google-cloud-assured_workloads-v1 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d11723ad6736cc5604664185abbdd38ec30d78074463fbcd53a26da48ef9e62
-  data.tar.gz: c25b06fced4040dfd664d413c6558cb05e0a766560422f8ba61842cd24b9fbda
+  metadata.gz: b0a15f8dcfadab73f5c5d2a5098c15c191c2eb4f4adcfd929de11a4407543049
+  data.tar.gz: ea835efc5dfb60a08c51a3f4aff40a517078180d288456980ccd492f64f85b7b
 SHA512:
-  metadata.gz: b9cc8e0f2a7344625ad4608fc46bce4d9d3eee8b8d559b658d9b81b6236c3c759a51454421e809b008cd9fef60241588e834ab7dc6e967f046c933c16cc73b79
-  data.tar.gz: 41d850e8e5521f5bba3a5498ee7e83fa748ea94f8bc1dbab07c0813c6e408edec0195fcaa1ec72a9e062445431877d3cd716898b7b3932c3e2de169543af5b71
+  metadata.gz: 9770da2b639d444a449ef7b739a28dc5ac91b9940a24c0c99e5b9c3b38d69e833a6eb44ed1b0881e83755981ec193fd8146b9d1e30600c306f8de6ce5bc095a8
+  data.tar.gz: 1223ecf3481fa693e9cc974ebea01a9e0264a1fa06d177cb06296472665daad859a8b441640ec49fd51a109ddc3fa87e2072d35ce15eee653a75c13fd9ef5e29

data/AUTHENTICATION.md

@@ -114,7 +114,7 @@ credentials are discovered.
 To configure your system for this, simply:
 
 1. [Download and install the Cloud SDK](https://cloud.google.com/sdk)
-2. Authenticate using OAuth 2.0 `$ gcloud auth login`
+2. Authenticate using OAuth 2.0 `$ gcloud auth application-default login`
 3. Write code as if already authenticated.
 
 **NOTE:** This is _not_ recommended for running in production. The Cloud SDK

data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/client.rb

@@ -183,8 +183,8 @@ module Google
             #   @param workload [::Google::Cloud::AssuredWorkloads::V1::Workload, ::Hash]
             #     Required. Assured Workload to create
             #   @param external_id [::String]
-            #     Optional. A identifier associated with the workload and underlying projects
-            #     which allows for the break down of billing costs for a workload. The value
+            #     Optional. A identifier associated with the workload and underlying projects which
+            #     allows for the break down of billing costs for a workload. The value
             #     provided for the identifier will add a label to the workload and contained
             #     projects with the identifier as the value.
             #
@@ -283,7 +283,7 @@ module Google
             #
             #   @param workload [::Google::Cloud::AssuredWorkloads::V1::Workload, ::Hash]
             #     Required. The workload to update.
-            #     The workload’s `name` field is used to identify the workload to be updated.
+            #     The workload's `name` field is used to identify the workload to be updated.
             #     Format:
             #     organizations/\\{org_id}/locations/\\{location_id}/workloads/\\{workload_id}
             #   @param update_mask [::Google::Protobuf::FieldMask, ::Hash]
@@ -353,6 +353,102 @@ module Google
               raise ::Google::Cloud::Error.from_error(e)
             end
 
+            ##
+            # Restrict the list of resources allowed in the Workload environment.
+            # The current list of allowed products can be found at
+            # https://cloud.google.com/assured-workloads/docs/supported-products
+            # In addition to assuredworkloads.workload.update permission, the user should
+            # also have orgpolicy.policy.set permission on the folder resource
+            # to use this functionality.
+            #
+            # @overload restrict_allowed_resources(request, options = nil)
+            #   Pass arguments to `restrict_allowed_resources` via a request object, either of type
+            #   {::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload restrict_allowed_resources(name: nil, restriction_type: nil)
+            #   Pass arguments to `restrict_allowed_resources` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param name [::String]
+            #     Required. The resource name of the Workload. This is the workloads's
+            #     relative path in the API, formatted as
+            #     "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
+            #     For example,
+            #     "organizations/123/locations/us-east1/workloads/assured-workload-1".
+            #   @param restriction_type [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest::RestrictionType]
+            #     Required. The type of restriction for using gcp products in the Workload environment.
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/assured_workloads/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::AssuredWorkloads::V1::AssuredWorkloadsService::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest.new
+            #
+            #   # Call the restrict_allowed_resources method.
+            #   result = client.restrict_allowed_resources request
+            #
+            #   # The returned object is of type Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse.
+            #   p result
+            #
+            def restrict_allowed_resources request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.restrict_allowed_resources.metadata.to_h
+
+              # Set x-goog-api-client and x-goog-user-project headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::AssuredWorkloads::V1::VERSION
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              header_params = {}
+              if request.name
+                header_params["name"] = request.name
+              end
+
+              request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
+              metadata[:"x-goog-request-params"] ||= request_params_header
+
+              options.apply_defaults timeout:      @config.rpcs.restrict_allowed_resources.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.restrict_allowed_resources.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @assured_workloads_service_stub.call_rpc :restrict_allowed_resources, request, options: options do |response, operation|
+                yield response, operation if block_given?
+                return response
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
             ##
             # Deletes the workload. Make sure that workload's direct children are already
             # in a deleted state, otherwise the request will fail with a
@@ -464,8 +560,8 @@ module Google
             #   the default parameter values, pass an empty Hash as a request object (see above).
             #
             #   @param name [::String]
-            #     Required. The resource name of the Workload to fetch. This is the
-            #     workloads's relative path in the API, formatted as
+            #     Required. The resource name of the Workload to fetch. This is the workloads's
+            #     relative path in the API, formatted as
             #     "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
             #     For example,
             #     "organizations/123/locations/us-east1/workloads/assured-workload-1".
@@ -636,6 +732,275 @@ module Google
               raise ::Google::Cloud::Error.from_error(e)
             end
 
