// Copyright 2020 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.asset.v1; import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/cloud/asset/v1/assets.proto"; import "google/longrunning/operations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/timestamp.proto"; import "google/type/expr.proto"; option csharp_namespace = "Google.Cloud.Asset.V1"; option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1;asset"; option java_multiple_files = true; option java_outer_classname = "AssetServiceProto"; option java_package = "com.google.cloud.asset.v1"; option php_namespace = "Google\\Cloud\\Asset\\V1"; // Asset service definition. service AssetService { option (google.api.default_host) = "cloudasset.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; // Exports assets with time and resource types to a given Cloud Storage // location/BigQuery table. For Cloud Storage location destinations, the // output format is newline-delimited JSON. Each line represents a // [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON // format; for BigQuery table destinations, the output table stores the fields // in asset proto as columns. This API implements the // [google.longrunning.Operation][google.longrunning.Operation] API , which // allows you to keep track of the export. We recommend intervals of at least // 2 seconds with exponential retry to poll the export operation result. For // regular-size resource parent, the export operation usually finishes within // 5 minutes. rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=*/*}:exportAssets" body: "*" }; option (google.longrunning.operation_info) = { response_type: "google.cloud.asset.v1.ExportAssetsResponse" metadata_type: "google.cloud.asset.v1.ExportAssetsRequest" }; } // Batch gets the update history of assets that overlap a time window. // For IAM_POLICY content, this API outputs history when the asset and its // attached IAM POLICY both exist. This can create gaps in the output history. // Otherwise, this API outputs history with asset in both non-delete or // deleted status. // If a specified asset does not exist, this API returns an INVALID_ARGUMENT // error. rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest) returns (BatchGetAssetsHistoryResponse) { option (google.api.http) = { get: "/v1/{parent=*/*}:batchGetAssetsHistory" }; } // Creates a feed in a parent project/folder/organization to listen to its // asset updates. rpc CreateFeed(CreateFeedRequest) returns (Feed) { option (google.api.http) = { post: "/v1/{parent=*/*}/feeds" body: "*" }; option (google.api.method_signature) = "parent"; } // Gets details about an asset feed. rpc GetFeed(GetFeedRequest) returns (Feed) { option (google.api.http) = { get: "/v1/{name=*/*/feeds/*}" }; option (google.api.method_signature) = "name"; } // Lists all asset feeds in a parent project/folder/organization. rpc ListFeeds(ListFeedsRequest) returns (ListFeedsResponse) { option (google.api.http) = { get: "/v1/{parent=*/*}/feeds" }; option (google.api.method_signature) = "parent"; } // Updates an asset feed configuration. rpc UpdateFeed(UpdateFeedRequest) returns (Feed) { option (google.api.http) = { patch: "/v1/{feed.name=*/*/feeds/*}" body: "*" }; option (google.api.method_signature) = "feed"; } // Deletes an asset feed. rpc DeleteFeed(DeleteFeedRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=*/*/feeds/*}" }; option (google.api.method_signature) = "name"; } // Searches all the resources within the given accessible scope (e.g., a // project, a folder or an organization). Callers should have // cloud.assets.SearchAllResources permission upon the requested scope, // otherwise the request will be rejected. rpc SearchAllResources(SearchAllResourcesRequest) returns (SearchAllResourcesResponse) { option (google.api.http) = { get: "/v1/{scope=*/*}:searchAllResources" }; option (google.api.method_signature) = "scope,query,asset_types"; } // Searches all the IAM policies within the given accessible scope (e.g., a // project, a folder or an organization). Callers should have // cloud.assets.SearchAllIamPolicies permission upon the requested scope, // otherwise the request will be rejected. rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest) returns (SearchAllIamPoliciesResponse) { option (google.api.http) = { get: "/v1/{scope=*/*}:searchAllIamPolicies" }; option (google.api.method_signature) = "scope,query"; } } // Export asset request. message ExportAssetsRequest { // Required. The relative name of the root asset. This can only be an // organization number (such as "organizations/123"), a project ID (such as // "projects/my-project-id"), or a project number (such as "projects/12345"), // or a folder number (such as "folders/123"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "cloudasset.googleapis.com/Asset" } ]; // Timestamp to take an asset snapshot. This can only be set to a timestamp // between the current time and the current time minus 35 days (inclusive). // If not specified, the current time will be used. Due to delays in resource // data collection and indexing, there is a volatile window during which // running the same query may get different results. google.protobuf.Timestamp read_time = 2; // A list of asset types of which to take a snapshot for. Example: // "compute.googleapis.com/Disk". If specified, only matching assets will be // returned. See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) // for