// Copyright 2021 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.asset.v1; import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/cloud/asset/v1/assets.proto"; import "google/longrunning/operations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/rpc/status.proto"; import "google/type/expr.proto"; option csharp_namespace = "Google.Cloud.Asset.V1"; option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1;asset"; option java_multiple_files = true; option java_outer_classname = "AssetServiceProto"; option java_package = "com.google.cloud.asset.v1"; option php_namespace = "Google\\Cloud\\Asset\\V1"; // Asset service definition. service AssetService { option (google.api.default_host) = "cloudasset.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; // Exports assets with time and resource types to a given Cloud Storage // location/BigQuery table. For Cloud Storage location destinations, the // output format is newline-delimited JSON. Each line represents a // [google.cloud.asset.v1.Asset][google.cloud.asset.v1.Asset] in the JSON format; for BigQuery table // destinations, the output table stores the fields in asset proto as columns. // This API implements the [google.longrunning.Operation][google.longrunning.Operation] API // , which allows you to keep track of the export. We recommend intervals of // at least 2 seconds with exponential retry to poll the export operation // result. For regular-size resource parent, the export operation usually // finishes within 5 minutes. rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=*/*}:exportAssets" body: "*" }; option (google.longrunning.operation_info) = { response_type: "google.cloud.asset.v1.ExportAssetsResponse" metadata_type: "google.cloud.asset.v1.ExportAssetsRequest" }; } // Lists assets with time and resource types and returns paged results in // response. rpc ListAssets(ListAssetsRequest) returns (ListAssetsResponse) { option (google.api.http) = { get: "/v1/{parent=*/*}/assets" }; option (google.api.method_signature) = "parent"; } // Batch gets the update history of assets that overlap a time window. // For IAM_POLICY content, this API outputs history when the asset and its // attached IAM POLICY both exist. This can create gaps in the output history. // Otherwise, this API outputs history with asset in both non-delete or // deleted status. // If a specified asset does not exist, this API returns an INVALID_ARGUMENT // error. rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest) returns (BatchGetAssetsHistoryResponse) { option (google.api.http) = { get: "/v1/{parent=*/*}:batchGetAssetsHistory" }; } // Creates a feed in a parent project/folder/organization to listen to its // asset updates. rpc CreateFeed(CreateFeedRequest) returns (Feed) { option (google.api.http) = { post: "/v1/{parent=*/*}/feeds" body: "*" }; option (google.api.method_signature) = "parent"; } // Gets details about an asset feed. rpc GetFeed(GetFeedRequest) returns (Feed) { option (google.api.http) = { get: "/v1/{name=*/*/feeds/*}" }; option (google.api.method_signature) = "name"; } // Lists all asset feeds in a parent project/folder/organization. rpc ListFeeds(ListFeedsRequest) returns (ListFeedsResponse) { option (google.api.http) = { get: "/v1/{parent=*/*}/feeds" }; option (google.api.method_signature) = "parent"; } // Updates an asset feed configuration. rpc UpdateFeed(UpdateFeedRequest) returns (Feed) { option (google.api.http) = { patch: "/v1/{feed.name=*/*/feeds/*}" body: "*" }; option (google.api.method_signature) = "feed"; } // Deletes an asset feed. rpc DeleteFeed(DeleteFeedRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=*/*/feeds/*}" }; option (google.api.method_signature) = "name"; } // Searches all Cloud resources within the specified scope, such as a project, // folder, or organization. The caller must be granted the // `cloudasset.assets.searchAllResources` permission on the desired scope, // otherwise the request will be rejected. rpc SearchAllResources(SearchAllResourcesRequest) returns (SearchAllResourcesResponse) { option (google.api.http) = { get: "/v1/{scope=*/*}:searchAllResources" }; option (google.api.method_signature) = "scope,query,asset_types"; } // Searches all IAM policies within the specified scope, such as a project, // folder, or organization. The caller must be granted the // `cloudasset.assets.searchAllIamPolicies` permission on the desired scope, // otherwise the request will be rejected. rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest) returns (SearchAllIamPoliciesResponse) { option (google.api.http) = { get: "/v1/{scope=*/*}:searchAllIamPolicies" }; option (google.api.method_signature) = "scope,query"; } // Analyzes IAM policies to answer which identities have what accesses on // which resources. rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) { option (google.api.http) = { get: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicy" }; } // Analyzes IAM policies asynchronously to answer which identities have what // accesses on which resources, and writes the analysis results to a Google // Cloud Storage or a BigQuery destination. For Cloud Storage destination, the // output format is the JSON format that represents a // [AnalyzeIamPolicyResponse][google.cloud.asset.v1.AnalyzeIamPolicyResponse]. This method implements the // [google.longrunning.Operation][google.longrunning.Operation], which allows you to track the operation // status. We recommend intervals of at least 2 seconds with exponential // backoff retry to poll the operation result. The metadata contains the // metadata for the long-running operation. rpc AnalyzeIamPolicyLongrunning(AnalyzeIamPolicyLongrunningRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{analysis_query.scope=*/*}:analyzeIamPolicyLongrunning" body: "*" }; option (google.longrunning.operation_info) = { response_type: "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningResponse" metadata_type: "google.cloud.asset.v1.AnalyzeIamPolicyLongrunningMetadata" }; } // Analyze moving a resource to a specified destination without kicking off // the actual move. The analysis is best effort depending on the user's // permissions of viewing different hierarchical policies and configurations. // The policies and configuration are subject to change before the actual // resource migration takes place. rpc AnalyzeMove(AnalyzeMoveRequest) returns (AnalyzeMoveResponse) { option (google.api.http) = { get: "/v1/{resource=*/*}:analyzeMove" }; } } // Represents the metadata of the longrunning operation for the // AnalyzeIamPolicyLongrunning rpc. message AnalyzeIamPolicyLongrunningMetadata { // Output only. The time the operation was created. google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Export asset request. message ExportAssetsRequest { // Required. The relative name of the root asset. This can only be an // organization number (such as "organizations/123"), a project ID (such as // "projects/my-project-id"), or a project number (such as "projects/12345"), // or a folder number (such as "folders/123"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "cloudasset.googleapis.com/Asset" } ]; // Timestamp to take an asset snapshot. This can only be set to a timestamp // between the current time and the current time minus 35 days (inclusive). // If not specified, the current time will be used. Due to delays in resource // data collection and indexing, there is a volatile window during which // running the same query may get different results. google.protobuf.Timestamp read_time = 2; // A list of asset types to take a snapshot for. For example: // "compute.googleapis.com/Disk". // // Regular expressions are also supported. For example: // // * "compute.googleapis.com.