# frozen_string_literal: true
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
module Google
module Cloud
module Asset
module V1
# An asset in Google Cloud and its temporal metadata, including the time window
# when it was observed and its status during that window.
# @!attribute [rw] window
# @return [::Google::Cloud::Asset::V1::TimeWindow]
# The time window when the asset data and state was observed.
# @!attribute [rw] deleted
# @return [::Boolean]
# Whether the asset has been deleted or not.
# @!attribute [rw] asset
# @return [::Google::Cloud::Asset::V1::Asset]
# An asset in Google Cloud.
# @!attribute [rw] prior_asset_state
# @return [::Google::Cloud::Asset::V1::TemporalAsset::PriorAssetState]
# State of prior_asset.
# @!attribute [rw] prior_asset
# @return [::Google::Cloud::Asset::V1::Asset]
# Prior copy of the asset. Populated if prior_asset_state is PRESENT.
# Currently this is only set for responses in Real-Time Feed.
class TemporalAsset
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
# State of prior asset.
module PriorAssetState
# prior_asset is not applicable for the current asset.
PRIOR_ASSET_STATE_UNSPECIFIED = 0
# prior_asset is populated correctly.
PRESENT = 1
# Failed to set prior_asset.
INVALID = 2
# Current asset is the first known state.
DOES_NOT_EXIST = 3
# prior_asset is a deletion.
DELETED = 4
end
end
# A time window specified by its `start_time` and `end_time`.
# @!attribute [rw] start_time
# @return [::Google::Protobuf::Timestamp]
# Start time of the time window (exclusive).
# @!attribute [rw] end_time
# @return [::Google::Protobuf::Timestamp]
# End time of the time window (inclusive). If not specified, the current
# timestamp is used instead.
class TimeWindow
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# An asset in Google Cloud. An asset can be any resource in the Google Cloud
# [resource
# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
# a resource outside the Google Cloud resource hierarchy (such as Google
# Kubernetes Engine clusters and objects), or a policy (e.g. Cloud IAM policy).
# See [Supported asset
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
# for more information.
# @!attribute [rw] update_time
# @return [::Google::Protobuf::Timestamp]
# The last update timestamp of an asset. update_time is updated when
# create/update/delete operation is performed.
# @!attribute [rw] name
# @return [::String]
# The full name of the asset. Example:
# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`
#
# See [Resource
# names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
# for more information.
# @!attribute [rw] asset_type
# @return [::String]
# The type of the asset. Example: `compute.googleapis.com/Disk`
#
# See [Supported asset
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
# for more information.
# @!attribute [rw] resource
# @return [::Google::Cloud::Asset::V1::Resource]
# A representation of the resource.
# @!attribute [rw] iam_policy
# @return [::Google::Iam::V1::Policy]
# A representation of the Cloud IAM policy set on a Google Cloud resource.
# There can be a maximum of one Cloud IAM policy set on any given resource.
# In addition, Cloud IAM policies inherit their granted access scope from any
# policies set on parent resources in the resource hierarchy. Therefore, the
# effectively policy is the union of both the policy set on this resource
# and each policy set on all of the resource's ancestry resource levels in
# the hierarchy. See
# [this topic](https://cloud.google.com/iam/docs/policies#inheritance) for
# more information.
# @!attribute [rw] org_policy
# @return [::Array<::Google::Cloud::OrgPolicy::V1::Policy>]
# A representation of an [organization
# policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy).
# There can be more than one organization policy with different constraints
# set on a given resource.
# @!attribute [rw] access_policy
# @return [::Google::Identity::AccessContextManager::V1::AccessPolicy]
# Please also refer to the [access policy user
# guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
# @!attribute [rw] access_level
# @return [::Google::Identity::AccessContextManager::V1::AccessLevel]
# Please also refer to the [access level user
# guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
# @!attribute [rw] service_perimeter
# @return [::Google::Identity::AccessContextManager::V1::ServicePerimeter]
# Please also refer to the [service perimeter user
# guide](https://cloud.google.com/vpc-service-controls/docs/overview).
# @!attribute [rw] os_inventory
# @return [::Google::Cloud::OsConfig::V1::Inventory]
# A representation of runtime OS Inventory information. See [this
# topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
# for more information.
# @!attribute [rw] ancestors
# @return [::Array<::String>]
# The ancestry path of an asset in Google Cloud [resource
# hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
# represented as a list of relative resource names. An ancestry path starts
# with the closest ancestor in the hierarchy and ends at root. If the asset
# is a project, folder, or organization, the ancestry path starts from the
# asset itself.
#
# Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
class Asset
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# A representation of a Google Cloud resource.