+            ##
+            # Lists the Violations in the AssuredWorkload Environment.
+            # Callers may also choose to read across multiple Workloads as per
+            # [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
+            # character) as a wildcard character instead of workload-id in the parent.
+            # Format `organizations/{org_id}/locations/{location}/workloads/-`
+            #
+            # @overload list_violations(request, options = nil)
+            #   Pass arguments to `list_violations` via a request object, either of type
+            #   {::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload list_violations(parent: nil, interval: nil, page_size: nil, page_token: nil, filter: nil)
+            #   Pass arguments to `list_violations` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param parent [::String]
+            #     Required. The Workload name.
+            #     Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
+            #   @param interval [::Google::Cloud::AssuredWorkloads::V1::TimeWindow, ::Hash]
+            #     Optional. Specifies the time window for retrieving active Violations.
+            #     When specified, retrieves Violations that were active between start_time
+            #     and end_time.
+            #   @param page_size [::Integer]
+            #     Optional. Page size.
+            #   @param page_token [::String]
+            #     Optional. Page token returned from previous request.
+            #   @param filter [::String]
+            #     Optional. A custom filter for filtering by the Violations properties.
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Gapic::PagedEnumerable<::Google::Cloud::AssuredWorkloads::V1::Violation>]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Gapic::PagedEnumerable<::Google::Cloud::AssuredWorkloads::V1::Violation>]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/assured_workloads/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::AssuredWorkloads::V1::AssuredWorkloadsService::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest.new
+            #
+            #   # Call the list_violations method.
+            #   result = client.list_violations request
+            #
+            #   # The returned object is of type Gapic::PagedEnumerable. You can
+            #   # iterate over all elements by calling #each, and the enumerable
+            #   # will lazily make API calls to fetch subsequent pages. Other
+            #   # methods are also available for managing paging directly.
+            #   result.each do |response|
+            #     # Each element is of type ::Google::Cloud::AssuredWorkloads::V1::Violation.
+            #     p response
+            #   end
+            #
+            def list_violations request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.list_violations.metadata.to_h
+
+              # Set x-goog-api-client and x-goog-user-project headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::AssuredWorkloads::V1::VERSION
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              options.apply_defaults timeout:      @config.rpcs.list_violations.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.list_violations.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @assured_workloads_service_stub.call_rpc :list_violations, request, options: options do |response, operation|
+                response = ::Gapic::PagedEnumerable.new @assured_workloads_service_stub, :list_violations, request, response, operation, options
+                yield response, operation if block_given?
+                return response
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
+            ##
+            # Retrieves Assured Workload Violation based on ID.
+            #
+            # @overload get_violation(request, options = nil)
+            #   Pass arguments to `get_violation` via a request object, either of type
+            #   {::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload get_violation(name: nil)
+            #   Pass arguments to `get_violation` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param name [::String]
+            #     Required. The resource name of the Violation to fetch (ie. Violation.name).
+            #     Format:
+            #     organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::AssuredWorkloads::V1::Violation]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::AssuredWorkloads::V1::Violation]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/assured_workloads/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::AssuredWorkloads::V1::AssuredWorkloadsService::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::AssuredWorkloads::V1::GetViolationRequest.new
+            #
+            #   # Call the get_violation method.
+            #   result = client.get_violation request
+            #
+            #   # The returned object is of type Google::Cloud::AssuredWorkloads::V1::Violation.
+            #   p result
+            #
+            def get_violation request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.get_violation.metadata.to_h
+
+              # Set x-goog-api-client and x-goog-user-project headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::AssuredWorkloads::V1::VERSION
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              options.apply_defaults timeout:      @config.rpcs.get_violation.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.get_violation.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @assured_workloads_service_stub.call_rpc :get_violation, request, options: options do |response, operation|
+                yield response, operation if block_given?
+                return response
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
+            ##
+            # Acknowledges an existing violation. By acknowledging a violation, users
+            # acknowledge the existence of a compliance violation in their workload and
+            # decide to ignore it due to a valid business justification. Acknowledgement
+            # is a permanent operation and it cannot be reverted.
+            #
+            # @overload acknowledge_violation(request, options = nil)
+            #   Pass arguments to `acknowledge_violation` via a request object, either of type
+            #   {::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload acknowledge_violation(name: nil, comment: nil, non_compliant_org_policy: nil)
+            #   Pass arguments to `acknowledge_violation` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param name [::String]
+            #     Required. The resource name of the Violation to acknowledge.
+            #     Format:
+            #     organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
+            #   @param comment [::String]
+            #     Required. Business justification explaining the need for violation acknowledgement
+            #   @param non_compliant_org_policy [::String]
+            #     Optional. Name of the OrgPolicy which was modified with non-compliant change and
+            #     resulted in this violation.
+            #     Format:
+            #     projects/\\{project_number}/policies/\\{constraint_name}
+            #     folders/\\{folder_id}/policies/\\{constraint_name}
+            #     organizations/\\{organization_id}/policies/\\{constraint_name}
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/assured_workloads/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::AssuredWorkloads::V1::AssuredWorkloadsService::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest.new
+            #
+            #   # Call the acknowledge_violation method.
+            #   result = client.acknowledge_violation request
+            #
+            #   # The returned object is of type Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse.
+            #   p result
+            #
+            def acknowledge_violation request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.acknowledge_violation.metadata.to_h
+
+              # Set x-goog-api-client and x-goog-user-project headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::AssuredWorkloads::V1::VERSION
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              options.apply_defaults timeout:      @config.rpcs.acknowledge_violation.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.acknowledge_violation.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @assured_workloads_service_stub.call_rpc :acknowledge_violation, request, options: options do |response, operation|
+                yield response, operation if block_given?
+                return response
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
             ##
             # Configuration class for the AssuredWorkloadsService API.
             #
@@ -782,6 +1147,11 @@ module Google
                 #
                 attr_reader :update_workload
                 ##
+                # RPC-specific configuration for `restrict_allowed_resources`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :restrict_allowed_resources
+                ##
                 # RPC-specific configuration for `delete_workload`
                 # @return [::Gapic::Config::Method]
                 #
@@ -796,6 +1166,21 @@ module Google
                 # @return [::Gapic::Config::Method]
                 #
                 attr_reader :list_workloads
+                ##
+                # RPC-specific configuration for `list_violations`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :list_violations
+                ##
+                # RPC-specific configuration for `get_violation`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :get_violation
+                ##
+                # RPC-specific configuration for `acknowledge_violation`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :acknowledge_violation
 