all supported asset types. repeated string asset_types = 3; // Asset content type. If not specified, no content but the asset name will be // returned. ContentType content_type = 4; // Required. Output configuration indicating where the results will be output // to. OutputConfig output_config = 5 [(google.api.field_behavior) = REQUIRED]; } // The export asset response. This message is returned by the // [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation] // method in the returned // [google.longrunning.Operation.response][google.longrunning.Operation.response] // field. message ExportAssetsResponse { // Time the snapshot was taken. google.protobuf.Timestamp read_time = 1; // Output configuration indicating where the results were output to. OutputConfig output_config = 2; } // Batch get assets history request. message BatchGetAssetsHistoryRequest { // Required. The relative name of the root asset. It can only be an // organization number (such as "organizations/123"), a project ID (such as // "projects/my-project-id")", or a project number (such as "projects/12345"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "cloudasset.googleapis.com/Asset" } ]; // A list of the full names of the assets. // See: https://cloud.google.com/asset-inventory/docs/resource-name-format // Example: // // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // // The request becomes a no-op if the asset name list is empty, and the max // size of the asset name list is 100 in one request. repeated string asset_names = 2; // Optional. The content type. ContentType content_type = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The time window for the asset history. Both start_time and // end_time are optional and if set, it must be after the current time minus // 35 days. If end_time is not set, it is default to current timestamp. // If start_time is not set, the snapshot of the assets at end_time will be // returned. The returned results contain all temporal assets whose time // window overlap with read_time_window. TimeWindow read_time_window = 4 [(google.api.field_behavior) = OPTIONAL]; } // Batch get assets history response. message BatchGetAssetsHistoryResponse { // A list of assets with valid time windows. repeated TemporalAsset assets = 1; } // Create asset feed request. message CreateFeedRequest { // Required. The name of the project/folder/organization where this feed // should be created in. It can only be an organization number (such as // "organizations/123"), a folder number (such as "folders/123"), a project ID // (such as "projects/my-project-id")", or a project number (such as // "projects/12345"). string parent = 1 [(google.api.field_behavior) = REQUIRED]; // Required. This is the client-assigned asset feed identifier and it needs to // be unique under a specific parent project/folder/organization. string feed_id = 2 [(google.api.field_behavior) = REQUIRED]; // Required. The feed details. The field `name` must be empty and it will be // generated in the format of: projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id Feed feed = 3 [(google.api.field_behavior) = REQUIRED]; } // Get asset feed request. message GetFeedRequest { // Required. The name of the Feed and it must be in the format of: // projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" } ]; } // List asset feeds request. message ListFeedsRequest { // Required. The parent project/folder/organization whose feeds are to be // listed. It can only be using project/folder/organization number (such as // "folders/12345")", or a project ID (such as "projects/my-project-id"). string parent = 1 [(google.api.field_behavior) = REQUIRED]; } message ListFeedsResponse { // A list of feeds. repeated Feed feeds = 1; } // Update asset feed request. message UpdateFeedRequest { // Required. The new values of feed details. It must match an existing feed // and the field `name` must be in the format of: // projects/project_number/feeds/feed_id or // folders/folder_number/feeds/feed_id or // organizations/organization_number/feeds/feed_id. Feed feed = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Only updates the `feed` fields indicated by this mask. // The field mask must not be empty, and it must not contain fields that // are immutable or only set by the server. google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; } message DeleteFeedRequest { // Required. The name of the feed and it must be in the format of: // projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" } ]; } // Output configuration for export assets destination. message OutputConfig { // Asset export destination. oneof destination { // Destination on Cloud Storage. GcsDestination gcs_destination = 1; // Destination on BigQuery. The output table stores the fields in asset // proto as columns in BigQuery. BigQueryDestination bigquery_destination = 2; } } // A Cloud Storage location. message GcsDestination { // Required. oneof object_uri { // The uri of the Cloud Storage object. It's the same uri that is used by // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and // Editing Object // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) // for more information. string uri = 1; // The uri prefix of all generated Cloud Storage objects. Example: // "gs://bucket_name/object_name_prefix". Each object uri is in format: // "gs://bucket_name/object_name_prefix// and