@google-cloud/dlp 5.3.0 → 5.5.0

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -1,4 +1,4 @@
-// Copyright 2023 Google LLC
+// Copyright 2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -750,7 +750,7 @@ service DlpService {
     option (google.api.method_signature) = "name";
   }
 
-  // Lists data profiles for an organization.
+  // Lists project data profiles for an organization.
   rpc ListProjectDataProfiles(ListProjectDataProfilesRequest)
       returns (ListProjectDataProfilesResponse) {
     option (google.api.http) = {
@@ -762,7 +762,7 @@ service DlpService {
     option (google.api.method_signature) = "parent";
   }
 
-  // Lists data profiles for an organization.
+  // Lists table data profiles for an organization.
   rpc ListTableDataProfiles(ListTableDataProfilesRequest)
       returns (ListTableDataProfilesResponse) {
     option (google.api.http) = {
@@ -774,7 +774,7 @@ service DlpService {
     option (google.api.method_signature) = "parent";
   }
 
-  // Lists data profiles for an organization.
+  // Lists column data profiles for an organization.
   rpc ListColumnDataProfiles(ListColumnDataProfilesRequest)
       returns (ListColumnDataProfilesResponse) {
     option (google.api.http) = {
@@ -822,6 +822,19 @@ service DlpService {
     option (google.api.method_signature) = "name";
   }
 
+  // Delete a TableDataProfile. Will not prevent the profile from being
+  // regenerated if the table is still included in a discovery configuration.
+  rpc DeleteTableDataProfile(DeleteTableDataProfileRequest)
+      returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v2/{name=organizations/*/locations/*/tableDataProfiles/*}"
+      additional_bindings {
+        delete: "/v2/{name=projects/*/locations/*/tableDataProfiles/*}"
+      }
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Inspect hybrid content and store findings to a job.
   // To review the findings, inspect the job. Inspection will occur
   // asynchronously.
@@ -842,6 +855,62 @@ service DlpService {
       body: "*"
     };
   }
+
+  // Create a Connection to an external data source.
+  rpc CreateConnection(CreateConnectionRequest) returns (Connection) {
+    option (google.api.http) = {
+      post: "/v2/{parent=projects/*/locations/*}/connections"
+      body: "*"
+    };
+    option (google.api.method_signature) = "parent, connection";
+  }
+
+  // Get a Connection by name.
+  rpc GetConnection(GetConnectionRequest) returns (Connection) {
+    option (google.api.http) = {
+      get: "/v2/{name=projects/*/locations/*/connections/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Lists Connections in a parent.
+  rpc ListConnections(ListConnectionsRequest)
+      returns (ListConnectionsResponse) {
+    option (google.api.http) = {
+      get: "/v2/{parent=projects/*/locations/*}/connections"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Searches for Connections in a parent.
+  rpc SearchConnections(SearchConnectionsRequest)
+      returns (SearchConnectionsResponse) {
+    option (google.api.http) = {
+      get: "/v2/{parent=projects/*/locations/*}/connections:search"
+      additional_bindings {
+        get: "/v2/{parent=organizations/*/locations/*}/connections:search"
+      }
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Delete a Connection.
+  rpc DeleteConnection(DeleteConnectionRequest)
+      returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v2/{name=projects/*/locations/*/connections/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Update a Connection.
+  rpc UpdateConnection(UpdateConnectionRequest) returns (Connection) {
+    option (google.api.http) = {
+      patch: "/v2/{name=projects/*/locations/*/connections/*}"
+      body: "*"
+    };
+    option (google.api.method_signature) = "name";
+  }
 }
 
 // List of excluded infoTypes.
@@ -1784,6 +1853,10 @@ message InspectDataSourceDetails {
     // inspect job.
     repeated InfoTypeStats info_type_stats = 3;
 
+    // Number of rows scanned post sampling and time filtering (Applicable for
+    // row based stores such as BigQuery).
+    int64 num_rows_processed = 5;
+
     // Statistics related to the processing of hybrid inspect.
     HybridInspectStatistics hybrid_stats = 7;
   }
@@ -1970,6 +2043,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Japan.
     JAPAN = 20;
 
