@google-cloud/dlp 5.7.0 → 5.8.0

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -798,6 +798,43 @@ service DlpService {
     option (google.api.method_signature) = "name";
   }
 
+  // Lists file store data profiles for an organization.
+  rpc ListFileStoreDataProfiles(ListFileStoreDataProfilesRequest)
+      returns (ListFileStoreDataProfilesResponse) {
+    option (google.api.http) = {
+      get: "/v2/{parent=organizations/*/locations/*}/fileStoreDataProfiles"
+      additional_bindings {
+        get: "/v2/{parent=projects/*/locations/*}/fileStoreDataProfiles"
+      }
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Gets a file store data profile.
+  rpc GetFileStoreDataProfile(GetFileStoreDataProfileRequest)
+      returns (FileStoreDataProfile) {
+    option (google.api.http) = {
+      get: "/v2/{name=organizations/*/locations/*/fileStoreDataProfiles/*}"
+      additional_bindings {
+        get: "/v2/{name=projects/*/locations/*/fileStoreDataProfiles/*}"
+      }
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Delete a FileStoreDataProfile. Will not prevent the profile from being
+  // regenerated if the resource is still included in a discovery configuration.
+  rpc DeleteFileStoreDataProfile(DeleteFileStoreDataProfileRequest)
+      returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v2/{name=organizations/*/locations/*/fileStoreDataProfiles/*}"
+      additional_bindings {
+        delete: "/v2/{name=projects/*/locations/*/fileStoreDataProfiles/*}"
+      }
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Gets a table data profile.
   rpc GetTableDataProfile(GetTableDataProfileRequest)
       returns (TableDataProfile) {
@@ -1174,6 +1211,15 @@ message ByteContentItem {
 
     // tsv
     TSV = 13;
+
+    // Audio file types. Only used for profiling.
+    AUDIO = 15;
+
+    // Video file types. Only used for profiling.
+    VIDEO = 16;
+
+    // Executable file types. Only used for profiling.
+    EXECUTABLE = 17;
   }
 
   // The type of data stored in the bytes string. Default will be TEXT_UTF8.
@@ -1288,6 +1334,7 @@ message Finding {
   // No more than 10 labels can be associated with a given finding.
   //
   // Examples:
+  //
   // * `"environment" : "production"`
   // * `"pipeline" : "etl"`
   map<string, string> labels = 10;
@@ -1519,9 +1566,9 @@ message RedactImageRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -1584,9 +1631,9 @@ message DeidentifyContentRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -1653,9 +1700,9 @@ message ReidentifyContentRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -1725,9 +1772,9 @@ message InspectContentRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -1878,6 +1925,9 @@ message DataProfileBigQueryRowSchema {
 
     // Column data profile column
     ColumnDataProfile column_profile = 2;
+
+    // File store data profile column.
+    FileStoreDataProfile file_store_profile = 3;
   }
 }
 
@@ -1986,12 +2036,18 @@ message InfoTypeCategory {
     // The infoType is typically used in Argentina.
     ARGENTINA = 2;
 
+    // The infoType is typically used in Armenia.
+    ARMENIA = 51;
+
     // The infoType is typically used in Australia.
     AUSTRALIA = 3;
 
     // The infoType is typically used in Azerbaijan.
     AZERBAIJAN = 48;
 
+    // The infoType is typically used in Belarus.
+    BELARUS = 50;
+
     // The infoType is typically used in Belgium.
     BELGIUM = 4;
 
@@ -3200,9 +3256,10 @@ message FixedSizeBucketingConfig {
 
 // Generalization function that buckets values based on ranges. The ranges and
 // replacement values are dynamically provided by the user for custom behavior,
-// such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
-// This can be used on
-// data of type: number, long, string, timestamp.
+// such as 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH.
+//
+// This can be used on data of type: number, long, string, timestamp.
+//
 // If the bound `Value` type differs from the type of data being transformed, we
 // will first attempt converting the type of the data to be transformed to match
 // the type of the bound before comparing.
@@ -3933,12 +3990,27 @@ message DeidentifyTemplate {
 // Details information about an error encountered during job execution or
 // the results of an unsuccessful activation of the JobTrigger.
 message Error {
+  // Additional information about the error.
+  enum ErrorExtraInfo {
+    // Unused.
+    ERROR_INFO_UNSPECIFIED = 0;
+
+    // Image scan is not available in the region.
+    IMAGE_SCAN_UNAVAILABLE_IN_REGION = 1;
+
+    // File store cluster is not supported for profile generation.
+    FILE_STORE_CLUSTER_UNSUPPORTED = 2;
+  }
+
   // Detailed error codes and messages.
   google.rpc.Status details = 1;
 