only // contains assets for that type. starts from 0. Example: // "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is // the first shard of output objects containing all // compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be // returned if file with the same name "gs://bucket_name/object_name_prefix" // already exists. string uri_prefix = 2; } } // A BigQuery destination for exporting assets to. message BigQueryDestination { // Required. The BigQuery dataset in format // "projects/projectId/datasets/datasetId", to which the snapshot result // should be exported. If this dataset does not exist, the export call returns // an INVALID_ARGUMENT error. string dataset = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The BigQuery table to which the snapshot result should be // written. If this table does not exist, a new table with the given name // will be created. string table = 2 [(google.api.field_behavior) = REQUIRED]; // If the destination table already exists and this flag is `TRUE`, the // table will be overwritten by the contents of assets snapshot. If the flag // is `FALSE` or unset and the destination table already exists, the export // call returns an INVALID_ARGUMEMT error. bool force = 3; } // A Pub/Sub destination. message PubsubDestination { // The name of the Pub/Sub topic to publish to. // Example: `projects/PROJECT_ID/topics/TOPIC_ID`. string topic = 1; } // Output configuration for asset feed destination. message FeedOutputConfig { // Asset feed destination. oneof destination { // Destination on Pub/Sub. PubsubDestination pubsub_destination = 1; } } // An asset feed used to export asset updates to a destinations. // An asset feed filter controls what updates are exported. // The asset feed must be created within a project, organization, or // folder. Supported destinations are: // Pub/Sub topics. message Feed { option (google.api.resource) = { type: "cloudasset.googleapis.com/Feed" pattern: "projects/{project}/feeds/{feed}" pattern: "folders/{folder}/feeds/{feed}" pattern: "organizations/{organization}/feeds/{feed}" history: ORIGINALLY_SINGLE_PATTERN }; // Required. The format will be // projects/{project_number}/feeds/{client-assigned_feed_identifier} or // folders/{folder_number}/feeds/{client-assigned_feed_identifier} or // organizations/{organization_number}/feeds/{client-assigned_feed_identifier} // // The client-assigned feed identifier must be unique within the parent // project/folder/organization. string name = 1 [(google.api.field_behavior) = REQUIRED]; // A list of the full names of the assets to receive updates. You must specify // either or both of asset_names and asset_types. Only asset updates matching // specified asset_names or asset_types are exported to the feed. // Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // See [Resource // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name) // for more info. repeated string asset_names = 2; // A list of types of the assets to receive updates. You must specify either // or both of asset_names and asset_types. Only asset updates matching // specified asset_names or asset_types are exported to the feed. // Example: `"compute.googleapis.com/Disk"` // // See [this // topic](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for a list of all supported asset types. repeated string asset_types = 3; // Asset content type. If not specified, no content but the asset name and // type will be returned. ContentType content_type = 4; // Required. Feed output configuration defining where the asset updates are // published to. FeedOutputConfig feed_output_config = 5 [(google.api.field_behavior) = REQUIRED]; // A condition which determines whether an asset update should be published. // If specified, an asset will be returned only when the expression evaluates // to true. // When set, `expression` field in the `Expr` must be a valid [CEL expression] // (https://github.com/google/cel-spec) on a TemporalAsset with name // `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted // == true") will only publish Asset deletions. Other fields in `Expr` are // optional. google.type.Expr condition = 6; } // Search all resources request. message SearchAllResourcesRequest { // Required. A scope can be a project, a folder or an organization. The search // is limited to the resources within the `scope`. // // The allowed values are: // // * projects/{PROJECT_ID} // * projects/{PROJECT_NUMBER} // * folders/{FOLDER_NUMBER} // * organizations/{ORGANIZATION_NUMBER} string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. The query statement. An empty query can be specified to search // all the resources of certain `asset_types` within the given `scope`. // // Examples: // // * `name : "Important"` to find Cloud resources whose name contains // "Important" as a word. // * `displayName : "Impor*"` to find Cloud resources whose display name // contains "Impor" as a word prefix. // * `description : "*por*"` to find Cloud resources whose description // contains "por" as a substring. // * `location : "us-west*"` to find Cloud resources whose location is // prefixed with "us-west". // * `labels : "prod"` to find Cloud resources whose labels contain "prod" as // a key or value. // * `labels.env : "prod"` to find Cloud resources which have a label "env" // and its value is "prod". // * `labels.env : *` to find Cloud resources which