+    // The infoType is typically used in Kazakhstan.
+    KAZAKHSTAN = 47;
+
     // The infoType is typically used in Korea.
     KOREA = 21;
 
@@ -1997,6 +2073,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Portugal.
     PORTUGAL = 28;
 
+    // The infoType is typically used in Russia.
+    RUSSIA = 44;
+
     // The infoType is typically used in Singapore.
     SINGAPORE = 29;
 
@@ -2021,6 +2100,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Turkey.
     TURKEY = 35;
 
+    // The infoType is typically used in Ukraine.
+    UKRAINE = 45;
+
     // The infoType is typically used in the United Kingdom.
     UNITED_KINGDOM = 36;
 
@@ -2030,6 +2112,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Uruguay.
     URUGUAY = 38;
 
+    // The infoType is typically used in Uzbekistan.
+    UZBEKISTAN = 46;
+
     // The infoType is typically used in Venezuela.
     VENEZUELA = 39;
 
@@ -3853,7 +3938,7 @@ message Error {
   repeated google.protobuf.Timestamp timestamps = 2;
 }
 
-// Contains a configuration to make dlp api calls on a repeating basis.
+// Contains a configuration to make api calls on a repeating basis.
 // See
 // https://cloud.google.com/sensitive-data-protection/docs/concepts-job-triggers
 // to learn more.
@@ -4635,8 +4720,14 @@ message DataProfileAction {
   // of your choice whenever updated.
   message Export {
     // Store all table and column profiles in an existing table or a new table
-    // in an existing dataset. Each re-generation will result in a new row in
-    // BigQuery.
+    // in an existing dataset. Each re-generation will result in new rows in
+    // BigQuery. Data is inserted using [streaming
+    // insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
+    // and so data may be in the buffer for a period of time after the profile
+    // has finished. The Pub/Sub notification is sent before the streaming
+    // buffer is guaranteed to be written, so data may not be instantly
+    // visible to queries by the time your topic receives the Pub/Sub
+    // notification.
     BigQueryTable profile_table = 1;
   }
 
@@ -4652,7 +4743,7 @@ message DataProfileAction {
       // The full table data profile.
       TABLE_PROFILE = 1;
 
-      // The resource name of the table.
+      // The name of the profiled resource.
       RESOURCE_NAME = 2;
     }
 
@@ -4683,12 +4774,12 @@ message DataProfileAction {
     NEW_PROFILE = 1;
 
     // Changed one of the following profile metrics:
-    // * Table data risk score
-    // * Table sensitivity score
-    // * Table resource visibility
-    // * Table encryption type
-    // * Table predicted infoTypes
-    // * Table other infoTypes
+    // * Data risk score
+    // * Sensitivity score
+    // * Resource visibility
+    // * Encryption type
+    // * Predicted infoTypes
+    // * Other infoTypes
     CHANGED_PROFILE = 2;
 
     // Table data risk score or sensitivity score increased.
@@ -4941,6 +5032,10 @@ message DiscoveryTarget {
     // BigQuery target for Discovery. The first target to match a table will be
     // the one applied.
     BigQueryDiscoveryTarget big_query_target = 1;
+
+    // Cloud SQL target for Discovery. The first target to match a table will be
+    // the one applied.
+    CloudSqlDiscoveryTarget cloud_sql_target = 2;
   }
 }
 
@@ -5104,6 +5199,187 @@ enum BigQuerySchemaModification {
   SCHEMA_REMOVED_COLUMNS = 2;
 }
 
