google-cloud-security_center-v1 0.13.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72289a4425a4bab619f6e06d5cef580670956ff31247cc75f96119419f6a4397
-  data.tar.gz: 63371122ef82f8e299fde1f65280308645ada1d980efb5dba034726b187ea9b7
+  metadata.gz: eb47b74e440ba1ff819ae1dabba3941f5546970e5233ed472e38308061180419
+  data.tar.gz: 866f1b03b7346308631dce5ec7343c0b585cdb6cd9923a72bbec988580f86c49
 SHA512:
-  metadata.gz: c3bf910852f449764f5867ef75c0f232cb9441302be936433de50105afa06ecd159e014514628354ac3a76eb202c91df88cc4381f79ba9ace8a5ba264b5d6e5d
-  data.tar.gz: d6377678ca210b0608cc84244de4da0f388b0a5278f43298bfb4f5e5d955bbcafa59c5eb14053c9e630f3d5bc60443908e0fb93096906c56c297f2dd6caf354a
+  metadata.gz: 30a2550657ecd729c5885e4a02f841f466eb845b30a14f48caf83fdf98fc455ef09ca88a9f1affb91e170ccf5754e550b57383562a1bf1c9160ddef99bb510b5
+  data.tar.gz: 8b11f0377d29c4bb38a52135fe29bc15566c1dde326b666e7bd323bf5bf35f8acd14e5d9b4a95da73d4edef2bd2d87bf313cb0e8f32ca0b15b2c85d37e17f33f

data/lib/google/cloud/security_center/v1/security_center/client.rb

@@ -1014,7 +1014,7 @@ module Google
             #     See the operation documentation for the appropriate value for this field.
             #   @param options [::Google::Iam::V1::GetPolicyOptions, ::Hash]
             #     OPTIONAL: A `GetPolicyOptions` object for specifying options to
-            #     `GetIamPolicy`. This field is only used by Cloud IAM.
+            #     `GetIamPolicy`.
             #
             # @yield [response, operation] Access the result along with the RPC operation
             # @yieldparam response [::Google::Iam::V1::Policy]
@@ -2918,7 +2918,7 @@ module Google
             #   @param options [::Gapic::CallOptions, ::Hash]
             #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
             #
-            # @overload set_iam_policy(resource: nil, policy: nil)
+            # @overload set_iam_policy(resource: nil, policy: nil, update_mask: nil)
             #   Pass arguments to `set_iam_policy` via keyword arguments. Note that at
             #   least one keyword argument is required. To specify no parameters, or to keep all
             #   the default parameter values, pass an empty Hash as a request object (see above).
@@ -2931,6 +2931,12 @@ module Google
             #     the policy is limited to a few 10s of KB. An empty policy is a
             #     valid policy but certain Cloud Platform services (such as Projects)
             #     might reject them.
+            #   @param update_mask [::Google::Protobuf::FieldMask, ::Hash]
+            #     OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+            #     the fields in the mask will be modified. If no mask is provided, the
+            #     following default mask is used:
+            #
+            #     `paths: "bindings, etag"`
             #
             # @yield [response, operation] Access the result along with the RPC operation
             # @yieldparam response [::Google::Iam::V1::Policy]
@@ -3661,7 +3667,7 @@ module Google
             #     The time at which the updated SecurityMarks take effect.
             #     If not set uses current server time.  Updates will be applied to the
             #     SecurityMarks that are active immediately preceding this time. Must be
-            #     smaller or equal to the server time.
+            #     earlier or equal to the server time.
             #
             # @yield [response, operation] Access the result along with the RPC operation
             # @yieldparam response [::Google::Cloud::SecurityCenter::V1::SecurityMarks]

data/lib/google/cloud/security_center/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module SecurityCenter
       module V1
-        VERSION = "0.13.0"
+        VERSION = "0.14.0"
       end
     end
   end