   // The times the error occurred. List includes the oldest timestamp and the
   // last 9 timestamps.
   repeated google.protobuf.Timestamp timestamps = 2;
+
+  // Additional information about the error.
+  ErrorExtraInfo extra_info = 4;
 }
 
 // Contains a configuration to make API calls on a repeating basis.
@@ -4114,7 +4186,7 @@ message Action {
     // Where to store the output.
     oneof output {
       // Required. User settable Cloud Storage bucket and folders to store
-      // de-identified files. This field must be set for cloud storage
+      // de-identified files. This field must be set for Cloud Storage
       // deidentification. The output Cloud Storage bucket must be different
       // from the input bucket. De-identified files will overwrite files in the
       // output path.
@@ -4124,12 +4196,12 @@ message Action {
     }
 
     // List of user-specified file type groups to transform. If specified, only
-    // the files with these filetypes will be transformed. If empty, all
+    // the files with these file types will be transformed. If empty, all
     // supported files will be transformed. Supported types may be automatically
     // added over time. If a file type is set in this field that isn't supported
     // by the Deidentify action then the job will fail and will not be
-    // successfully created/started. Currently the only filetypes supported are:
-    // IMAGES, TEXT_FILES, CSV, TSV.
+    // successfully created/started. Currently the only file types supported
+    // are: IMAGES, TEXT_FILES, CSV, TSV.
     repeated FileType file_types_to_transform = 8;
   }
 
@@ -4208,13 +4280,13 @@ message CreateInspectTemplateRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
+  // + Organizations scope, location specified:
   //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
+  // + Organizations scope, no location specified (defaults to global):
   //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -4282,13 +4354,13 @@ message ListInspectTemplatesRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
+  // + Organizations scope, location specified:
   //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
+  // + Organizations scope, no location specified (defaults to global):
   //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -4311,7 +4383,7 @@ message ListInspectTemplatesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by,
+  // Comma-separated list of fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -4361,9 +4433,9 @@ message CreateJobTriggerRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -4431,8 +4503,13 @@ message GetJobTriggerRequest {
 message CreateDiscoveryConfigRequest {
   // Required. Parent resource name.
   //
-  // The format of this value is as follows:
-  // `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
+  // The format of this value varies depending on the scope of the request
+  // (project or organization):
+  //
+  // + Projects scope:
+  //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
+  // + Organizations scope:
+  //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
   // identifier `example-project`, and specifies the `europe-west3` location
@@ -4513,7 +4590,7 @@ message ListDiscoveryConfigsRequest {
   // Size of the page. This value can be limited by a server.
   int32 page_size = 3;
 
-  // Comma separated list of config fields to order by,
+  // Comma-separated list of config fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -4560,9 +4637,9 @@ message CreateDlpJobRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -4605,9 +4682,9 @@ message ListJobTriggersRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -4630,7 +4707,7 @@ message ListJobTriggersRequest {
   // Size of the page. This value can be limited by a server.
   int32 page_size = 3;
 
-  // Comma separated list of triggeredJob fields to order by,
+  // Comma-separated list of triggeredJob fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -4748,6 +4825,9 @@ message DataProfileAction {
 
       // The name of the profiled resource.
       RESOURCE_NAME = 2;
+
+      // The full file store data profile.
+      FILE_STORE_PROFILE = 3;
     }
 
     // Cloud Pub/Sub topic to send notifications to.
@@ -4925,7 +5005,7 @@ message DataProfileLocation {
     // The ID of an organization to scan.
     int64 organization_id = 1;
 
-    // The ID of the Folder within an organization to scan.
+    // The ID of the folder within an organization to scan.
     int64 folder_id = 2;
   }
 }
@@ -5040,6 +5120,10 @@ message DiscoveryTarget {
     // resource metadata and reports them as vulnerabilities to Security Command
     // Center. Only one target of this type is allowed.
     SecretsDiscoveryTarget secrets_target = 3;
+
+    // Cloud Storage target for Discovery. The first target to match a table
+    // will be the one applied.
+    CloudStorageDiscoveryTarget cloud_storage_target = 4;
   }
 }
 