                 # @private
                 def initialize parent_rpcs = nil
@@ -803,12 +1188,20 @@ module Google
                   @create_workload = ::Gapic::Config::Method.new create_workload_config
                   update_workload_config = parent_rpcs.update_workload if parent_rpcs.respond_to? :update_workload
                   @update_workload = ::Gapic::Config::Method.new update_workload_config
+                  restrict_allowed_resources_config = parent_rpcs.restrict_allowed_resources if parent_rpcs.respond_to? :restrict_allowed_resources
+                  @restrict_allowed_resources = ::Gapic::Config::Method.new restrict_allowed_resources_config
                   delete_workload_config = parent_rpcs.delete_workload if parent_rpcs.respond_to? :delete_workload
                   @delete_workload = ::Gapic::Config::Method.new delete_workload_config
                   get_workload_config = parent_rpcs.get_workload if parent_rpcs.respond_to? :get_workload
                   @get_workload = ::Gapic::Config::Method.new get_workload_config
                   list_workloads_config = parent_rpcs.list_workloads if parent_rpcs.respond_to? :list_workloads
                   @list_workloads = ::Gapic::Config::Method.new list_workloads_config
+                  list_violations_config = parent_rpcs.list_violations if parent_rpcs.respond_to? :list_violations
+                  @list_violations = ::Gapic::Config::Method.new list_violations_config
+                  get_violation_config = parent_rpcs.get_violation if parent_rpcs.respond_to? :get_violation
+                  @get_violation = ::Gapic::Config::Method.new get_violation_config
+                  acknowledge_violation_config = parent_rpcs.acknowledge_violation if parent_rpcs.respond_to? :acknowledge_violation
+                  @acknowledge_violation = ::Gapic::Config::Method.new acknowledge_violation_config
 
                   yield self if block_given?
                 end

data/lib/google/cloud/assured_workloads/v1/assured_workloads_service/paths.rb

@@ -41,6 +41,27 @@ module Google
               "organizations/#{organization}/locations/#{location}"
             end
 
+            ##
+            # Create a fully-qualified Violation resource string.
+            #
+            # The resource will be in the following format:
+            #
+            # `organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}`
+            #
+            # @param organization [String]
+            # @param location [String]
+            # @param workload [String]
+            # @param violation [String]
+            #
+            # @return [::String]
+            def violation_path organization:, location:, workload:, violation:
+              raise ::ArgumentError, "organization cannot contain /" if organization.to_s.include? "/"
+              raise ::ArgumentError, "location cannot contain /" if location.to_s.include? "/"
+              raise ::ArgumentError, "workload cannot contain /" if workload.to_s.include? "/"
+
+              "organizations/#{organization}/locations/#{location}/workloads/#{workload}/violations/#{violation}"
+            end
+
             ##
             # Create a fully-qualified Workload resource string.
             #

data/lib/google/cloud/assured_workloads/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module AssuredWorkloads
       module V1
-        VERSION = "0.3.0"
+        VERSION = "0.4.0"
       end
     end
   end

