1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.asset.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/cloud/orgpolicy/v1/orgpolicy.proto"; 22import "google/cloud/osconfig/v1/inventory.proto"; 23import "google/iam/v1/policy.proto"; 24import "google/identity/accesscontextmanager/v1/access_level.proto"; 25import "google/identity/accesscontextmanager/v1/access_policy.proto"; 26import "google/identity/accesscontextmanager/v1/service_perimeter.proto"; 27import "google/protobuf/struct.proto"; 28import "google/protobuf/timestamp.proto"; 29import "google/rpc/code.proto"; 30 31option cc_enable_arenas = true; 32option csharp_namespace = "Google.Cloud.Asset.V1"; 33option go_package = "cloud.google.com/go/asset/apiv1/assetpb;assetpb"; 34option java_multiple_files = true; 35option java_outer_classname = "AssetProto"; 36option java_package = "com.google.cloud.asset.v1"; 37option php_namespace = "Google\\Cloud\\Asset\\V1"; 38 39// An asset in Google Cloud and its temporal metadata, including the time window 40// when it was observed and its status during that window. 41message TemporalAsset { 42 // State of prior asset. 43 enum PriorAssetState { 44 // prior_asset is not applicable for the current asset. 45 PRIOR_ASSET_STATE_UNSPECIFIED = 0; 46 47 // prior_asset is populated correctly. 
48 PRESENT = 1; 49 50 // Failed to set prior_asset. 51 INVALID = 2; 52 53 // Current asset is the first known state. 54 DOES_NOT_EXIST = 3; 55 56 // prior_asset is a deletion. 57 DELETED = 4; 58 } 59 60 // The time window when the asset data and state was observed. 61 TimeWindow window = 1; 62 63 // Whether the asset has been deleted or not. 64 bool deleted = 2; 65 66 // An asset in Google Cloud. 67 Asset asset = 3; 68 69 // State of prior_asset. 70 PriorAssetState prior_asset_state = 4; 71 72 // Prior copy of the asset. Populated if prior_asset_state is PRESENT. 73 // Currently this is only set for responses in Real-Time Feed. 74 Asset prior_asset = 5; 75} 76 77// A time window specified by its `start_time` and `end_time`. 78message TimeWindow { 79 // Start time of the time window (exclusive). 80 google.protobuf.Timestamp start_time = 1; 81 82 // End time of the time window (inclusive). If not specified, the current 83 // timestamp is used instead. 84 google.protobuf.Timestamp end_time = 2; 85} 86 87// An asset in Google Cloud. An asset can be any resource in the Google Cloud 88// [resource 89// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 90// a resource outside the Google Cloud resource hierarchy (such as Google 91// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy), 92// or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship). 93// See [Supported asset 94// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 95// for more information. 96message Asset { 97 option (google.api.resource) = { 98 type: "cloudasset.googleapis.com/Asset" 99 pattern: "*" 100 }; 101 102 // The last update timestamp of an asset. update_time is updated when 103 // create/update/delete operation is performed. 104 google.protobuf.Timestamp update_time = 11; 105 106 // The full name of the asset. 
Example: 107 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1` 108 // 109 // See [Resource 110 // names](https://cloud.google.com/apis/design/resource_names#full_resource_name) 111 // for more information. 112 string name = 1; 113 114 // The type of the asset. Example: `compute.googleapis.com/Disk` 115 // 116 // See [Supported asset 117 // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 118 // for more information. 119 string asset_type = 2; 120 121 // A representation of the resource. 122 Resource resource = 3; 123 124 // A representation of the IAM policy set on a Google Cloud resource. 125 // There can be a maximum of one IAM policy set on any given resource. 126 // In addition, IAM policies inherit their granted access scope from any 127 // policies set on parent resources in the resource hierarchy. Therefore, the 128 // effectively policy is the union of both the policy set on this resource 129 // and each policy set on all of the resource's ancestry resource levels in 130 // the hierarchy. See 131 // [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance) 132 // for more information. 133 google.iam.v1.Policy iam_policy = 4; 134 135 // A representation of an [organization 136 // policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). 137 // There can be more than one organization policy with different constraints 138 // set on a given resource. 139 repeated google.cloud.orgpolicy.v1.Policy org_policy = 6; 140 141 // A representation of an [access 142 // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies). 143 oneof access_context_policy { 144 // Please also refer to the [access policy user 145 // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies). 