@@ -5157,6 +5241,11 @@ message DiscoveryGenerationCadence {
 
   // Governs when to update data profiles when a table is modified.
   DiscoveryTableModifiedCadence table_modified_cadence = 2;
+
+  // Governs when to update data profiles when the inspection rules
+  // defined by the `InspectTemplate` change.
+  // If not set, changing the template will not cause a data profile to update.
+  DiscoveryInspectTemplateModifiedCadence inspect_template_modified_cadence = 3;
 }
 
 // The cadence at which to update data profiles when a table is modified.
@@ -5208,6 +5297,14 @@ enum BigQuerySchemaModification {
   SCHEMA_REMOVED_COLUMNS = 2;
 }
 
+// The cadence at which to update data profiles when the inspection rules
+// defined by the `InspectTemplate` change.
+message DiscoveryInspectTemplateModifiedCadence {
+  // How frequently data profiles can be updated when the template is modified.
+  // Defaults to never.
+  DataProfileUpdateFrequency frequency = 1;
+}
+
 // Target used to match against for discovery with Cloud SQL tables.
 message CloudSqlDiscoveryTarget {
   // Required. The tables the discovery cadence applies to. The first target
@@ -5410,6 +5507,225 @@ message DiscoveryCloudSqlGenerationCadence {
 // Security Command Center.
 message SecretsDiscoveryTarget {}
 