have a label "env". // * `"Important"` to find Cloud resources which contain "Important" as a word // in any of the searchable fields. // * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix // in any of the searchable fields. // * `"*por*"` to find Cloud resources which contain "por" as a substring in // any of the searchable fields. // * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud // resources which contain "Important" as a word in any of the searchable // fields and are also located in the "us-west1" region or the "global" // location. // // See [how to construct a // query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query) // for more details. string query = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. A list of asset types that this request searches for. If empty, // it will search all the [searchable asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The page size for search result pagination. Page size is capped // at 500 even if a larger value is given. If set to zero, server will pick an // appropriate default. Returned results may be fewer than requested. When // this happens, there could be more results as long as `next_page_token` is // returned. int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. If present, then retrieve the next batch of results from the // preceding call to this method. `page_token` must be the value of // `next_page_token` from the previous response. The values of all other // method parameters, must be identical to those in the previous call. string page_token = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. A comma separated list of fields specifying the sorting order of // the results. The default order is ascending. Add " DESC" after the field // name to indicate descending order. Redundant space characters are ignored. // Example: "location DESC, name". See [supported resource metadata // fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields) // for more details. string order_by = 6 [(google.api.field_behavior) = OPTIONAL]; } // Search all resources response. message SearchAllResourcesResponse { // A list of Resources that match the search query. It contains the resource // standard metadata information. repeated ResourceSearchResult results = 1; // If there are more results than those appearing in this response, then // `next_page_token` is included. To get the next set of results, call this // method again using the value of `next_page_token` as `page_token`. string next_page_token = 2; } // Search all IAM policies request. message SearchAllIamPoliciesRequest { // Required. A scope can be a project, a folder or an organization. The search // is limited to the IAM policies within the `scope`. // // The allowed values are: // // * projects/{PROJECT_ID} // * projects/{PROJECT_NUMBER} // * folders/{FOLDER_NUMBER} // * organizations/{ORGANIZATION_NUMBER} string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. The query statement. An empty query can be specified to search // all the IAM policies within the given `scope`. // // Examples: // // * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that // specify user "amy@gmail.com". // * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that // specify the Compute Admin role. // * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM // policy bindings that specify a role containing "storage.buckets.update" // permission. // * `resource : "organizations/123"` to find Cloud IAM policy bindings that // are set on "organizations/123". // * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")` // to find Cloud IAM policy bindings that are set on "organizations/123" or // "folders/1234", and also specify user "amy". // // See [how to construct a // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query) // for more details. string query = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. The page size for search result pagination. Page size is capped // at 500 even if a larger value is given. If set to zero, server will pick an // appropriate default. Returned results may be fewer than requested. When // this happens, there could be more results as long as `next_page_token` is // returned. int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. If present, retrieve the next batch of results from the preceding // call to this method. `page_token` must be the value of `next_page_token` // from the previous response. The values of all other method parameters must // be identical to those in the previous call. string page_token = 4 [(google.api.field_behavior) = OPTIONAL]; } // Search all IAM policies response. message SearchAllIamPoliciesResponse { // A list of IamPolicy that match the search query. Related information such // as the associated resource is returned along with the policy. repeated IamPolicySearchResult results = 1; // Set if there are more results than those appearing in this response; to get // the next set of results, call this method again, using this value as the // `page_token`. string next_page_token = 2; } // Asset content type. enum ContentType { // Unspecified content type. CONTENT_TYPE_UNSPECIFIED = 0; // Resource metadata. RESOURCE = 1; // The actual IAM policy set on a resource. IAM_POLICY = 2; // The Cloud Organization Policy set on an asset. ORG_POLICY = 4; // The Cloud Access context mananger Policy set on an asset. ACCESS_POLICY = 5; }