+          # must satisfy what is defined in `operations` AND `resources` in order to
+          # match.
+          # @!attribute [rw] operations
+          #   @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
+          #     A list of [ApiOperations]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          #     allowed to be performed by the sources specified in corresponding
+          #     [IngressFrom]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+          #     in this [ServicePerimeter]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeter].
+          # @!attribute [rw] resources
+          #   @return [::Array<::String>]
+          #     A list of resources, currently only projects in the form
+          #     `projects/<projectnumber>`, protected by this [ServicePerimeter]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+          #     allowed to be accessed by sources defined in the corresponding
+          #     [IngressFrom]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+          #     If a single `*` is specified, then access to all resources inside the
+          #     perimeter are allowed.
+          class IngressTo
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Policy for ingress into [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter].
+          #
+          # [IngressPolicies]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # match requests based on `ingress_from` and `ingress_to` stanzas.  For an
+          # ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
+          # must be matched. If an [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # matches a request, the request is allowed through the perimeter boundary
+          # from outside the perimeter.
+          #
+          # For example, access from the internet can be allowed either
+          # based on an [AccessLevel]
+          # [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
+          # hosted on Google Cloud, the project of the source network. For access from
+          # private networks, using the project of the hosting network is required.
+          #
+          # Individual ingress policies can be limited by restricting which
+          # services and/or actions they match using the `ingress_to` field.
+          # @!attribute [rw] ingress_from
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressFrom]
+          #     Defines the conditions on the source of a request causing this
+          #     [IngressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          #     to apply.
+          # @!attribute [rw] ingress_to
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressTo]
+          #     Defines the conditions on the [ApiOperation]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          #     and request destination that cause this [IngressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          #     to apply.
+          class IngressPolicy
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Policy for egress from perimeter.
+          #
+          # [EgressPolicies]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # match requests based on `egress_from` and `egress_to` stanzas.  For an
+          # [EgressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # to match, both `egress_from` and `egress_to` stanzas must be matched. If an
+          # [EgressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # matches a request, the request is allowed to span the [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
+          # For example, an [EgressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # can be used to allow VMs on networks within the [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
+          # defined set of projects outside the perimeter in certain contexts (e.g. to
+          # read data from a Cloud Storage bucket or query against a BigQuery dataset).
+          #
+          # [EgressPolicies]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # are concerned with the *resources* that a request relates as well as the
+          # API services and API actions being used.  They do not related to the
+          # direction of data movement.  More detailed documentation for this concept
+          # can be found in the descriptions of [EgressFrom]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+          # and [EgressTo]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
+          # @!attribute [rw] egress_from
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressFrom]
+          #     Defines conditions on the source of a request causing this [EgressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          #     to apply.
+          # @!attribute [rw] egress_to
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressTo]
+          #     Defines the conditions on the [ApiOperation]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+          #     and destination resources that cause this [EgressPolicy]
+          #     [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          #     to apply.
+          class EgressPolicy
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Defines the conditions under which an [EgressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+          # matches a request. Conditions based on information about the source of the
+          # request. Note that if the destination of the request is also protected by a
+          # [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+          # [ServicePerimeter]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+          # an [IngressPolicy]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+          # which allows access in order for this request to succeed.
+          # @!attribute [rw] identities
+          #   @return [::Array<::String>]
+          #     A list of identities that are allowed access through this [EgressPolicy].
+          #     Should be in the format of email address. The email address should
+          #     represent individual user or service account only.
+          # @!attribute [rw] identity_type
+          #   @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
+          #     Specifies the type of identities that are allowed access to outside the
+          #     perimeter. If left unspecified, then members of `identities` field will
+          #     be allowed access.
+          class EgressFrom
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Specifies the types of identities that are allowed access in either
+          # [IngressFrom]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+          # or [EgressFrom]
+          # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+          # rules.
+          module IdentityType
+            # No blanket identity group specified.
+            IDENTITY_TYPE_UNSPECIFIED = 0
+
+            # Authorize access from all identities outside the perimeter.
+            ANY_IDENTITY = 1
+
+            # Authorize access from all human users outside the perimeter.
+            ANY_USER_ACCOUNT = 2
+
+            # Authorize access from all service accounts outside the perimeter.
+            ANY_SERVICE_ACCOUNT = 3
+          end
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-asset-v1
 version: !ruby/object:Gem::Version
-  version: 0.13.1
+  version: 0.14.0
 platform: ruby
 authors:
 - Google LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-12 00:00:00.000000000 Z
+date: 2021-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gapic-common