146 google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7; 147 148 // Please also refer to the [access level user 149 // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels). 150 google.identity.accesscontextmanager.v1.AccessLevel access_level = 8; 151 152 // Please also refer to the [service perimeter user 153 // guide](https://cloud.google.com/vpc-service-controls/docs/overview). 154 google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 155 9; 156 } 157 158 // A representation of runtime OS Inventory information. See [this 159 // topic](https://cloud.google.com/compute/docs/instances/os-inventory-management) 160 // for more information. 161 google.cloud.osconfig.v1.Inventory os_inventory = 12; 162 163 // DEPRECATED. This field only presents for the purpose of 164 // backward-compatibility. The server will never generate responses with this 165 // field. 166 // The related assets of the asset of one relationship type. One asset 167 // only represents one type of relationship. 168 RelatedAssets related_assets = 13 [deprecated = true]; 169 170 // One related asset of the current asset. 171 RelatedAsset related_asset = 15; 172 173 // The ancestry path of an asset in Google Cloud [resource 174 // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 175 // represented as a list of relative resource names. An ancestry path starts 176 // with the closest ancestor in the hierarchy and ends at root. If the asset 177 // is a project, folder, or organization, the ancestry path starts from the 178 // asset itself. 179 // 180 // Example: `["projects/123456789", "folders/5432", "organizations/1234"]` 181 repeated string ancestors = 10; 182} 183 184// A representation of a Google Cloud resource. 185message Resource { 186 // The API version. Example: `v1` 187 string version = 1; 188 189 // The URL of the discovery document containing the resource's JSON schema. 
190 // Example: 191 // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest` 192 // 193 // This value is unspecified for resources that do not have an API based on a 194 // discovery document, such as Cloud Bigtable. 195 string discovery_document_uri = 2; 196 197 // The JSON schema name listed in the discovery document. Example: 198 // `Project` 199 // 200 // This value is unspecified for resources that do not have an API based on a 201 // discovery document, such as Cloud Bigtable. 202 string discovery_name = 3; 203 204 // The REST URL for accessing the resource. An HTTP `GET` request using this 205 // URL returns the resource itself. Example: 206 // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123` 207 // 208 // This value is unspecified for resources without a REST API. 209 string resource_url = 4; 210 211 // The full name of the immediate parent of this resource. See 212 // [Resource 213 // Names](https://cloud.google.com/apis/design/resource_names#full_resource_name) 214 // for more information. 215 // 216 // For Google Cloud assets, this value is the parent resource defined in the 217 // [IAM policy 218 // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy). 219 // Example: 220 // `//cloudresourcemanager.googleapis.com/projects/my_project_123` 221 // 222 // For third-party assets, this field may be set differently. 223 string parent = 5; 224 225 // The content of the resource, in which some sensitive fields are removed 226 // and may not be present. 227 google.protobuf.Struct data = 6; 228 229 // The location of the resource in Google Cloud, such as its zone and region. 230 // For more information, see https://cloud.google.com/about/locations/. 231 string location = 8; 232} 233 234// DEPRECATED. This message only presents for the purpose of 235// backward-compatibility. The server will never populate this message in 236// responses. 237// The detailed related assets with the `relationship_type`. 
238message RelatedAssets { 239 option deprecated = true; 240 241 // The detailed relationship attributes. 242 RelationshipAttributes relationship_attributes = 1; 243 244 // The peer resources of the relationship. 245 repeated RelatedAsset assets = 2; 246} 247 248// DEPRECATED. This message only presents for the purpose of 249// backward-compatibility. The server will never populate this message in 250// responses. 251// The relationship attributes which include `type`, `source_resource_type`, 252// `target_resource_type` and `action`. 253message RelationshipAttributes { 254 option deprecated = true; 255 256 // The unique identifier of the relationship type. Example: 257 // `INSTANCE_TO_INSTANCEGROUP` 258 string type = 4; 259 260 // The source asset type. Example: `compute.googleapis.com/Instance` 261 string source_resource_type = 1; 262 263 // The target asset type. Example: `compute.googleapis.com/Disk` 264 string target_resource_type = 2; 265 266 // The detail of the relationship, e.g. `contains`, `attaches` 267 string action = 3; 268} 269 270// An asset identifier in Google Cloud which contains its name, type and 271// ancestors. An asset can be any resource in the Google Cloud [resource 272// hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 273// a resource outside the Google Cloud resource hierarchy (such as Google 274// Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). 275// See [Supported asset 276// types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 277// for more information. 278message RelatedAsset { 279 // The full name of the asset. Example: 280 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1` 281 // 282 // See [Resource 283 // names](https://cloud.google.com/apis/design/resource_names#full_resource_name) 284 // for more information. 