data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_pb.rb

@@ -56,6 +56,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :kaj_enrollment_state, :enum, 17, "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState"
       optional :enable_sovereign_controls, :bool, 18
       optional :saa_enrollment_response, :message, 20, "google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse"
+      repeated :compliant_but_disallowed_services, :string, 24
+      optional :partner, :enum, 25, "google.cloud.assuredworkloads.v1.Workload.Partner"
     end
     add_message "google.cloud.assuredworkloads.v1.Workload.ResourceInfo" do
       optional :resource_id, :int64, 1
@@ -64,6 +66,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     add_enum "google.cloud.assuredworkloads.v1.Workload.ResourceInfo.ResourceType" do
       value :RESOURCE_TYPE_UNSPECIFIED, 0
       value :CONSUMER_PROJECT, 1
+      value :CONSUMER_FOLDER, 4
       value :ENCRYPTION_KEYS_PROJECT, 2
       value :KEYRING, 3
     end
@@ -104,18 +107,106 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       value :EU_REGIONS_AND_SUPPORT, 8
       value :CA_REGIONS_AND_SUPPORT, 9
       value :ITAR, 10
+      value :ASSURED_WORKLOADS_FOR_PARTNERS, 12
     end
     add_enum "google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState" do
       value :KAJ_ENROLLMENT_STATE_UNSPECIFIED, 0
       value :KAJ_ENROLLMENT_STATE_PENDING, 1
       value :KAJ_ENROLLMENT_STATE_COMPLETE, 2
     end
+    add_enum "google.cloud.assuredworkloads.v1.Workload.Partner" do
+      value :PARTNER_UNSPECIFIED, 0
+      value :LOCAL_CONTROLS_BY_S3NS, 1
+    end
     add_message "google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata" do
       optional :create_time, :message, 1, "google.protobuf.Timestamp"
       optional :display_name, :string, 2
       optional :parent, :string, 3
       optional :compliance_regime, :enum, 4, "google.cloud.assuredworkloads.v1.Workload.ComplianceRegime"
     end
+    add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest" do
+      optional :name, :string, 1
+      optional :restriction_type, :enum, 2, "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType"
+    end
+    add_enum "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType" do
+      value :RESTRICTION_TYPE_UNSPECIFIED, 0
+      value :ALLOW_ALL_GCP_RESOURCES, 1
+      value :ALLOW_COMPLIANT_RESOURCES, 2
+    end
+    add_message "google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse" do
+    end
+    add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest" do
+      optional :name, :string, 1
+      optional :comment, :string, 2
+      optional :non_compliant_org_policy, :string, 3
+    end
+    add_message "google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse" do
+    end
+    add_message "google.cloud.assuredworkloads.v1.TimeWindow" do
+      optional :start_time, :message, 1, "google.protobuf.Timestamp"
+      optional :end_time, :message, 2, "google.protobuf.Timestamp"
+    end
+    add_message "google.cloud.assuredworkloads.v1.ListViolationsRequest" do
+      optional :parent, :string, 1
+      optional :interval, :message, 2, "google.cloud.assuredworkloads.v1.TimeWindow"
+      optional :page_size, :int32, 3
+      optional :page_token, :string, 4
+      optional :filter, :string, 5
+    end
+    add_message "google.cloud.assuredworkloads.v1.ListViolationsResponse" do
+      repeated :violations, :message, 1, "google.cloud.assuredworkloads.v1.Violation"
+      optional :next_page_token, :string, 2
+    end
+    add_message "google.cloud.assuredworkloads.v1.GetViolationRequest" do
+      optional :name, :string, 1
+    end
+    add_message "google.cloud.assuredworkloads.v1.Violation" do
+      optional :name, :string, 1
+      optional :description, :string, 2
+      optional :begin_time, :message, 3, "google.protobuf.Timestamp"
+      optional :update_time, :message, 4, "google.protobuf.Timestamp"
+      optional :resolve_time, :message, 5, "google.protobuf.Timestamp"
+      optional :category, :string, 6
+      optional :state, :enum, 7, "google.cloud.assuredworkloads.v1.Violation.State"
+      optional :org_policy_constraint, :string, 8
+      optional :audit_log_link, :string, 11
+      optional :non_compliant_org_policy, :string, 12
+      optional :remediation, :message, 13, "google.cloud.assuredworkloads.v1.Violation.Remediation"
+      optional :acknowledged, :bool, 14
+      proto3_optional :acknowledgement_time, :message, 15, "google.protobuf.Timestamp"
+    end
+    add_message "google.cloud.assuredworkloads.v1.Violation.Remediation" do
+      optional :instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions"
+      repeated :compliant_values, :string, 2
+      optional :remediation_type, :enum, 3, "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType"
+    end
+    add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions" do
+      optional :gcloud_instructions, :message, 1, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud"
+      optional :console_instructions, :message, 2, "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console"
+    end
+    add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud" do
+      repeated :gcloud_commands, :string, 1
+      repeated :steps, :string, 2
+      repeated :additional_links, :string, 3
+    end
+    add_message "google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console" do
+      repeated :console_uris, :string, 1
+      repeated :steps, :string, 2
+      repeated :additional_links, :string, 3
+    end
+    add_enum "google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType" do
+      value :REMEDIATION_TYPE_UNSPECIFIED, 0
+      value :REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION, 1
+      value :REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION, 2
+      value :REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION, 3
+      value :REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION, 4
+    end
+    add_enum "google.cloud.assuredworkloads.v1.Violation.State" do
+      value :STATE_UNSPECIFIED, 0
+      value :RESOLVED, 2
+      value :UNRESOLVED, 3
+      value :EXCEPTION, 4
+    end
   end
 end
 
