google-cloud-assured_workloads-v1 0.2.1 → 0.4.0
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +1 -1
- data/README.md +11 -6
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/client.rb +398 -5
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/operations.rb +3 -0
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/paths.rb +21 -0
- data/lib/google/cloud/assured_workloads/v1/version.rb +1 -1
- data/lib/google/cloud/assured_workloads/v1.rb +2 -0
- data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_pb.rb +111 -1
- data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_services_pb.rb +20 -0
- data/proto_docs/google/cloud/assuredworkloads/v1/assuredworkloads.rb +339 -22
- data/proto_docs/google/protobuf/any.rb +3 -3
- data/proto_docs/google/protobuf/empty.rb +0 -2
- metadata +12 -12
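--- a/data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_pb.rb
+++ b/data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_pb.rb
@@ -1,6 +1,8 @@
 # Generated by the protocol buffer compiler. DO NOT EDIT!
 # source: google/cloud/assuredworkloads/v1/assuredworkloads.proto
 
+require 'google/protobuf'
+
 require 'google/api/annotations_pb'
 require 'google/api/client_pb'
 require 'google/api/field_behavior_pb'
@@ -10,7 +12,6 @@ require 'google/protobuf/duration_pb'
 require 'google/protobuf/empty_pb'
 require 'google/protobuf/field_mask_pb'
 require 'google/protobuf/timestamp_pb'
-require 'google/protobuf'
 
 Google::Protobuf::DescriptorPool.generated_pool.build do
 add_file("google/cloud/assuredworkloads/v1/assuredworkloads.proto", :syntax => :proto3) do
@@ -55,6 +56,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
 optional :kaj_enrollment_state, :enum, 17, "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState"
 optional :enable_sovereign_controls, :bool, 18
 optional :saa_enrollment_response, :message, 20, "google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse"
+repeated :compliant_but_disallowed_services, :string, 24
+optional :partner, :enum, 25, "google.cloud.assuredworkloads.v1.Workload.Partner"
 end
 add_message "google.cloud.assuredworkloads.v1.Workload.ResourceInfo" do
 optional :resource_id, :int64, 1
@@ -63,6 +66,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
 add_enum "google.cloud.assuredworkloads.v1.Workload.ResourceInfo.ResourceType" do
 value :RESOURCE_TYPE_UNSPECIFIED, 0
 value :CONSUMER_PROJECT, 1
+value :CONSUMER_FOLDER, 4
 value :ENCRYPTION_KEYS_PROJECT, 2
 value :KEYRING, 3
 end
@@ -102,18 +106,107 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
 value :HITRUST, 7
 value :EU_REGIONS_AND_SUPPORT, 8
 value :CA_REGIONS_AND_SUPPORT, 9
+value :ITAR, 10
+value :ASSURED_WORKLOADS_FOR_PARTNERS, 12
 end
 add_enum "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState" do
 value :KAJ_ENROLLMENT_STATE_UNSPECIFIED, 0
 value :KAJ_ENROLLMENT_STATE_PENDING, 1
 value :KAJ_ENROLLMENT_STATE_COMPLETE, 2
 end
+add_enum "google.cloud.assuredworkloads.v1.Workload.Partner" do
+value :PARTNER_UNSPECIFIED, 0
+value :LOCAL_CONTROLS_BY_S3NS, 1
+end
 add_message "google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata" do
 optional :create_time, :message, 1, "google.protobuf.Timestamp"
 optional :display_name, :string, 2
 optional :parent, :string, 3
 optional :compliance_regime, :enum, 4, "google.cloud.assuredworkloads.v1.Workload.ComplianceRegime"
 end
+add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest" do
+optional :name, :string, 1
+optional :restriction_type, :enum, 2, "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType"
+end
+add_enum "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType" do
+value :RESTRICTION_TYPE_UNSPECIFIED, 0
+value :ALLOW_ALL_GCP_RESOURCES, 1
+value :ALLOW_COMPLIANT_RESOURCES, 2
+end
+add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse" do
+end
+add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest" do
+optional :name, :string, 1
+optional :comment, :string, 2
+optional :non_compliant_org_policy, :string, 3
+end
+add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse" do
+end
+add_message "google.cloud.assuredworkloads.v1.TimeWindow" do
+optional :start_time, :message, 1, "google.protobuf.Timestamp"
+optional :end_time, :message, 2, "google.protobuf.Timestamp"
+end
+add_message "google.cloud.assuredworkloads.v1.ListViolationsRequest" do
+optional :parent, :string, 1
+optional :interval, :message, 2, "google.cloud.assuredworkloads.v1.TimeWindow"
+optional :page_size, :int32, 3
+optional :page_token, :string, 4
+optional :filter, :string, 5
+end
+add_message "google.cloud.assuredworkloads.v1.ListViolationsResponse" do
+repeated :violations, :message, 1, "google.cloud.assuredworkloads.v1.Violation"
+optional :next_page_token, :string, 2
+end
+add_message "google.cloud.assuredworkloads.v1.GetViolationRequest" do
+optional :name, :string, 1
+end
+add_message "google.cloud.assuredworkloads.v1.Violation" do
+optional :name, :string, 1
+optional :description, :string, 2
+optional :begin_time, :message, 3, "google.protobuf.Timestamp"
+optional :update_time, :message, 4, "google.protobuf.Timestamp"
+optional :resolve_time, :message, 5, "google.protobuf.Timestamp"
+optional :category, :string, 6
+optional :state, :enum, 7, "google.cloud.assuredworkloads.v1.Violation.State"
+optional :org_policy_constraint, :string, 8
+optional :audit_log_link, :string, 11
+optional :non_compliant_org_policy, :string, 12
+optional :remediation, :message, 13, "google.cloud.assuredworkloads.v1.Violation.Remediation"
+optional :acknowledged, :bool, 14
+proto3_optional :acknowledgement_time, :message, 15, "google.protobuf.Timestamp"
+end
+add_message "google.cloud.assuredworkloads.v1.Violation.Remediation" do
+optional :instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions"
+repeated :compliant_values, :string, 2
+optional :remediation_type, :enum, 3, "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType"
+end
+add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions" do
+optional :gcloud_instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud"
+optional :console_instructions, :message, 2, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console"
+end
+add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud" do
+repeated :gcloud_commands, :string, 1
+repeated :steps, :string, 2
+repeated :additional_links, :string, 3
+end
+add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console" do
+repeated :console_uris, :string, 1
+repeated :steps, :string, 2
+repeated :additional_links, :string, 3
+end
+add_enum "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType" do
+value :REMEDIATION_TYPE_UNSPECIFIED, 0
+value :REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION, 1
+value :REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION, 2
+value :REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION, 3
+value :REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION, 4
+end
+add_enum "google.cloud.assuredworkloads.v1.Violation.State" do
+value :STATE_UNSPECIFIED, 0
+value :RESOLVED, 2
+value :UNRESOLVED, 3
+value :EXCEPTION, 4
+end
 end
 end
 
@@ -137,7 +230,24 @@ module Google
 Workload::SaaEnrollmentResponse::SetupError = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse.SetupError").enummodule
 Workload::ComplianceRegime = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.ComplianceRegime").enummodule
 Workload::KajEnrollmentState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState").enummodule
+Workload::Partner = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.Partner").enummodule
 CreateWorkloadOperationMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata").msgclass
+RestrictAllowedResourcesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest").msgclass
+RestrictAllowedResourcesRequest::RestrictionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType").enummodule
+RestrictAllowedResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse").msgclass
+AcknowledgeViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest").msgclass
+AcknowledgeViolationResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse").msgclass
+TimeWindow = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.TimeWindow").msgclass
+ListViolationsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsRequest").msgclass
+ListViolationsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsResponse").msgclass
+GetViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.GetViolationRequest").msgclass
+Violation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation").msgclass
+Violation::Remediation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation").msgclass
+Violation::Remediation::Instructions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions").msgclass
+Violation::Remediation::Instructions::Gcloud = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud").msgclass
+Violation::Remediation::Instructions::Console = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console").msgclass
+Violation::Remediation::RemediationType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType").enummodule
+Violation::State = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.State").enummodule
 end
 end
 end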
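--- a/data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_services_pb.rb
+++ b/data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_services_pb.rb
@@ -40,6 +40,13 @@ module Google
 # For force updates don't set etag field in the Workload.
 # Only one update operation per workload can be in progress.
 rpc :UpdateWorkload, ::Google::Cloud::AssuredWorkloads::V1::UpdateWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
+# Restrict the list of resources allowed in the Workload environment.
+# The current list of allowed products can be found at
+# https://cloud.google.com/assured-workloads/docs/supported-products
+# In addition to assuredworkloads.workload.update permission, the user should
+# also have orgpolicy.policy.set permission on the folder resource
+# to use this functionality.
+rpc :RestrictAllowedResources, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse
 # Deletes the workload. Make sure that workload's direct children are already
 # in a deleted state, otherwise the request will fail with a
 # FAILED_PRECONDITION error.
@@ -48,6 +55,19 @@ module Google
 rpc :GetWorkload, ::Google::Cloud::AssuredWorkloads::V1::GetWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
 # Lists Assured Workloads under a CRM Node.
 rpc :ListWorkloads, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsResponse
+# Lists the Violations in the AssuredWorkload Environment.
+# Callers may also choose to read across multiple Workloads as per
+# [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
+# character) as a wildcard character instead of workload-id in the parent.
+# Format `organizations/{org_id}/locations/{location}/workloads/-`
+rpc :ListViolations, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsResponse
+# Retrieves Assured Workload Violation based on ID.
+rpc :GetViolation, ::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::Violation
+# Acknowledges an existing violation. By acknowledging a violation, users
+# acknowledge the existence of a compliance violation in their workload and
+# decide to ignore it due to a valid business justification. Acknowledgement
+# is a permanent operation and it cannot be reverted.
+rpc :AcknowledgeViolation, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse
 end
 
 Stub = Service.rpc_stub_class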
@@ -31,8 +31,8 @@ module Google
|
|
31
31
|
# Required. Assured Workload to create
|
32
32
|
# @!attribute [rw] external_id
|
33
33
|
# @return [::String]
|
34
|
-
# Optional. A identifier associated with the workload and underlying projects
|
35
|
-
#
|
34
|
+
# Optional. A identifier associated with the workload and underlying projects which
|
35
|
+
# allows for the break down of billing costs for a workload. The value
|
36
36
|
# provided for the identifier will add a label to the workload and contained
|
37
37
|
# projects with the identifier as the value.
|
38
38
|
class CreateWorkloadRequest
|
@@ -44,7 +44,7 @@ module Google
|
|
44
44
|
# @!attribute [rw] workload
|
45
45
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload]
|
46
46
|
# Required. The workload to update.
|
47
|
-
# The workload
|
47
|
+
# The workload's `name` field is used to identify the workload to be updated.
|
48
48
|
# Format:
|
49
49
|
# organizations/\\{org_id}/locations/\\{location_id}/workloads/\\{workload_id}
|
50
50
|
# @!attribute [rw] update_mask
|
@@ -73,8 +73,8 @@ module Google
|
|
73
73
|
# Request for fetching a workload.
|
74
74
|
# @!attribute [rw] name
|
75
75
|
# @return [::String]
|
76
|
-
# Required. The resource name of the Workload to fetch. This is the
|
77
|
-
#
|
76
|
+
# Required. The resource name of the Workload to fetch. This is the workloads's
|
77
|
+
# relative path in the API, formatted as
|
78
78
|
# "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
|
79
79
|
# For example,
|
80
80
|
# "organizations/123/locations/us-east1/workloads/assured-workload-1".
|
@@ -148,7 +148,7 @@ module Google
|
|
148
148
|
# Output only. Immutable. The Workload creation timestamp.
|
149
149
|
# @!attribute [rw] billing_account
|
150
150
|
# @return [::String]
|
151
|
-
#
|
151
|
+
# Optional. The billing account used for the resources which are
|
152
152
|
# direct children of workload. This billing account is initially associated
|
153
153
|
# with the resources created as part of Workload creation.
|
154
154
|
# After the initial creation of these resources, the customer can change
|
@@ -165,22 +165,24 @@ module Google
|
|
165
165
|
# Optional. Labels applied to the workload.
|
166
166
|
# @!attribute [rw] provisioned_resources_parent
|
167
167
|
# @return [::String]
|
168
|
-
# Input only. The parent resource for the resources managed by this Assured
|
169
|
-
#
|
168
|
+
# Input only. The parent resource for the resources managed by this Assured Workload. May
|
169
|
+
# be either empty or a folder resource which is a child of the
|
170
170
|
# Workload parent. If not specified all resources are created under the
|
171
171
|
# parent organization.
|
172
172
|
# Format:
|
173
173
|
# folders/\\{folder_id}
|
174
174
|
# @!attribute [rw] kms_settings
|
175
175
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KMSSettings]
|
176
|
-
# Input only. Settings used to create a CMEK crypto key. When set a project
|
177
|
-
#
|
178
|
-
#
|
176
|
+
# Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
|
177
|
+
# CMEK key is provisioned.
|
178
|
+
# This field is deprecated as of Feb 28, 2022.
|
179
|
+
# In order to create a Keyring, callers should specify,
|
180
|
+
# ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
|
179
181
|
# @!attribute [rw] resource_settings
|
180
182
|
# @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceSettings>]
|
181
|
-
# Input only. Resource properties that are used to customize workload
|
182
|
-
#
|
183
|
-
#
|
183
|
+
# Input only. Resource properties that are used to customize workload resources.
|
184
|
+
# These properties (such as custom project id) will be used to create
|
185
|
+
# workload resources if possible. This field is optional.
|
184
186
|
# @!attribute [r] kaj_enrollment_state
|
185
187
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KajEnrollmentState]
|
186
188
|
# Output only. Represents the KAJ enrollment state of the given workload.
|
@@ -193,6 +195,15 @@ module Google
|
|
193
195
|
# Output only. Represents the SAA enrollment response of the given workload.
|
194
196
|
# SAA enrollment response is queried during GetWorkload call.
|
195
197
|
# In failure cases, user friendly error message is shown in SAA details page.
|
198
|
+
# @!attribute [r] compliant_but_disallowed_services
|
199
|
+
# @return [::Array<::String>]
|
200
|
+
# Output only. Urls for services which are compliant for this Assured Workload, but which
|
201
|
+
# are currently disallowed by the ResourceUsageRestriction org policy.
|
202
|
+
# Invoke RestrictAllowedResources endpoint to allow your project developers
|
203
|
+
# to use these services in their environment."
|
204
|
+
# @!attribute [rw] partner
|
205
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::Partner]
|
206
|
+
# Optional. Compliance Regime associated with this workload.
|
196
207
|
class Workload
|
197
208
|
include ::Google::Protobuf::MessageExts
|
198
209
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -215,8 +226,15 @@ module Google
|
|
215
226
|
RESOURCE_TYPE_UNSPECIFIED = 0
|
216
227
|
|
217
228
|
# Consumer project.
|
229
|
+
# AssuredWorkloads Projects are no longer supported. This field will be
|
230
|
+
# ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
|
231
|
+
# will continue to provide projects information.
|
232
|
+
# Use CONSUMER_FOLDER instead.
|
218
233
|
CONSUMER_PROJECT = 1
|
219
234
|
|
235
|
+
# Consumer Folder.
|
236
|
+
CONSUMER_FOLDER = 4
|
237
|
+
|
220
238
|
# Consumer project containing encryption keys.
|
221
239
|
ENCRYPTION_KEYS_PROJECT = 2
|
222
240
|
|
@@ -228,14 +246,13 @@ module Google
|
|
228
246
|
# Settings specific to the Key Management Service.
|
229
247
|
# @!attribute [rw] next_rotation_time
|
230
248
|
# @return [::Google::Protobuf::Timestamp]
|
231
|
-
# Required. Input only. Immutable. The time at which the Key Management
|
232
|
-
#
|
233
|
-
# mark it as the primary.
|
249
|
+
# Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
|
250
|
+
# new version of the crypto key and mark it as the primary.
|
234
251
|
# @!attribute [rw] rotation_period
|
235
252
|
# @return [::Google::Protobuf::Duration]
|
236
|
-
# Required. Input only. Immutable. [next_rotation_time] will be advanced by
|
237
|
-
#
|
238
|
-
#
|
253
|
+
# Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
|
254
|
+
# Management Service automatically rotates a key. Must be at least 24 hours
|
255
|
+
# and at most 876,000 hours.
|
239
256
|
class KMSSettings
|
240
257
|
include ::Google::Protobuf::MessageExts
|
241
258
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -247,6 +264,8 @@ module Google
|
|
247
264
|
# Resource identifier.
|
248
265
|
# For a project this represents project_id. If the project is already
|
249
266
|
# taken, the workload creation will fail.
|
267
|
+
# For KeyRing, this represents the keyring_id.
|
268
|
+
# For a folder, don't set this value as folder_id is assigned by Google.
|
250
269
|
# @!attribute [rw] resource_type
|
251
270
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceInfo::ResourceType]
|
252
271
|
# Indicates the type of resource. This field should be specified to
|
@@ -347,6 +366,12 @@ module Google
|
|
347
366
|
|
348
367
|
# Assured Workloads For Canada Regions and Support controls
|
349
368
|
CA_REGIONS_AND_SUPPORT = 9
|
369
|
+
|
370
|
+
# International Traffic in Arms Regulations
|
371
|
+
ITAR = 10
|
372
|
+
|
373
|
+
# Assured Workloads for Partners;
|
374
|
+
ASSURED_WORKLOADS_FOR_PARTNERS = 12
|
350
375
|
end
|
351
376
|
|
352
377
|
# Key Access Justifications(KAJ) Enrollment State.
|
@@ -360,6 +385,15 @@ module Google
|
|
360
385
|
# Complete State for KAJ Enrollment.
|
361
386
|
KAJ_ENROLLMENT_STATE_COMPLETE = 2
|
362
387
|
end
|
388
|
+
|
389
|
+
# Supported Assured Workloads Partners.
|
390
|
+
module Partner
|
391
|
+
# Unknown compliance regime.
|
392
|
+
PARTNER_UNSPECIFIED = 0
|
393
|
+
|
394
|
+
# S3NS regime
|
395
|
+
LOCAL_CONTROLS_BY_S3NS = 1
|
396
|
+
end
|
363
397
|
end
|
364
398
|
|
365
399
|
# Operation metadata to give request details of CreateWorkload.
|
@@ -374,12 +408,295 @@ module Google
|
|
374
408
|
# Optional. The parent of the workload.
|
375
409
|
# @!attribute [rw] compliance_regime
|
376
410
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ComplianceRegime]
|
377
|
-
# Optional. Compliance controls that should be applied to the resources
|
378
|
-
#
|
411
|
+
# Optional. Compliance controls that should be applied to the resources managed by
|
412
|
+
# the workload.
|
379
413
|
class CreateWorkloadOperationMetadata
|
380
414
|
include ::Google::Protobuf::MessageExts
|
381
415
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
382
416
|
end
|
417
|
+
|
418
|
+
# Request for restricting list of available resources in Workload environment.
|
419
|
+
# @!attribute [rw] name
|
420
|
+
# @return [::String]
|
421
|
+
# Required. The resource name of the Workload. This is the workloads's
|
422
|
+
# relative path in the API, formatted as
|
423
|
+
# "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
|
424
|
+
# For example,
|
425
|
+
# "organizations/123/locations/us-east1/workloads/assured-workload-1".
|
426
|
+
# @!attribute [rw] restriction_type
|
427
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest::RestrictionType]
|
428
|
+
# Required. The type of restriction for using gcp products in the Workload environment.
|
429
|
+
class RestrictAllowedResourcesRequest
|
430
|
+
include ::Google::Protobuf::MessageExts
|
431
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
432
|
+
|
433
|
+
# The type of restriction.
|
434
|
+
module RestrictionType
|
435
|
+
# Unknown restriction type.
|
436
|
+
RESTRICTION_TYPE_UNSPECIFIED = 0
|
437
|
+
|
438
|
+
# Allow the use all of all gcp products, irrespective of the compliance
|
439
|
+
# posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
|
440
|
+
# on the AssuredWorkloads Folder.
|
441
|
+
ALLOW_ALL_GCP_RESOURCES = 1
|
442
|
+
|
443
|
+
# Based on Workload's compliance regime, allowed list changes.
|
444
|
+
# See - https://cloud.google.com/assured-workloads/docs/supported-products
|
445
|
+
# for the list of supported resources.
|
446
|
+
ALLOW_COMPLIANT_RESOURCES = 2
|
447
|
+
end
|
448
|
+
end
|
449
|
+
|
450
|
+
# Response for restricting the list of allowed resources.
|
451
|
+
class RestrictAllowedResourcesResponse
|
452
|
+
include ::Google::Protobuf::MessageExts
|
453
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
454
|
+
end
|
455
|
+
|
456
|
+
# Request for acknowledging the violation
|
457
|
+
# Next Id: 4
|
458
|
+
# @!attribute [rw] name
|
459
|
+
# @return [::String]
|
460
|
+
# Required. The resource name of the Violation to acknowledge.
|
461
|
+
# Format:
|
462
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
|
463
|
+
# @!attribute [rw] comment
|
464
|
+
# @return [::String]
|
465
|
+
# Required. Business justification explaining the need for violation acknowledgement
|
466
|
+
# @!attribute [rw] non_compliant_org_policy
|
467
|
+
# @return [::String]
|
468
|
+
# Optional. Name of the OrgPolicy which was modified with non-compliant change and
|
469
|
+
# resulted in this violation.
|
470
|
+
# Format:
|
471
|
+
# projects/\\{project_number}/policies/\\{constraint_name}
|
472
|
+
# folders/\\{folder_id}/policies/\\{constraint_name}
|
473
|
+
# organizations/\\{organization_id}/policies/\\{constraint_name}
|
474
|
+
class AcknowledgeViolationRequest
|
475
|
+
include ::Google::Protobuf::MessageExts
|
476
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
477
|
+
end
|
478
|
+
|
479
|
+
# Response for violation acknowledgement
|
480
|
+
class AcknowledgeViolationResponse
|
481
|
+
include ::Google::Protobuf::MessageExts
|
482
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
483
|
+
end
|
484
|
+
|
485
|
+
# Interval defining a time window.
|
486
|
+
# @!attribute [rw] start_time
|
487
|
+
# @return [::Google::Protobuf::Timestamp]
|
488
|
+
# The start of the time window.
|
489
|
+
# @!attribute [rw] end_time
|
490
|
+
# @return [::Google::Protobuf::Timestamp]
|
491
|
+
# The end of the time window.
|
492
|
+
class TimeWindow
|
493
|
+
include ::Google::Protobuf::MessageExts
|
494
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
495
|
+
end
|
496
|
+
|
497
|
+
# Request for fetching violations in an organization.
|
498
|
+
# @!attribute [rw] parent
|
499
|
+
# @return [::String]
|
500
|
+
# Required. The Workload name.
|
501
|
+
# Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
|
502
|
+
# @!attribute [rw] interval
|
503
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::TimeWindow]
|
504
|
+
# Optional. Specifies the time window for retrieving active Violations.
|
505
|
+
# When specified, retrieves Violations that were active between start_time
|
506
|
+
# and end_time.
|
507
|
+
# @!attribute [rw] page_size
|
508
|
+
# @return [::Integer]
|
509
|
+
# Optional. Page size.
|
510
|
+
# @!attribute [rw] page_token
|
511
|
+
# @return [::String]
|
512
|
+
# Optional. Page token returned from previous request.
|
513
|
+
# @!attribute [rw] filter
|
514
|
+
# @return [::String]
|
515
|
+
# Optional. A custom filter for filtering by the Violations properties.
|
516
|
+
class ListViolationsRequest
|
517
|
+
include ::Google::Protobuf::MessageExts
|
518
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
519
|
+
end
|
520
|
+
|
521
|
+
# Response of ListViolations endpoint.
|
522
|
+
# @!attribute [rw] violations
|
523
|
+
# @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Violation>]
|
524
|
+
# List of Violations under a Workload.
|
525
|
+
# @!attribute [rw] next_page_token
|
526
|
+
# @return [::String]
|
527
|
+
# The next page token. Returns empty if reached the last page.
|
528
|
+
class ListViolationsResponse
|
529
|
+
include ::Google::Protobuf::MessageExts
|
530
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
531
|
+
end
|
532
|
+
|
533
|
+
# Request for fetching a Workload Violation.
|
534
|
+
# @!attribute [rw] name
|
535
|
+
# @return [::String]
|
536
|
+
# Required. The resource name of the Violation to fetch (ie. Violation.name).
|
537
|
+
# Format:
|
538
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
|
539
|
+
class GetViolationRequest
|
540
|
+
include ::Google::Protobuf::MessageExts
|
541
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
542
|
+
end
|
543
|
+
|
544
|
+
# Workload monitoring Violation.
|
545
|
+
# @!attribute [r] name
|
546
|
+
# @return [::String]
|
547
|
+
# Output only. Immutable. Name of the Violation.
|
548
|
+
# Format:
|
549
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload_id}/violations/\\{violations_id}
|
550
|
+
# @!attribute [r] description
|
551
|
+
# @return [::String]
|
552
|
+
# Output only. Description for the Violation.
|
553
|
+
# e.g. OrgPolicy gcp.resourceLocations has non compliant value.
|
554
|
+
# @!attribute [r] begin_time
|
555
|
+
# @return [::Google::Protobuf::Timestamp]
|
556
|
+
# Output only. Time of the event which triggered the Violation.
|
557
|
+
# @!attribute [r] update_time
|
558
|
+
# @return [::Google::Protobuf::Timestamp]
|
559
|
+
# Output only. The last time when the Violation record was updated.
|
560
|
+
# @!attribute [r] resolve_time
|
561
|
+
# @return [::Google::Protobuf::Timestamp]
|
562
|
+
# Output only. Time of the event which fixed the Violation.
|
563
|
+
# If the violation is ACTIVE this will be empty.
|
564
|
+
# @!attribute [r] category
|
565
|
+
# @return [::String]
|
566
|
+
# Output only. Category under which this violation is mapped.
|
567
|
+
# e.g. Location, Service Usage, Access, Encryption, etc.
|
568
|
+
# @!attribute [r] state
|
569
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::State]
|
570
|
+
# Output only. State of the violation
|
571
|
+
# @!attribute [r] org_policy_constraint
|
572
|
+
# @return [::String]
|
573
|
+
# Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
|
574
|
+
# this violation.
|
575
|
+
# @!attribute [r] audit_log_link
|
576
|
+
# @return [::String]
|
577
|
+
# Output only. Immutable. Audit Log Link for violated resource
|
578
|
+
# Format:
|
579
|
+
# https://console.cloud.google.com/logs/query;query=\\{logName}\\{protoPayload.resourceName}\\{timeRange}\\{folder}
|
580
|
+
# @!attribute [r] non_compliant_org_policy
|
581
|
+
# @return [::String]
|
582
|
+
# Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and
|
583
|
+
# resulted this violation.
|
584
|
+
# Format:
|
585
|
+
# projects/\\{project_number}/policies/\\{constraint_name}
|
586
|
+
# folders/\\{folder_id}/policies/\\{constraint_name}
|
587
|
+
# organizations/\\{organization_id}/policies/\\{constraint_name}
|
588
|
+
# @!attribute [r] remediation
|
589
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation]
|
590
|
+
# Output only. Compliance violation remediation
|
591
|
+
# @!attribute [r] acknowledged
|
592
|
+
# @return [::Boolean]
|
593
|
+
# Output only. A boolean that indicates if the violation is acknowledged
|
594
|
+
# @!attribute [rw] acknowledgement_time
|
595
|
+
# @return [::Google::Protobuf::Timestamp]
|
596
|
+
# Optional. Timestamp when this violation was acknowledged last.
|
597
|
+
# This will be absent when acknowledged field is marked as false.
|
598
|
+
class Violation
|
599
|
+
include ::Google::Protobuf::MessageExts
|
600
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
601
|
+
|
602
|
+
# Represents remediation guidance to resolve compliance violation for
|
603
|
+
# AssuredWorkload
|
604
|
+
# @!attribute [rw] instructions
|
605
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions]
|
606
|
+
# Required. Remediation instructions to resolve violations
|
607
|
+
# @!attribute [rw] compliant_values
|
608
|
+
# @return [::Array<::String>]
|
609
|
+
# Values that can resolve the violation
|
610
|
+
# For example: for list org policy violations, this will either be the list
|
611
|
+
# of allowed or denied values
|
612
|
+
# @!attribute [r] remediation_type
|
613
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::RemediationType]
|
614
|
+
# Output only. Reemediation type based on the type of org policy values violated
|
615
|
+
class Remediation
|
616
|
+
include ::Google::Protobuf::MessageExts
|
617
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
618
|
+
|
619
|
+
# Instructions to remediate violation
|
620
|
+
# @!attribute [rw] gcloud_instructions
|
621
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Gcloud]
|
622
|
+
# Remediation instructions to resolve violation via gcloud cli
|
623
|
+
# @!attribute [rw] console_instructions
|
624
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Console]
|
625
|
+
# Remediation instructions to resolve violation via cloud console
|
626
|
+
class Instructions
|
627
|
+
include ::Google::Protobuf::MessageExts
|
628
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
629
|
+
|
630
|
+
# Remediation instructions to resolve violation via gcloud cli
|
631
|
+
# @!attribute [rw] gcloud_commands
|
632
|
+
# @return [::Array<::String>]
|
633
|
+
# Gcloud command to resolve violation
|
634
|
+
# @!attribute [rw] steps
|
635
|
+
# @return [::Array<::String>]
|
636
|
+
# Steps to resolve violation via gcloud cli
|
637
|
+
# @!attribute [rw] additional_links
|
638
|
+
# @return [::Array<::String>]
|
639
|
+
# Additional urls for more information about steps
|
640
|
+
class Gcloud
|
641
|
+
include ::Google::Protobuf::MessageExts
|
642
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
643
|
+
end
|
644
|
+
|
645
|
+
# Remediation instructions to resolve violation via cloud console
|
646
|
+
# @!attribute [rw] console_uris
|
647
|
+
# @return [::Array<::String>]
|
648
|
+
# Link to console page where violations can be resolved
|
649
|
+
# @!attribute [rw] steps
|
650
|
+
# @return [::Array<::String>]
|
651
|
+
# Steps to resolve violation via cloud console
|
652
|
+
# @!attribute [rw] additional_links
|
653
|
+
# @return [::Array<::String>]
|
654
|
+
# Additional urls for more information about steps
|
655
|
+
class Console
|
656
|
+
include ::Google::Protobuf::MessageExts
|
657
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
658
|
+
end
|
659
|
+
end
|
660
|
+
|
661
|
+
# Classifying remediation into various types based on the kind of
|
662
|
+
# violation. For example, violations caused due to changes in boolean org
|
663
|
+
# policy requires different remediation instructions compared to violation
|
664
|
+
# caused due to changes in allowed values of list org policy.
|
665
|
+
module RemediationType
|
666
|
+
# Unspecified remediation type
|
667
|
+
REMEDIATION_TYPE_UNSPECIFIED = 0
|
668
|
+
|
669
|
+
# Remediation type for boolean org policy
|
670
|
+
REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1
|
671
|
+
|
672
|
+
# Remediation type for list org policy which have allowed values in the
|
673
|
+
# monitoring rule
|
674
|
+
REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2
|
675
|
+
|
676
|
+
# Remediation type for list org policy which have denied values in the
|
677
|
+
# monitoring rule
|
678
|
+
REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3
|
679
|
+
|
680
|
+
# Remediation type for gcp.restrictCmekCryptoKeyProjects
|
681
|
+
REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4
|
682
|
+
end
|
683
|
+
end
|
684
|
+
|
685
|
+
# Violation State Values
|
686
|
+
module State
|
687
|
+
# Unspecified state.
|
688
|
+
STATE_UNSPECIFIED = 0
|
689
|
+
|
690
|
+
# Violation is resolved.
|
691
|
+
RESOLVED = 2
|
692
|
+
|
693
|
+
# Violation is Unresolved
|
694
|
+
UNRESOLVED = 3
|
695
|
+
|
696
|
+
# Violation is Exception
|
697
|
+
EXCEPTION = 4
|
698
|
+
end
|
699
|
+
end
|
383
700
|
end
|
384
701
|
end
|
385
702
|
end
|