*" snapshots resources whose asset type starts // with "compute.googleapis.com". // * ".*Instance" snapshots resources whose asset type ends with "Instance". // * ".*Instance.*" snapshots resources whose asset type contains "Instance". // // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported // regular expression syntax. If the regular expression does not match any // supported asset type, an INVALID_ARGUMENT error will be returned. // // If specified, only matching assets will be returned, otherwise, it will // snapshot all asset types. See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) // for all supported asset types. repeated string asset_types = 3; // Asset content type. If not specified, no content but the asset name will be // returned. ContentType content_type = 4; // Required. Output configuration indicating where the results will be output to. OutputConfig output_config = 5 [(google.api.field_behavior) = REQUIRED]; // A list of relationship types to export, for example: // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if // content_type=RELATIONSHIP. // * If specified: // it snapshots specified relationships. It returns an error if // any of the [relationship_types] doesn't belong to the supported // relationship types of the [asset_types] or if any of the [asset_types] // doesn't belong to the source types of the [relationship_types]. // * Otherwise: // it snapshots the supported relationships for all [asset_types] or returns // an error if any of the [asset_types] has no relationship support. // An unspecified asset types field means all supported asset_types. // See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) for all // supported asset types and relationship types. repeated string relationship_types = 6; } // The export asset response. This message is returned by the // [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation] method in the returned // [google.longrunning.Operation.response][google.longrunning.Operation.response] field. message ExportAssetsResponse { // Time the snapshot was taken. google.protobuf.Timestamp read_time = 1; // Output configuration indicating where the results were output to. OutputConfig output_config = 2; // Output result indicating where the assets were exported to. For example, a // set of actual Google Cloud Storage object uris where the assets are // exported to. The uris can be different from what [output_config] has // specified, as the service will split the output object into multiple ones // once it exceeds a single Google Cloud Storage object limit. OutputResult output_result = 3; } // ListAssets request. message ListAssetsRequest { // Required. Name of the organization or project the assets belong to. Format: // "organizations/[organization-number]" (such as "organizations/123"), // "projects/[project-id]" (such as "projects/my-project-id"), or // "projects/[project-number]" (such as "projects/12345"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "cloudasset.googleapis.com/Asset" } ]; // Timestamp to take an asset snapshot. This can only be set to a timestamp // between the current time and the current time minus 35 days (inclusive). // If not specified, the current time will be used. Due to delays in resource // data collection and indexing, there is a volatile window during which // running the same query may get different results. google.protobuf.Timestamp read_time = 2; // A list of asset types to take a snapshot for. For example: // "compute.googleapis.com/Disk". // // Regular expression is also supported. For example: // // * "compute.googleapis.com.*" snapshots resources whose asset type starts // with "compute.googleapis.com". // * ".*Instance" snapshots resources whose asset type ends with "Instance". // * ".*Instance.*" snapshots resources whose asset type contains "Instance". // // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported // regular expression syntax. If the regular expression does not match any // supported asset type, an INVALID_ARGUMENT error will be returned. // // If specified, only matching assets will be returned, otherwise, it will // snapshot all asset types. See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) // for all supported asset types. repeated string asset_types = 3; // Asset content type. If not specified, no content but the asset name will // be returned. ContentType content_type = 4; // The maximum number of assets to be returned in a single response. Default // is 100, minimum is 1, and maximum is 1000. int32 page_size = 5; // The `next_page_token` returned from the previous `ListAssetsResponse`, or // unspecified for the first `ListAssetsRequest`. It is a continuation of a // prior `ListAssets` call, and the API should return the next page of assets. string page_token = 6; // A list of relationship types to output, for example: // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if // content_type=RELATIONSHIP. // * If specified: // it snapshots specified relationships. It returns an error if // any of the [relationship_types] doesn't belong to the supported // relationship types of the [asset_types] or if any of the [asset_types] // doesn't belong to the source types of the [relationship_types]. // * Otherwise: // it snapshots the supported relationships for all [asset_types] or returns // an error if any of the [asset_types] has no relationship support. // An unspecified asset types field means all supported asset_types. // See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) // for all supported asset types and relationship types. repeated string relationship_types = 7; } // ListAssets response. message ListAssetsResponse { // Time the snapshot was taken. google.protobuf.Timestamp read_time = 1; // Assets. repeated Asset assets = 2; // Token to retrieve the next page of results. It expires 72 hours after the // page token for the first page is generated. Set to empty if there are no // remaining results. string next_page_token = 3; } // Batch get assets history request. message BatchGetAssetsHistoryRequest { // Required. The relative name of the root asset. It can only be an // organization number (such as "organizations/123"), a project ID (such as // "projects/my-project-id")", or a project number (such as "projects/12345"). string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "cloudasset.googleapis.com/Asset" } ]; // A list of the full names of the assets. // See: https://cloud.google.com/asset-inventory/docs/resource-name-format // Example: // // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // // The request becomes a no-op if the asset name list is empty, and the max // size of the asset name list is 100 in one request. repeated string asset_names = 2; // Optional. The content type. ContentType content_type = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The time window for the asset history. Both start_time and // end_time are optional and if set, it must be after the current time minus // 35 days. If end_time is not set, it is default to current timestamp. // If start_time is not set, the snapshot of the assets at end_time will be // returned. The returned results contain all temporal assets whose time // window overlap with read_time_window. TimeWindow read_time_window = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. A list of relationship types to output, for example: // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if // content_type=RELATIONSHIP. // * If specified: // it outputs specified relationships' history on the [asset_names]. It // returns an error if any of the [relationship_types] doesn't belong to the // supported relationship types of the [asset_names] or if any of the // [asset_names]'s types doesn't belong to the source types of the // [relationship_types]. // * Otherwise: // it outputs the supported relationships' history on the [asset_names] or // returns an error if any of the [asset_names]'s types has no relationship // support. // See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) for all // supported asset types and relationship types. repeated string relationship_types = 5 [(google.api.field_behavior) = OPTIONAL]; } // Batch get assets history response. message BatchGetAssetsHistoryResponse { // A list of assets with valid time windows. repeated TemporalAsset assets = 1; } // Create asset feed request. message CreateFeedRequest { // Required. The name of the project/folder/organization where this feed // should be created in. It can only be an organization number (such as // "organizations/123"), a folder number (such as "folders/123"), a project ID // (such as "projects/my-project-id")", or a project number (such as // "projects/12345"). string parent = 1 [(google.api.field_behavior) = REQUIRED]; // Required. This is the client-assigned asset feed identifier and it needs to // be unique under a specific parent project/folder/organization. string feed_id = 2 [(google.api.field_behavior) = REQUIRED]; // Required. The feed details. The field `name` must be empty and it will be generated // in the format of: // projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id Feed feed = 3 [(google.api.field_behavior) = REQUIRED]; } // Get asset feed request. message GetFeedRequest { // Required. The name of the Feed and it must be in the format of: // projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" } ]; } // List asset feeds request. message ListFeedsRequest { // Required. The parent project/folder/organization whose feeds are to be // listed. It can only be using project/folder/organization number (such as // "folders/12345")", or a project ID (such as "projects/my-project-id"). string parent = 1 [(google.api.field_behavior) = REQUIRED]; } message ListFeedsResponse { // A list of feeds. repeated Feed feeds = 1; } // Update asset feed request. message UpdateFeedRequest { // Required. The new values of feed details. It must match an existing feed and the // field `name` must be in the format of: // projects/project_number/feeds/feed_id or // folders/folder_number/feeds/feed_id or // organizations/organization_number/feeds/feed_id. Feed feed = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Only updates the `feed` fields indicated by this mask. // The field mask must not be empty, and it must not contain fields that // are immutable or only set by the server. google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; } message DeleteFeedRequest { // Required. The name of the feed and it must be in the format of: // projects/project_number/feeds/feed_id // folders/folder_number/feeds/feed_id // organizations/organization_number/feeds/feed_id string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" } ]; } // Output configuration for export assets destination. message OutputConfig { // Asset export destination. oneof destination { // Destination on Cloud Storage. GcsDestination gcs_destination = 1; // Destination on BigQuery. The output table stores the fields in asset // proto as columns in BigQuery. BigQueryDestination bigquery_destination = 2; } } // Output result of export assets. message OutputResult { // Asset export result. oneof result { // Export result on Cloud Storage. GcsOutputResult gcs_result = 1; } } // A Cloud Storage output result. message GcsOutputResult { // List of uris of the Cloud Storage objects. Example: // "gs://bucket_name/object_name". repeated string uris = 1; } // A Cloud Storage location. message GcsDestination { // Required. oneof object_uri { // The uri of the Cloud Storage object. It's the same uri that is used by // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and // Editing Object // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) // for more information. // // If the specified Cloud Storage object already exists and there is no // [hold](https://cloud.google.com/storage/docs/object-holds), it will be // overwritten with the exported result. string uri = 1; // The uri prefix of all generated Cloud Storage objects. Example: // "gs://bucket_name/object_name_prefix". Each object uri is in format: // "gs://bucket_name/object_name_prefix// and only // contains assets for that type. starts from 0. Example: // "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is // the first shard of output objects containing all // compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be // returned if file with the same name "gs://bucket_name/object_name_prefix" // already exists. string uri_prefix = 2; } } // A BigQuery destination for exporting assets to. message BigQueryDestination { // Required. The BigQuery dataset in format // "projects/projectId/datasets/datasetId", to which the snapshot result // should be exported. If this dataset does not exist, the export call returns // an INVALID_ARGUMENT error. string dataset = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The BigQuery table to which the snapshot result should be // written. If this table does not exist, a new table with the given name // will be created. string table = 2 [(google.api.field_behavior) = REQUIRED]; // If the destination table already exists and this flag is `TRUE`, the // table will be overwritten by the contents of assets snapshot. If the flag // is `FALSE` or unset and the destination table already exists, the export // call returns an INVALID_ARGUMEMT error. bool force = 3; // [partition_spec] determines whether to export to partitioned table(s) and // how to partition the data. // // If [partition_spec] is unset or [partition_spec.partition_key] is unset or // `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to // non-partitioned table(s). [force] will decide whether to overwrite