@@ -139,7 +230,24 @@ module Google
         Workload::SaaEnrollmentResponse::SetupError = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.SaaEnrollmentResponse.SetupError").enummodule
         Workload::ComplianceRegime = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.ComplianceRegime").enummodule
         Workload::KajEnrollmentState = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.KajEnrollmentState").enummodule
+        Workload::Partner = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Workload.Partner").enummodule
         CreateWorkloadOperationMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.CreateWorkloadOperationMetadata").msgclass
+        RestrictAllowedResourcesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest").msgclass
+        RestrictAllowedResourcesRequest::RestrictionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesRequest.RestrictionType").enummodule
+        RestrictAllowedResourcesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.RestrictAllowedResourcesResponse").msgclass
+        AcknowledgeViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationRequest").msgclass
+        AcknowledgeViolationResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.AcknowledgeViolationResponse").msgclass
+        TimeWindow = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.TimeWindow").msgclass
+        ListViolationsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsRequest").msgclass
+        ListViolationsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.ListViolationsResponse").msgclass
+        GetViolationRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.GetViolationRequest").msgclass
+        Violation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation").msgclass
+        Violation::Remediation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation").msgclass
+        Violation::Remediation::Instructions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions").msgclass
+        Violation::Remediation::Instructions::Gcloud = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Gcloud").msgclass
+        Violation::Remediation::Instructions::Console = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.Instructions.Console").msgclass
+        Violation::Remediation::RemediationType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.Remediation.RemediationType").enummodule
+        Violation::State = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.assuredworkloads.v1.Violation.State").enummodule
       end
     end
   end

data/lib/google/cloud/assuredworkloads/v1/assuredworkloads_services_pb.rb

@@ -40,6 +40,13 @@ module Google
             # For force updates don't set etag field in the Workload.
             # Only one update operation per workload can be in progress.
             rpc :UpdateWorkload, ::Google::Cloud::AssuredWorkloads::V1::UpdateWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
+            # Restrict the list of resources allowed in the Workload environment.
+            # The current list of allowed products can be found at
+            # https://cloud.google.com/assured-workloads/docs/supported-products
+            # In addition to assuredworkloads.workload.update permission, the user should
+            # also have orgpolicy.policy.set permission on the folder resource
+            # to use this functionality.
+            rpc :RestrictAllowedResources, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest, ::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesResponse
             # Deletes the workload. Make sure that workload's direct children are already
             # in a deleted state, otherwise the request will fail with a
             # FAILED_PRECONDITION error.
@@ -48,6 +55,19 @@ module Google
             rpc :GetWorkload, ::Google::Cloud::AssuredWorkloads::V1::GetWorkloadRequest, ::Google::Cloud::AssuredWorkloads::V1::Workload
             # Lists Assured Workloads under a CRM Node.
             rpc :ListWorkloads, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListWorkloadsResponse
+            # Lists the Violations in the AssuredWorkload Environment.
+            # Callers may also choose to read across multiple Workloads as per
+            # [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
+            # character) as a wildcard character instead of workload-id in the parent.
+            # Format `organizations/{org_id}/locations/{location}/workloads/-`
+            rpc :ListViolations, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsRequest, ::Google::Cloud::AssuredWorkloads::V1::ListViolationsResponse
+            # Retrieves Assured Workload Violation based on ID.
+            rpc :GetViolation, ::Google::Cloud::AssuredWorkloads::V1::GetViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::Violation
+            # Acknowledges an existing violation. By acknowledging a violation, users
+            # acknowledge the existence of a compliance violation in their workload and
+            # decide to ignore it due to a valid business justification. Acknowledgement
+            # is a permanent operation and it cannot be reverted.
+            rpc :AcknowledgeViolation, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationRequest, ::Google::Cloud::AssuredWorkloads::V1::AcknowledgeViolationResponse
           end
 
