strongdm 11.0.0 → 11.3.0

data/lib/grpc/policies_pb.rb

@@ -0,0 +1,91 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: policies.proto
+
+require "google/protobuf"
+
+require "options_pb"
+require "spec_pb"
+
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("policies.proto", :syntax => :proto3) do
+    add_message "v1.PolicyCreateRequest" do
+      optional :meta, :message, 1, "v1.CreateRequestMetadata"
+      optional :policy, :message, 2, "v1.Policy"
+    end
+    add_message "v1.PolicyCreateResponse" do
+      optional :meta, :message, 1, "v1.CreateResponseMetadata"
+      optional :policy, :message, 2, "v1.Policy"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.PolicyUpdateRequest" do
+      optional :meta, :message, 1, "v1.UpdateRequestMetadata"
+      optional :id, :string, 2
+      optional :policy, :message, 3, "v1.Policy"
+    end
+    add_message "v1.PolicyUpdateResponse" do
+      optional :meta, :message, 1, "v1.UpdateResponseMetadata"
+      optional :policy, :message, 2, "v1.Policy"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.PolicyDeleteRequest" do
+      optional :meta, :message, 1, "v1.DeleteRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.PolicyDeleteResponse" do
+      optional :meta, :message, 1, "v1.DeleteResponseMetadata"
+      optional :rate_limit, :message, 2, "v1.RateLimitMetadata"
+    end
+    add_message "v1.PolicyGetRequest" do
+      optional :meta, :message, 1, "v1.GetRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.PolicyGetResponse" do
+      optional :meta, :message, 1, "v1.GetResponseMetadata"
+      optional :policy, :message, 2, "v1.Policy"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.PolicyListRequest" do
+      optional :meta, :message, 1, "v1.ListRequestMetadata"
+      optional :filter, :string, 2
+    end
+    add_message "v1.PolicyListResponse" do
+      optional :meta, :message, 1, "v1.ListResponseMetadata"
+      repeated :policies, :message, 2, "v1.Policy"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.Policy" do
+      optional :id, :string, 1
+      optional :name, :string, 2
+      optional :description, :string, 3
+      optional :policy, :string, 4
+    end
+  end
+end
+
+module V1
+  PolicyCreateRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyCreateRequest").msgclass
+  PolicyCreateResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyCreateResponse").msgclass
+  PolicyUpdateRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyUpdateRequest").msgclass
+  PolicyUpdateResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyUpdateResponse").msgclass
+  PolicyDeleteRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyDeleteRequest").msgclass
+  PolicyDeleteResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyDeleteResponse").msgclass
+  PolicyGetRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyGetRequest").msgclass
+  PolicyGetResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyGetResponse").msgclass
+  PolicyListRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyListRequest").msgclass
+  PolicyListResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.PolicyListResponse").msgclass
+  Policy = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.Policy").msgclass
+end

data/lib/grpc/policies_services_pb.rb

@@ -0,0 +1,46 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# Source: policies.proto for package 'v1'
+
+require "grpc"
+require "policies_pb"
+
+module V1
+  module Policies
+    # Policies are the collection of one or more statements that enforce fine-grained access
+    # control for the users of an organization.
+    class Service
+      include ::GRPC::GenericService
+
+      self.marshal_class_method = :encode
+      self.unmarshal_class_method = :decode
+      self.service_name = "v1.Policies"
+
+      # Create creates a new Policy.
+      rpc :Create, ::V1::PolicyCreateRequest, ::V1::PolicyCreateResponse
+      # Delete removes a Policy by ID.
+      rpc :Delete, ::V1::PolicyDeleteRequest, ::V1::PolicyDeleteResponse
+      # Update replaces all the fields of a Policy by ID.
+      rpc :Update, ::V1::PolicyUpdateRequest, ::V1::PolicyUpdateResponse
+      # Get reads one Policy by ID.
+      rpc :Get, ::V1::PolicyGetRequest, ::V1::PolicyGetResponse
+      # List gets a list of Policy matching a given set of criteria
+      rpc :List, ::V1::PolicyListRequest, ::V1::PolicyListResponse
+    end
+
+    Stub = Service.rpc_stub_class
+  end
+end