+// Target used to match against for discovery with Cloud Storage buckets.
+message CloudStorageDiscoveryTarget {
+  // Required. The buckets the generation_cadence applies to. The first target
+  // with a matching filter will be the one to apply to a bucket.
+  DiscoveryCloudStorageFilter filter = 1
+      [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. In addition to matching the filter, these conditions must be true
+  // before a profile is generated.
+  DiscoveryFileStoreConditions conditions = 4
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // How often and when to update profiles.
+  oneof cadence {
+    // Optional. How often and when to update profiles. New buckets that match
+    // both the filter and conditions are scanned as quickly as possible
+    // depending on system capacity.
+    DiscoveryCloudStorageGenerationCadence generation_cadence = 2
+        [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. Disable profiling for buckets that match this filter.
+    Disabled disabled = 3 [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// Determines which buckets will have profiles generated within an organization
+// or project. Includes the ability to filter by regular expression patterns
+// on project ID and bucket name.
+message DiscoveryCloudStorageFilter {
+  // Whether the filter applies to a specific set of buckets or all
+  // other buckets within the location being profiled. The first
+  // filter to match will be applied, regardless of the condition. If none is
+  // set, will default to `others`.
+  oneof filter {
+    // Optional. A specific set of buckets for this filter to apply to.
+    FileStoreCollection collection = 1 [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. The bucket to scan. Targets including this can only include one
+    // target (the target with this bucket). This enables profiling the contents
+    // of a single bucket, while the other options allow for easy profiling of
+    // many bucets within a project or an organization.
+    CloudStorageResourceReference cloud_storage_resource_reference = 2
+        [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. Catch-all. This should always be the last target in the list
+    // because anything above it will apply first. Should only appear once in a
+    // configuration. If none is specified, a default one will be added
+    // automatically.
+    AllOtherResources others = 100 [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// Match file stores (e.g. buckets) using regex filters.
+message FileStoreCollection {
+  // The first filter containing a pattern that matches a file store will
+  // be used.
+  oneof pattern {
+    // Optional. A collection of regular expressions to match a file store
+    // against.
+    FileStoreRegexes include_regexes = 1
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// A collection of regular expressions to determine what file store to match
+// against.
+message FileStoreRegexes {
+  // Required. The group of regular expression patterns to match against one or
+  // more file stores. Maximum of 100 entries. The sum of all regular
+  // expression's length can't exceed 10 KiB.
+  repeated FileStoreRegex patterns = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// A pattern to match against one or more file stores.
+message FileStoreRegex {
+  // The type of resource regex to use.
+  oneof resource_regex {
+    // Optional. Regex for Cloud Storage.
+    CloudStorageRegex cloud_storage_regex = 1
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
+// A pattern to match against one or more file stores. At least one
+// pattern must be specified. Regular expressions use RE2
+// [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
+// under the google/re2 repository on GitHub.
+message CloudStorageRegex {
+  // Optional. For organizations, if unset, will match all projects.
+  string project_id_regex = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Regex to test the bucket name against. If empty, all buckets
+  // match. Example: "marketing2021" or "(marketing)\d{4}" will both match the
+  // bucket gs://marketing2021
+  string bucket_name_regex = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Identifies a single Cloud Storage bucket.
+message CloudStorageResourceReference {
+  // Required. The bucket to scan.
+  string bucket_name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. If within a project-level config, then this must match the
+  // config's project id.
+  string project_id = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// How often existing buckets should have their profiles refreshed.
+// New buckets are scanned as quickly as possible depending on system
+// capacity.
+message DiscoveryCloudStorageGenerationCadence {
+  // Optional. Data changes in Cloud Storage can't trigger reprofiling. If you
+  // set this field, profiles are refreshed at this frequency regardless of
+  // whether the underlying buckets have changed. Defaults to never.
+  DataProfileUpdateFrequency refresh_frequency = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Governs when to update data profiles when the inspection rules
+  // defined by the `InspectTemplate` change.
+  // If not set, changing the template will not cause a data profile to update.
+  DiscoveryInspectTemplateModifiedCadence inspect_template_modified_cadence = 2
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Requirements that must be true before a Cloud Storage bucket or object is
+// scanned in discovery for the first time. There is an AND relationship between
+// the top-level attributes.
+message DiscoveryCloudStorageConditions {
+  // The attribute of an object. See
+  // https://cloud.google.com/storage/docs/storage-classes for more information
+  // on storage classes.
+  enum CloudStorageObjectAttribute {
+    // Unused.
+    CLOUD_STORAGE_OBJECT_ATTRIBUTE_UNSPECIFIED = 0;
+
+    // Scan objects regardless of the attribute.
+    ALL_SUPPORTED_OBJECTS = 1;
+
+    // Scan objects with the standard storage class.
+    STANDARD = 2;
+
+    // Scan objects with the nearline storage class. This will incur retrieval
+    // fees.
+    NEARLINE = 3;
+
+    // Scan objects with the coldline storage class. This will incur retrieval
+    // fees.
+    COLDLINE = 4;
+
+    // Scan objects with the archive storage class. This will incur retrieval
+    // fees.
+    ARCHIVE = 5;
+
+    // Scan objects with the regional storage class.
+    REGIONAL = 6;
+
+    // Scan objects with the multi-regional storage class.
+    MULTI_REGIONAL = 7;
+
+    // Scan objects with the dual-regional storage class. This will incur
+    // retrieval fees.
+    DURABLE_REDUCED_AVAILABILITY = 8;
+  }
+
+  // The attribute of a bucket.
+  enum CloudStorageBucketAttribute {
+    // Unused.
+    CLOUD_STORAGE_BUCKET_ATTRIBUTE_UNSPECIFIED = 0;
+
+    // Scan buckets regardless of the attribute.
+    ALL_SUPPORTED_BUCKETS = 1;
+
+    // Buckets with autoclass disabled
+    // (https://cloud.google.com/storage/docs/autoclass). Only one of
+    // AUTOCLASS_DISABLED or AUTOCLASS_ENABLED should be set.
+    AUTOCLASS_DISABLED = 2;
+
+    // Buckets with autoclass enabled
+    // (https://cloud.google.com/storage/docs/autoclass). Only one of
+    // AUTOCLASS_DISABLED or AUTOCLASS_ENABLED should be set. Scanning
+    // Autoclass-enabled buckets can affect object storage classes.
+    AUTOCLASS_ENABLED = 3;
+  }
+
+  // Required. Only objects with the specified attributes will be scanned. If an
+  // object has one of the specified attributes but is inside an excluded
+  // bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A
+  // profile will be created even if no objects match the
+  // included_object_attributes.
+  repeated CloudStorageObjectAttribute included_object_attributes = 1
+      [(google.api.field_behavior) = REQUIRED];
+
+  // Required. Only objects with the specified attributes will be scanned.
+  // Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
+  repeated CloudStorageBucketAttribute included_bucket_attributes = 2
+      [(google.api.field_behavior) = REQUIRED];
+}
+
+// Requirements that must be true before a file store is scanned in discovery
+// for the first time. There is an AND relationship between the top-level
+// attributes.
+message DiscoveryFileStoreConditions {
+  // Optional. File store must have been created after this date. Used to avoid
+  // backfilling.
+  google.protobuf.Timestamp created_after = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Minimum age a file store must have. If set, the value must be 1
+  // hour or greater.
+  google.protobuf.Duration min_age = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // File store specific conditions.
+  oneof conditions {
+    // Optional. Cloud Storage conditions.
+    DiscoveryCloudStorageConditions cloud_storage_conditions = 3
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+}
+
 // The location to begin a discovery scan. Denotes an organization ID or folder
 // ID within an organization.
 message DiscoveryStartingLocation {
@@ -5418,11 +5734,14 @@ message DiscoveryStartingLocation {
     // The ID of an organization to scan.
     int64 organization_id = 1;
 