+// Target used to match against for discovery with Cloud SQL tables.
+message CloudSqlDiscoveryTarget {
+  // Required. The tables the discovery cadence applies to. The first target
+  // with a matching filter will be the one to apply to a table.
+  DiscoveryCloudSqlFilter filter = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // In addition to matching the filter, these conditions must be true
+  // before a profile is generated.
+  DiscoveryCloudSqlConditions conditions = 2;
+
+  // Type of schedule.
+  oneof cadence {
+    // How often and when to update profiles. New tables that match both the
+    // filter and conditions are scanned as quickly as possible depending on
+    // system capacity.
+    DiscoveryCloudSqlGenerationCadence generation_cadence = 3;
+
+    // Disable profiling for database resources that match this filter.
+    Disabled disabled = 4;
+  }
+}
+
+// Determines what tables will have profiles generated within an organization
+// or project. Includes the ability to filter by regular expression patterns
+// on project ID, location, instance, database, and database resource name.
+message DiscoveryCloudSqlFilter {
+  // Whether the filter applies to a specific set of database resources or all
+  // other database resources within the location being profiled. The first
+  // filter to match will be applied, regardless of the condition. If none is
+  // set, will default to `others`.
+  oneof filter {
+    // A specific set of database resources for this filter to apply to.
+    DatabaseResourceCollection collection = 1;
+
+    // Catch-all. This should always be the last target in the list because
+    // anything above it will apply first. Should only appear once in a
+    // configuration. If none is specified, a default one will be added
+    // automatically.
+    AllOtherDatabaseResources others = 2;
+
+    // The database resource to scan. Targets including this can only include
+    // one target (the target with this database resource reference).
+    DatabaseResourceReference database_resource_reference = 3;
+  }
+}
+
+// Match database resources using regex filters. Examples of database
+// resources are tables, views, and stored procedures.
+message DatabaseResourceCollection {
+  // The first filter containing a pattern that matches a database resource will
+  // be used.
+  oneof pattern {
+    // A collection of regular expressions to match a database resource against.
+    DatabaseResourceRegexes include_regexes = 1;
+  }
+}
+
+// A collection of regular expressions to determine what database resources to
+// match against.
+message DatabaseResourceRegexes {
+  // A group of regular expression patterns to match against one or more
+  // database resources.
+  // Maximum of 100 entries. The sum of all regular expression's length can't
+  // exceed 10 KiB.
+  repeated DatabaseResourceRegex patterns = 1;
+}
+
+// A pattern to match against one or more database resources. At least one
+// pattern must be specified. Regular expressions use RE2
+// [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
+// under the google/re2 repository on GitHub.
+message DatabaseResourceRegex {
+  // For organizations, if unset, will match all projects. Has no effect
+  // for Data Profile configurations created within a project.
+  string project_id_regex = 1;
+
+  // Regex to test the instance name against. If empty, all instances match.
+  string instance_regex = 2;
+
+  // Regex to test the database name against. If empty, all databases match.
+  string database_regex = 3;
+
+  // Regex to test the database resource's name against. An example of a
+  // database resource name is a table's name. Other database resource names
+  // like view names could be included in the future. If empty, all database
+  // resources match.
+  string database_resource_name_regex = 4;
+}
+
+// Match database resources not covered by any other filter.
+message AllOtherDatabaseResources {}
+
+// Identifies a single database resource, like a table within a database.
+message DatabaseResourceReference {
+  // Required. If within a project-level config, then this must match the
+  // config's project id.
+  string project_id = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The instance where this resource is located. For example: Cloud
+  // SQL's instance id.
