// Copyright 2020 Google LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

/* eslint-disable @typescript-eslint/no-explicit-any */
/* eslint-disable @typescript-eslint/no-unused-vars */
/* eslint-disable @typescript-eslint/no-empty-interface */
/* eslint-disable @typescript-eslint/no-namespace */
/* eslint-disable no-irregular-whitespace */

import {
  OAuth2Client,
  JWT,
  Compute,
  UserRefreshClient,
  BaseExternalAccountClient,
  GaxiosResponseWithHTTP2,
  GoogleConfigurable,
  createAPIRequest,
  MethodOptions,
  StreamMethodOptions,
  GlobalOptions,
  GoogleAuth,
  BodyResponseCallback,
  APIRequestContext,
} from 'googleapis-common';
import {Readable} from 'stream';

/**
 * Generated client for the Cloud Asset API, version v1.
 *
 * The `Schema$*` interfaces below mirror the API's JSON wire format: every
 * field is optional and scalar fields may also be `null`, so a consumer must
 * null-check a value before relying on it (for example, an absent
 * `iamPolicy` is not the same as an empty one).
 */
export namespace cloudasset_v1 {
  export interface Options extends GlobalOptions {
    version: 'v1';
  }

  /**
   * Parameters accepted by every method of this client in addition to the
   * method-specific ones.
   *
   * NOTE(review): `access_token`, `oauth_token` and `key` are credentials that
   * travel with each request (presumably as query parameters — confirm in
   * googleapis-common). Prefer supplying an auth client through `auth` and
   * keep these raw strings out of logs, URLs and committed configuration.
   */
  interface StandardParameters {
    /**
     * Auth client or API Key for the request
     */
    auth?:
      | string
      | OAuth2Client
      | JWT
      | Compute
      | UserRefreshClient
      | BaseExternalAccountClient
      | GoogleAuth;

    /**
     * V1 error format.
     */
    '$.xgafv'?: string;
    /**
     * OAuth access token.
     */
    access_token?: string;
    /**
     * Data format for response.
     */
    alt?: string;
    /**
     * JSONP
     *
     * NOTE(review): a JSONP response is delivered as script that invokes the
     * named callback; never populate this from untrusted input.
     */
    callback?: string;
    /**
     * Selector specifying which fields to include in a partial response.
     */
    fields?: string;
    /**
     * API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
     */
    key?: string;
    /**
     * OAuth 2.0 token for the current user.
     */
    oauth_token?: string;
    /**
     * Returns response with indentations and line breaks.
     */
    prettyPrint?: boolean;
    /**
     * Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
     */
    quotaUser?: string;
    /**
     * Legacy upload protocol for media (e.g. "media", "multipart").
     */
    uploadType?: string;
    /**
     * Upload protocol for media (e.g. "raw", "multipart").
     */
    upload_protocol?: string;
  }

  /**
   * Cloud Asset API
   *
   * The Cloud Asset API manages the history and inventory of Google Cloud resources.
   *
   * Root client object. The constructor builds one `APIRequestContext` from
   * the caller's options and hands the same context to every resource group
   * (`assets`, `feeds`, ...), so auth and global options are configured once.
   *
   * @example
   * ```js
   * const {google} = require('googleapis');
   * const cloudasset = google.cloudasset('v1');
   * ```
   */
  export class Cloudasset {
    context: APIRequestContext;
    assets: Resource$Assets;
    effectiveIamPolicies: Resource$Effectiveiampolicies;
    feeds: Resource$Feeds;
    operations: Resource$Operations;
    savedQueries: Resource$Savedqueries;
    v1: Resource$V1;

    /**
     * @param options Global request options (auth, endpoint, ...); a falsy
     *   value is replaced by an empty object.
     * @param google Optional parent configurable passed through in the context.
     */
    constructor(options: GlobalOptions, google?: GoogleConfigurable) {
      this.context = {
        _options: options || {},
        google,
      };