data/lib/models/porcelain.rb

@@ -17,6 +17,9 @@
 
 module SDM
   class AKS
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
@@ -58,6 +61,7 @@ module SDM
     attr_accessor :tags
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
       client_certificate: nil,
@@ -78,6 +82,7 @@ module SDM
       subdomain: nil,
       tags: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
       @client_certificate = client_certificate == nil ? "" : client_certificate
@@ -180,6 +185,9 @@ module SDM
   end
 
   class AKSServiceAccount
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # If true, configures discovery of a cluster to be run from a node.
@@ -217,6 +225,7 @@ module SDM
     attr_accessor :token
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       discovery_enabled: nil,
       discovery_username: nil,
@@ -235,6 +244,7 @@ module SDM
       tags: nil,
       token: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @discovery_enabled = discovery_enabled == nil ? false : discovery_enabled
       @discovery_username = discovery_username == nil ? "" : discovery_username
@@ -1717,6 +1727,9 @@ module SDM
   class AmazonEKS
     # The Access Key ID to use to authenticate.
     attr_accessor :access_key
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
@@ -1763,6 +1776,7 @@ module SDM
 
     def initialize(
       access_key: nil,
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
       cluster_name: nil,
@@ -1786,6 +1800,7 @@ module SDM
       tags: nil
     )
       @access_key = access_key == nil ? "" : access_key
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
       @cluster_name = cluster_name == nil ? "" : cluster_name
@@ -1819,6 +1834,9 @@ module SDM
   end
 
   class AmazonEKSInstanceProfile
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
@@ -1862,6 +1880,7 @@ module SDM
     attr_accessor :tags
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
       cluster_name: nil,
@@ -1883,6 +1902,7 @@ module SDM
       subdomain: nil,
       tags: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
       @cluster_name = cluster_name == nil ? "" : cluster_name
@@ -4851,6 +4871,9 @@ module SDM
   end
 
   class GoogleGKE
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
@@ -4888,6 +4911,7 @@ module SDM
     attr_accessor :tags
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
       discovery_enabled: nil,
@@ -4906,6 +4930,7 @@ module SDM
       subdomain: nil,
       tags: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
       @discovery_enabled = discovery_enabled == nil ? false : discovery_enabled
@@ -5774,6 +5799,9 @@ module SDM
   end
 
   class Kubernetes
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
@@ -5815,6 +5843,7 @@ module SDM
     attr_accessor :tags
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
       client_certificate: nil,
@@ -5835,6 +5864,7 @@ module SDM
       subdomain: nil,
       tags: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
       @client_certificate = client_certificate == nil ? "" : client_certificate
@@ -5937,6 +5967,9 @@ module SDM
   end
 
   class KubernetesServiceAccount
+    # If true, allows users to fallback to the existing authentication mode (Leased Credential or Identity Set)
+    # when a resource role is not provided.
+    attr_accessor :allow_resource_role_bypass
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface
     # If true, configures discovery of a cluster to be run from a node.
@@ -5974,6 +6007,7 @@ module SDM
     attr_accessor :token
 
     def initialize(
+      allow_resource_role_bypass: nil,
       bind_interface: nil,
       discovery_enabled: nil,
       discovery_username: nil,
@@ -5992,6 +6026,7 @@ module SDM
       tags: nil,
       token: nil
     )
+      @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @discovery_enabled = discovery_enabled == nil ? false : discovery_enabled
       @discovery_username = discovery_username == nil ? "" : discovery_username
@@ -6566,7 +6601,6 @@ module SDM
     end
   end
 
-  # MongoHost is currently unstable, and its API may change, or it may be removed, without a major version bump.
   class MongoHost
     # The authentication database to use.
     attr_accessor :auth_database
@@ -6642,6 +6676,7 @@ module SDM
     end
   end
 