285 string asset = 1 [(google.api.resource_reference) = { 286 type: "cloudasset.googleapis.com/Asset" 287 }]; 288 289 // The type of the asset. Example: `compute.googleapis.com/Disk` 290 // 291 // See [Supported asset 292 // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) 293 // for more information. 294 string asset_type = 2; 295 296 // The ancestors of an asset in Google Cloud [resource 297 // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), 298 // represented as a list of relative resource names. An ancestry path starts 299 // with the closest ancestor in the hierarchy and ends at root. 300 // 301 // Example: `["projects/123456789", "folders/5432", "organizations/1234"]` 302 repeated string ancestors = 3; 303 304 // The unique identifier of the relationship type. Example: 305 // `INSTANCE_TO_INSTANCEGROUP` 306 string relationship_type = 4; 307} 308 309// A result of Resource Search, containing information of a cloud resource. 310// Next ID: 32 311message ResourceSearchResult { 312 // The full resource name of this resource. Example: 313 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. 314 // See [Cloud Asset Inventory Resource Name 315 // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) 316 // for more information. 317 // 318 // To search against the `name`: 319 // 320 // * Use a field query. Example: `name:instance1` 321 // * Use a free text query. Example: `instance1` 322 string name = 1; 323 324 // The type of this resource. Example: `compute.googleapis.com/Disk`. 325 // 326 // To search against the `asset_type`: 327 // 328 // * Specify the `asset_type` field in your search request. 329 string asset_type = 2; 330 331 // The project that this resource belongs to, in the form of 332 // projects/{PROJECT_NUMBER}. This field is available when the resource 333 // belongs to a project. 
334 // 335 // To search against `project`: 336 // 337 // * Use a field query. Example: `project:12345` 338 // * Use a free text query. Example: `12345` 339 // * Specify the `scope` field as this project in your search request. 340 string project = 3; 341 342 // The folder(s) that this resource belongs to, in the form of 343 // folders/{FOLDER_NUMBER}. This field is available when the resource 344 // belongs to one or more folders. 345 // 346 // To search against `folders`: 347 // 348 // * Use a field query. Example: `folders:(123 OR 456)` 349 // * Use a free text query. Example: `123` 350 // * Specify the `scope` field as this folder in your search request. 351 repeated string folders = 17; 352 353 // The organization that this resource belongs to, in the form of 354 // organizations/{ORGANIZATION_NUMBER}. This field is available when the 355 // resource belongs to an organization. 356 // 357 // To search against `organization`: 358 // 359 // * Use a field query. Example: `organization:123` 360 // * Use a free text query. Example: `123` 361 // * Specify the `scope` field as this organization in your search request. 362 string organization = 18; 363 364 // The display name of this resource. This field is available only when the 365 // resource's Protobuf contains it. 366 // 367 // To search against the `display_name`: 368 // 369 // * Use a field query. Example: `displayName:"My Instance"` 370 // * Use a free text query. Example: `"My Instance"` 371 string display_name = 4; 372 373 // One or more paragraphs of text description of this resource. Maximum length 374 // could be up to 1M bytes. This field is available only when the resource's 375 // Protobuf contains it. 376 // 377 // To search against the `description`: 378 // 379 // * Use a field query. Example: `description:"important instance"` 380 // * Use a free text query. 
Example: `"important instance"` 381 string description = 5; 382 383 // Location can be `global`, regional like `us-east1`, or zonal like 384 // `us-west1-b`. This field is available only when the resource's Protobuf 385 // contains it. 386 // 387 // To search against the `location`: 388 // 389 // * Use a field query. Example: `location:us-west*` 390 // * Use a free text query. Example: `us-west*` 391 string location = 6; 392 393 // Labels associated with this resource. See [Labelling and grouping Google 394 // Cloud 395 // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) 396 // for more information. This field is available only when the resource's 397 // Protobuf contains it. 398 // 399 // To search against the `labels`: 400 // 401 // * Use a field query: 402 // - query on any label's key or value. Example: `labels:prod` 403 // - query by a given label. Example: `labels.env:prod` 404 // - query by a given label's existence. Example: `labels.env:*` 405 // * Use a free text query. Example: `prod` 406 map<string, string> labels = 7; 407 408 // Network tags associated with this resource. Like labels, network tags are a 409 // type of annotations used to group Google Cloud resources. See [Labelling 410 // Google Cloud 411 // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources) 412 // for more information. This field is available only when the resource's 413 // Protobuf contains it. 414 // 415 // To search against the `network_tags`: 416 // 417 // * Use a field query. Example: `networkTags:internal` 418 // * Use a free text query. 