-    // The ID of the Folder within an organization to scan.
+    // The ID of the folder within an organization to scan.
     int64 folder_id = 2;
   }
 }
 
+// Match discovery resources not covered by any other filter.
+message AllOtherResources {}
+
 // Combines all of the information about a DLP job.
 message DlpJob {
   option (google.api.resource) = {
@@ -5517,9 +5836,9 @@ message ListDlpJobsRequest {
   // processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -5573,7 +5892,7 @@ message ListDlpJobsRequest {
   // The type of job. Defaults to `DlpJobType.INSPECT`
   DlpJobType type = 5;
 
-  // Comma separated list of fields to order by,
+  // Comma-separated list of fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -5636,13 +5955,13 @@ message CreateDeidentifyTemplateRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
+  // + Organizations scope, location specified:
   //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
+  // + Organizations scope, no location specified (defaults to global):
   //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -5712,13 +6031,13 @@ message ListDeidentifyTemplatesRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
+  // + Organizations scope, location specified:
   //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
+  // + Organizations scope, no location specified (defaults to global):
   //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -5741,7 +6060,7 @@ message ListDeidentifyTemplatesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by,
+  // Comma-separated list of fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -5909,13 +6228,13 @@ message CreateStoredInfoTypeRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
+  // + Organizations scope, location specified:
   //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
+  // + Organizations scope, no location specified (defaults to global):
   //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -5985,9 +6304,9 @@ message ListStoredInfoTypesRequest {
   // (project or organization) and whether you have [specified a processing
   // location](https://cloud.google.com/sensitive-data-protection/docs/specifying-location):
   //
-  // + Projects scope, location specified:<br/>
+  // + Projects scope, location specified:
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Projects scope, no location specified (defaults to global):<br/>
+  // + Projects scope, no location specified (defaults to global):
   //   `projects/`<var>PROJECT_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
@@ -6010,7 +6329,7 @@ message ListStoredInfoTypesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by,
+  // Comma-separated list of fields to order by,
   // followed by `asc` or `desc` postfix. This list is case insensitive. The
   // default sorting order is ascending. Redundant space characters are
   // insignificant.
@@ -6126,6 +6445,7 @@ message HybridFindingDetails {
   // No more than 10 labels can be associated with a given finding.
   //
   // Examples:
+  //
   // * `"environment" : "production"`
   // * `"pipeline" : "etl"`
   map<string, string> labels = 5;
@@ -6273,7 +6593,7 @@ message ListProjectDataProfilesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by, followed by `asc` or `desc`
+  // Comma-separated list of fields to order by, followed by `asc` or `desc`
   // postfix. This list is case insensitive. The default sorting order is
   // ascending. Redundant space characters are insignificant. Only one order
   // field at a time is allowed.
@@ -6343,7 +6663,7 @@ message ListTableDataProfilesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by, followed by `asc` or `desc`
+  // Comma-separated list of fields to order by, followed by `asc` or `desc`
   // postfix. This list is case insensitive. The default sorting order is
   // ascending. Redundant space characters are insignificant. Only one order
   // field at a time is allowed.
@@ -6424,12 +6744,13 @@ message ListColumnDataProfilesRequest {
   // returns a page of max size 100.
   int32 page_size = 3;
 
-  // Comma separated list of fields to order by, followed by `asc` or `desc`
+  // Comma-separated list of fields to order by, followed by `asc` or `desc`
   // postfix. This list is case insensitive. The default sorting order is
   // ascending. Redundant space characters are insignificant. Only one order
   // field at a time is allowed.
   //
   // Examples:
+  //
   // * `project_id asc`
   // * `table_id`
   // * `sensitivity_level desc`
@@ -6500,6 +6821,9 @@ message DataRiskLevel {
     // data found.
     RISK_LOW = 10;
 