data/lib/google/cloud/securitycenter/v1/finding_pb.rb

@@ -5,6 +5,7 @@ require 'google/api/field_behavior_pb'
 require 'google/api/resource_pb'
 require 'google/cloud/securitycenter/v1/access_pb'
 require 'google/cloud/securitycenter/v1/external_system_pb'
+require 'google/cloud/securitycenter/v1/iam_binding_pb'
 require 'google/cloud/securitycenter/v1/indicator_pb'
 require 'google/cloud/securitycenter/v1/mitre_attack_pb'
 require 'google/cloud/securitycenter/v1/security_marks_pb'
@@ -37,6 +38,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :mitre_attack, :message, 25, "google.cloud.securitycenter.v1.MitreAttack"
       optional :access, :message, 26, "google.cloud.securitycenter.v1.Access"
       optional :mute_initiator, :string, 28
+      repeated :iam_bindings, :message, 39, "google.cloud.securitycenter.v1.IamBinding"
+      optional :next_steps, :string, 40
     end
     add_enum "google.cloud.securitycenter.v1.Finding.State" do
       value :STATE_UNSPECIFIED, 0

data/lib/google/cloud/securitycenter/v1/iam_binding_pb.rb

@@ -0,0 +1,30 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/securitycenter/v1/iam_binding.proto
+
+require 'google/protobuf'
+
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/cloud/securitycenter/v1/iam_binding.proto", :syntax => :proto3) do
+    add_message "google.cloud.securitycenter.v1.IamBinding" do
+      optional :action, :enum, 1, "google.cloud.securitycenter.v1.IamBinding.Action"
+      optional :role, :string, 2
+      optional :member, :string, 3
+    end
+    add_enum "google.cloud.securitycenter.v1.IamBinding.Action" do
+      value :ACTION_UNSPECIFIED, 0
+      value :ADD, 1
+      value :REMOVE, 2
+    end
+  end
+end
+
+module Google
+  module Cloud
+    module SecurityCenter
+      module V1
+        IamBinding = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.securitycenter.v1.IamBinding").msgclass
+        IamBinding::Action = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.securitycenter.v1.IamBinding.Action").enummodule
+      end
+    end
+  end
+end

data/lib/google/cloud/securitycenter/v1/mitre_attack_pb.rb

@@ -59,6 +59,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       value :MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE, 26
       value :EXPLOIT_PUBLIC_FACING_APPLICATION, 27
       value :MODIFY_AUTHENTICATION_PROCESS, 28
+      value :DATA_DESTRUCTION, 29
+      value :DOMAIN_POLICY_MODIFICATION, 30
     end
   end
 end

data/lib/google/cloud/securitycenter/v1/resource_pb.rb

@@ -9,13 +9,13 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/resource.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.Resource" do
       optional :name, :string, 1
+      optional :display_name, :string, 8
+      optional :type, :string, 6
       optional :project, :string, 2
       optional :project_display_name, :string, 3
       optional :parent, :string, 4
       optional :parent_display_name, :string, 5
-      optional :type, :string, 6
       repeated :folders, :message, 7, "google.cloud.securitycenter.v1.Folder"
-      optional :display_name, :string, 8
     end
   end
 end

data/lib/google/cloud/securitycenter/v1/securitycenter_service_pb.rb

@@ -185,13 +185,13 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     end
     add_message "google.cloud.securitycenter.v1.ListFindingsResponse.ListFindingsResult.Resource" do
       optional :name, :string, 1
+      optional :display_name, :string, 8
+      optional :type, :string, 6
       optional :project_name, :string, 2
       optional :project_display_name, :string, 3
       optional :parent_name, :string, 4
       optional :parent_display_name, :string, 5
-      optional :type, :string, 6
       repeated :folders, :message, 7, "google.cloud.securitycenter.v1.Folder"
-      optional :display_name, :string, 8
     end
     add_enum "google.cloud.securitycenter.v1.ListFindingsResponse.ListFindingsResult.StateChange" do
       value :UNUSED, 0