Example: `internal` 419 repeated string network_tags = 8; 420 421 // The Cloud KMS 422 // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys) 423 // name or 424 // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions) 425 // name. 426 // 427 // This field only presents for the purpose of backward compatibility. Please 428 // use the `kms_keys` field to retrieve Cloud KMS key information. This field 429 // is available only when the resource's Protobuf contains it and will only be 430 // populated for [these resource 431 // types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field) 432 // for backward compatible purposes. 433 // 434 // To search against the `kms_key`: 435 // 436 // * Use a field query. Example: `kmsKey:key` 437 // * Use a free text query. Example: `key` 438 string kms_key = 10 [deprecated = true]; 439 440 // The Cloud KMS 441 // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys) 442 // names or 443 // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions) 444 // names. This field is available only when the resource's Protobuf contains 445 // it. 446 // 447 // To search against the `kms_keys`: 448 // 449 // * Use a field query. Example: `kmsKeys:key` 450 // * Use a free text query. Example: `key` 451 repeated string kms_keys = 28; 452 453 // The create timestamp of this resource, at which the resource was created. 454 // The granularity is in seconds. Timestamp.nanos will always be 0. This field 455 // is available only when the resource's Protobuf contains it. 456 // 457 // To search against `create_time`: 458 // 459 // * Use a field query. 460 // - value in seconds since unix epoch. 
Example: `createTime > 1609459200` 461 // - value in date string. Example: `createTime > 2021-01-01` 462 // - value in date-time string (must be quoted). Example: `createTime > 463 // "2021-01-01T00:00:00"` 464 google.protobuf.Timestamp create_time = 11; 465 466 // The last update timestamp of this resource, at which the resource was last 467 // modified or deleted. The granularity is in seconds. Timestamp.nanos will 468 // always be 0. This field is available only when the resource's Protobuf 469 // contains it. 470 // 471 // To search against `update_time`: 472 // 473 // * Use a field query. 474 // - value in seconds since unix epoch. Example: `updateTime < 1609459200` 475 // - value in date string. Example: `updateTime < 2021-01-01` 476 // - value in date-time string (must be quoted). Example: `updateTime < 477 // "2021-01-01T00:00:00"` 478 google.protobuf.Timestamp update_time = 12; 479 480 // The state of this resource. Different resources types have different state 481 // definitions that are mapped from various fields of different resource 482 // types. This field is available only when the resource's Protobuf contains 483 // it. 484 // 485 // Example: 486 // If the resource is an instance provided by Compute Engine, 487 // its state will include PROVISIONING, STAGING, RUNNING, STOPPING, 488 // SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See `status` definition 489 // in [API 490 // Reference](https://cloud.google.com/compute/docs/reference/rest/v1/instances). 491 // If the resource is a project provided by Resource Manager, its state 492 // will include LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and 493 // DELETE_IN_PROGRESS. See `lifecycleState` definition in [API 494 // Reference](https://cloud.google.com/resource-manager/reference/rest/v1/projects). 495 // 496 // To search against the `state`: 497 // 498 // * Use a field query. Example: `state:RUNNING` 499 // * Use a free text query. 
Example: `RUNNING` 500 string state = 13; 501 502 // The additional searchable attributes of this resource. The attributes may 503 // vary from one resource type to another. Examples: `projectId` for Project, 504 // `dnsName` for DNS ManagedZone. This field contains a subset of the resource 505 // metadata fields that are returned by the List or Get APIs provided by the 506 // corresponding Google Cloud service (e.g., Compute Engine). see [API 507 // references and supported searchable 508 // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types) 509 // to see which fields are included. 510 // 511 // You can search values of these fields through free text search. However, 512 // you should not consume the field programically as the field names and 513 // values may change as the Google Cloud service updates to a new incompatible 514 // API version. 