# @!attribute [rw] version
# @return [::String]
# The API version. Example: `v1`
# @!attribute [rw] discovery_document_uri
# @return [::String]
# The URL of the discovery document containing the resource's JSON schema.
# Example:
# `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest`
#
# This value is unspecified for resources that do not have an API based on a
# discovery document, such as Cloud Bigtable.
# @!attribute [rw] discovery_name
# @return [::String]
# The JSON schema name listed in the discovery document. Example:
# `Project`
#
# This value is unspecified for resources that do not have an API based on a
# discovery document, such as Cloud Bigtable.
# @!attribute [rw] resource_url
# @return [::String]
# The REST URL for accessing the resource. An HTTP `GET` request using this
# URL returns the resource itself. Example:
# `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123`
#
# This value is unspecified for resources without a REST API.
# @!attribute [rw] parent
# @return [::String]
# The full name of the immediate parent of this resource. See
# [Resource
# Names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
# for more information.
#
# For Google Cloud assets, this value is the parent resource defined in the
# [Cloud IAM policy
# hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
# Example:
# `//cloudresourcemanager.googleapis.com/projects/my_project_123`
#
# For third-party assets, this field may be set differently.
# @!attribute [rw] data
# @return [::Google::Protobuf::Struct]
# The content of the resource, in which some sensitive fields are removed
# and may not be present.
# @!attribute [rw] location
# @return [::String]
# The location of the resource in Google Cloud, such as its zone and region.
# For more information, see https://cloud.google.com/about/locations/.
class Resource
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# A result of Resource Search, containing information of a cloud resource.