           Stub = Service.rpc_stub_class

data/proto_docs/google/cloud/assuredworkloads/v1/assuredworkloads.rb

@@ -31,8 +31,8 @@ module Google
         #     Required. Assured Workload to create
         # @!attribute [rw] external_id
         #   @return [::String]
-        #     Optional. A identifier associated with the workload and underlying projects
-        #     which allows for the break down of billing costs for a workload. The value
+        #     Optional. A identifier associated with the workload and underlying projects which
+        #     allows for the break down of billing costs for a workload. The value
         #     provided for the identifier will add a label to the workload and contained
         #     projects with the identifier as the value.
         class CreateWorkloadRequest
@@ -44,7 +44,7 @@ module Google
         # @!attribute [rw] workload
         #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload]
         #     Required. The workload to update.
-        #     The workload’s `name` field is used to identify the workload to be updated.
+        #     The workload's `name` field is used to identify the workload to be updated.
         #     Format:
         #     organizations/\\{org_id}/locations/\\{location_id}/workloads/\\{workload_id}
         # @!attribute [rw] update_mask
@@ -73,8 +73,8 @@ module Google
         # Request for fetching a workload.
         # @!attribute [rw] name
         #   @return [::String]
-        #     Required. The resource name of the Workload to fetch. This is the
-        #     workloads's relative path in the API, formatted as
+        #     Required. The resource name of the Workload to fetch. This is the workloads's
+        #     relative path in the API, formatted as
         #     "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
         #     For example,
         #     "organizations/123/locations/us-east1/workloads/assured-workload-1".
@@ -148,7 +148,7 @@ module Google
         #     Output only. Immutable. The Workload creation timestamp.
         # @!attribute [rw] billing_account
         #   @return [::String]
-        #     Required. Input only. The billing account used for the resources which are
+        #     Optional. The billing account used for the resources which are
         #     direct children of workload. This billing account is initially associated
         #     with the resources created as part of Workload creation.
         #     After the initial creation of these resources, the customer can change
@@ -165,22 +165,24 @@ module Google
         #     Optional. Labels applied to the workload.
         # @!attribute [rw] provisioned_resources_parent
         #   @return [::String]
-        #     Input only. The parent resource for the resources managed by this Assured
-        #     Workload. May be either empty or a folder resource which is a child of the
+        #     Input only. The parent resource for the resources managed by this Assured Workload. May
+        #     be either empty or a folder resource which is a child of the
         #     Workload parent. If not specified all resources are created under the
         #     parent organization.
         #     Format:
         #     folders/\\{folder_id}
         # @!attribute [rw] kms_settings
         #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KMSSettings]
-        #     Input only. Settings used to create a CMEK crypto key. When set a project
-        #     with a KMS CMEK key is provisioned. This field is mandatory for a subset of
-        #     Compliance Regimes.
+        #     Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
+        #     CMEK key is provisioned.
+        #     This field is deprecated as of Feb 28, 2022.
+        #     In order to create a Keyring, callers should specify,
+        #     ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
         # @!attribute [rw] resource_settings
         #   @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceSettings>]
-        #     Input only. Resource properties that are used to customize workload
-        #     resources. These properties (such as custom project id) will be used to
-        #     create workload resources if possible. This field is optional.
+        #     Input only. Resource properties that are used to customize workload resources.
+        #     These properties (such as custom project id) will be used to create
+        #     workload resources if possible. This field is optional.
         # @!attribute [r] kaj_enrollment_state
         #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload::KajEnrollmentState]
         #     Output only. Represents the KAJ enrollment state of the given workload.
@@ -193,6 +195,15 @@ module Google
         #     Output only. Represents the SAA enrollment response of the given workload.
         #     SAA enrollment response is queried during GetWorkload call.
         #     In failure cases, user friendly error message is shown in SAA details page.
+        # @!attribute [r] compliant_but_disallowed_services
+        #   @return [::Array<::String>]
+        #     Output only. Urls for services which are compliant for this Assured Workload, but which
+        #     are currently disallowed by the ResourceUsageRestriction org policy.
+        #     Invoke RestrictAllowedResources endpoint to allow your project developers
+        #     to use these services in their environment."
+        # @!attribute [rw] partner
+        #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload::Partner]
+        #     Optional. Compliance Regime associated with this workload.
         class Workload
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -215,8 +226,15 @@ module Google
               RESOURCE_TYPE_UNSPECIFIED = 0
 
               # Consumer project.
+              # AssuredWorkloads Projects are no longer supported. This field will be
+              # ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
+              # will continue to provide projects information.
+              # Use CONSUMER_FOLDER instead.
               CONSUMER_PROJECT = 1
 
+              # Consumer Folder.
+              CONSUMER_FOLDER = 4
+
               # Consumer project containing encryption keys.
               ENCRYPTION_KEYS_PROJECT = 2
 
@@ -228,14 +246,13 @@ module Google
           # Settings specific to the Key Management Service.
           # @!attribute [rw] next_rotation_time
           #   @return [::Google::Protobuf::Timestamp]
-          #     Required. Input only. Immutable. The time at which the Key Management
-          #     Service will automatically create a new version of the crypto key and
-          #     mark it as the primary.
+          #     Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
+          #     new version of the crypto key and mark it as the primary.
           # @!attribute [rw] rotation_period
           #   @return [::Google::Protobuf::Duration]
-          #     Required. Input only. Immutable. [next_rotation_time] will be advanced by
-          #     this period when the Key Management Service automatically rotates a key.
-          #     Must be at least 24 hours and at most 876,000 hours.
+          #     Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
+          #     Management Service automatically rotates a key. Must be at least 24 hours
+          #     and at most 876,000 hours.
           class KMSSettings
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -247,6 +264,8 @@ module Google
           #     Resource identifier.
           #     For a project this represents project_id. If the project is already
           #     taken, the workload creation will fail.
+          #     For KeyRing, this represents the keyring_id.
+          #     For a folder, don't set this value as folder_id is assigned by Google.
           # @!attribute [rw] resource_type
           #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ResourceInfo::ResourceType]
           #     Indicates the type of resource. This field should be specified to
@@ -350,6 +369,9 @@ module Google
 