+  # MongoLegacyHost is currently unstable, and its API may change, or it may be removed, without a major version bump.
   class MongoLegacyHost
     # The authentication database to use.
     attr_accessor :auth_database
@@ -6717,6 +6752,7 @@ module SDM
     end
   end
 
+  # MongoLegacyReplicaset is currently unstable, and its API may change, or it may be removed, without a major version bump.
   class MongoLegacyReplicaset
     # The authentication database to use.
     attr_accessor :auth_database
@@ -6800,7 +6836,6 @@ module SDM
     end
   end
 
-  # MongoReplicaSet is currently unstable, and its API may change, or it may be removed, without a major version bump.
   class MongoReplicaSet
     # The authentication database to use.
     attr_accessor :auth_database
@@ -8010,6 +8045,192 @@ module SDM
     end
   end
 
+  # Policy is a collection of one or more statements that enforce fine-grained access control
+  # for the users of an organization.
+  class Policy
+    # Optional description of the Policy.
+    attr_accessor :description
+    # Unique identifier of the Policy.
+    attr_accessor :id
+    # Unique human-readable name of the Policy.
+    attr_accessor :name
+    # The content of the Policy, in Cedar policy language.
+    attr_accessor :policy
+
+    def initialize(
+      description: nil,
+      id: nil,
+      name: nil,
+      policy: nil
+    )
+      @description = description == nil ? "" : description
+      @id = id == nil ? "" : id
+      @name = name == nil ? "" : name
+      @policy = policy == nil ? "" : policy
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyCreateResponse reports how the Policy was created in the system.
+  class PolicyCreateResponse
+    # The created Policy.
+    attr_accessor :policy
+    # Rate limit information.
+    attr_accessor :rate_limit
+
+    def initialize(
+      policy: nil,
+      rate_limit: nil
+    )
+      @policy = policy == nil ? nil : policy
+      @rate_limit = rate_limit == nil ? nil : rate_limit
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyDeleteResponse returns information about a Policy that was deleted.
+  class PolicyDeleteResponse
+    # Rate limit information.
+    attr_accessor :rate_limit
+
+    def initialize(
+      rate_limit: nil
+    )
+      @rate_limit = rate_limit == nil ? nil : rate_limit
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyGetResponse returns a requested Policy.
+  class PolicyGetResponse
+    # Reserved for future use.
+    attr_accessor :meta
+    # The requested Policy.
+    attr_accessor :policy
+    # Rate limit information.
+    attr_accessor :rate_limit
+
+    def initialize(
+      meta: nil,
+      policy: nil,
+      rate_limit: nil
+    )
+      @meta = meta == nil ? nil : meta
+      @policy = policy == nil ? nil : policy
+      @rate_limit = rate_limit == nil ? nil : rate_limit
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyHistory records the state of a Policy at a given point in time,
+  # where every change (create, update and delete) to a Policy produces a
+  # PolicyHistory record.
+  class PolicyHistory
+    # The unique identifier of the Activity that produced this change to the Policy.
+    # May be empty for some system-initiated updates.
+    attr_accessor :activity_id
+    # If this Policy was deleted, the time it was deleted.
+    attr_accessor :deleted_at
+    # The complete Policy state at this time.
+    attr_accessor :policy
+    # The time at which the Policy state was recorded.
+    attr_accessor :timestamp
+
+    def initialize(
+      activity_id: nil,
+      deleted_at: nil,
+      policy: nil,
+      timestamp: nil
+    )
+      @activity_id = activity_id == nil ? "" : activity_id
+      @deleted_at = deleted_at == nil ? nil : deleted_at
+      @policy = policy == nil ? nil : policy
+      @timestamp = timestamp == nil ? nil : timestamp
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyListResponse returns a list of Policy records that meet
+  # the criteria of a PolicyListRequest.
+  class PolicyListResponse
+    # Rate limit information.
+    attr_accessor :rate_limit
+
+    def initialize(
+      rate_limit: nil
+    )
+      @rate_limit = rate_limit == nil ? nil : rate_limit
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  # PolicyUpdateResponse returns the fields of a Policy after it has been updated by
+  # a PolicyUpdateRequest.
+  class PolicyUpdateResponse
+    # The updated Policy.
+    attr_accessor :policy
+    # Rate limit information.
+    attr_accessor :rate_limit
+
+    def initialize(
+      policy: nil,
+      rate_limit: nil
+    )
+      @policy = policy == nil ? nil : policy
+      @rate_limit = rate_limit == nil ? nil : rate_limit
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
   class Postgres
     # The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
     attr_accessor :bind_interface