# @!attribute [rw] name
# @return [::String]
# The full resource name of this resource. Example:
# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
# See [Cloud Asset Inventory Resource Name
# Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
# for more information.
#
# To search against the `name`:
#
# * use a field query. Example: `name:instance1`
# * use a free text query. Example: `instance1`
# @!attribute [rw] asset_type
# @return [::String]
# The type of this resource. Example: `compute.googleapis.com/Disk`.
#
# To search against the `asset_type`:
#
# * specify the `asset_type` field in your search request.
# @!attribute [rw] project
# @return [::String]
# The project that this resource belongs to, in the form of
# projects/\\{PROJECT_NUMBER}.
#
# To search against the `project`:
#
# * specify the `scope` field as this project in your search request.
# @!attribute [rw] display_name
# @return [::String]
# The display name of this resource.
#
# To search against the `display_name`:
#
# * use a field query. Example: `displayName:"My Instance"`
# * use a free text query. Example: `"My Instance"`
# @!attribute [rw] description
# @return [::String]
# One or more paragraphs of text description of this resource. Maximum length
# could be up to 1M bytes.
#
# To search against the `description`:
#
# * use a field query. Example: `description:"*important instance*"`
# * use a free text query. Example: `"*important instance*"`
# @!attribute [rw] location
# @return [::String]
# Location can be `global`, regional like `us-east1`, or zonal like
# `us-west1-b`.
#
# To search against the `location`:
#
# * use a field query. Example: `location:us-west*`
# * use a free text query. Example: `us-west*`
# @!attribute [rw] labels
# @return [::Google::Protobuf::Map{::String => ::String}]
# Labels associated with this resource. See [Labelling and grouping GCP
# resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
# for more information.
#
# To search against the `labels`:
#
# * use a field query:
# - query on any label's key or value. Example: `labels:prod`
# - query by a given label. Example: `labels.env:prod`
# - query by a given label's existence. Example: `labels.env:*`
# * use a free text query. Example: `prod`
# @!attribute [rw] network_tags
# @return [::Array<::String>]
# Network tags associated with this resource. Like labels, network tags are a
# type of annotations used to group GCP resources. See [Labelling GCP
# resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
# for more information.
#
# To search against the `network_tags`:
#
# * use a field query. Example: `networkTags:internal`
# * use a free text query. Example: `internal`
# @!attribute [rw] additional_attributes
# @return [::Google::Protobuf::Struct]
# The additional searchable attributes of this resource. The attributes may
# vary from one resource type to another. Examples: `projectId` for Project,
# `dnsName` for DNS ManagedZone. This field contains a subset of the resource
# metadata fields that are returned by the List or Get APIs provided by the
# corresponding GCP service (e.g., Compute Engine). see [API references and
# supported searchable
# attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types)
# for more information.
#
# You can search values of these fields through free text search. However,
# you should not consume the field programically as the field names and
# values may change as the GCP service updates to a new incompatible API
# version.
#
# To search against the `additional_attributes`:
#
# * use a free text query to match the attributes values. Example: to search
# `additional_attributes = { dnsName: "foobar" }`, you can issue a query
# `foobar`.
class ResourceSearchResult
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
# @!attribute [rw] key
# @return [::String]
# @!attribute [rw] value
# @return [::String]
class LabelsEntry
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
end
# A result of IAM Policy search, containing information of an IAM policy.
# @!attribute [rw] resource
# @return [::String]
# The full resource name of the resource associated with this IAM policy.
# Example:
# `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
# See [Cloud Asset Inventory Resource Name
# Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
# for more information.
#
# To search against the `resource`:
#
# * use a field query. Example: `resource:organizations/123`
# @!attribute [rw] project
# @return [::String]
# The project that the associated GCP resource belongs to, in the form of
# projects/\\{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM
# instance, Cloud Storage bucket), the project field will indicate the
# project that contains the resource. If an IAM policy is set on a folder or
# orgnization, the project field will be empty.
#
# To search against the `project`:
#
# * specify the `scope` field as this project in your search request.
# @!attribute [rw] policy
# @return [::Google::Iam::V1::Policy]
# The IAM policy directly set on the given resource. Note that the original
# IAM policy can contain multiple bindings. This only contains the bindings
# that match the given query. For queries that don't contain a constrain on
# policies (e.g., an empty query), this contains all the bindings.
#
# To search against the `policy` bindings:
#
# * use a field query:
# - query by the policy contained members. Example:
# `policy:amy@gmail.com`
# - query by the policy contained roles. Example:
# `policy:roles/compute.admin`
# - query by the policy contained roles' included permissions. Example:
# `policy.role.permissions:compute.instances.create`
# @!attribute [rw] explanation
# @return [::Google::Cloud::Asset::V1::IamPolicySearchResult::Explanation]
# Explanation about the IAM policy search result. It contains additional
# information to explain why the search result matches the query.
class IamPolicySearchResult
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
# Explanation about the IAM policy search result.
# @!attribute [rw] matched_permissions
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::Asset::V1::IamPolicySearchResult::Explanation::Permissions}]