515 // 516 // To search against the `additional_attributes`: 517 // 518 // * Use a free text query to match the attributes values. Example: to search 519 // `additional_attributes = { dnsName: "foobar" }`, you can issue a query 520 // `foobar`. 521 google.protobuf.Struct additional_attributes = 9; 522 523 // The full resource name of this resource's parent, if it has one. 524 // To search against the `parent_full_resource_name`: 525 // 526 // * Use a field query. Example: 527 // `parentFullResourceName:"project-name"` 528 // * Use a free text query. Example: 529 // `project-name` 530 string parent_full_resource_name = 19; 531 532 // Versioned resource representations of this resource. This is repeated 533 // because there could be multiple versions of resource representations during 534 // version migration. 535 // 536 // This `versioned_resources` field is not searchable. Some attributes of the 537 // resource representations are exposed in `additional_attributes` field, so 538 // as to allow users to search on them. 
539 repeated VersionedResource versioned_resources = 16; 540 541 // Attached resources of this resource. For example, an OSConfig 542 // Inventory is an attached resource of a Compute Instance. This field is 543 // repeated because a resource could have multiple attached resources. 544 // 545 // This `attached_resources` field is not searchable. Some attributes 546 // of the attached resources are exposed in `additional_attributes` field, so 547 // as to allow users to search on them. 548 repeated AttachedResource attached_resources = 20; 549 550 // A map of related resources of this resource, keyed by the 551 // relationship type. A relationship type is in the format of 552 // {SourceType}_{ACTION}_{DestType}. Example: `DISK_TO_INSTANCE`, 553 // `DISK_TO_NETWORK`, `INSTANCE_TO_INSTANCEGROUP`. 554 // See [supported relationship 555 // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_relationship_types). 556 map<string, RelatedResources> relationships = 21; 557 558 // TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}. 559 // To search against the `tagKeys`: 560 // 561 // * Use a field query. Example: 562 // - `tagKeys:"123456789/env*"` 563 // - `tagKeys="123456789/env"` 564 // - `tagKeys:"env"` 565 // 566 // * Use a free text query. Example: 567 // - `env` 568 repeated string tag_keys = 23; 569 570 // TagValue namespaced names, in the format of 571 // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}. 572 // To search against the `tagValues`: 573 // 574 // * Use a field query. Example: 575 // - `tagValues:"env"` 576 // - `tagValues:"env/prod"` 577 // - `tagValues:"123456789/env/prod*"` 578 // - `tagValues="123456789/env/prod"` 579 // 580 // * Use a free text query. Example: 581 // - `prod` 582 repeated string tag_values = 25; 583 584 // TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. 585 // To search against the `tagValueIds`: 586 // 587 // * Use a field query. 
Example: 588 // - `tagValueIds:"456"` 589 // - `tagValueIds="tagValues/456"` 590 // 591 // * Use a free text query. Example: 592 // - `456` 593 repeated string tag_value_ids = 26; 594 595 // The type of this resource's immediate parent, if there is one. 596 // 597 // To search against the `parent_asset_type`: 598 // 599 // * Use a field query. Example: 600 // `parentAssetType:"cloudresourcemanager.googleapis.com/Project"` 601 // * Use a free text query. Example: 602 // `cloudresourcemanager.googleapis.com/Project` 603 string parent_asset_type = 103; 604} 605 606// Resource representation as defined by the corresponding service providing the 607// resource for a given API version. 608message VersionedResource { 609 // API version of the resource. 610 // 611 // Example: 612 // If the resource is an instance provided by Compute Engine v1 API as defined 613 // in `https://cloud.google.com/compute/docs/reference/rest/v1/instances`, 614 // version will be "v1". 615 string version = 1; 616 617 // JSON representation of the resource as defined by the corresponding 618 // service providing this resource. 619 // 620 // Example: 621 // If the resource is an instance provided by Compute Engine, this field will 622 // contain the JSON representation of the instance as defined by Compute 623 // Engine: 624 // `https://cloud.google.com/compute/docs/reference/rest/v1/instances`. 625 // 626 // You can find the resource definition for each supported resource type in 627 // this table: 628 // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types` 629 google.protobuf.Struct resource = 2; 630} 631 632// Attached resource representation, which is defined by the corresponding 633// service provider. It represents an attached resource's payload. 634message AttachedResource { 635 // The type of this attached resource. 