+  string instance = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Requirements that must be true before a table is profiled for the
+// first time.
+message DiscoveryCloudSqlConditions {
+  // The database engines that should be profiled.
+  enum DatabaseEngine {
+    // Unused.
+    DATABASE_ENGINE_UNSPECIFIED = 0;
+
+    // Include all supported database engines.
+    ALL_SUPPORTED_DATABASE_ENGINES = 1;
+
+    // MySql database.
+    MYSQL = 2;
+
+    // PostGres database.
+    POSTGRES = 3;
+  }
+
+  // Cloud SQL database resource types. New values can be added at a later time.
+  enum DatabaseResourceType {
+    // Unused.
+    DATABASE_RESOURCE_TYPE_UNSPECIFIED = 0;
+
+    // Includes database resource types that become supported at a later time.
+    DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES = 1;
+
+    // Tables.
+    DATABASE_RESOURCE_TYPE_TABLE = 2;
+  }
+
+  // Optional. Database engines that should be profiled.
+  // Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
+  repeated DatabaseEngine database_engines = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Data profiles will only be generated for the database resource types
+  // specified in this field.
+  // If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
+  repeated DatabaseResourceType types = 3;
+}
+
+// How often existing tables should have their profiles refreshed.
+// New tables are scanned as quickly as possible depending on system
+// capacity.
+message DiscoveryCloudSqlGenerationCadence {
+  // How frequency to modify the profile when the table's schema is modified.
+  message SchemaModifiedCadence {
+    // The type of modification that causes a profile update.
+    enum CloudSqlSchemaModification {
+      // Unused.
+      SQL_SCHEMA_MODIFICATION_UNSPECIFIED = 0;
+
+      // New columns has appeared.
+      NEW_COLUMNS = 1;
+
+      // Columns have been removed from the table.
+      REMOVED_COLUMNS = 2;
+    }
+
+    // The types of schema modifications to consider.
+    // Defaults to NEW_COLUMNS.
+    repeated CloudSqlSchemaModification types = 1;
+
+    // Frequency to regenerate data profiles when the schema is modified.
+    // Defaults to monthly.
+    DataProfileUpdateFrequency frequency = 2;
+  }
+
+  // When to reprofile if the schema has changed.
+  SchemaModifiedCadence schema_modified_cadence = 1;
+
+  // Data changes (non-schema changes) in Cloud SQL tables can't trigger
+  // reprofiling. If you set this field, profiles are refreshed at this
+  // frequency regardless of whether the underlying tables have changes.
+  // Defaults to never.
+  DataProfileUpdateFrequency refresh_frequency = 2;
+}
+
 // The location to begin a discovery scan. Denotes an organization ID or folder
 // ID within an organization.
 message DiscoveryStartingLocation {
@@ -5978,7 +6254,7 @@ message ListProjectDataProfilesRequest {
   //
   // Supported fields are:
   //
-  // - `project_id`: GCP project ID
+  // - `project_id`: Google Cloud project ID
   // - `sensitivity_level`: How sensitive the data in a project is, at most.
   // - `data_risk_level`: How much risk is associated with this data.
   // - `profile_last_generated`: When the profile was last updated in epoch
@@ -6049,7 +6325,7 @@ message ListTableDataProfilesRequest {
   //
   // Supported fields are:
   //
-  // - `project_id`: The GCP project ID.
+  // - `project_id`: The Google Cloud project ID.
   // - `dataset_id`: The ID of a BigQuery dataset.
   // - `table_id`: The ID of a BigQuery table.
   // - `sensitivity_level`: How sensitive the data in a table is, at most.
@@ -6070,7 +6346,7 @@ message ListTableDataProfilesRequest {
   // sequence of restrictions implicitly uses `AND`.
   // * A restriction has the form of `{field} {operator} {value}`.
   // * Supported fields/values:
-  //     - `project_id` - The GCP project ID.
+  //     - `project_id` - The Google Cloud project ID.
   //     - `dataset_id` - The BigQuery dataset ID.
   //     - `table_id` - The ID of the BigQuery table.
   //     - `sensitivity_level` - HIGH|MODERATE|LOW
@@ -6217,6 +6493,7 @@ message ProjectDataProfile {
     pattern: "organizations/{organization}/locations/{location}/projectDataProfiles/{project_data_profile}"
     pattern: "projects/{project}/locations/{location}/projectDataProfiles/{project_data_profile}"
   };
+
   // The resource name of the profile.
   string name = 1;
 