# The map from roles to their included permissions that match the
# permission query (i.e., a query containing `policy.role.permissions:`).
# Example: if query `policy.role.permissions:compute.disk.get`
# matches a policy binding that contains owner role, the
# matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The
# roles can also be found in the returned `policy` bindings. Note that the
# map is populated only for requests with permission queries.
class Explanation
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
# IAM permissions
# @!attribute [rw] permissions
# @return [::Array<::String>]
# A list of permissions. A sample permission string: `compute.disk.get`.
class Permissions
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# @!attribute [rw] key
# @return [::String]
# @!attribute [rw] value
# @return [::Google::Cloud::Asset::V1::IamPolicySearchResult::Explanation::Permissions]
class MatchedPermissionsEntry
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
end
end
# Represents the detailed state of an entity under analysis, such as a
# resource, an identity or an access.
# @!attribute [rw] code
# @return [::Google::Rpc::Code]
# The Google standard error code that best describes the state.
# For example:
# - OK means the analysis on this entity has been successfully finished;
# - PERMISSION_DENIED means an access denied error is encountered;
# - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
# in time;
# @!attribute [rw] cause
# @return [::String]
# The human-readable description of the cause of failure.
class IamPolicyAnalysisState
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# IAM Policy analysis result, consisting of one IAM policy binding and derived
# access control lists.
# @!attribute [rw] attached_resource_full_name
# @return [::String]
# The [full resource
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
# of the resource to which the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} policy attaches.
# @!attribute [rw] iam_binding
# @return [::Google::Iam::V1::Binding]
# The Cloud IAM policy binding under analysis.
# @!attribute [rw] access_control_lists
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>]
# The access control lists derived from the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
# potentially match resource and access selectors specified in the request.
# @!attribute [rw] identity_list
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList]
# The identity list derived from members of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} that match or
# potentially match identity selector specified in the request.
# @!attribute [rw] fully_explored
# @return [::Boolean]
# Represents whether all analyses on the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult#iam_binding iam_binding} have successfully
# finished.
class IamPolicyAnalysisResult
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
# A Google Cloud resource under analysis.
# @!attribute [rw] full_resource_name
# @return [::String]
# The [full resource
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
# @!attribute [rw] analysis_state
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
# The analysis state of this resource.
class Resource
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# An IAM role or permission under analysis.
# @!attribute [rw] role
# @return [::String]
# The role.
# @!attribute [rw] permission
# @return [::String]
# The permission.
# @!attribute [rw] analysis_state
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
# The analysis state of this access.
class Access
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# An identity under analysis.
# @!attribute [rw] name
# @return [::String]
# The identity name in any form of members appear in
# [IAM policy
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
# as:
# - user:foo@google.com
# - group:group1@google.com
# - serviceAccount:s1@prj1.iam.gserviceaccount.com
# - projectOwner:some_project_id
# - domain:google.com
# - allUsers
# - etc.
# @!attribute [rw] analysis_state
# @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
# The analysis state of this identity.
class Identity
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# A directional edge.
# @!attribute [rw] source_node
# @return [::String]
# The source node of the edge. For example, it could be a full resource
# name for a resource node or an email of an identity.
# @!attribute [rw] target_node
# @return [::String]
# The target node of the edge. For example, it could be a full resource
# name for a resource node or an email of an identity.
class Edge
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# An access control list, derived from the above IAM policy binding, which
# contains a set of resources and accesses. May include one
# item from each set to compose an access control entry.
#
# NOTICE that there could be multiple access control lists for one IAM policy
# binding. The access control lists are created based on resource and access
# combinations.
#
# For example, assume we have the following cases in one IAM policy binding:
# - Permission P1 and P2 apply to resource R1 and R2;
# - Permission P3 applies to resource R2 and R3;
#
# This will result in the following access control lists:
# - AccessControlList 1: [R1, R2], [P1, P2]
# - AccessControlList 2: [R2, R3], [P3]
# @!attribute [rw] resources
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
# The resources that match one of the following conditions:
# - The resource_selector, if it is specified in request;
# - Otherwise, resources reachable from the policy attached resource.
# @!attribute [rw] accesses
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
# The accesses that match one of the following conditions:
# - The access_selector, if it is specified in request;
# - Otherwise, access specifiers reachable from the policy binding's role.
# @!attribute [rw] resource_edges
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
# Resource edges of the graph starting from the policy attached
# resource to any descendant resources. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node} contains
# the full resource name of a parent resource and {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
# contains the full resource name of a child resource. This field is
# present only if the output_resource_edges option is enabled in request.
class AccessControlList
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
# The identities and group edges.
# @!attribute [rw] identities
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
# Only the identities that match one of the following conditions will be
# presented:
# - The identity_selector, if it is specified in request;
# - Otherwise, identities reachable from the policy binding's members.
# @!attribute [rw] group_edges
# @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
# Group identity edges of the graph starting from the binding's
# group members to any node of the {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}. The {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
# contains a group, such as `group:parent@google.com`. The
# {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node} contains a member of the group,
# such as `group:child@google.com` or `user:foo@google.com`.
# This field is present only if the output_group_edges option is enabled in
# request.
class IdentityList
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
end
end
end
end
end