636 // 637 // Example: `osconfig.googleapis.com/Inventory` 638 // 639 // You can find the supported attached asset types of each resource in this 640 // table: 641 // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types` 642 string asset_type = 1; 643 644 // Versioned resource representations of this attached resource. This is 645 // repeated because there could be multiple versions of the attached resource 646 // representations during version migration. 647 repeated VersionedResource versioned_resources = 3; 648} 649 650// The related resources of the primary resource. 651message RelatedResources { 652 // The detailed related resources of the primary resource. 653 repeated RelatedResource related_resources = 1; 654} 655 656// The detailed related resource. 657message RelatedResource { 658 // The type of the asset. Example: `compute.googleapis.com/Instance` 659 string asset_type = 1; 660 661 // The full resource name of the related resource. Example: 662 // `//compute.googleapis.com/projects/my_proj_123/zones/instance/instance123` 663 string full_resource_name = 2; 664} 665 666// A result of IAM Policy search, containing information of an IAM policy. 667message IamPolicySearchResult { 668 // Explanation about the IAM policy search result. 669 message Explanation { 670 // IAM permissions 671 message Permissions { 672 // A list of permissions. A sample permission string: `compute.disk.get`. 673 repeated string permissions = 1; 674 } 675 676 // The map from roles to their included permissions that match the 677 // permission query (i.e., a query containing `policy.role.permissions:`). 678 // Example: if query `policy.role.permissions:compute.disk.get` 679 // matches a policy binding that contains owner role, the 680 // matched_permissions will be `{"roles/owner": ["compute.disk.get"]}`. The 681 // roles can also be found in the returned `policy` bindings. 
Note that the 682 // map is populated only for requests with permission queries. 683 map<string, Permissions> matched_permissions = 1; 684 } 685 686 // The full resource name of the resource associated with this IAM policy. 687 // Example: 688 // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. 689 // See [Cloud Asset Inventory Resource Name 690 // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) 691 // for more information. 692 // 693 // To search against the `resource`: 694 // 695 // * use a field query. Example: `resource:organizations/123` 696 string resource = 1; 697 698 // The type of the resource associated with this IAM policy. Example: 699 // `compute.googleapis.com/Disk`. 700 // 701 // To search against the `asset_type`: 702 // 703 // * specify the `asset_types` field in your search request. 704 string asset_type = 5; 705 706 // The project that the associated Google Cloud resource belongs to, in the 707 // form of projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource 708 // (like VM instance, Cloud Storage bucket), the project field will indicate 709 // the project that contains the resource. If an IAM policy is set on a folder 710 // or orgnization, this field will be empty. 711 // 712 // To search against the `project`: 713 // 714 // * specify the `scope` field as this project in your search request. 715 string project = 2; 716 717 // The folder(s) that the IAM policy belongs to, in the form of 718 // folders/{FOLDER_NUMBER}. This field is available when the IAM policy 719 // belongs to one or more folders. 720 // 721 // To search against `folders`: 722 // 723 // * use a field query. Example: `folders:(123 OR 456)` 724 // * use a free text query. Example: `123` 725 // * specify the `scope` field as this folder in your search request. 
726 repeated string folders = 6; 727 728 // The organization that the IAM policy belongs to, in the form 729 // of organizations/{ORGANIZATION_NUMBER}. This field is available when the 730 // IAM policy belongs to an organization. 731 // 732 // To search against `organization`: 733 // 734 // * use a field query. Example: `organization:123` 735 // * use a free text query. Example: `123` 736 // * specify the `scope` field as this organization in your search request. 737 string organization = 7; 738 739 // The IAM policy directly set on the given resource. Note that the original 740 // IAM policy can contain multiple bindings. This only contains the bindings 741 // that match the given query. For queries that don't contain a constrain on 742 // policies (e.g., an empty query), this contains all the bindings. 743 // 744 // To search against the `policy` bindings: 745 // 746 // * use a field query: 747 // - query by the policy contained members. Example: 748 // `policy:[email protected]` 749 // - query by the policy contained roles. Example: 750 // `policy:roles/compute.admin` 751 // - query by the policy contained roles' included permissions. Example: 752 // `policy.role.permissions:compute.instances.create` 753 google.iam.v1.Policy policy = 3; 754 755 // Explanation about the IAM policy search result. It contains additional 756 // information to explain why the search result matches the query. 757 Explanation explanation = 4; 758} 759 760// Represents the detailed state of an entity under analysis, such as a 761// resource, an identity or an access. 762message IamPolicyAnalysisState { 763 // The Google standard error code that best describes the state. 