@@ -6245,6 +6522,11 @@ enum ResourceVisibility {
   // Visible to any user.
   RESOURCE_VISIBILITY_PUBLIC = 10;
 
+  // May contain public items.
+  // For example, if a GCS bucket has uniform bucket level access disabled, some
+  // objects inside it may be public.
+  RESOURCE_VISIBILITY_INCONCLUSIVE = 15;
+
   // Visible only to specific users.
   RESOURCE_VISIBILITY_RESTRICTED = 20;
 }
@@ -6279,6 +6561,7 @@ message TableDataProfile {
     pattern: "organizations/{organization}/locations/{location}/tableDataProfiles/{table_data_profile}"
     pattern: "projects/{project}/locations/{location}/tableDataProfiles/{table_data_profile}"
   };
+
   // Possible states of a profile. New items may be added.
   enum State {
     // Unused.
@@ -6468,6 +6751,7 @@ message ColumnDataProfile {
     pattern: "organizations/{organization}/locations/{location}/columnDataProfiles/{column_data_profile}"
     pattern: "projects/{project}/locations/{location}/columnDataProfiles/{column_data_profile}"
   };
+
   // Possible states of a profile. New items may be added.
   enum State {
     // Unused.
@@ -6530,6 +6814,18 @@ message ColumnDataProfile {
 