      // Every resource group shares the single context built above.
      this.assets = new Resource$Assets(this.context);
      this.effectiveIamPolicies = new Resource$Effectiveiampolicies(
        this.context
      );
      this.feeds = new Resource$Feeds(this.context);
      this.operations = new Resource$Operations(this.context);
      this.savedQueries = new Resource$Savedqueries(this.context);
      this.v1 = new Resource$V1(this.context);
    }
  }

  /**
   * Specifies roles and/or permissions to analyze, to determine both the identities possessing them and the resources they control. If multiple values are specified, results will include roles or permissions matching any of them. The total number of roles and permissions should be equal or less than 10.
   */
  export interface Schema$AccessSelector {
    /**
     * Optional. The permissions to appear in result.
     */
    permissions?: string[] | null;
    /**
     * Optional. The roles to appear in result.
*/
    roles?: string[] | null;
  }

  /**
   * Represents the metadata of the longrunning operation for the AnalyzeIamPolicyLongrunning RPC.
   */
  export interface Schema$AnalyzeIamPolicyLongrunningMetadata {
    /**
     * Output only. The time the operation was created.
     */
    createTime?: string | null;
  }

  /**
   * A request message for AssetService.AnalyzeIamPolicyLongrunning.
   */
  export interface Schema$AnalyzeIamPolicyLongrunningRequest {
    /**
     * Required. The request query.
     */
    analysisQuery?: Schema$IamPolicyAnalysisQuery;
    /**
     * Required. Output configuration indicating where the results will be output to.
     *
     * NOTE(review): the analysis output enumerates which identities hold which
     * roles/permissions on which resources; treat the destination as sensitive
     * and restrict who can read it.
     */
    outputConfig?: Schema$IamPolicyAnalysisOutputConfig;
    /**
     * Optional. The name of a saved query, which must be in the format of: * projects/project_number/savedQueries/saved_query_id * folders/folder_number/savedQueries/saved_query_id * organizations/organization_number/savedQueries/saved_query_id If both `analysis_query` and `saved_analysis_query` are provided, they will be merged together with the `saved_analysis_query` as base and the `analysis_query` as overrides. For more details of the merge behavior, refer to the [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details) doc. Note that you cannot override primitive fields with default value, such as 0 or empty string, etc., because we use proto3, which doesn't support field presence yet.
     *
     * NOTE(review): a consequence of the merge rule above is that a boolean
     * option set to `true` in the saved query cannot be switched back to
     * `false` through `analysisQuery` (false is the proto3 default); edit the
     * saved query itself instead of relying on an override.
     */
    savedAnalysisQuery?: string | null;
  }

  /**
   * A response message for AssetService.AnalyzeIamPolicyLongrunning.
   */
  export interface Schema$AnalyzeIamPolicyLongrunningResponse {}

  /**
   * A response message for AssetService.AnalyzeIamPolicy.
   */
  export interface Schema$AnalyzeIamPolicyResponse {
    /**
     * Represents whether all entries in the main_analysis and service_account_impersonation_analysis have been fully explored to answer the query in the request.
     *
     * NOTE(review): when this is `false` the analysis is incomplete — an empty
     * result must be treated as inconclusive rather than as proof that no
     * principal has the queried access.
     */
    fullyExplored?: boolean | null;
    /**
     * The main analysis that matches the original request.
     */
    mainAnalysis?: Schema$IamPolicyAnalysis;
    /**
     * The service account impersonation analysis if IamPolicyAnalysisQuery.Options.analyze_service_account_impersonation is enabled.
     *
     * Only populated when the impersonation option is enabled; without it,
     * access reachable through service-account impersonation chains is not
     * reflected in `mainAnalysis`.
     */
    serviceAccountImpersonationAnalysis?: Schema$IamPolicyAnalysis[];
  }

  /**
   * The response message for resource move analysis.
   */
  export interface Schema$AnalyzeMoveResponse {
    /**
     * The list of analyses returned from performing the intended resource move analysis. The analysis is grouped by different Google Cloud services.
     */
    moveAnalysis?: Schema$MoveAnalysis[];
  }