  // The Google standard error code (`google.rpc.Code`) that best describes the
  // state of the entity. For example:
  // - OK means the analysis on this entity has been successfully finished;
  // - PERMISSION_DENIED means an access denied error is encountered;
  // - DEADLINE_EXCEEDED means the analysis on this entity hasn't been started
  //   in time.
  // NOTE(review): any code other than OK means this entity's contribution to
  // the result may be incomplete; treat such results as partial, not as
  // evidence that no access exists.
  google.rpc.Code code = 1;

  // The human-readable description of the cause of failure. Intended for
  // display; consumers should branch on `code`, not on this text.
  string cause = 2;
}

// The result of evaluating the IAM condition attached to a policy binding.
message ConditionEvaluation {
  // Value of the condition expression.
  //
  // NOTE(review): the values lack the `EVALUATION_VALUE_` prefix the proto
  // style guide recommends; renaming them would break generated code, so they
  // are kept as published.
  enum EvaluationValue {
    // Reserved for future use.
    EVALUATION_VALUE_UNSPECIFIED = 0;

    // The evaluation result is `true`.
    TRUE = 1;

    // The evaluation result is `false`.
    FALSE = 2;

    // The evaluation result is `conditional` when the condition expression
    // contains variables that are either missing input values or have not been
    // supported by Analyzer yet.
    //
    // NOTE(review): this means "undetermined", not "denied". Consumers
    // assessing exposure should assume the access may still be granted under
    // inputs the Analyzer could not evaluate.
    CONDITIONAL = 3;
  }

  // The evaluation result.
  EvaluationValue evaluation_value = 1;
}

// IAM Policy analysis result, consisting of one IAM policy binding and derived
// access control lists.
message IamPolicyAnalysisResult {
  // A Google Cloud resource under analysis.
  message Resource {
    // The [full resource
    // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
    // of this resource.
    string full_resource_name = 1;

    // The analysis state of this resource. A code other than OK means the
    // resource could not be fully analyzed.
    IamPolicyAnalysisState analysis_state = 2;
  }

  // An IAM role or permission under analysis.
  message Access {
    // Exactly one of `role` or `permission` is set.
    oneof oneof_access {
      // The role.
      string role = 1;

      // The permission.
      string permission = 2;
    }

    // The analysis state of this access. A code other than OK means the
    // access could not be fully analyzed.
    IamPolicyAnalysisState analysis_state = 3;
  }