data/proto_docs/google/cloud/securitycenter/v1/bigquery_export.rb

@@ -75,13 +75,13 @@ module Google
         #     creation or update.
         # @!attribute [r] most_recent_editor
         #   @return [::String]
-        #     Output only. Email address of the user who last edited the big query
-        #     export. This field is set by the server and will be ignored if provided on
-        #     export creation or update.
+        #     Output only. Email address of the user who last edited the big query export.
+        #     This field is set by the server and will be ignored if provided on export
+        #     creation or update.
         # @!attribute [r] principal
         #   @return [::String]
-        #     Output only. The service account that needs permission to create table,
-        #     upload data to the big query dataset.
+        #     Output only. The service account that needs permission to create table, upload data to
+        #     the big query dataset.
         class BigQueryExport
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/securitycenter/v1/external_system.rb

@@ -25,7 +25,8 @@ module Google
         # @!attribute [rw] name
         #   @return [::String]
         #     External System Name e.g. jira, demisto, etc.
-        #      e.g.: `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
+        #      e.g.:
+        #      `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
         #     `folders/1234/sources/5678/findings/123456/externalSystems/jira`
         #     `projects/1234/sources/5678/findings/123456/externalSystems/jira`
         # @!attribute [rw] assignees

data/proto_docs/google/cloud/securitycenter/v1/finding.rb

@@ -99,7 +99,7 @@ module Google
         #     finding.
         # @!attribute [rw] mute
         #   @return [::Google::Cloud::SecurityCenter::V1::Finding::Mute]
-        #     Indicates the mute state of a finding (either unspecified, muted, unmuted
+        #     Indicates the mute state of a finding (either muted, unmuted
         #     or undefined). Unlike other attributes of a finding, a finding provider
         #     shouldn't set the value of mute.
         # @!attribute [rw] finding_class
@@ -122,8 +122,8 @@ module Google
         #     Output only. The most recent time this finding was muted or unmuted.
         # @!attribute [r] external_systems
         #   @return [::Google::Protobuf::Map{::String => ::Google::Cloud::SecurityCenter::V1::ExternalSystem}]
-        #     Output only. Third party SIEM/SOAR fields within SCC, contains external
-        #     system information and external system finding fields.
+        #     Output only. Third party SIEM/SOAR fields within SCC, contains external system
+        #     information and external system finding fields.
         # @!attribute [rw] mitre_attack
         #   @return [::Google::Cloud::SecurityCenter::V1::MitreAttack]
         #     MITRE ATT&CK tactics and techniques related to this finding.
@@ -138,6 +138,12 @@ module Google
         #     mute operation e.g. mute config that muted the finding, user who muted the
         #     finding, etc. Unlike other attributes of a finding, a finding provider
         #     shouldn't set the value of mute.
+        # @!attribute [rw] iam_bindings
+        #   @return [::Array<::Google::Cloud::SecurityCenter::V1::IamBinding>]
+        #     Represents IAM bindings associated with the Finding.
+        # @!attribute [rw] next_steps
+        #   @return [::String]
+        #     Next steps associate to the finding.
         class Finding
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -221,7 +227,7 @@ module Google
             MEDIUM = 3
 
             # Vulnerability:
-            # A low risk vulnerability hampers a security organization’s ability to
+            # A low risk vulnerability hampers a security organization's ability to
             # detect vulnerabilities or active threats in their deployment, or prevents
             # the root cause investigation of security issues. An example is monitoring
             # and logs being disabled for resource configurations and access.

data/proto_docs/google/cloud/securitycenter/v1/iam_binding.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module SecurityCenter
+      module V1
+        # Represents a particular IAM binding, which captures a member's role addition,
+        # removal, or state.
+        # @!attribute [rw] action
+        #   @return [::Google::Cloud::SecurityCenter::V1::IamBinding::Action]
+        #     The action that was performed on a Binding.
+        # @!attribute [rw] role
+        #   @return [::String]
+        #     Role that is assigned to "members".
+        #     For example, "roles/viewer", "roles/editor", or "roles/owner".
+        # @!attribute [rw] member
+        #   @return [::String]
+        #     A single identity requesting access for a Cloud Platform resource,
+        #     e.g. "foo@google.com".
+        class IamBinding
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # The type of action performed on a Binding in a policy.
+          module Action
+            # Unspecified.
+            ACTION_UNSPECIFIED = 0
+
+            # Addition of a Binding.
+            ADD = 1
+
+            # Removal of a Binding.
+            REMOVE = 2
+          end
+        end
+      end
+    end
+  end
+end