+    // Unable to determine risk.
+    RISK_UNKNOWN = 12;
+
     // Medium risk - Sensitive data may be present but additional access or fine
     // grain access restrictions appear to be present.  Consider limiting
     // access even further or transform data to mask.
@@ -6541,6 +6865,12 @@ message ProjectDataProfile {
 
   // Success or error status of the last attempt to profile the project.
   ProfileStatus profile_status = 7;
+
+  // The number of table data profiles generated for this project.
+  int64 table_data_profile_count = 9;
+
+  // The number of file store data profiles generated for this project.
+  int64 file_store_data_profile_count = 10;
 }
 
 // How broadly the data in the resource has been shared. New items may be added
@@ -6554,7 +6884,7 @@ enum ResourceVisibility {
 
   // May contain public items.
   // For example, if a Cloud Storage bucket has uniform bucket level access
-  // disabled, some objects inside it may be public.
+  // disabled, some objects inside it may be public, but none are known yet.
   RESOURCE_VISIBILITY_INCONCLUSIVE = 15;
 
   // Visible only to specific users.
@@ -6613,7 +6943,7 @@ message TableDataProfile {
   // The resource type that was profiled.
   DataSourceType data_source_type = 36;
 
-  // The resource name to the project data profile for this table.
+  // The resource name of the project data profile for this table.
   string project_data_profile = 2;
 
   // The Google Cloud project ID that owns the resource.
@@ -6936,6 +7266,164 @@ message ColumnDataProfile {
   ColumnPolicyState policy_state = 15;
 }
 