  // An identity under analysis.
  message Identity {
    // The identity name, in any of the forms members take in an
    // [IAM policy
    // binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
    // as (sample values):
    // - user:alice@example.com
    // - group:admins@example.com
    // - serviceAccount:my-sa@my-project.iam.gserviceaccount.com
    // - projectOwner:some_project_id
    // - domain:google.com
    // - allUsers
    // - etc.
    string name = 1;

    // The analysis state of this identity. A code other than OK means the
    // identity could not be fully analyzed.
    IamPolicyAnalysisState analysis_state = 2;
  }

  // A directional edge. Nodes are identified only by their string names: for
  // resource edges these are full resource names; for group edges they are
  // member strings including their prefix (e.g. `group:`, `user:`).
  message Edge {
    // The source node of the edge. For example, it could be a full resource
    // name for a resource node or an email of an identity.
    string source_node = 1;

    // The target node of the edge. For example, it could be a full resource
    // name for a resource node or an email of an identity.
    string target_node = 2;
  }

  // An access control list, derived from the above IAM policy binding, which
  // contains a set of resources and accesses. Any one item from each set can
  // be combined to form an access control entry, i.e. every listed access
  // applies to every listed resource.
  //
  // NOTICE that there could be multiple access control lists for one IAM policy
  // binding. The access control lists are created based on resource and access
  // combinations.
  //
  // For example, assume we have the following cases in one IAM policy binding:
  // - Permission P1 and P2 apply to resource R1 and R2;
  // - Permission P3 applies to resource R2 and R3;
  //
  // This will result in the following access control lists:
  // - AccessControlList 1: [R1, R2], [P1, P2]
  // - AccessControlList 2: [R2, R3], [P3]
  message AccessControlList {
    // The resources that match one of the following conditions:
    // - The resource_selector, if it is specified in request;
    // - Otherwise, resources reachable from the policy attached resource.
    repeated Resource resources = 1;

    // The accesses that match one of the following conditions:
    // - The access_selector, if it is specified in request;
    // - Otherwise, access specifiers reachable from the policy binding's role.
    repeated Access accesses = 2;

    // Resource edges of the graph starting from the policy attached
    // resource to any descendant resources. The
    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
    // contains the full resource name of a parent resource and
    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
    // contains the full resource name of a child resource. This field is
    // present only if the output_resource_edges option is enabled in request.
    repeated Edge resource_edges = 3;

    // Condition evaluation for this AccessControlList, if there is a condition
    // defined in the above IAM policy binding. Unset when the binding has no
    // condition. When set, see `ConditionEvaluation.EvaluationValue` for how
    // to interpret the result, in particular CONDITIONAL.
    ConditionEvaluation condition_evaluation = 4;
  }

  // The identities and group edges.
  message IdentityList {
    // Only the identities that match one of the following conditions will be
    // presented:
    // - The identity_selector, if it is specified in request;
    // - Otherwise, identities reachable from the policy binding's members.
    repeated Identity identities = 1;

    // Group identity edges of the graph starting from the binding's
    // group members to any node of the
    // [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities].
    // The
    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
    // contains a group, such as `group:parent@example.com` (sample value). The
    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
    // contains a member of the group, such as `group:child@example.com` or
    // `user:member@example.com` (sample values). This field is present only if
    // the output_group_edges option is enabled in request.
    repeated Edge group_edges = 2;
  }

  // The [full resource
  // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  // of the resource to which the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // policy attaches.
  string attached_resource_full_name = 1;

  // The IAM policy binding under analysis.
  google.iam.v1.Binding iam_binding = 2;

  // The access control lists derived from the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match resource and access selectors specified in
  // the request.
  repeated AccessControlList access_control_lists = 3;

  // The identity list derived from members of the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // that match or potentially match identity selector specified in the request.
  IdentityList identity_list = 4;

  // Represents whether all analyses on the
  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
  // have successfully finished.
  //
  // NOTE(review): when false, `access_control_lists` and `identity_list` may
  // be incomplete. Inspect the `analysis_state` of each Resource, Access and
  // Identity for the failing code before drawing conclusions about who can
  // access what.
  bool fully_explored = 5;
}