data/proto_docs/google/cloud/securitycenter/v1/mitre_attack.rb

@@ -99,6 +99,7 @@ module Google
 
           # MITRE ATT&CK techniques that can be referenced by SCC findings.
           # See: https://attack.mitre.org/techniques/enterprise/
+          # Next ID: 31
           module Technique
             # Unspecified value.
             TECHNIQUE_UNSPECIFIED = 0
@@ -186,6 +187,12 @@ module Google
 
             # T1556
             MODIFY_AUTHENTICATION_PROCESS = 28
+
+            # T1485
+            DATA_DESTRUCTION = 29
+
+            # T1484
+            DOMAIN_POLICY_MODIFICATION = 30
           end
         end
       end

data/proto_docs/google/cloud/securitycenter/v1/resource.rb

@@ -26,29 +26,29 @@ module Google
         #   @return [::String]
         #     The full resource name of the resource. See:
         #     https://cloud.google.com/apis/design/resource_names#full_resource_name
+        # @!attribute [rw] display_name
+        #   @return [::String]
+        #     The human readable name of the resource.
+        # @!attribute [rw] type
+        #   @return [::String]
+        #     The full resource type of the resource.
         # @!attribute [rw] project
         #   @return [::String]
         #     The full resource name of project that the resource belongs to.
         # @!attribute [rw] project_display_name
         #   @return [::String]
-        #     The project id that the resource belongs to.
+        #     The project ID that the resource belongs to.
         # @!attribute [rw] parent
         #   @return [::String]
         #     The full resource name of resource's parent.
         # @!attribute [rw] parent_display_name
         #   @return [::String]
         #     The human readable name of resource's parent.
-        # @!attribute [rw] type
-        #   @return [::String]
-        #     The full resource type of the resource.
         # @!attribute [r] folders
         #   @return [::Array<::Google::Cloud::SecurityCenter::V1::Folder>]
         #     Output only. Contains a Folder message for each folder in the assets ancestry.
         #     The first folder is the deepest nested folder, and the last folder is the
         #     folder directly under the Organization.
-        # @!attribute [rw] display_name
-        #   @return [::String]
-        #     The human readable name of the resource.
         class Resource
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/securitycenter/v1/securitycenter_service.rb

@@ -1048,29 +1048,29 @@ module Google
             #   @return [::String]
             #     The full resource name of the resource. See:
             #     https://cloud.google.com/apis/design/resource_names#full_resource_name
+            # @!attribute [rw] display_name
+            #   @return [::String]
+            #     The human readable name of the resource.
+            # @!attribute [rw] type
+            #   @return [::String]
+            #     The full resource type of the resource.
             # @!attribute [rw] project_name
             #   @return [::String]
             #     The full resource name of project that the resource belongs to.
             # @!attribute [rw] project_display_name
             #   @return [::String]
-            #     The project id that the resource belongs to.
+            #     The project ID that the resource belongs to.
             # @!attribute [rw] parent_name
             #   @return [::String]
             #     The full resource name of resource's parent.
             # @!attribute [rw] parent_display_name
             #   @return [::String]
             #     The human readable name of resource's parent.
-            # @!attribute [rw] type
-            #   @return [::String]
-            #     The full resource type of the resource.
             # @!attribute [rw] folders
             #   @return [::Array<::Google::Cloud::SecurityCenter::V1::Folder>]
             #     Contains a Folder message for each folder in the assets ancestry.
             #     The first folder is the deepest nested folder, and the last folder is
             #     the folder directly under the Organization.
-            # @!attribute [rw] display_name
-            #   @return [::String]
-            #     The human readable name of the resource.
             class Resource
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -1259,7 +1259,7 @@ module Google
         #     The time at which the updated SecurityMarks take effect.
         #     If not set uses current server time.  Updates will be applied to the
         #     SecurityMarks that are active immediately preceding this time. Must be
-        #     smaller or equal to the server time.
+        #     earlier or equal to the server time.
         class UpdateSecurityMarksRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/iam/v1/iam_policy.rb