existing // table(s). // // If [partition_spec] is specified. First, the snapshot results will be // written to partitioned table(s) with two additional timestamp columns, // readTime and requestTime, one of which will be the partition key. Secondly, // in the case when any destination table already exists, it will first try to // update existing table's schema as necessary by appending additional // columns. Then, if [force] is `TRUE`, the corresponding partition will be // overwritten by the snapshot results (data in different partitions will // remain intact); if [force] is unset or `FALSE`, it will append the data. An // error will be returned if the schema update or data appension fails. PartitionSpec partition_spec = 4; // If this flag is `TRUE`, the snapshot results will be written to one or // multiple tables, each of which contains results of one asset type. The // [force] and [partition_spec] fields will apply to each of them. // // Field [table] will be concatenated with "_" and the asset type names (see // https://cloud.google.com/asset-inventory/docs/supported-asset-types for // supported asset types) to construct per-asset-type table names, in which // all non-alphanumeric characters like "." and "/" will be substituted by // "_". Example: if field [table] is "mytable" and snapshot results // contain "storage.googleapis.com/Bucket" assets, the corresponding table // name will be "mytable_storage_googleapis_com_Bucket". If any of these // tables does not exist, a new table with the concatenated name will be // created. // // When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of // each table will include RECORD-type columns mapped to the nested fields in // the Asset.resource.data field of that asset type (up to the 15 nested level // BigQuery supports // (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The // fields in >15 nested levels will be stored in JSON format string as a child // column of its parent RECORD column. // // If error occurs when exporting to any table, the whole export call will // return an error but the export results that already succeed will persist. // Example: if exporting to table_type_A succeeds when exporting to // table_type_B fails during one export call, the results in table_type_A will // persist and there will not be partial results persisting in a table. bool separate_tables_per_asset_type = 5; } // Specifications of BigQuery partitioned table as export destination. message PartitionSpec { // This enum is used to determine the partition key column when exporting // assets to BigQuery partitioned table(s). Note that, if the partition key is // a timestamp column, the actual partition is based on its date value // (expressed in UTC. see details in // https://cloud.google.com/bigquery/docs/partitioned-tables#date_timestamp_partitioned_tables). enum PartitionKey { // Unspecified partition key. If used, it means using non-partitioned table. PARTITION_KEY_UNSPECIFIED = 0; // The time when the snapshot is taken. If specified as partition key, the // result table(s) is partitoned by the additional timestamp column, // readTime. If [read_time] in ExportAssetsRequest is specified, the // readTime column's value will be the same as it. Otherwise, its value will // be the current time that is used to take the snapshot. READ_TIME = 1; // The time when the request is received and started to be processed. If // specified as partition key, the result table(s) is partitoned by the // requestTime column, an additional timestamp column representing when the // request was received. REQUEST_TIME = 2; } // The partition key for BigQuery partitioned table. PartitionKey partition_key = 1; } // A Pub/Sub destination. message PubsubDestination { // The name of the Pub/Sub topic to publish to. // Example: `projects/PROJECT_ID/topics/TOPIC_ID`. string topic = 1; } // Output configuration for asset feed destination. message FeedOutputConfig { // Asset feed destination. oneof destination { // Destination on Pub/Sub. PubsubDestination pubsub_destination = 1; } } // An asset feed used to export asset updates to a destinations. // An asset feed filter controls what updates are exported. // The asset feed must be created within a project, organization, or // folder. Supported destinations are: // Pub/Sub topics. message Feed { option (google.api.resource) = { type: "cloudasset.googleapis.com/Feed" pattern: "projects/{project}/feeds/{feed}" pattern: "folders/{folder}/feeds/{feed}" pattern: "organizations/{organization}/feeds/{feed}" history: ORIGINALLY_SINGLE_PATTERN }; // Required. The format will be // projects/{project_number}/feeds/{client-assigned_feed_identifier} or // folders/{folder_number}/feeds/{client-assigned_feed_identifier} or // organizations/{organization_number}/feeds/{client-assigned_feed_identifier} // // The client-assigned feed identifier must be unique within the parent // project/folder/organization. string name = 1 [(google.api.field_behavior) = REQUIRED]; // A list of the full names of the assets to receive updates. You must specify // either or both of asset_names and asset_types. Only asset updates matching // specified asset_names or asset_types are exported to the feed. // Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. // See [Resource // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name) // for more info. repeated string asset_names = 2; // A list of types of the assets to receive updates. You must specify either // or both of asset_names and asset_types. Only asset updates matching // specified asset_names or asset_types are exported to the feed. // Example: `"compute.googleapis.com/Disk"` // // See [this // topic](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // for a list of all supported asset types. repeated string asset_types = 3; // Asset content type. If not specified, no content but the asset name and // type will be returned. ContentType content_type = 4; // Required. Feed output configuration defining where the asset updates are // published to. FeedOutputConfig feed_output_config = 5 [(google.api.field_behavior) = REQUIRED]; // A condition which determines whether an asset update should be published. // If specified, an asset will be returned only when the expression evaluates // to true. // When set, `expression` field in the `Expr` must be a valid [CEL expression] // (https://github.com/google/cel-spec) on a TemporalAsset with name // `temporal_asset`. Example: a Feed with expression ("temporal_asset.deleted // == true") will only publish Asset deletions. Other fields of `Expr` are // optional. // // See our [user // guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes-with-condition) // for detailed instructions. google.type.Expr condition = 6; // A list of relationship types to output, for example: // `INSTANCE_TO_INSTANCEGROUP`. This field should only be specified if // content_type=RELATIONSHIP. // * If specified: // it outputs specified relationship updates on the [asset_names] or the // [asset_types]. It returns an error if any of the [relationship_types] // doesn't belong to the supported relationship types of the [asset_names] or // [asset_types], or any of the [asset_names] or the [asset_types] doesn't // belong to the source types of the [relationship_types]. // * Otherwise: // it outputs the supported relationships of the types of [asset_names] and // [asset_types] or returns an error if any of the [asset_names] or the // [asset_types] has no replationship support. // See [Introduction to Cloud Asset // Inventory](https://cloud.google.com/asset-inventory/docs/overview) // for all supported asset types and relationship types. repeated string relationship_types = 7; } // Search all resources request. message SearchAllResourcesRequest { // Required. A scope can be a project, a folder, or an organization. The search is // limited to the resources within the `scope`. The caller must be granted the // [`cloudasset.assets.searchAllResources`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) // permission on the desired scope. // // The allowed values are: // // * projects/{PROJECT_ID} (e.g., "projects/foo-bar") // * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") // * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. The query statement. See [how to construct a // query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query) // for more information. If not specified or empty, it will search all the // resources within the specified `scope`. // // Examples: // // * `name:Important` to find Cloud resources whose name contains // "Important" as a word. // * `name=Important` to find the Cloud resource whose name is exactly // "Important". // * `displayName:Impor*` to find Cloud resources whose display name // contains "Impor" as a prefix of any word in the field. // * `location:us-west*` to find Cloud resources whose location contains both // "us" and "west" as prefixes. // * `labels:prod` to find Cloud resources whose labels contain "prod" as // a key or value. // * `labels.env:prod` to find Cloud resources that have a label "env" // and its value is "prod". // * `labels.env:*` to find Cloud resources that have a label "env". // * `kmsKey:key` to find Cloud resources encrypted with a customer-managed // encryption key whose name contains the word "key". // * `state:ACTIVE` to find Cloud resources whose state contains "ACTIVE" as a // word. // * `NOT state:ACTIVE` to find Cloud resources whose state doesn't contain // "ACTIVE" as a word. // * `createTime<1609459200` to find Cloud resources that were created before // "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of // "2021-01-01 00:00:00 UTC" in seconds. // * `updateTime>1609459200` to find Cloud resources that were updated after // "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of // "2021-01-01 00:00:00 UTC" in seconds. // * `Important` to find Cloud resources that contain "Important" as a word // in any of the searchable fields. // * `Impor*` to find Cloud resources that contain "Impor" as a prefix of any // word in any of the searchable fields. // * `Important location:(us-west1 OR global)` to find Cloud // resources that contain "Important" as a word in any of the searchable // fields and are also located in the "us-west1" region or the "global" // location. string query = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. A list of asset types that this request searches for. If empty, it will // search all the [searchable asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). // // Regular expressions are also supported. For example: // // * "compute.googleapis.com.*" snapshots resources whose asset type starts // with "compute.googleapis.com". // * ".*Instance" snapshots resources whose asset type ends with "Instance". // * ".*Instance.*" snapshots resources whose asset type contains "Instance". // // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported // regular expression syntax. If the regular expression does not match any // supported asset type, an INVALID_ARGUMENT error will be returned. repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The page size for search result pagination. Page size is capped at 500 even // if a larger value is given. If set to zero, server will pick an appropriate // default. Returned results may be fewer than requested. When this happens, // there could be more results as long as `next_page_token` is returned. int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. If present, then retrieve the next batch of results from the preceding call // to this method. `page_token` must be the value of `next_page_token` from // the previous response. The values of all other method parameters, must be // identical to those in the previous call. string page_token = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. A comma-separated list of fields specifying the sorting order of the // results. The default order is ascending. Add " DESC" after the field name // to indicate descending order. Redundant space characters are ignored. // Example: "location DESC, name". // Only singular primitive fields in the response are sortable: // // * name // * assetType // * project // * displayName // * description // * location // * kmsKey // * createTime // * updateTime // * state // * parentFullResourceName // * parentAssetType // // All the other fields such as repeated fields (e.g., `networkTags`), map // fields (e.g., `labels`) and struct fields (e.g., `additionalAttributes`) // are not supported. string order_by = 6 [(google.api.field_behavior) = OPTIONAL]; // Optional. A comma-separated list of fields specifying which fields to be returned in // ResourceSearchResult. Only '*' or combination of top level fields can be // specified. Field names of both snake_case and camelCase are supported. // Examples: `"*"`, `"name,location"`, `"name,versionedResources"`. // // The read_mask paths must be valid field paths listed but not limited to // (both snake_case and camelCase are supported): // // * name // * assetType // * project // * displayName // * description // * location // * labels // * networkTags // * kmsKey // * createTime // * updateTime // * state // * additionalAttributes // * versionedResources // // If read_mask is not specified, all fields except versionedResources will // be returned. // If only '*' is specified, all fields including versionedResources will be // returned. // Any invalid field path will trigger INVALID_ARGUMENT error. google.protobuf.FieldMask read_mask = 8 [(google.api.field_behavior) = OPTIONAL]; } // Search all resources response. message SearchAllResourcesResponse { // A list of Resources that match the search query. It contains the resource // standard metadata information. repeated ResourceSearchResult results = 1; // If there are more results than those appearing in this response, then // `next_page_token` is included. To get the next set of results, call this // method again using the value of `next_page_token` as `page_token`. string next_page_token = 2; } // Search all IAM policies request. message SearchAllIamPoliciesRequest { // Required. A scope can be a project, a folder, or an organization. The search is // limited to the IAM policies within the `scope`. The caller must be