     // Json type.
     TYPE_JSON = 14;
+
+    // Interval type.
+    TYPE_INTERVAL = 15;
+
+    // `Range<Date>` type.
+    TYPE_RANGE_DATE = 16;
+
+    // `Range<Datetime>` type.
+    TYPE_RANGE_DATETIME = 17;
+
+    // `Range<Timestamp>` type.
+    TYPE_RANGE_TIMESTAMP = 18;
   }
 
   // The possible policy states for a column.
@@ -6710,6 +7006,254 @@ message DataProfilePubSubMessage {
   DataProfileAction.EventType event = 2;
 }
 
+// Request message for CreateConnection.
+message CreateConnectionRequest {
+  // Required. Parent resource name in the format:
+  // `projects/{project}/locations/{location}`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "dlp.googleapis.com/Connection"
+    }
+  ];
+
+  // Required. The connection resource.
+  Connection connection = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for GetConnection.
+message GetConnectionRequest {
+  // Required. Resource name in the format:
+  // `projects/{project}/locations/{location}/connections/{connection}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = { type: "dlp.googleapis.com/Connection" }
+  ];
+}
+
+// Request message for ListConnections.
+message ListConnectionsRequest {
+  // Required. Parent name, for example:
+  // `projects/project-id/locations/global`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "dlp.googleapis.com/Connection"
+    }
+  ];
+
+  // Optional. Number of results per page, max 1000.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Page token from a previous page to return the next set of
+  // results. If set, all other request fields must match the original request.
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. * Supported fields/values
+  //     - `state` - MISSING|AVAILABLE|ERROR
+  string filter = 4 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Request message for SearchConnections.
+message SearchConnectionsRequest {
+  // Required. Parent name, typically an organization, without location.
+  // For example: `organizations/12345678`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "dlp.googleapis.com/Connection"
+    }
+  ];
+
+  // Optional. Number of results per page, max 1000.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Page token from a previous page to return the next set of
+  // results. If set, all other request fields must match the original request.
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. * Supported fields/values
+  //     - `state` - MISSING|AVAILABLE|ERROR
+  string filter = 4 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Response message for ListConnections.
+message ListConnectionsResponse {
+  // List of connections.
+  repeated Connection connections = 1;
+
+  // Token to retrieve the next page of results. An empty value means there are
+  // no more results.
+  string next_page_token = 2;
+}
+
+// Response message for SearchConnections.
+message SearchConnectionsResponse {
+  // List of connections that match the search query. Note that only a subset
+  // of the fields will be populated, and only "name" is guaranteed to be set.
+  // For full details of a Connection, call GetConnection with the name.
+  repeated Connection connections = 1;
+
+  // Token to retrieve the next page of results. An empty value means there are
+  // no more results.
+  string next_page_token = 2;
+}
+
+// Request message for UpdateConnection.
+message UpdateConnectionRequest {
+  // Required. Resource name in the format:
+  // `projects/{project}/locations/{location}/connections/{connection}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = { type: "dlp.googleapis.com/Connection" }
+  ];
+
+  // Required. The connection with new values for the relevant fields.
+  Connection connection = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. Mask to control which fields get updated.
+  google.protobuf.FieldMask update_mask = 3
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Request message for DeleteConnection.
+message DeleteConnectionRequest {
+  // Required. Resource name of the Connection to be deleted, in the format:
+  // `projects/{project}/locations/{location}/connections/{connection}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = { type: "dlp.googleapis.com/Connection" }
+  ];
+}
+
+// A data connection to allow DLP to profile data in locations that require
+// additional configuration.
+message Connection {
+  option (google.api.resource) = {
+    type: "dlp.googleapis.com/Connection"
+    pattern: "projects/{project}/locations/{location}/connections/{connection}"
+  };
+
+  // Output only. Name of the connection:
+  // `projects/{project}/locations/{location}/connections/{name}`.
+  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Required. The connection's state in its lifecycle.
+  ConnectionState state = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Output only. Set if status == ERROR, to provide additional details. Will
+  // store the last 10 errors sorted with the most recent first.
+  repeated Error errors = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Type of connection.
+  oneof properties {
+    // Connect to a Cloud SQL instance.
+    CloudSqlProperties cloud_sql = 4;
+  }
+}
+
+// State of the connection.
+// New values may be added over time.
+enum ConnectionState {
+  // Unused
+  CONNECTION_STATE_UNSPECIFIED = 0;
+
+  // DLP automatically created this connection during an initial scan, and it is
+  // awaiting full configuration by a user.
+  MISSING_CREDENTIALS = 1;
+
+  // A configured connection that has not encountered any errors.
+  AVAILABLE = 2;
+
+  // A configured connection that encountered errors during its last use. It
+  // will not be used again until it is set to AVAILABLE.
+  //
+  // If the resolution requires external action, then a request to set the
+  // status to AVAILABLE will mark this connection for use. Otherwise, any
+  // changes to the connection properties will automatically mark it as
+  // AVAILABLE.
+  ERROR = 3;
+}
+
+// A credential consisting of a username and password, where the password is
+// stored in a Secret Manager resource.
+// Note: Secret Manager [charges
+// apply](https://cloud.google.com/secret-manager/pricing).
+message SecretManagerCredential {
+  // Required. The username.
+  string username = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The name of the Secret Manager resource that stores the password,
+  // in the form `projects/project-id/secrets/secret-name/versions/version`.
+  string password_secret_version_name = 2
+      [(google.api.field_behavior) = REQUIRED];
+}
+
+// Use IAM auth to connect. This requires the Cloud SQL IAM feature to be
+// enabled on the instance, which is not the default for Cloud SQL.
+// See https://cloud.google.com/sql/docs/postgres/authentication and
+// https://cloud.google.com/sql/docs/mysql/authentication.
+message CloudSqlIamCredential {}
+
+// Cloud SQL connection properties.
+message CloudSqlProperties {
+  // Database engine of a Cloud SQL instance.
+  // New values may be added over time.
+  enum DatabaseEngine {
+    // An engine that is not currently supported by SDP.
+    DATABASE_ENGINE_UNKNOWN = 0;
+
+    // Cloud SQL for MySQL instance.
+    DATABASE_ENGINE_MYSQL = 1;
+
+    // Cloud SQL for Postgres instance.
+    DATABASE_ENGINE_POSTGRES = 2;
+  }
+
+  // Optional. Immutable. The Cloud SQL instance for which the connection is
+  // defined. Only one connection per instance is allowed. This can only be set
+  // at creation time, and cannot be updated.
+  //
+  // It is an error to use a connection_name from different project or region
+  // than the one that holds the connection.
+  // For example, a Connection resource for Cloud SQL connection_name
+  // `project-id:us-central1:sql-instance`
+  // must be created under the parent
+  // `projects/project-id/locations/us-central1`
+  string connection_name = 1 [
+    (google.api.field_behavior) = IMMUTABLE,
+    (google.api.field_behavior) = OPTIONAL
+  ];
+
+  // How to authenticate to the instance.
+  oneof credential {
+    // A username and password stored in Secret Manager.
+    SecretManagerCredential username_password = 2;
+
+    // Built-in IAM authentication (must be configured in Cloud SQL).
+    CloudSqlIamCredential cloud_sql_iam = 3;
+  }
+
+  // Required. DLP will limit its connections to max_connections.
+  // Must be 2 or greater.
+  int32 max_connections = 4 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The database engine used by the Cloud SQL instance that this
+  // connection configures.
+  DatabaseEngine database_engine = 7 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for DeleteTableProfile.
+message DeleteTableDataProfileRequest {
+  // Required. Resource name of the table data profile.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "dlp.googleapis.com/TableDataProfile"
+    }
+  ];
+}
+
 // Message used to identify the type of resource being profiled.
 message DataSourceType {
   // Output only. An identifying string to the type of resource being profiled.