@@ -31,6 +31,13 @@ module Google
       #     the policy is limited to a few 10s of KB. An empty policy is a
       #     valid policy but certain Cloud Platform services (such as Projects)
       #     might reject them.
+      # @!attribute [rw] update_mask
+      #   @return [::Google::Protobuf::FieldMask]
+      #     OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+      #     the fields in the mask will be modified. If no mask is provided, the
+      #     following default mask is used:
+      #
+      #     `paths: "bindings, etag"`
       class SetIamPolicyRequest
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -44,7 +51,7 @@ module Google
       # @!attribute [rw] options
       #   @return [::Google::Iam::V1::GetPolicyOptions]
       #     OPTIONAL: A `GetPolicyOptions` object for specifying options to
-      #     `GetIamPolicy`. This field is only used by Cloud IAM.
+      #     `GetIamPolicy`.
       class GetIamPolicyRequest
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/iam/v1/options.rb

@@ -23,14 +23,24 @@ module Google
       # Encapsulates settings provided to GetIamPolicy.
       # @!attribute [rw] requested_policy_version
       #   @return [::Integer]
-      #     Optional. The policy format version to be returned.
+      #     Optional. The maximum policy version that will be used to format the
+      #     policy.
       #
       #     Valid values are 0, 1, and 3. Requests specifying an invalid value will be
       #     rejected.
       #
-      #     Requests for policies with any conditional bindings must specify version 3.
-      #     Policies without any conditional bindings may specify any valid value or
-      #     leave the field unset.
+      #     Requests for policies with any conditional role bindings must specify
+      #     version 3. Policies with no conditional role bindings may specify any valid
+      #     value or leave the field unset.
+      #
+      #     The policy in the response might use the policy version that you specified,
+      #     or it might use a lower policy version. For example, if you specify version
+      #     3, but the policy has no conditional role bindings, the response uses
+      #     version 1.
+      #
+      #     To learn which resources support conditions in their IAM policies, see the
+      #     [IAM
+      #     documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       class GetPolicyOptions
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/iam/v1/policy.rb