             # International Traffic in Arms Regulations
             ITAR = 10
+
+            # Assured Workloads for Partners;
+            ASSURED_WORKLOADS_FOR_PARTNERS = 12
           end
 
           # Key Access Justifications(KAJ) Enrollment State.
@@ -363,6 +385,15 @@ module Google
             # Complete State for KAJ Enrollment.
             KAJ_ENROLLMENT_STATE_COMPLETE = 2
           end
+
+          # Supported Assured Workloads Partners.
+          module Partner
+            # Unknown compliance regime.
+            PARTNER_UNSPECIFIED = 0
+
+            # S3NS regime
+            LOCAL_CONTROLS_BY_S3NS = 1
+          end
         end
 
         # Operation metadata to give request details of CreateWorkload.
@@ -377,12 +408,295 @@ module Google
         #     Optional. The parent of the workload.
         # @!attribute [rw] compliance_regime
         #   @return [::Google::Cloud::AssuredWorkloads::V1::Workload::ComplianceRegime]
-        #     Optional. Compliance controls that should be applied to the resources
-        #     managed by the workload.
+        #     Optional. Compliance controls that should be applied to the resources managed by
+        #     the workload.
         class CreateWorkloadOperationMetadata
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
+
+        # Request for restricting list of available resources in Workload environment.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the Workload. This is the workloads's
+        #     relative path in the API, formatted as
+        #     "organizations/\\{organization_id}/locations/\\{location_id}/workloads/\\{workload_id}".
+        #     For example,
+        #     "organizations/123/locations/us-east1/workloads/assured-workload-1".
+        # @!attribute [rw] restriction_type
+        #   @return [::Google::Cloud::AssuredWorkloads::V1::RestrictAllowedResourcesRequest::RestrictionType]
+        #     Required. The type of restriction for using gcp products in the Workload environment.
+        class RestrictAllowedResourcesRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # The type of restriction.
+          module RestrictionType
+            # Unknown restriction type.
+            RESTRICTION_TYPE_UNSPECIFIED = 0
+
+            # Allow the use all of all gcp products, irrespective of the compliance
+            # posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
+            # on the AssuredWorkloads Folder.
+            ALLOW_ALL_GCP_RESOURCES = 1
+
+            # Based on Workload's compliance regime, allowed list changes.
+            # See - https://cloud.google.com/assured-workloads/docs/supported-products
+            # for the list of supported resources.
+            ALLOW_COMPLIANT_RESOURCES = 2
+          end
+        end
+
+        # Response for restricting the list of allowed resources.
+        class RestrictAllowedResourcesResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request for acknowledging the violation
+        # Next Id: 4
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the Violation to acknowledge.
+        #     Format:
+        #     organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
+        # @!attribute [rw] comment
+        #   @return [::String]
+        #     Required. Business justification explaining the need for violation acknowledgement
+        # @!attribute [rw] non_compliant_org_policy
+        #   @return [::String]
+        #     Optional. Name of the OrgPolicy which was modified with non-compliant change and
+        #     resulted in this violation.
+        #     Format:
+        #     projects/\\{project_number}/policies/\\{constraint_name}
+        #     folders/\\{folder_id}/policies/\\{constraint_name}
+        #     organizations/\\{organization_id}/policies/\\{constraint_name}
+        class AcknowledgeViolationRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Response for violation acknowledgement
+        class AcknowledgeViolationResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Interval defining a time window.
+        # @!attribute [rw] start_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     The start of the time window.
+        # @!attribute [rw] end_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     The end of the time window.
+        class TimeWindow
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request for fetching violations in an organization.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The Workload name.
+        #     Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
+        # @!attribute [rw] interval
+        #   @return [::Google::Cloud::AssuredWorkloads::V1::TimeWindow]
+        #     Optional. Specifies the time window for retrieving active Violations.
+        #     When specified, retrieves Violations that were active between start_time
+        #     and end_time.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     Optional. Page size.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     Optional. Page token returned from previous request.
+        # @!attribute [rw] filter
+        #   @return [::String]
+        #     Optional. A custom filter for filtering by the Violations properties.
+        class ListViolationsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Response of ListViolations endpoint.
+        # @!attribute [rw] violations
+        #   @return [::Array<::Google::Cloud::AssuredWorkloads::V1::Violation>]
+        #     List of Violations under a Workload.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     The next page token. Returns empty if reached the last page.
+        class ListViolationsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request for fetching a Workload Violation.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. The resource name of the Violation to fetch (ie. Violation.name).
+        #     Format:
+        #     organizations/\\{organization}/locations/\\{location}/workloads/\\{workload}/violations/\\{violation}
+        class GetViolationRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Workload monitoring Violation.
+        # @!attribute [r] name
+        #   @return [::String]
+        #     Output only. Immutable. Name of the Violation.
+        #     Format:
+        #     organizations/\\{organization}/locations/\\{location}/workloads/\\{workload_id}/violations/\\{violations_id}
+        # @!attribute [r] description
+        #   @return [::String]
+        #     Output only. Description for the Violation.
+        #     e.g. OrgPolicy gcp.resourceLocations has non compliant value.
+        # @!attribute [r] begin_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Time of the event which triggered the Violation.
+        # @!attribute [r] update_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. The last time when the Violation record was updated.
+        # @!attribute [r] resolve_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Time of the event which fixed the Violation.
+        #     If the violation is ACTIVE this will be empty.