data/lib/strongdm.rb

@@ -29,7 +29,7 @@ module SDM #:nodoc:
     DEFAULT_BASE_RETRY_DELAY = 0.0030 # 30 ms
     DEFAULT_MAX_RETRY_DELAY = 300 # 300 seconds
     API_VERSION = "2024-03-28"
-    USER_AGENT = "strongdm-sdk-ruby/11.0.0"
+    USER_AGENT = "strongdm-sdk-ruby/11.3.0"
     private_constant :DEFAULT_MAX_RETRIES, :DEFAULT_BASE_RETRY_DELAY, :DEFAULT_MAX_RETRY_DELAY, :API_VERSION, :USER_AGENT
 
     # Creates a new strongDM API client.
@@ -86,6 +86,8 @@ module SDM #:nodoc:
       @peering_group_peers = PeeringGroupPeers.new(@channel, self)
       @peering_group_resources = PeeringGroupResources.new(@channel, self)
       @peering_groups = PeeringGroups.new(@channel, self)
+      @policies = Policies.new(@channel, self)
+      @policies_history = PoliciesHistory.new(@channel, self)
       @queries = Queries.new(@channel, self)
       @remote_identities = RemoteIdentities.new(@channel, self)
       @remote_identities_history = RemoteIdentitiesHistory.new(@channel, self)
@@ -335,6 +337,15 @@ module SDM #:nodoc:
     #
     # See {PeeringGroups}.
     attr_reader :peering_groups
+    # Policies are the collection of one or more statements that enforce fine-grained access
+    # control for the users of an organization.
+    #
+    # See {Policies}.
+    attr_reader :policies
+    # PoliciesHistory records all changes to the state of a Policy.
+    #
+    # See {PoliciesHistory}.
+    attr_reader :policies_history
     # A Query is a record of a single client request to a resource, such as a SQL query.
     # Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
     # The Queries service is read-only.
@@ -478,6 +489,8 @@ module SDM #:nodoc:
       @peering_group_peers = PeeringGroupPeers.new(@channel, self)
       @peering_group_resources = PeeringGroupResources.new(@channel, self)
       @peering_groups = PeeringGroups.new(@channel, self)
+      @policies = Policies.new(@channel, self)
+      @policies_history = PoliciesHistory.new(@channel, self)
       @queries = Queries.new(@channel, self)
       @remote_identities = RemoteIdentities.new(@channel, self)
       @remote_identities_history = RemoteIdentitiesHistory.new(@channel, self)
@@ -519,6 +532,7 @@ module SDM #:nodoc:
       @identity_aliases = SnapshotIdentityAliases.new(client.identity_aliases)
       @identity_sets = SnapshotIdentitySets.new(client.identity_sets)
       @nodes = SnapshotNodes.new(client.nodes)
+      @policies = SnapshotPolicies.new(client.policies)
       @remote_identities = SnapshotRemoteIdentities.new(client.remote_identities)
       @remote_identity_groups = SnapshotRemoteIdentityGroups.new(client.remote_identity_groups)
       @resources = SnapshotResources.new(client.resources)
@@ -589,6 +603,11 @@ module SDM #:nodoc:
     #
     # See {SnapshotNodes}.
     attr_reader :nodes
+    # Policies are the collection of one or more statements that enforce fine-grained access
+    # control for the users of an organization.
+    #
+    # See {SnapshotPolicies}.
+    attr_reader :policies
     # RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
     #
     # See {SnapshotRemoteIdentities}.