@@ -20,19 +20,24 @@
 module Google
   module Iam
     module V1
-      # Defines an Identity and Access Management (IAM) policy. It is used to
-      # specify access control policies for Cloud Platform resources.
+      # An Identity and Access Management (IAM) policy, which specifies access
+      # controls for Google Cloud resources.
       #
       #
       # A `Policy` is a collection of `bindings`. A `binding` binds one or more
-      # `members` to a single `role`. Members can be user accounts, service accounts,
-      # Google groups, and domains (such as G Suite). A `role` is a named list of
-      # permissions (defined by IAM or configured by users). A `binding` can
-      # optionally specify a `condition`, which is a logic expression that further
-      # constrains the role binding based on attributes about the request and/or
-      # target resource.
+      # `members`, or principals, to a single `role`. Principals can be user
+      # accounts, service accounts, Google groups, and domains (such as G Suite). A
+      # `role` is a named list of permissions; each `role` can be an IAM predefined
+      # role or a user-created custom role.
       #
-      # **JSON Example**
+      # For some types of Google Cloud resources, a `binding` can also specify a
+      # `condition`, which is a logical expression that allows access to a resource
+      # only if the expression evaluates to `true`. A condition can add constraints
+      # based on attributes of the request, the resource, or both. To learn which
+      # resources support conditions in their IAM policies, see the
+      # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+      #
+      # **JSON example:**
       #
       #     {
       #       "bindings": [
@@ -47,18 +52,21 @@ module Google
       #         },
       #         {
       #           "role": "roles/resourcemanager.organizationViewer",
-      #           "members": ["user:eve@example.com"],
+      #           "members": [
+      #             "user:eve@example.com"
+      #           ],
       #           "condition": {
       #             "title": "expirable access",
       #             "description": "Does not grant access after Sep 2020",
-      #             "expression": "request.time <
-      #             timestamp('2020-10-01T00:00:00.000Z')",
+      #             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
       #           }
       #         }
-      #       ]
+      #       ],
+      #       "etag": "BwWWja0YfJA=",
+      #       "version": 3
       #     }
       #
-      # **YAML Example**
+      # **YAML example:**
       #
       #     bindings:
       #     - members:
@@ -74,30 +82,52 @@ module Google
       #         title: expirable access
       #         description: Does not grant access after Sep 2020
       #         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+      #     etag: BwWWja0YfJA=
+      #     version: 3
       #
       # For a description of IAM and its features, see the
-      # [IAM developer's guide](https://cloud.google.com/iam/docs).
+      # [IAM documentation](https://cloud.google.com/iam/docs/).
       # @!attribute [rw] version
       #   @return [::Integer]
       #     Specifies the format of the policy.
       #
-      #     Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-      #     rejected.
+      #     Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+      #     are rejected.
+      #
+      #     Any operation that affects conditional role bindings must specify version
+      #     `3`. This requirement applies to the following operations:
       #
-      #     Operations affecting conditional bindings must specify version 3. This can
-      #     be either setting a conditional policy, modifying a conditional binding,
-      #     or removing a binding (conditional or unconditional) from the stored
-      #     conditional policy.
-      #     Operations on non-conditional policies may specify any valid value or
-      #     leave the field unset.
+      #     * Getting a policy that includes a conditional role binding
+      #     * Adding a conditional role binding to a policy
+      #     * Changing a conditional role binding in a policy
+      #     * Removing any role binding, with or without a condition, from a policy
+      #       that includes conditions
       #
-      #     If no etag is provided in the call to `setIamPolicy`, version compliance
-      #     checks against the stored policy is skipped.
+      #     **Important:** If you use IAM Conditions, you must include the `etag` field
+      #     whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+      #     you to overwrite a version `3` policy with a version `1` policy, and all of
+      #     the conditions in the version `3` policy are lost.
+      #
+      #     If a policy does not include any conditions, operations on that policy may
+      #     specify any valid version or leave the field unset.
+      #
+      #     To learn which resources support conditions in their IAM policies, see the
+      #     [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       # @!attribute [rw] bindings
       #   @return [::Array<::Google::Iam::V1::Binding>]
-      #     Associates a list of `members` to a `role`. Optionally may specify a
-      #     `condition` that determines when binding is in effect.
-      #     `bindings` with no members will result in an error.
+      #     Associates a list of `members`, or principals, with a `role`. Optionally,
+      #     may specify a `condition` that determines how and when the `bindings` are
+      #     applied. Each of the `bindings` must contain at least one principal.
+      #
+      #     The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+      #     of these principals can be Google groups. Each occurrence of a principal
+      #     counts towards these limits. For example, if the `bindings` grant 50
+      #     different roles to `user:alice@example.com`, and not to any other
+      #     principal, then you can add another 1,450 principals to the `bindings` in
+      #     the `Policy`.
+      # @!attribute [rw] audit_configs
+      #   @return [::Array<::Google::Iam::V1::AuditConfig>]
+      #     Specifies cloud audit logging configuration for this policy.
       # @!attribute [rw] etag
       #   @return [::String]
       #     `etag` is used for optimistic concurrency control as a way to help
@@ -108,23 +138,23 @@ module Google
       #     systems are expected to put that etag in the request to `setIamPolicy` to
       #     ensure that their change will be applied to the same version of the policy.
       #
-      #     If no `etag` is provided in the call to `setIamPolicy`, then the existing
-      #     policy is overwritten. Due to blind-set semantics of an etag-less policy,
-      #     'setIamPolicy' will not fail even if the incoming policy version does not
-      #     meet the requirements for modifying the stored policy.
+      #     **Important:** If you use IAM Conditions, you must include the `etag` field
+      #     whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+      #     you to overwrite a version `3` policy with a version `1` policy, and all of
+      #     the conditions in the version `3` policy are lost.
       class Policy
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods
       end
 