granted // the // [`cloudasset.assets.searchAllIamPolicies`](https://cloud.google.com/asset-inventory/docs/access-control#required_permissions) // permission on the desired scope. // // The allowed values are: // // * projects/{PROJECT_ID} (e.g., "projects/foo-bar") // * projects/{PROJECT_NUMBER} (e.g., "projects/12345678") // * folders/{FOLDER_NUMBER} (e.g., "folders/1234567") // * organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456") string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. The query statement. See [how to construct a // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query) // for more information. If not specified or empty, it will search all the // IAM policies within the specified `scope`. Note that the query string is // compared against each Cloud IAM policy binding, including its members, // roles, and Cloud IAM conditions. The returned Cloud IAM policies will only // contain the bindings that match your query. To learn more about the IAM // policy structure, see [IAM policy // doc](https://cloud.google.com/iam/docs/policies#structure). // // Examples: // // * `policy:amy@gmail.com` to find IAM policy bindings that specify user // "amy@gmail.com". // * `policy:roles/compute.admin` to find IAM policy bindings that specify // the Compute Admin role. // * `policy:comp*` to find IAM policy bindings that contain "comp" as a // prefix of any word in the binding. // * `policy.role.permissions:storage.buckets.update` to find IAM policy // bindings that specify a role containing "storage.buckets.update" // permission. Note that if callers don't have `iam.roles.get` access to a // role's included permissions, policy bindings that specify this role will // be dropped from the search results. // * `policy.role.permissions:upd*` to find IAM policy bindings that specify a // role containing "upd" as a prefix of any word in the role permission. // Note that if callers don't have `iam.roles.get` access to a role's // included permissions, policy bindings that specify this role will be // dropped from the search results. // * `resource:organizations/123456` to find IAM policy bindings // that are set on "organizations/123456". // * `resource=//cloudresourcemanager.googleapis.com/projects/myproject` to // find IAM policy bindings that are set on the project named "myproject". // * `Important` to find IAM policy bindings that contain "Important" as a // word in any of the searchable fields (except for the included // permissions). // * `resource:(instance1 OR instance2) policy:amy` to find // IAM policy bindings that are set on resources "instance1" or // "instance2" and also specify user "amy". // * `roles:roles/compute.admin` to find IAM policy bindings that specify the // Compute Admin role. // * `memberTypes:user` to find IAM policy bindings that contain the "user" // member type. string query = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. The page size for search result pagination. Page size is capped at 500 even // if a larger value is given. If set to zero, server will pick an appropriate // default. Returned results may be fewer than requested. When this happens, // there could be more results as long as `next_page_token` is returned. int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. If present, retrieve the next batch of results from the preceding call to // this method. `page_token` must be the value of `next_page_token` from the // previous response. The values of all other method parameters must be // identical to those in the previous call. string page_token = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. A list of asset types that the IAM policies are attached to. If empty, it // will search the IAM policies that are attached to all the [searchable asset // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). // // Regular expressions are also supported. For example: // // * "compute.googleapis.com.*" snapshots IAM policies attached to asset type // starts with "compute.googleapis.com". // * ".*Instance" snapshots IAM policies attached to asset type ends with // "Instance". // * ".*Instance.*" snapshots IAM policies attached to asset type contains // "Instance". // // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported // regular expression syntax. If the regular expression does not match any // supported asset type, an INVALID_ARGUMENT error will be returned. repeated string asset_types = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. A comma-separated list of fields specifying the sorting order of the // results. The default order is ascending. Add " DESC" after the field name // to indicate descending order. Redundant space characters are ignored. // Example: "assetType DESC, resource". // Only singular primitive fields in the response are sortable: // * resource // * assetType // * project // All the other fields such as repeated fields (e.g., `folders`) and // non-primitive fields (e.g., `policy`) are not supported. string order_by = 7 [(google.api.field_behavior) = OPTIONAL]; } // Search all IAM policies response. message SearchAllIamPoliciesResponse { // A list of IamPolicy that match the search query. Related information such // as the associated resource is returned along with the policy. repeated IamPolicySearchResult results = 1; // Set if there are more results than those appearing in this response; to get // the next set of results, call this method again, using this value as the // `page_token`. string next_page_token = 2; } // ## IAM policy analysis query message. message IamPolicyAnalysisQuery { // Specifies the resource to analyze for access policies, which may be set // directly on the resource, or on ancestors such as organizations, folders or // projects. message ResourceSelector { // Required. The [full resource name] // (https://cloud.google.com/asset-inventory/docs/resource-name-format) // of a resource of [supported resource // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED]; } // Specifies an identity for which to determine resource access, based on // roles assigned either directly to them or to the groups they belong to, // directly or indirectly. message IdentitySelector { // Required. The identity appear in the form of members in // [IAM policy // binding](https://cloud.google.com/iam/reference/rest/v1/Binding). // // The examples of supported forms are: // "user:mike@example.com", // "group:admins@example.com", // "domain:google.com", // "serviceAccount:my-project-id@appspot.gserviceaccount.com". // // Notice that wildcard characters (such as * and ?) are not supported. // You must give a specific identity. string identity = 1 [(google.api.field_behavior) = REQUIRED]; } // Specifies roles and/or permissions to analyze, to determine both the // identities possessing them and the resources they control. If multiple // values are specified, results will include roles or permissions matching // any of them. The total number of roles and permissions should be equal or // less than 10. message AccessSelector { // Optional. The roles to appear in result. repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. The