+// The profile for a file store.
+//
+// * Cloud Storage: maps 1:1 with a bucket.
+message FileStoreDataProfile {
+  option (google.api.resource) = {
+    type: "dlp.googleapis.com/FileStoreDataProfile"
+    pattern: "organizations/{organization}/locations/{location}/fileStoreDataProfiles/{file_store_data_profile}"
+    pattern: "projects/{project}/locations/{location}/fileStoreDataProfiles/{file_store_data_profile}"
+  };
+
+  // Possible states of a profile. New items may be added.
+  enum State {
+    // Unused.
+    STATE_UNSPECIFIED = 0;
+
+    // The profile is currently running. Once a profile has finished it will
+    // transition to DONE.
+    RUNNING = 1;
+
+    // The profile is no longer generating.
+    // If profile_status.status.code is 0, the profile succeeded, otherwise, it
+    // failed.
+    DONE = 2;
+  }
+
+  // The name of the profile.
+  string name = 1;
+
+  // The resource type that was profiled.
+  DataSourceType data_source_type = 2;
+
+  // The resource name of the project data profile for this file store.
+  string project_data_profile = 3;
+
+  // The Google Cloud project ID that owns the resource.
+  string project_id = 4;
+
+  // The location of the file store.
+  //
+  // * Cloud Storage:
+  // https://cloud.google.com/storage/docs/locations#available-locations
+  string file_store_location = 5;
+
+  // For resources that have multiple storage locations, these are those
+  // regions. For Cloud Storage this is the list of regions chosen for
+  // dual-region storage. `file_store_location` will normally be the
+  // corresponding multi-region for the list of individual locations. The first
+  // region is always picked as the processing and storage location for the data
+  // profile.
+  repeated string data_storage_locations = 19;
+
+  // The location type of the bucket (region, dual-region, multi-region, etc).
+  // If dual-region, expect data_storage_locations to be populated.
+  string location_type = 20;
+
+  // The file store path.
+  //
+  // * Cloud Storage: `gs://{bucket}`
+  string file_store_path = 6;
+
+  // The resource name of the resource profiled.
+  // https://cloud.google.com/apis/design/resource_names#full_resource_name
+  string full_resource = 24;
+
+  // The snapshot of the configurations used to generate the profile.
+  DataProfileConfigSnapshot config_snapshot = 7;
+
+  // Success or error status from the most recent profile generation attempt.
+  // May be empty if the profile is still being generated.
+  ProfileStatus profile_status = 8;
+
+  // State of a profile.
+  State state = 9;
+
+  // The last time the profile was generated.
+  google.protobuf.Timestamp profile_last_generated = 10;
+
+  // How broadly a resource has been shared.
+  ResourceVisibility resource_visibility = 11;
+
+  // The sensitivity score of this resource.
+  SensitivityScore sensitivity_score = 12;
+
+  // The data risk level of this resource.
+  DataRiskLevel data_risk_level = 13;
+
+  // The time the file store was first created.
+  google.protobuf.Timestamp create_time = 14;
+
+  // The time the file store was last modified.
+  google.protobuf.Timestamp last_modified_time = 15;
+
+  // FileClusterSummary per each cluster.
+  repeated FileClusterSummary file_cluster_summaries = 16;
+
+  // Attributes of the resource being profiled.
+  // Currently used attributes:
+  //
+  // * customer_managed_encryption: boolean
+  //     - true: the resource is encrypted with a customer-managed key.
+  //     - false: the resource is encrypted with a provider-managed key.
+  map<string, Value> resource_attributes = 17;
+
+  // The labels applied to the resource at the time the profile was generated.
+  map<string, string> resource_labels = 18;
+
+  // InfoTypes detected in this file store.
+  repeated FileStoreInfoTypeSummary file_store_info_type_summaries = 21;
+
+  // The file store does not have any files.
+  bool file_store_is_empty = 23;
+}
+
+// Information regarding the discovered InfoType.
+message FileStoreInfoTypeSummary {
+  // The InfoType seen.
+  InfoType info_type = 1;
+}
+
+// Information regarding the discovered file extension.
+message FileExtensionInfo {
+  // The file extension if set. (aka .pdf, .jpg, .txt)
+  string file_extension = 1;
+}
+
+// The file cluster summary.
+message FileClusterSummary {
+  // The file cluster type.
+  FileClusterType file_cluster_type = 1;
+
+  // InfoTypes detected in this cluster.
+  repeated FileStoreInfoTypeSummary file_store_info_type_summaries = 2;
+
+  // The sensitivity score of this cluster. The score will be SENSITIVITY_LOW
+  // if nothing has been scanned.
+  SensitivityScore sensitivity_score = 3;
+
+  // The data risk level of this cluster. RISK_LOW if nothing has been
+  // scanned.
+  DataRiskLevel data_risk_level = 4;
+
+  // A list of errors detected while scanning this cluster. The list is
+  // truncated to 10 per cluster.
+  repeated Error errors = 6;
+
+  // A sample of file types scanned in this cluster. Empty if no files were
+  // scanned.
+  repeated FileExtensionInfo file_extensions_scanned = 7;
+
+  // A sample of file types seen in this cluster. Empty if no files were seen.
+  repeated FileExtensionInfo file_extensions_seen = 8;
+
+  // True if no files exist in this cluster. If the bucket had more files than
+  // could be listed, this will be false even if no files for this cluster
+  // were seen and file_extensions_seen is empty.
+  bool no_files_exist = 9;
+}
+
 // Request to get a project data profile.
 message GetProjectDataProfileRequest {
   // Required. Resource name, for example
@@ -6948,6 +7436,112 @@ message GetProjectDataProfileRequest {
   ];
 }
 