-      # Associates `members` with a `role`.
+      # Associates `members`, or principals, with a `role`.
       # @!attribute [rw] role
       #   @return [::String]
-      #     Role that is assigned to `members`.
+      #     Role that is assigned to the list of `members`, or principals.
       #     For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
       # @!attribute [rw] members
       #   @return [::Array<::String>]
-      #     Specifies the identities requesting access for a Cloud Platform resource.
+      #     Specifies the principals requesting access for a Cloud Platform resource.
       #     `members` can have the following values:
       #
       #     * `allUsers`: A special identifier that represents anyone who is
@@ -143,20 +173,160 @@ module Google
       #     * `group:{emailid}`: An email address that represents a Google group.
       #        For example, `admins@example.com`.
       #
+      #     * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+      #        identifier) representing a user that has been recently deleted. For
+      #        example, `alice@example.com?uid=123456789012345678901`. If the user is
+      #        recovered, this value reverts to `user:{emailid}` and the recovered user
+      #        retains the role in the binding.
+      #
+      #     * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+      #        unique identifier) representing a service account that has been recently
+      #        deleted. For example,
+      #        `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+      #        If the service account is undeleted, this value reverts to
+      #        `serviceAccount:{emailid}` and the undeleted service account retains the
+      #        role in the binding.
+      #
+      #     * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+      #        identifier) representing a Google group that has been recently
+      #        deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+      #        the group is recovered, this value reverts to `group:{emailid}` and the
+      #        recovered group retains the role in the binding.
+      #
       #
       #     * `domain:{domain}`: The G Suite domain (primary) that represents all the
       #        users of that domain. For example, `google.com` or `example.com`.
       # @!attribute [rw] condition
       #   @return [::Google::Type::Expr]
       #     The condition that is associated with this binding.
-      #     NOTE: An unsatisfied condition will not allow user access via current
-      #     binding. Different bindings, including their conditions, are examined
-      #     independently.
+      #
+      #     If the condition evaluates to `true`, then this binding applies to the
+      #     current request.
+      #
+      #     If the condition evaluates to `false`, then this binding does not apply to
+      #     the current request. However, a different role binding might grant the same
+      #     role to one or more of the principals in this binding.
+      #
+      #     To learn which resources support conditions in their IAM policies, see the
+      #     [IAM
+      #     documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
       class Binding
         include ::Google::Protobuf::MessageExts
         extend ::Google::Protobuf::MessageExts::ClassMethods
       end
 
