// Copyright 2020 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.asset.v1; import "google/api/annotations.proto"; import "google/api/resource.proto"; import "google/cloud/orgpolicy/v1/orgpolicy.proto"; import "google/iam/v1/policy.proto"; import "google/identity/accesscontextmanager/v1/access_level.proto"; import "google/identity/accesscontextmanager/v1/access_policy.proto"; import "google/identity/accesscontextmanager/v1/service_perimeter.proto"; import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/rpc/code.proto"; option cc_enable_arenas = true; option csharp_namespace = "Google.Cloud.Asset.V1"; option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1;asset"; option java_multiple_files = true; option java_outer_classname = "AssetProto"; option java_package = "com.google.cloud.asset.v1"; option php_namespace = "Google\\Cloud\\Asset\\V1"; // An asset in Google Cloud and its temporal metadata, including the time window // when it was observed and its status during that window. message TemporalAsset { // State of prior asset. enum PriorAssetState { // prior_asset is not applicable for the current asset. PRIOR_ASSET_STATE_UNSPECIFIED = 0; // prior_asset is populated correctly. PRESENT = 1; // Failed to set prior_asset. INVALID = 2; // Current asset is the first known state. DOES_NOT_EXIST = 3; // prior_asset is a deletion. DELETED = 4; } // The time window when the asset data and state was observed. TimeWindow window = 1; // Whether the asset has been deleted or not. bool deleted = 2; // An asset in Google Cloud. Asset asset = 3; // State of prior_asset. PriorAssetState prior_asset_state = 4; // Prior copy of the asset. Populated if prior_asset_state is PRESENT. // Currently this is only set for responses in Real-Time Feed. Asset prior_asset = 5; } // A time window specified by its `start_time` and `end_time`. message TimeWindow { // Start time of the time window (exclusive). google.protobuf.Timestamp start_time = 1; // End time of the time window (inclusive). If not specified, the current // timestamp is used instead. google.protobuf.Timestamp end_time = 2; } // An asset in Google Cloud. An asset can be any resource in the Google Cloud // [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google // Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy). // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for more information. message Asset { option (google.api.resource) = { type: "cloudasset.googleapis.com/Asset" pattern: "*" }; // The last update timestamp of an asset. update_time is updated when // create/update/delete operation is performed. google.protobuf.Timestamp update_time = 11; // The full name of the asset. Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1` // // See [Resource // names](https://cloud.google.com/apis/design/resource_names#full_resource_name) // for more information. string name = 1; // The type of the asset. Example: `compute.googleapis.com/Disk` // // See [Supported asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for more information. string asset_type = 2; // A representation of the resource. Resource resource = 3; // A representation of the Cloud IAM policy set on a Google Cloud resource. // There can be a maximum of one Cloud IAM policy set on any given resource. // In addition, Cloud IAM policies inherit their granted access scope from any // policies set on parent resources in the resource hierarchy. Therefore, the // effectively policy is the union of both the policy set on this resource // and each policy set on all of the resource's ancestry resource levels in // the hierarchy. See // [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for // more information. google.iam.v1.Policy iam_policy = 4; // A representation of an [organization // policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). // There can be more than one organization policy with different constraints // set on a given resource. repeated google.cloud.orgpolicy.v1.Policy org_policy = 6; // A representation of an [access // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies). oneof access_context_policy { // Please also refer to the [access policy user // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies). google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7; // Please also refer to the [access level user // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels). google.identity.accesscontextmanager.v1.AccessLevel access_level = 8; // Please also refer to the [service perimeter user // guide](https://cloud.google.com/vpc-service-controls/docs/overview). google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9; } // The ancestry path of an asset in Google Cloud [resource // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // represented as a list of relative resource names. An ancestry path starts // with the closest ancestor in the hierarchy and ends at root. If the asset // is a project, folder, or organization, the ancestry path starts from the // asset itself. // // Example: `["projects/123456789", "folders/5432", "organizations/1234"]` repeated string ancestors = 10; } // A representation of a Google Cloud resource. message Resource { // The API version. Example: `v1` string version = 1; // The URL of the discovery document containing the resource's JSON schema. // Example: // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest` // // This value is unspecified for resources that do not have an API based on a // discovery document, such as Cloud Bigtable. string discovery_document_uri = 2; // The JSON schema name listed in the discovery document. Example: // `Project` // // This value is unspecified for resources that do not have an API based on a // discovery document, such as Cloud Bigtable. string discovery_name = 3; // The REST URL for accessing the resource. An HTTP `GET` request using this // URL returns the resource itself. Example: // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123` // // This value is unspecified for resources without a REST API. string resource_url = 4; // The full name of the immediate parent of this resource. See // [Resource // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name) // for more information. // // For Google Cloud assets, this value is the parent resource defined in the // [Cloud IAM policy // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy). // Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` // // For third-party assets, this field may be set differently. string parent = 5; // The content of the resource, in which some sensitive fields are removed // and may not be present. google.protobuf.Struct data = 6; // The location of the resource in Google Cloud, such as its zone and region. // For more information, see https://cloud.google.com/about/locations/. string location = 8; } // A result of Resource Search, containing information of a cloud resoure. message ResourceSearchResult { // The full resource name of this resource. Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // See [Cloud Asset Inventory Resource Name // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) // for more information. // // To search against the `name`: // // * use a field query. Example: `name : "instance1"` // * use a free text query. Example: `"instance1"` string name = 1; // The type of this resource. Example: `compute.googleapis.com/Disk`. // // To search against the `asset_type`: // // * specify the `asset_type` field in your search request. string asset_type = 2; // The project that this resource belongs to, in the form of // projects/{PROJECT_NUMBER}. // // To search against the `project`: // // * specify the `scope` field as this project in your search request. string project = 3; // The display name of this resource. // // To search against the `display_name`: // // * use a field query. Example: `displayName : "My Instance"` // * use a free text query. Example: `"My Instance"` string display_name = 4; // One or more paragraphs of text description of this resource. Maximum length // could be up to 1M bytes. // // To search against the `description`: // // * use a field query. Example: `description : "*important instance*"` // * use a free text query. Example: `"*important instance*"` string description = 5; // Location can be `global`, regional like `us-east1`, or zonal like // `us-west1-b`. // // To search against the `location`: // // * use a field query. Example: `location : "us-west*"` // * use a free text query. Example: `"us-west*"` string location = 6; // Labels associated with this resource. See [Labelling and grouping GCP // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) // for more information. // // To search against the `labels`: // // * use a field query, as following: // - query on any label's key or value. Example: `labels : "prod"` // - query by a given label. Example: `labels.env : "prod"` // - query by a given label'sexistence. Example: `labels.env : *` // * use a free text query. Example: `"prod"` map labels = 7; // Network tags associated with this resource. Like labels, network tags are a // type of annotations used to group GCP resources. See [Labelling GCP // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) // for more information. // // To search against the `network_tags`: // // * use a field query. Example: `networkTags : "internal"` // * use a free text query. Example: `"internal"` repeated string network_tags = 8; // The additional attributes of this resource. The attributes may vary from // one resource type to another. Examples: `projectId` for Project, // `dnsName` for DNS ManagedZone. // // To search against the `additional_attributes`: // // * use a free text query to match the attributes values. Example: to search // `additional_attributes = { dnsName: "foobar" }`, you can issue a query // `"foobar"`. google.protobuf.Struct additional_attributes = 9; } // A result of IAM Policy search, containing information of an IAM policy. message IamPolicySearchResult { // Explanation about the IAM policy search result. message Explanation { // IAM permissions message Permissions { // A list of permissions. A sample permission string: `compute.disk.get`. repeated string permissions = 1; } // The map from roles to their included permissions that match the // permission query (i.e., a query containing `policy.role.permissions:`). // Example: if query `policy.role.permissions : "compute.disk.get"` // matches a policy binding that contains owner role, the // matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The // roles can also be found in the returned `policy` bindings. Note that the // map is populated only for requests with permission queries. map matched_permissions = 1; } // The full resource name of the resource associated with this IAM policy. // Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // See [Cloud Asset Inventory Resource Name // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) // for more information. // // To search against the `resource`: // // * use a field query. Example: `resource : "organizations/123"` string resource = 1; // The project that the associated GCP resource belongs to, in the form of // projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM // instance, Cloud Storage bucket), the project field will indicate the // project that contains the resource. If an IAM policy is set on a folder or // orgnization, the project field will be empty. // // To search against the `project`: // // * specify the `scope` field as this project in your search request. string project = 2; // The IAM policy directly set on the given resource. Note that the original // IAM policy can contain multiple bindings. This only contains the bindings // that match the given query. For queries that don't contain a constrain on // policies (e.g., an empty query), this contains all the bindings. // // To search against the `policy` bindings: // // * use a field query, as following: // - query by the policy contained members. Example: // `policy : "amy@gmail.com"` // - query by the policy contained roles. Example: // `policy : "roles/compute.admin"` // - query by the policy contained roles' implied permissions. Example: // `policy.role.permissions : "compute.instances.create"` google.iam.v1.Policy policy = 3; // Explanation about the IAM policy search result. It contains additional // information to explain why the search result matches the query. Explanation explanation = 4; }