google-cloud-assured_workloads-v1 0.2.1 → 0.4.0
- checksums.yaml +4 -4
- data/AUTHENTICATION.md +1 -1
- data/README.md +11 -6
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/client.rb +398 -5
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/operations.rb +3 -0
- data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/paths.rb +21 -0
- data/lib/google/cloud/assured_workloads/v1/version.rb +1 -1
- data/lib/google/cloud/assured_workloads/v1.rb +2 -0
- data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_pb.rb +111 -1
- data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_services_pb.rb +20 -0
- data/proto_docs/google/cloud/assuredworkloads/v1/assuredworkloads.rb +339 -22
- data/proto_docs/google/protobuf/any.rb +3 -3
- data/proto_docs/google/protobuf/empty.rb +0 -2
- metadata +12 -12
@@ -1,6 +1,8 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: google/cloud/assuredworkloads/v1/assuredworkloads.proto
|
3
3
|
|
4
|
+
require 'google/protobuf'
|
5
|
+
|
4
6
|
require 'google/api/annotations_pb'
|
5
7
|
require 'google/api/client_pb'
|
6
8
|
require 'google/api/field_behavior_pb'
|
@@ -10,7 +12,6 @@ require 'google/protobuf/duration_pb'
|
|
10
12
|
require 'google/protobuf/empty_pb'
|
11
13
|
require 'google/protobuf/field_mask_pb'
|
12
14
|
require 'google/protobuf/timestamp_pb'
|
13
|
-
require 'google/protobuf'
|
14
15
|
|
15
16
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
16
17
|
add_file("google/cloud/assuredworkloads/v1/assuredworkloads.proto", :syntax => :proto3) do
|
@@ -55,6 +56,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
55
56
|
optional :kaj_enrollment_state, :enum, 17, "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState"
|
56
57
|
optional :enable_sovereign_controls, :bool, 18
|
57
58
|
optional :saa_enrollment_response, :message, 20, "google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse"
|
59
|
+
repeated :compliant_but_disallowed_services, :string, 24
|
60
|
+
optional :partner, :enum, 25, "google.cloud.assuredworkloads.v1.Workload.Partner"
|
58
61
|
end
|
59
62
|
add_message "google.cloud.assuredworkloads.v1.Workload.ResourceInfo" do
|
60
63
|
optional :resource_id, :int64, 1
|
@@ -63,6 +66,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
63
66
|
add_enum "google.cloud.assuredworkloads.v1.Workload.ResourceInfo.ResourceType" do
|
64
67
|
value :RESOURCE_TYPE_UNSPECIFIED, 0
|
65
68
|
value :CONSUMER_PROJECT, 1
|
69
|
+
value :CONSUMER_FOLDER, 4
|
66
70
|
value :ENCRYPTION_KEYS_PROJECT, 2
|
67
71
|
value :KEYRING, 3
|
68
72
|
end
|
@@ -102,18 +106,107 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
102
106
|
value :HITRUST, 7
|
103
107
|
value :EU_REGIONS_AND_SUPPORT, 8
|
104
108
|
value :CA_REGIONS_AND_SUPPORT, 9
|
109
|
+
value :ITAR, 10
|
110
|
+
value :ASSURED_WORKLOADS_FOR_PARTNERS, 12
|
105
111
|
end
|
106
112
|
add_enum "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState" do
|
107
113
|
value :KAJ_ENROLLMENT_STATE_UNSPECIFIED, 0
|
108
114
|
value :KAJ_ENROLLMENT_STATE_PENDING, 1
|
109
115
|
value :KAJ_ENROLLMENT_STATE_COMPLETE, 2
|
110
116
|
end
|
117
|
+
add_enum "google.cloud.assuredworkloads.v1.Workload.Partner" do
|
118
|
+
value :PARTNER_UNSPECIFIED, 0
|
119
|
+
value :LOCAL_CONTROLS_BY_S3NS, 1
|
120
|
+
end
|
111
121
|
add_message "google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata" do
|
112
122
|
optional :create_time, :message, 1, "google.protobuf.Timestamp"
|
113
123
|
optional :display_name, :string, 2
|
114
124
|
optional :parent, :string, 3
|
115
125
|
optional :compliance_regime, :enum, 4, "google.cloud.assuredworkloads.v1.Workload.ComplianceRegime"
|
116
126
|
end
|
127
|
+
add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest" do
|
128
|
+
optional :name, :string, 1
|
129
|
+
optional :restriction_type, :enum, 2, "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType"
|
130
|
+
end
|
131
|
+
add_enum "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType" do
|
132
|
+
value :RESTRICTION_TYPE_UNSPECIFIED, 0
|
133
|
+
value :ALLOW_ALL_GCP_RESOURCES, 1
|
134
|
+
value :ALLOW_COMPLIANT_RESOURCES, 2
|
135
|
+
end
|
136
|
+
add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse" do
|
137
|
+
end
|
138
|
+
add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest" do
|
139
|
+
optional :name, :string, 1
|
140
|
+
optional :comment, :string, 2
|
141
|
+
optional :non_compliant_org_policy, :string, 3
|
142
|
+
end
|
143
|
+
add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse" do
|
144
|
+
end
|
145
|
+
add_message "google.cloud.assuredworkloads.v1.TimeWindow" do
|
146
|
+
optional :start_time, :message, 1, "google.protobuf.Timestamp"
|
147
|
+
optional :end_time, :message, 2, "google.protobuf.Timestamp"
|
148
|
+
end
|
149
|
+
add_message "google.cloud.assuredworkloads.v1.ListViolationsRequest" do
|
150
|
+
optional :parent, :string, 1
|
151
|
+
optional :interval, :message, 2, "google.cloud.assuredworkloads.v1.TimeWindow"
|
152
|
+
optional :page_size, :int32, 3
|
153
|
+
optional :page_token, :string, 4
|
154
|
+
optional :filter, :string, 5
|
155
|
+
end
|
156
|
+
add_message "google.cloud.assuredworkloads.v1.ListViolationsResponse" do
|
157
|
+
repeated :violations, :message, 1, "google.cloud.assuredworkloads.v1.Violation"
|
158
|
+
optional :next_page_token, :string, 2
|
159
|
+
end
|
160
|
+
add_message "google.cloud.assuredworkloads.v1.GetViolationRequest" do
|
161
|
+
optional :name, :string, 1
|
162
|
+
end
|
163
|
+
add_message "google.cloud.assuredworkloads.v1.Violation" do
|
164
|
+
optional :name, :string, 1
|
165
|
+
optional :description, :string, 2
|
166
|
+
optional :begin_time, :message, 3, "google.protobuf.Timestamp"
|
167
|
+
optional :update_time, :message, 4, "google.protobuf.Timestamp"
|
168
|
+
optional :resolve_time, :message, 5, "google.protobuf.Timestamp"
|
169
|
+
optional :category, :string, 6
|
170
|
+
optional :state, :enum, 7, "google.cloud.assuredworkloads.v1.Violation.State"
|
171
|
+
optional :org_policy_constraint, :string, 8
|
172
|
+
optional :audit_log_link, :string, 11
|
173
|
+
optional :non_compliant_org_policy, :string, 12
|
174
|
+
optional :remediation, :message, 13, "google.cloud.assuredworkloads.v1.Violation.Remediation"
|
175
|
+
optional :acknowledged, :bool, 14
|
176
|
+
proto3_optional :acknowledgement_time, :message, 15, "google.protobuf.Timestamp"
|
177
|
+
end
|
178
|
+
add_message "google.cloud.assuredworkloads.v1.Violation.Remediation" do
|
179
|
+
optional :instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions"
|
180
|
+
repeated :compliant_values, :string, 2
|
181
|
+
optional :remediation_type, :enum, 3, "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType"
|
182
|
+
end
|
183
|
+
add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions" do
|
184
|
+
optional :gcloud_instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud"
|
185
|
+
optional :console_instructions, :message, 2, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console"
|
186
|
+
end
|
187
|
+
add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud" do
|
188
|
+
repeated :gcloud_commands, :string, 1
|
189
|
+
repeated :steps, :string, 2
|
190
|
+
repeated :additional_links, :string, 3
|
191
|
+
end
|
192
|
+
add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console" do
|
193
|
+
repeated :console_uris, :string, 1
|
194
|
+
repeated :steps, :string, 2
|
195
|
+
repeated :additional_links, :string, 3
|
196
|
+
end
|
197
|
+
add_enum "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType" do
|
198
|
+
value :REMEDIATION_TYPE_UNSPECIFIED, 0
|
199
|
+
value :REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION, 1
|
200
|
+
value :REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION, 2
|
201
|
+
value :REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION, 3
|
202
|
+
value :REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION, 4
|
203
|
+
end
|
204
|
+
add_enum "google.cloud.assuredworkloads.v1.Violation.State" do
|
205
|
+
value :STATE_UNSPECIFIED, 0
|
206
|
+
value :RESOLVED, 2
|
207
|
+
value :UNRESOLVED, 3
|
208
|
+
value :EXCEPTION, 4
|
209
|
+
end
|
117
210
|
end
|
118
211
|
end
|
119
212
|
|
@@ -137,7 +230,24 @@ module Google
|
|
137
230
|
Workload::SaaEnrollmentResponse::SetupError = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse.SetupError").enummodule
|
138
231
|
Workload::ComplianceRegime = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.ComplianceRegime").enummodule
|
139
232
|
Workload::KajEnrollmentState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState").enummodule
|
233
|
+
Workload::Partner = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.Partner").enummodule
|
140
234
|
CreateWorkloadOperationMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata").msgclass
|
235
|
+
RestrictAllowedResourcesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest").msgclass
|
236
|
+
RestrictAllowedResourcesRequest::RestrictionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType").enummodule
|
237
|
+
RestrictAllowedResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse").msgclass
|
238
|
+
AcknowledgeViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest").msgclass
|
239
|
+
AcknowledgeViolationResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse").msgclass
|
240
|
+
TimeWindow = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.TimeWindow").msgclass
|
241
|
+
ListViolationsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsRequest").msgclass
|
242
|
+
ListViolationsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsResponse").msgclass
|
243
|
+
GetViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.GetViolationRequest").msgclass
|
244
|
+
Violation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation").msgclass
|
245
|
+
Violation::Remediation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation").msgclass
|
246
|
+
Violation::Remediation::Instructions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions").msgclass
|
247
|
+
Violation::Remediation::Instructions::Gcloud = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud").msgclass
|
248
|
+
Violation::Remediation::Instructions::Console = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console").msgclass
|
249
|
+
Violation::Remediation::RemediationType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType").enummodule
|
250
|
+
Violation::State = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.State").enummodule
|
141
251
|
end
|
142
252
|
end
|
143
253
|
end
|
@@ -40,6 +40,13 @@ module Google
|
|
40
40
|
# For force updates don't set etag field in the Workload.
|
41
41
|
# Only one update operation per workload can be in progress.
|
42
42
|
rpc :UpdateWorkload, ::Google::Cloud::AssuredWorkloads::V1::UpdateWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
|
43
|
+
# Restrict the list of resources allowed in the Workload environment.
|
44
|
+
# The current list of allowed products can be found at
|
45
|
+
# https://cloud.google.com/assured-workloads/docs/supported-products
|
46
|
+
# In addition to assuredworkloads.workload.update permission, the user should
|
47
|
+
# also have orgpolicy.policy.set permission on the folder resource
|
48
|
+
# to use this functionality.
|
49
|
+
rpc :RestrictAllowedResources, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse
|
43
50
|
# Deletes the workload. Make sure that workload's direct children are already
|
44
51
|
# in a deleted state, otherwise the request will fail with a
|
45
52
|
# FAILED_PRECONDITION error.
|
@@ -48,6 +55,19 @@ module Google
|
|
48
55
|
rpc :GetWorkload, ::Google::Cloud::AssuredWorkloads::V1::GetWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
|
49
56
|
# Lists Assured Workloads under a CRM Node.
|
50
57
|
rpc :ListWorkloads, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsResponse
|
58
|
+
# Lists the Violations in the AssuredWorkload Environment.
|
59
|
+
# Callers may also choose to read across multiple Workloads as per
|
60
|
+
# [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
|
61
|
+
# character) as a wildcard character instead of workload-id in the parent.
|
62
|
+
# Format `organizations/{org_id}/locations/{location}/workloads/-`
|
63
|
+
rpc :ListViolations, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsResponse
|
64
|
+
# Retrieves Assured Workload Violation based on ID.
|
65
|
+
rpc :GetViolation, ::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::Violation
|
66
|
+
# Acknowledges an existing violation. By acknowledging a violation, users
|
67
|
+
# acknowledge the existence of a compliance violation in their workload and
|
68
|
+
# decide to ignore it due to a valid business justification. Acknowledgement
|
69
|
+
# is a permanent operation and it cannot be reverted.
|
70
|
+
rpc :AcknowledgeViolation, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse
|
51
71
|
end
|
52
72
|
|
53
73
|
Stub = Service.rpc_stub_class
|
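Review bot: The comment added above `rpc :RestrictAllowedResources` names the permissions a caller needs but not what the call can do to the workload's guardrails. Per the `RestrictionType` documentation further down this page, `ALLOW_ALL_GCP_RESOURCES` effectively removes the gcp.restrictServiceUsage OrgPolicy on the AssuredWorkloads folder. I would add a line such as `# Note: restriction_type ALLOW_ALL_GCP_RESOURCES removes the gcp.restrictServiceUsage OrgPolicy on the workload folder.` so the effect is visible where the RPC is declared. The second hunk adds `rpc :AcknowledgeViolation`, which its own comment describes as permanent. Neither RPC exists on the old side of these hunks, so anyone upgrading should check which principals can reach them and confirm that both calls show up in audit logging. The enclosing service class starts outside these hunks.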
@@ -31,8 +31,8 @@ module Google
|
|
31
31
|
# Required. Assured Workload to create
|
32
32
|
# @!attribute [rw] external_id
|
33
33
|
# @return [::String]
|
34
|
-
# Optional. A identifier associated with the workload and underlying projects
|
35
|
-
#
|
34
|
+
# Optional. A identifier associated with the workload and underlying projects which
|
35
|
+
# allows for the break down of billing costs for a workload. The value
|
36
36
|
# provided for the identifier will add a label to the workload and contained
|
37
37
|
# projects with the identifier as the value.
|
38
38
|
class CreateWorkloadRequest
|
@@ -44,7 +44,7 @@ module Google
|
|
44
44
|
# @!attribute [rw] workload
|
45
45
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload]
|
46
46
|
# Required. The workload to update.
|
47
|
-
# The workload
|
47
|
+
# The workload's `name` field is used to identify the workload to be updated.
|
48
48
|
# Format:
|
49
49
|
# organizations/\\{org_id}/locations/\\{location_id}/workloads/\\{workload_id}
|
50
50
|
# @!attribute [rw] update_mask
|
@@ -73,8 +73,8 @@ module Google
|
|
73
73
|
# Request for fetching a workload.
|
74
74
|
# @!attribute [rw] name
|
75
75
|
# @return [::String]
|
76
|
-
# Required. The resource name of the Workload to fetch. This is the
|
77
|
-
#
|
76
|
+
# Required. The resource name of the Workload to fetch. This is the workloads's
|
77
|
+
# relative path in the API, formatted as
|
78
78
|
# "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
|
79
79
|
# For example,
|
80
80
|
# "organizations/123/locations/us-east1/workloads/assured-workload-1".
|
@@ -148,7 +148,7 @@ module Google
|
|
148
148
|
# Output only. Immutable. The Workload creation timestamp.
|
149
149
|
# @!attribute [rw] billing_account
|
150
150
|
# @return [::String]
|
151
|
-
#
|
151
|
+
# Optional. The billing account used for the resources which are
|
152
152
|
# direct children of workload. This billing account is initially associated
|
153
153
|
# with the resources created as part of Workload creation.
|
154
154
|
# After the initial creation of these resources, the customer can change
|
@@ -165,22 +165,24 @@ module Google
|
|
165
165
|
# Optional. Labels applied to the workload.
|
166
166
|
# @!attribute [rw] provisioned_resources_parent
|
167
167
|
# @return [::String]
|
168
|
-
# Input only. The parent resource for the resources managed by this Assured
|
169
|
-
#
|
168
|
+
# Input only. The parent resource for the resources managed by this Assured Workload. May
|
169
|
+
# be either empty or a folder resource which is a child of the
|
170
170
|
# Workload parent. If not specified all resources are created under the
|
171
171
|
# parent organization.
|
172
172
|
# Format:
|
173
173
|
# folders/\\{folder_id}
|
174
174
|
# @!attribute [rw] kms_settings
|
175
175
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KMSSettings]
|
176
|
-
# Input only. Settings used to create a CMEK crypto key. When set a project
|
177
|
-
#
|
178
|
-
#
|
176
|
+
# Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
|
177
|
+
# CMEK key is provisioned.
|
178
|
+
# This field is deprecated as of Feb 28, 2022.
|
179
|
+
# In order to create a Keyring, callers should specify,
|
180
|
+
# ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
|
179
181
|
# @!attribute [rw] resource_settings
|
180
182
|
# @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceSettings>]
|
181
|
-
# Input only. Resource properties that are used to customize workload
|
182
|
-
#
|
183
|
-
#
|
183
|
+
# Input only. Resource properties that are used to customize workload resources.
|
184
|
+
# These properties (such as custom project id) will be used to create
|
185
|
+
# workload resources if possible. This field is optional.
|
184
186
|
# @!attribute [r] kaj_enrollment_state
|
185
187
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KajEnrollmentState]
|
186
188
|
# Output only. Represents the KAJ enrollment state of the given workload.
|
@@ -193,6 +195,15 @@ module Google
|
|
193
195
|
# Output only. Represents the SAA enrollment response of the given workload.
|
194
196
|
# SAA enrollment response is queried during GetWorkload call.
|
195
197
|
# In failure cases, user friendly error message is shown in SAA details page.
|
198
|
+
# @!attribute [r] compliant_but_disallowed_services
|
199
|
+
# @return [::Array<::String>]
|
200
|
+
# Output only. Urls for services which are compliant for this Assured Workload, but which
|
201
|
+
# are currently disallowed by the ResourceUsageRestriction org policy.
|
202
|
+
# Invoke RestrictAllowedResources endpoint to allow your project developers
|
203
|
+
# to use these services in their environment."
|
204
|
+
# @!attribute [rw] partner
|
205
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::Partner]
|
206
|
+
# Optional. Compliance Regime associated with this workload.
|
196
207
|
class Workload
|
197
208
|
include ::Google::Protobuf::MessageExts
|
198
209
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -215,8 +226,15 @@ module Google
|
|
215
226
|
RESOURCE_TYPE_UNSPECIFIED = 0
|
216
227
|
|
217
228
|
# Consumer project.
|
229
|
+
# AssuredWorkloads Projects are no longer supported. This field will be
|
230
|
+
# ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
|
231
|
+
# will continue to provide projects information.
|
232
|
+
# Use CONSUMER_FOLDER instead.
|
218
233
|
CONSUMER_PROJECT = 1
|
219
234
|
|
235
|
+
# Consumer Folder.
|
236
|
+
CONSUMER_FOLDER = 4
|
237
|
+
|
220
238
|
# Consumer project containing encryption keys.
|
221
239
|
ENCRYPTION_KEYS_PROJECT = 2
|
222
240
|
|
@@ -228,14 +246,13 @@ module Google
|
|
228
246
|
# Settings specific to the Key Management Service.
|
229
247
|
# @!attribute [rw] next_rotation_time
|
230
248
|
# @return [::Google::Protobuf::Timestamp]
|
231
|
-
# Required. Input only. Immutable. The time at which the Key Management
|
232
|
-
#
|
233
|
-
# mark it as the primary.
|
249
|
+
# Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
|
250
|
+
# new version of the crypto key and mark it as the primary.
|
234
251
|
# @!attribute [rw] rotation_period
|
235
252
|
# @return [::Google::Protobuf::Duration]
|
236
|
-
# Required. Input only. Immutable. [next_rotation_time] will be advanced by
|
237
|
-
#
|
238
|
-
#
|
253
|
+
# Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
|
254
|
+
# Management Service automatically rotates a key. Must be at least 24 hours
|
255
|
+
# and at most 876,000 hours.
|
239
256
|
class KMSSettings
|
240
257
|
include ::Google::Protobuf::MessageExts
|
241
258
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -247,6 +264,8 @@ module Google
|
|
247
264
|
# Resource identifier.
|
248
265
|
# For a project this represents project_id. If the project is already
|
249
266
|
# taken, the workload creation will fail.
|
267
|
+
# For KeyRing, this represents the keyring_id.
|
268
|
+
# For a folder, don't set this value as folder_id is assigned by Google.
|
250
269
|
# @!attribute [rw] resource_type
|
251
270
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceInfo::ResourceType]
|
252
271
|
# Indicates the type of resource. This field should be specified to
|
@@ -347,6 +366,12 @@ module Google
|
|
347
366
|
|
348
367
|
# Assured Workloads For Canada Regions and Support controls
|
349
368
|
CA_REGIONS_AND_SUPPORT = 9
|
369
|
+
|
370
|
+
# International Traffic in Arms Regulations
|
371
|
+
ITAR = 10
|
372
|
+
|
373
|
+
# Assured Workloads for Partners;
|
374
|
+
ASSURED_WORKLOADS_FOR_PARTNERS = 12
|
350
375
|
end
|
351
376
|
|
352
377
|
# Key Access Justifications(KAJ) Enrollment State.
|
@@ -360,6 +385,15 @@ module Google
|
|
360
385
|
# Complete State for KAJ Enrollment.
|
361
386
|
KAJ_ENROLLMENT_STATE_COMPLETE = 2
|
362
387
|
end
|
388
|
+
|
389
|
+
# Supported Assured Workloads Partners.
|
390
|
+
module Partner
|
391
|
+
# Unknown compliance regime.
|
392
|
+
PARTNER_UNSPECIFIED = 0
|
393
|
+
|
394
|
+
# S3NS regime
|
395
|
+
LOCAL_CONTROLS_BY_S3NS = 1
|
396
|
+
end
|
363
397
|
end
|
364
398
|
|
365
399
|
# Operation metadata to give request details of CreateWorkload.
|
@@ -374,12 +408,295 @@ module Google
|
|
374
408
|
# Optional. The parent of the workload.
|
375
409
|
# @!attribute [rw] compliance_regime
|
376
410
|
# @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ComplianceRegime]
|
377
|
-
# Optional. Compliance controls that should be applied to the resources
|
378
|
-
#
|
411
|
+
# Optional. Compliance controls that should be applied to the resources managed by
|
412
|
+
# the workload.
|
379
413
|
class CreateWorkloadOperationMetadata
|
380
414
|
include ::Google::Protobuf::MessageExts
|
381
415
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
382
416
|
end
|
417
|
+
|
418
|
+
# Request for restricting list of available resources in Workload environment.
|
419
|
+
# @!attribute [rw] name
|
420
|
+
# @return [::String]
|
421
|
+
# Required. The resource name of the Workload. This is the workloads's
|
422
|
+
# relative path in the API, formatted as
|
423
|
+
# "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
|
424
|
+
# For example,
|
425
|
+
# "organizations/123/locations/us-east1/workloads/assured-workload-1".
|
426
|
+
# @!attribute [rw] restriction_type
|
427
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest::RestrictionType]
|
428
|
+
# Required. The type of restriction for using gcp products in the Workload environment.
|
429
|
+
class RestrictAllowedResourcesRequest
|
430
|
+
include ::Google::Protobuf::MessageExts
|
431
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
432
|
+
|
433
|
+
# The type of restriction.
|
434
|
+
module RestrictionType
|
435
|
+
# Unknown restriction type.
|
436
|
+
RESTRICTION_TYPE_UNSPECIFIED = 0
|
437
|
+
|
438
|
+
# Allow the use all of all gcp products, irrespective of the compliance
|
439
|
+
# posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
|
440
|
+
# on the AssuredWorkloads Folder.
|
441
|
+
ALLOW_ALL_GCP_RESOURCES = 1
|
442
|
+
|
443
|
+
# Based on Workload's compliance regime, allowed list changes.
|
444
|
+
# See - https://cloud.google.com/assured-workloads/docs/supported-products
|
445
|
+
# for the list of supported resources.
|
446
|
+
ALLOW_COMPLIANT_RESOURCES = 2
|
447
|
+
end
|
448
|
+
end
|
449
|
+
|
450
|
+
# Response for restricting the list of allowed resources.
|
451
|
+
class RestrictAllowedResourcesResponse
|
452
|
+
include ::Google::Protobuf::MessageExts
|
453
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
454
|
+
end
|
455
|
+
|
456
|
+
# Request for acknowledging the violation
|
457
|
+
# Next Id: 4
|
458
|
+
# @!attribute [rw] name
|
459
|
+
# @return [::String]
|
460
|
+
# Required. The resource name of the Violation to acknowledge.
|
461
|
+
# Format:
|
462
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
|
463
|
+
# @!attribute [rw] comment
|
464
|
+
# @return [::String]
|
465
|
+
# Required. Business justification explaining the need for violation acknowledgement
|
466
|
+
# @!attribute [rw] non_compliant_org_policy
|
467
|
+
# @return [::String]
|
468
|
+
# Optional. Name of the OrgPolicy which was modified with non-compliant change and
|
469
|
+
# resulted in this violation.
|
470
|
+
# Format:
|
471
|
+
# projects/\\{project_number}/policies/\\{constraint_name}
|
472
|
+
# folders/\\{folder_id}/policies/\\{constraint_name}
|
473
|
+
# organizations/\\{organization_id}/policies/\\{constraint_name}
|
474
|
+
class AcknowledgeViolationRequest
|
475
|
+
include ::Google::Protobuf::MessageExts
|
476
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
477
|
+
end
|
478
|
+
|
479
|
+
# Response for violation acknowledgement
|
480
|
+
class AcknowledgeViolationResponse
|
481
|
+
include ::Google::Protobuf::MessageExts
|
482
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
483
|
+
end
|
484
|
+
|
485
|
+
# Interval defining a time window.
|
486
|
+
# @!attribute [rw] start_time
|
487
|
+
# @return [::Google::Protobuf::Timestamp]
|
488
|
+
# The start of the time window.
|
489
|
+
# @!attribute [rw] end_time
|
490
|
+
# @return [::Google::Protobuf::Timestamp]
|
491
|
+
# The end of the time window.
|
492
|
+
class TimeWindow
|
493
|
+
include ::Google::Protobuf::MessageExts
|
494
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
495
|
+
end
|
496
|
+
|
497
|
+
# Request for fetching violations in an organization.
|
498
|
+
# @!attribute [rw] parent
|
499
|
+
# @return [::String]
|
500
|
+
# Required. The Workload name.
|
501
|
+
# Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
|
502
|
+
# @!attribute [rw] interval
|
503
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::TimeWindow]
|
504
|
+
# Optional. Specifies the time window for retrieving active Violations.
|
505
|
+
# When specified, retrieves Violations that were active between start_time
|
506
|
+
# and end_time.
|
507
|
+
# @!attribute [rw] page_size
|
508
|
+
# @return [::Integer]
|
509
|
+
# Optional. Page size.
|
510
|
+
# @!attribute [rw] page_token
|
511
|
+
# @return [::String]
|
512
|
+
# Optional. Page token returned from previous request.
|
513
|
+
# @!attribute [rw] filter
|
514
|
+
# @return [::String]
|
515
|
+
# Optional. A custom filter for filtering by the Violations properties.
|
516
|
+
class ListViolationsRequest
|
517
|
+
include ::Google::Protobuf::MessageExts
|
518
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
519
|
+
end
|
520
|
+
|
521
|
+
# Response of ListViolations endpoint.
|
522
|
+
# @!attribute [rw] violations
|
523
|
+
# @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Violation>]
|
524
|
+
# List of Violations under a Workload.
|
525
|
+
# @!attribute [rw] next_page_token
|
526
|
+
# @return [::String]
|
527
|
+
# The next page token. Returns empty if reached the last page.
|
528
|
+
class ListViolationsResponse
|
529
|
+
include ::Google::Protobuf::MessageExts
|
530
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
531
|
+
end
|
532
|
+
|
533
|
+
# Request for fetching a Workload Violation.
|
534
|
+
# @!attribute [rw] name
|
535
|
+
# @return [::String]
|
536
|
+
# Required. The resource name of the Violation to fetch (ie. Violation.name).
|
537
|
+
# Format:
|
538
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
|
539
|
+
class GetViolationRequest
|
540
|
+
include ::Google::Protobuf::MessageExts
|
541
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
542
|
+
end
|
543
|
+
|
544
|
+
# Workload monitoring Violation.
|
545
|
+
# @!attribute [r] name
|
546
|
+
# @return [::String]
|
547
|
+
# Output only. Immutable. Name of the Violation.
|
548
|
+
# Format:
|
549
|
+
# organizations/\\{organization}/locations/\\{location}/workloads/\\{workload_id}/violations/\\{violations_id}
|
550
|
+
# @!attribute [r] description
|
551
|
+
# @return [::String]
|
552
|
+
# Output only. Description for the Violation.
|
553
|
+
# e.g. OrgPolicy gcp.resourceLocations has non compliant value.
|
554
|
+
# @!attribute [r] begin_time
|
555
|
+
# @return [::Google::Protobuf::Timestamp]
|
556
|
+
# Output only. Time of the event which triggered the Violation.
|
557
|
+
# @!attribute [r] update_time
|
558
|
+
# @return [::Google::Protobuf::Timestamp]
|
559
|
+
# Output only. The last time when the Violation record was updated.
|
560
|
+
# @!attribute [r] resolve_time
|
561
|
+
# @return [::Google::Protobuf::Timestamp]
|
562
|
+
# Output only. Time of the event which fixed the Violation.
|
563
|
+
# If the violation is ACTIVE this will be empty.
|
564
|
+
# @!attribute [r] category
|
565
|
+
# @return [::String]
|
566
|
+
# Output only. Category under which this violation is mapped.
|
567
|
+
# e.g. Location, Service Usage, Access, Encryption, etc.
|
568
|
+
# @!attribute [r] state
|
569
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::State]
|
570
|
+
# Output only. State of the violation
|
571
|
+
# @!attribute [r] org_policy_constraint
|
572
|
+
# @return [::String]
|
573
|
+
# Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
|
574
|
+
# this violation.
|
575
|
+
# @!attribute [r] audit_log_link
|
576
|
+
# @return [::String]
|
577
|
+
# Output only. Immutable. Audit Log Link for violated resource
|
578
|
+
# Format:
|
579
|
+
# https://console.cloud.google.com/logs/query;query=\\{logName}\\{protoPayload.resourceName}\\{timeRange}\\{folder}
|
580
|
+
# @!attribute [r] non_compliant_org_policy
|
581
|
+
# @return [::String]
|
582
|
+
# Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and
|
583
|
+
# resulted this violation.
|
584
|
+
# Format:
|
585
|
+
# projects/\\{project_number}/policies/\\{constraint_name}
|
586
|
+
# folders/\\{folder_id}/policies/\\{constraint_name}
|
587
|
+
# organizations/\\{organization_id}/policies/\\{constraint_name}
|
588
|
+
# @!attribute [r] remediation
|
589
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation]
|
590
|
+
# Output only. Compliance violation remediation
|
591
|
+
# @!attribute [r] acknowledged
|
592
|
+
# @return [::Boolean]
|
593
|
+
# Output only. A boolean that indicates if the violation is acknowledged
|
594
|
+
# @!attribute [rw] acknowledgement_time
|
595
|
+
# @return [::Google::Protobuf::Timestamp]
|
596
|
+
# Optional. Timestamp when this violation was acknowledged last.
|
597
|
+
# This will be absent when acknowledged field is marked as false.
|
598
|
+
class Violation
|
599
|
+
include ::Google::Protobuf::MessageExts
|
600
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
601
|
+
|
602
|
+
# Represents remediation guidance to resolve compliance violation for
|
603
|
+
# AssuredWorkload
|
604
|
+
# @!attribute [rw] instructions
|
605
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions]
|
606
|
+
# Required. Remediation instructions to resolve violations
|
607
|
+
# @!attribute [rw] compliant_values
|
608
|
+
# @return [::Array<::String>]
|
609
|
+
# Values that can resolve the violation
|
610
|
+
# For example: for list org policy violations, this will either be the list
|
611
|
+
# of allowed or denied values
|
612
|
+
# @!attribute [r] remediation_type
|
613
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::RemediationType]
|
614
|
+
# Output only. Reemediation type based on the type of org policy values violated
|
615
|
+
class Remediation
|
616
|
+
include ::Google::Protobuf::MessageExts
|
617
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
618
|
+
|
619
|
+
# Instructions to remediate violation
|
620
|
+
# @!attribute [rw] gcloud_instructions
|
621
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Gcloud]
|
622
|
+
# Remediation instructions to resolve violation via gcloud cli
|
623
|
+
# @!attribute [rw] console_instructions
|
624
|
+
# @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Console]
|
625
|
+
# Remediation instructions to resolve violation via cloud console
|
626
|
+
class Instructions
|
627
|
+
include ::Google::Protobuf::MessageExts
|
628
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
629
|
+
|
630
|
+
# Remediation instructions to resolve violation via gcloud cli
|
631
|
+
# @!attribute [rw] gcloud_commands
|
632
|
+
# @return [::Array<::String>]
|
633
|
+
# Gcloud command to resolve violation
|
634
|
+
# @!attribute [rw] steps
|
635
|
+
# @return [::Array<::String>]
|
636
|
+
# Steps to resolve violation via gcloud cli
|
637
|
+
# @!attribute [rw] additional_links
|
638
|
+
# @return [::Array<::String>]
|
639
|
+
# Additional urls for more information about steps
|
640
|
+
class Gcloud
|
641
|
+
include ::Google::Protobuf::MessageExts
|
642
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
643
|
+
end
|
644
|
+
|
645
|
+
# Remediation instructions to resolve violation via cloud console
|
646
|
+
# @!attribute [rw] console_uris
|
647
|
+
# @return [::Array<::String>]
|
648
|
+
# Link to console page where violations can be resolved
|
649
|
+
# @!attribute [rw] steps
|
650
|
+
# @return [::Array<::String>]
|
651
|
+
# Steps to resolve violation via cloud console
|
652
|
+
# @!attribute [rw] additional_links
|
653
|
+
# @return [::Array<::String>]
|
654
|
+
# Additional urls for more information about steps
|
655
|
+
class Console
|
656
|
+
include ::Google::Protobuf::MessageExts
|
657
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
658
|
+
end
|
659
|
+
end
|
660
|
+
|
661
|
+
# Classifying remediation into various types based on the kind of
|
662
|
+
# violation. For example, violations caused due to changes in boolean org
|
663
|
+
# policy requires different remediation instructions compared to violation
|
664
|
+
# caused due to changes in allowed values of list org policy.
|
665
|
+
module RemediationType
|
666
|
+
# Unspecified remediation type
|
667
|
+
REMEDIATION_TYPE_UNSPECIFIED = 0
|
668
|
+
|
669
|
+
# Remediation type for boolean org policy
|
670
|
+
REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1
|
671
|
+
|
672
|
+
# Remediation type for list org policy which have allowed values in the
|
673
|
+
# monitoring rule
|
674
|
+
REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2
|
675
|
+
|
676
|
+
# Remediation type for list org policy which have denied values in the
|
677
|
+
# monitoring rule
|
678
|
+
REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3
|
679
|
+
|
680
|
+
# Remediation type for gcp.restrictCmekCryptoKeyProjects
|
681
|
+
REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4
|
682
|
+
end
|
683
|
+
end
|
684
|
+
|
685
|
+
# Violation State Values
|
686
|
+
module State
|
687
|
+
# Unspecified state.
|
688
|
+
STATE_UNSPECIFIED = 0
|
689
|
+
|
690
|
+
# Violation is resolved.
|
691
|
+
RESOLVED = 2
|
692
|
+
|
693
|
+
# Violation is Unresolved
|
694
|
+
UNRESOLVED = 3
|
695
|
+
|
696
|
+
# Violation is Exception
|
697
|
+
EXCEPTION = 4
|
698
|
+
end
|
699
|
+
end
|
383
700
|
end
|
384
701
|
end
|
385
702
|
end
|