+        # @!attribute [r] category
+        #   @return [::String]
+        #     Output only. Category under which this violation is mapped.
+        #     e.g. Location, Service Usage, Access, Encryption, etc.
+        # @!attribute [r] state
+        #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::State]
+        #     Output only. State of the violation
+        # @!attribute [r] org_policy_constraint
+        #   @return [::String]
+        #     Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
+        #     this violation.
+        # @!attribute [r] audit_log_link
+        #   @return [::String]
+        #     Output only. Immutable. Audit Log Link for violated resource
+        #     Format:
+        #     https://console.cloud.google.com/logs/query;query=\\{logName}\\{protoPayload.resourceName}\\{timeRange}\\{folder}
+        # @!attribute [r] non_compliant_org_policy
+        #   @return [::String]
+        #     Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and
+        #     resulted this violation.
+        #      Format:
+        #      projects/\\{project_number}/policies/\\{constraint_name}
+        #      folders/\\{folder_id}/policies/\\{constraint_name}
+        #      organizations/\\{organization_id}/policies/\\{constraint_name}
+        # @!attribute [r] remediation
+        #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation]
+        #     Output only. Compliance violation remediation
+        # @!attribute [r] acknowledged
+        #   @return [::Boolean]
+        #     Output only. A boolean that indicates if the violation is acknowledged
+        # @!attribute [rw] acknowledgement_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Optional. Timestamp when this violation was acknowledged last.
+        #     This will be absent when acknowledged field is marked as false.
+        class Violation
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Represents remediation guidance to resolve compliance violation for
+          # AssuredWorkload
+          # @!attribute [rw] instructions
+          #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions]
+          #     Required. Remediation instructions to resolve violations
+          # @!attribute [rw] compliant_values
+          #   @return [::Array<::String>]
+          #     Values that can resolve the violation
+          #     For example: for list org policy violations, this will either be the list
+          #     of allowed or denied values
+          # @!attribute [r] remediation_type
+          #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::RemediationType]
+          #     Output only. Reemediation type based on the type of org policy values violated
+          class Remediation
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # Instructions to remediate violation
+            # @!attribute [rw] gcloud_instructions
+            #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Gcloud]
+            #     Remediation instructions to resolve violation via gcloud cli
+            # @!attribute [rw] console_instructions
+            #   @return [::Google::Cloud::AssuredWorkloads::V1::Violation::Remediation::Instructions::Console]
+            #     Remediation instructions to resolve violation via cloud console
+            class Instructions
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+
+              # Remediation instructions to resolve violation via gcloud cli
+              # @!attribute [rw] gcloud_commands
+              #   @return [::Array<::String>]
+              #     Gcloud command to resolve violation
+              # @!attribute [rw] steps
+              #   @return [::Array<::String>]
+              #     Steps to resolve violation via gcloud cli
+              # @!attribute [rw] additional_links
+              #   @return [::Array<::String>]
+              #     Additional urls for more information about steps
+              class Gcloud
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # Remediation instructions to resolve violation via cloud console
+              # @!attribute [rw] console_uris
+              #   @return [::Array<::String>]
+              #     Link to console page where violations can be resolved
+              # @!attribute [rw] steps
+              #   @return [::Array<::String>]
+              #     Steps to resolve violation via cloud console
+              # @!attribute [rw] additional_links
+              #   @return [::Array<::String>]
+              #     Additional urls for more information about steps
+              class Console
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+            end
+
+            # Classifying remediation into various types based on the kind of
+            # violation. For example, violations caused due to changes in boolean org
+            # policy requires different remediation instructions compared to violation
+            # caused due to changes in allowed values of list org policy.
+            module RemediationType
+              # Unspecified remediation type
+              REMEDIATION_TYPE_UNSPECIFIED = 0
+
+              # Remediation type for boolean org policy
+              REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1
+
+              # Remediation type for list org policy which have allowed values in the
+              # monitoring rule
+              REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2
+
+              # Remediation type for list org policy which have denied values in the
+              # monitoring rule
+              REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3
+
+              # Remediation type for gcp.restrictCmekCryptoKeyProjects
+              REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4
+            end
+          end
+
+          # Violation State Values
+          module State
+            # Unspecified state.
+            STATE_UNSPECIFIED = 0
+
+            # Violation is resolved.
+            RESOLVED = 2
+
+            # Violation is Unresolved
+            UNRESOLVED = 3
+
+            # Violation is Exception
+            EXCEPTION = 4
+          end
+        end
       end
     end
   end

data/proto_docs/google/protobuf/empty.rb

@@ -26,8 +26,6 @@ module Google
     #     service Foo {
     #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
     #     }
-    #
-    # The JSON representation for `Empty` is empty JSON object `{}`.
     class Empty
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-assured_workloads-v1
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Google LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-01 00:00:00.000000000 Z
+date: 2022-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gapic-common
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: '0.12'
     - - "<"
       - !ruby/object:Gem::Version
         version: 2.a
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: '0.12'
     - - "<"
       - !ruby/object:Gem::Version
         version: 2.a