permissions to appear in result. repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL]; } // Contains query options. message Options { // Optional. If true, the identities section of the result will expand any // Google groups appearing in an IAM policy binding. // // If [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector] is specified, the // identity in the result will be determined by the selector, and this flag // is not allowed to set. // // Default is false. bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. If true, the access section of result will expand any roles // appearing in IAM policy bindings to include their permissions. // // If [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector] is specified, the access // section of the result will be determined by the selector, and this flag // is not allowed to set. // // Default is false. bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. If true and [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] is not // specified, the resource section of the result will expand any resource // attached to an IAM policy to include resources lower in the resource // hierarchy. // // For example, if the request analyzes for which resources user A has // permission P, and the results include an IAM policy with P on a GCP // folder, the results will also include resources in that folder with // permission P. // // If true and [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector] is specified, // the resource section of the result will expand the specified resource to // include resources lower in the resource hierarchy. Only project or // lower resources are supported. Folder and organization resource cannot be // used together with this option. // // For example, if the request analyzes for which users have permission P on // a GCP project with this option enabled, the results will include all // users who have permission P on that project or any lower resource. // // Default is false. bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. If true, the result will output resource edges, starting // from the policy attached resource, to any expanded resources. // Default is false. bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. If true, the result will output group identity edges, starting // from the binding's group members, to any expanded identities. // Default is false. bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. If true, the response will include access analysis from identities to // resources via service account impersonation. This is a very expensive // operation, because many derived queries will be executed. We highly // recommend you use [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning] rpc // instead. // // For example, if the request analyzes for which resources user A has // permission P, and there's an IAM policy states user A has // iam.serviceAccounts.getAccessToken permission to a service account SA, // and there's another IAM policy states service account SA has permission P // to a GCP folder F, then user A potentially has access to the GCP folder // F. And those advanced analysis results will be included in // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. // // Another example, if the request analyzes for who has // permission P to a GCP folder F, and there's an IAM policy states user A // has iam.serviceAccounts.actAs permission to a service account SA, and // there's another IAM policy states service account SA has permission P to // the GCP folder F, then user A potentially has access to the GCP folder // F. And those advanced analysis results will be included in // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis]. // // Default is false. bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL]; } // The IAM conditions context. message ConditionContext { // The IAM conditions time context. oneof TimeContext { // The hypothetical access timestamp to evaluate IAM conditions. Note that // this value must not be earlier than the current time; otherwise, an // INVALID_ARGUMENT error will be returned. google.protobuf.Timestamp access_time = 1; } } // Required. The relative name of the root asset. Only resources and IAM policies within // the scope will be analyzed. // // This can only be an organization number (such as "organizations/123"), a // folder number (such as "folders/123"), a project ID (such as // "projects/my-project-id"), or a project number (such as "projects/12345"). // // To know how to get organization id, visit [here // ](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id). // // To know how to get folder or project id, visit [here // ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects). string scope = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. Specifies a resource for analysis. ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. Specifies an identity for analysis. IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. Specifies roles or permissions for analysis. This is optional. AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. The query options. Options options = 5 [(google.api.field_behavior) = OPTIONAL]; // Optional. The hypothetical context for IAM conditions evaluation. ConditionContext condition_context = 6 [(google.api.field_behavior) = OPTIONAL]; } // A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. message AnalyzeIamPolicyRequest { // Required. The request query. IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. Amount of time executable has to complete. See JSON representation of // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json). // // If this field is set with a value less than the RPC deadline, and the // execution of your query hasn't finished in the specified // execution timeout, you will get a response with partial result. // Otherwise, your query's execution will continue until the RPC deadline. // If it's not finished until then, you will get a DEADLINE_EXCEEDED error. // // Default is empty. google.protobuf.Duration execution_timeout = 2 [(google.api.field_behavior) = OPTIONAL]; } // A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1.AssetService.AnalyzeIamPolicy]. message AnalyzeIamPolicyResponse { // An analysis message to group the query and results. message IamPolicyAnalysis { // The analysis query. IamPolicyAnalysisQuery analysis_query = 1; // A list of [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult] that matches the analysis query, or // empty if no result is found. repeated IamPolicyAnalysisResult analysis_results = 2; // Represents whether all entries in the [analysis_results][google.cloud.asset.v1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been // fully explored to answer the query. bool fully_explored = 3; // A list of non-critical errors happened during the query handling. repeated IamPolicyAnalysisState non_critical_errors = 5; } // The main analysis that matches the original request. IamPolicyAnalysis main_analysis = 1; // The service account impersonation analysis if // [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is // enabled. repeated IamPolicyAnalysis service_account_impersonation_analysis = 2; // Represents whether all entries in the [main_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.main_analysis] and // [service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to // answer the query in the request. bool fully_explored = 3; } // Output configuration for export IAM policy analysis destination. message IamPolicyAnalysisOutputConfig { // A Cloud Storage location. message GcsDestination { // Required. The uri of the Cloud Storage object. It's the same uri that is used by // gsutil. Example: "gs://bucket_name/object_name". See [Viewing and // Editing Object // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata) // for more information. // // If the specified Cloud Storage object already exists and there is no // [hold](https://cloud.google.com/storage/docs/object-holds), it will be // overwritten with the analysis result. string uri = 1 [(google.api.field_behavior) = REQUIRED]; } // A BigQuery destination. message BigQueryDestination { // This enum determines the partition key column for the bigquery tables. // Partitioning can improve query performance and reduce query cost by // filtering partitions. Refer to // https://cloud.google.com/bigquery/docs/partitioned-tables for details. enum PartitionKey { // Unspecified partition key. Tables won't be partitioned using this // option. PARTITION_KEY_UNSPECIFIED = 0; // The time when the request is received. If specified as partition key, // the result table(s) is partitoned by the RequestTime column, an // additional timestamp column representing when the request was received. REQUEST_TIME = 1; } // Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId", // to which the analysis results should be exported. If this dataset does // not exist, the export call will return an INVALID_ARGUMENT error. string dataset = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The prefix of the BigQuery tables to which the analysis results will be // written. Tables will be created based on this table_prefix if not exist: // * _analysis table will contain export operation's metadata. // * _analysis_result will contain all the // [IamPolicyAnalysisResult][google.cloud.asset.v1.IamPolicyAnalysisResult]. // When [partition_key] is specified, both tables will be partitioned based // on the [partition_key]. string table_prefix = 2 [(google.api.field_behavior) = REQUIRED]; // The partition key for BigQuery partitioned table. PartitionKey partition_key = 3; // Optional. Specifies the action that occurs if the destination table or partition // already exists. The following values are supported: // // * WRITE_TRUNCATE: If the table or partition already exists, BigQuery // overwrites the entire table or all the partitions data. // * WRITE_APPEND: If the table or partition already exists, BigQuery // appends the data to the table or the latest partition. // * WRITE_EMPTY: If the table already exists and contains data, an error is // returned. // // The default value is WRITE_APPEND. Each action is atomic and only occurs // if BigQuery is able to complete the job successfully. Details are at // https://cloud.google.com/bigquery/docs/loading-data-local#appending_to_or_overwriting_a_table_using_a_local_file. string write_disposition = 4 [(google.api.field_behavior) = OPTIONAL]; } // IAM policy analysis export destination. oneof destination { // Destination on Cloud Storage. GcsDestination gcs_destination = 1; // Destination on BigQuery. BigQueryDestination bigquery_destination = 2; } } // A request message for [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. message AnalyzeIamPolicyLongrunningRequest { // Required. The request query. IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Output configuration indicating where the results will be output to. IamPolicyAnalysisOutputConfig output_config = 2 [(google.api.field_behavior) = REQUIRED]; } // A response message for [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]. message AnalyzeIamPolicyLongrunningResponse { } // The request message for performing resource move analysis. message AnalyzeMoveRequest { // View enum for supporting partial analysis responses. enum AnalysisView { // The default/unset value. // The API will default to the FULL view. ANALYSIS_VIEW_UNSPECIFIED = 0; // Full analysis including all level of impacts of the specified resource // move. FULL = 1; // Basic analysis only including blockers which will prevent the specified // resource move at runtime. BASIC = 2; } // Required. Name of the resource to perform the analysis against. // Only GCP Project are supported as of today. Hence, this can only be Project // ID (such as "projects/my-project-id") or a Project Number (such as // "projects/12345"). string resource = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Name of the GCP Folder or Organization to reparent the target // resource. The analysis will be performed against hypothetically moving the // resource to this specified desitination parent. This can only be a Folder // number (such as "folders/123") or an Organization number (such as // "organizations/123"). string destination_parent = 2 [(google.api.field_behavior) = REQUIRED]; // Analysis view indicating what information should be included in the // analysis response. If unspecified, the default view is FULL. AnalysisView view = 3; } // The response message for resource move analysis. message AnalyzeMoveResponse { // The list of analyses returned from performing the intended resource move // analysis. The analysis is grouped by different Cloud services. repeated MoveAnalysis move_analysis = 1; } // A message to group the analysis information. message MoveAnalysis { // The user friendly display name of the analysis. E.g. IAM, Organization // Policy etc. string display_name = 1; oneof result { // Analysis result of moving the target resource. MoveAnalysisResult analysis = 2; // Description of error encountered when performing the analysis. google.rpc.Status error = 3; } } // An analysis result including blockers and warnings. message MoveAnalysisResult { // Blocking information that would prevent the target resource from moving // to the specified destination at runtime. repeated MoveImpact blockers = 1; // Warning information indicating that moving the target resource to the // specified destination might be unsafe. This can include important policy // information and configuration changes, but will not block moves at runtime. repeated MoveImpact warnings = 2; } // A message to group impacts of moving the target resource. message MoveImpact { // User friendly impact detail in a free form message. string detail = 1; } // Asset content type. enum ContentType { // Unspecified content type. CONTENT_TYPE_UNSPECIFIED = 0; // Resource metadata. RESOURCE = 1; // The actual IAM policy set on a resource. IAM_POLICY = 2; // The Cloud Organization Policy set on an asset. ORG_POLICY = 4; // The Cloud Access context manager Policy set on an asset. ACCESS_POLICY = 5; // The runtime OS Inventory information. OS_INVENTORY = 6; // The related resources. RELATIONSHIP = 7; }