+      # Specifies the audit configuration for a service.
+      # The configuration determines which permission types are logged, and what
+      # identities, if any, are exempted from logging.
+      # An AuditConfig must have one or more AuditLogConfigs.
+      #
+      # If there are AuditConfigs for both `allServices` and a specific service,
+      # the union of the two AuditConfigs is used for that service: the log_types
+      # specified in each AuditConfig are enabled, and the exempted_members in each
+      # AuditLogConfig are exempted.
+      #
+      # Example Policy with multiple AuditConfigs:
+      #
+      #     {
+      #       "audit_configs": [
+      #         {
+      #           "service": "allServices",
+      #           "audit_log_configs": [
+      #             {
+      #               "log_type": "DATA_READ",
+      #               "exempted_members": [
+      #                 "user:jose@example.com"
+      #               ]
+      #             },
+      #             {
+      #               "log_type": "DATA_WRITE"
+      #             },
+      #             {
+      #               "log_type": "ADMIN_READ"
+      #             }
+      #           ]
+      #         },
+      #         {
+      #           "service": "sampleservice.googleapis.com",
+      #           "audit_log_configs": [
+      #             {
+      #               "log_type": "DATA_READ"
+      #             },
+      #             {
+      #               "log_type": "DATA_WRITE",
+      #               "exempted_members": [
+      #                 "user:aliya@example.com"
+      #               ]
+      #             }
+      #           ]
+      #         }
+      #       ]
+      #     }
+      #
+      # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+      # logging. It also exempts jose@example.com from DATA_READ logging, and
+      # aliya@example.com from DATA_WRITE logging.
+      # @!attribute [rw] service
+      #   @return [::String]
+      #     Specifies a service that will be enabled for audit logging.
+      #     For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+      #     `allServices` is a special value that covers all services.
+      # @!attribute [rw] audit_log_configs
+      #   @return [::Array<::Google::Iam::V1::AuditLogConfig>]
+      #     The configuration for logging of each type of permission.
+      class AuditConfig
+        include ::Google::Protobuf::MessageExts
+        extend ::Google::Protobuf::MessageExts::ClassMethods
+      end
+
+      # Provides the configuration for logging a type of permissions.
+      # Example:
+      #
+      #     {
+      #       "audit_log_configs": [
+      #         {
+      #           "log_type": "DATA_READ",
+      #           "exempted_members": [
+      #             "user:jose@example.com"
+      #           ]
+      #         },
+      #         {
+      #           "log_type": "DATA_WRITE"
+      #         }
+      #       ]
+      #     }
+      #
+      # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+      # jose@example.com from DATA_READ logging.
+      # @!attribute [rw] log_type
+      #   @return [::Google::Iam::V1::AuditLogConfig::LogType]
+      #     The log type that this config enables.
+      # @!attribute [rw] exempted_members
+      #   @return [::Array<::String>]
+      #     Specifies the identities that do not cause logging for this type of
+      #     permission.
+      #     Follows the same format of {::Google::Iam::V1::Binding#members Binding.members}.
+      class AuditLogConfig
+        include ::Google::Protobuf::MessageExts
+        extend ::Google::Protobuf::MessageExts::ClassMethods
+
+        # The list of valid permission types for which logging can be configured.
+        # Admin writes are always logged, and are not configurable.
+        module LogType
+          # Default case. Should never be this.
+          LOG_TYPE_UNSPECIFIED = 0
+
+          # Admin reads. Example: CloudIAM getIamPolicy
+          ADMIN_READ = 1
+
+          # Data writes. Example: CloudSQL Users create
+          DATA_WRITE = 2
+
+          # Data reads. Example: CloudSQL Users list
+          DATA_READ = 3
+        end
+      end
+
       # The difference delta between two policies.
       # @!attribute [rw] binding_deltas
       #   @return [::Array<::Google::Iam::V1::BindingDelta>]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-security_center-v1
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 0.14.0
 platform: ruby
 authors:
 - Google LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-04 00:00:00.000000000 Z
+date: 2022-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gapic-common
@@ -48,22 +48,16 @@ dependencies:
   name: grpc-google-iam-v1
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.6.10
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.a
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.6.10
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.a
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: google-style
   requirement: !ruby/object:Gem::Requirement
@@ -203,6 +197,7 @@ files:
 - lib/google/cloud/securitycenter/v1/external_system_pb.rb
 - lib/google/cloud/securitycenter/v1/finding_pb.rb
 - lib/google/cloud/securitycenter/v1/folder_pb.rb
+- lib/google/cloud/securitycenter/v1/iam_binding_pb.rb
 - lib/google/cloud/securitycenter/v1/indicator_pb.rb
 - lib/google/cloud/securitycenter/v1/mitre_attack_pb.rb
 - lib/google/cloud/securitycenter/v1/mute_config_pb.rb
@@ -225,6 +220,7 @@ files:
 - proto_docs/google/cloud/securitycenter/v1/external_system.rb
 - proto_docs/google/cloud/securitycenter/v1/finding.rb
 - proto_docs/google/cloud/securitycenter/v1/folder.rb
+- proto_docs/google/cloud/securitycenter/v1/iam_binding.rb
 - proto_docs/google/cloud/securitycenter/v1/indicator.rb
 - proto_docs/google/cloud/securitycenter/v1/mitre_attack.rb
 - proto_docs/google/cloud/securitycenter/v1/mute_config.rb