+// Request to get a file store data profile.
+message GetFileStoreDataProfileRequest {
+  // Required. Resource name, for example
+  // `organizations/12345/locations/us/fileStoreDataProfiles/53234423`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "dlp.googleapis.com/ProjectDataProfile"
+    }
+  ];
+}
+
+// Request to list the file store profiles generated for a given organization or
+// project.
+message ListFileStoreDataProfilesRequest {
+  // Required. Resource name of the organization or project, for
+  // example `organizations/433245324/locations/europe` or
+  // `projects/project-id/locations/asia`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "dlp.googleapis.com/FileStoreDataProfile"
+    }
+  ];
+
+  // Optional. Page token to continue retrieval.
+  string page_token = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Size of the page. This value can be limited by the server. If
+  // zero, server returns a page of max size 100.
+  int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Comma-separated list of fields to order by, followed by `asc` or
+  // `desc` postfix. This list is case insensitive. The default sorting order is
+  // ascending. Redundant space characters are insignificant. Only one order
+  // field at a time is allowed.
+  //
+  // Examples:
+  //
+  // * `project_id asc`
+  // * `name`
+  // * `sensitivity_level desc`
+  //
+  // Supported fields are:
+  //
+  // - `project_id`: The Google Cloud project ID.
+  // - `sensitivity_level`: How sensitive the data in a table is, at most.
+  // - `data_risk_level`: How much risk is associated with this data.
+  // - `profile_last_generated`: When the profile was last updated in epoch
+  // seconds.
+  // - `last_modified`: The last time the resource was modified.
+  // - `resource_visibility`: Visibility restriction for this resource.
+  // - `name`: The name of the profile.
+  // - `create_time`: The time the file store was first created.
+  string order_by = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Allows filtering.
+  //
+  // Supported syntax:
+  //
+  // * Filter expressions are made up of one or more restrictions.
+  // * Restrictions can be combined by `AND` or `OR` logical operators. A
+  // sequence of restrictions implicitly uses `AND`.
+  // * A restriction has the form of `{field} {operator} {value}`.
+  // * Supported fields/values:
+  //     - `project_id` - The Google Cloud project ID.
+  //     - `file_store_path` - The path like "gs://bucket".
+  //     - `sensitivity_level` - HIGH|MODERATE|LOW
+  //     - `data_risk_level` - HIGH|MODERATE|LOW
+  //     - `resource_visibility`: PUBLIC|RESTRICTED
+  //     - `status_code` - an RPC status code as defined in
+  //     https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto
+  // * The operator must be `=` or `!=`.
+  //
+  // Examples:
+  //
+  // * `project_id = 12345 AND status_code = 1`
+  // * `project_id = 12345 AND sensitivity_level = HIGH`
+  // * `project_id = 12345 AND resource_visibility = PUBLIC`
+  // * `file_store_path = "gs://mybucket"`
+  //
+  // The length of this field should be no more than 500 characters.
+  string filter = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// List of file store data profiles generated for a given organization or
+// project.
+message ListFileStoreDataProfilesResponse {
+  // List of data profiles.
+  repeated FileStoreDataProfile file_store_data_profiles = 1;
+
+  // The next page token.
+  string next_page_token = 2;
+}
+
+// Request message for DeleteFileStoreProfile.
+message DeleteFileStoreDataProfileRequest {
+  // Required. Resource name of the file store data profile.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "dlp.googleapis.com/FileStoreDataProfile"
+    }
+  ];
+}
+
 // Request to get a table data profile.
 message GetTableDataProfileRequest {
   // Required. Resource name, for example
@@ -7032,6 +7626,11 @@ message DataProfilePubSubMessage {
   // `full_resource` will be populated.
   TableDataProfile profile = 1;
 
+  // If `DetailLevel` is `FILE_STORE_PROFILE` this will be fully populated.
+  // Otherwise, if `DetailLevel` is `RESOURCE_NAME`, then only `name` and
+  // `file_store_path` will be populated.
+  FileStoreDataProfile file_store_profile = 3;
+
   // The event that caused the Pub/Sub message to be sent.
   DataProfileAction.EventType event = 2;
 }
@@ -7288,3 +7887,46 @@ message DataSourceType {
   // Current values: google/bigquery/table, google/project
   string data_source = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
+
+// Message used to identify file cluster type being profiled.
+message FileClusterType {
+  // Cluster type. Each cluster corresponds to a set of file types.
+  // Over time new types may be added.
+  enum Cluster {
+    // Unused.
+    CLUSTER_UNSPECIFIED = 0;
+
+    // Unsupported files.
+    CLUSTER_UNKNOWN = 1;
+
+    // Plain text.
+    CLUSTER_TEXT = 2;
+
+    // Structured data like CSV, TSV etc.
+    CLUSTER_STRUCTURED_DATA = 3;
+
+    // Source code.
+    CLUSTER_SOURCE_CODE = 4;
+
+    // Rich document like docx, xlsx etc.
+    CLUSTER_RICH_DOCUMENT = 5;
+
+    // Images like jpeg, bmp.
+    CLUSTER_IMAGE = 6;
+
+    // Archives and containers like .zip, .tar etc.
+    CLUSTER_ARCHIVE = 7;
+
+    // Multimedia like .mp4, .avi etc.
+    CLUSTER_MULTIMEDIA = 8;
+
+    // Executable files like .exe, .class, .apk etc.
+    CLUSTER_EXECUTABLE = 9;
+  }
+
+  // File cluster type.
+  oneof file_cluster_type {
+    // Cluster type.
+    Cluster cluster = 1;
+  }
+}