  /**
   * The response message for AssetService.AnalyzeOrgPolicies.
   */
  export interface Schema$AnalyzeOrgPoliciesResponse {
    /**
     * The definition of the constraint in the request.
     */
    constraint?: Schema$AnalyzerOrgPolicyConstraint;
    /**
     * The page token to fetch the next page for AnalyzeOrgPoliciesResponse.org_policy_results.
     */
    nextPageToken?: string | null;
    /**
     * The organization policies under the AnalyzeOrgPoliciesRequest.scope with the AnalyzeOrgPoliciesRequest.constraint.
     */
    orgPolicyResults?: Schema$OrgPolicyResult[];
  }

  /**
   * The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.
   */
  export interface Schema$AnalyzeOrgPolicyGovernedAssetsResponse {
    /**
     * The definition of the constraint in the request.
     */
    constraint?: Schema$AnalyzerOrgPolicyConstraint;
    /**
     * The list of the analyzed governed assets.
     */
    governedAssets?: Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedAsset[];
    /**
     * The page token to fetch the next page for AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets.
     */
    nextPageToken?: string | null;
  }

  /**
   * The response message for AssetService.AnalyzeOrgPolicyGovernedContainers.
   */
  export interface Schema$AnalyzeOrgPolicyGovernedContainersResponse {
    /**
     * The definition of the constraint in the request.
     */
    constraint?: Schema$AnalyzerOrgPolicyConstraint;
    /**
     * The list of the analyzed governed containers.
     */
    governedContainers?: Schema$GoogleCloudAssetV1GovernedContainer[];
    /**
     * The page token to fetch the next page for AnalyzeOrgPolicyGovernedContainersResponse.governed_containers.
     */
    nextPageToken?: string | null;
  }

  /**
   * This organization policy message is a modified version of the one defined in the Organization Policy system. This message contains several fields defined in the original organization policy with some new fields for analysis purpose.
   *
   * NOTE(review): `reset` and `inheritFromParent: false` both make this node
   * the effective root for the constraint, discarding rules set by ancestors
   * for the whole subtree. Policies with either setting below the organization
   * are where org-level guardrails get silently undone; review them as
   * exceptions.
   */
  export interface Schema$AnalyzerOrgPolicy {
    /**
     * The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of an organization/folder/project resource where this organization policy applies to. For any user defined org policies, this field has the same value as the [attached_resource] field. Only for default policy, this field has the different value.
     */
    appliedResource?: string | null;
    /**
     * The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of an organization/folder/project resource where this organization policy is set. Notice that some type of constraints are defined with default policy. This field will be empty for them.
     */
    attachedResource?: string | null;
    /**
     * If `inherit_from_parent` is true, Rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the effective root for evaluation.
     */
    inheritFromParent?: boolean | null;
    /**
     * Ignores policies set above this resource and restores the default behavior of the constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, `rules` must be empty and `inherit_from_parent` must be set to false.
     */
    reset?: boolean | null;
    /**
     * List of rules for this organization policy.
     */
    rules?: Schema$GoogleCloudAssetV1Rule[];
  }

  /**
   * The organization policy constraint definition.
*/
  export interface Schema$AnalyzerOrgPolicyConstraint {
    /**
     * The definition of the custom constraint.
     */
    customConstraint?: Schema$GoogleCloudAssetV1CustomConstraint;
    /**
     * The definition of the canned constraint defined by Google.
     */
    googleDefinedConstraint?: Schema$GoogleCloudAssetV1Constraint;
  }

  /**
   * An asset in Google Cloud. An asset can be any resource in the Google Cloud [resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy), or a relationship (e.g. an INSTANCE_TO_INSTANCEGROUP relationship). See [Supported asset types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) for more information.
   *
   * Which of the optional payload fields (`resource`, `iamPolicy`,
   * `orgPolicy`, `accessPolicy`, ...) is populated depends on the content
   * type that was requested; unrequested payloads are simply absent.
   */
  export interface Schema$Asset {
    /**
     * Also refer to the [access level user guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
     */
    accessLevel?: Schema$GoogleIdentityAccesscontextmanagerV1AccessLevel;
    /**
     * Also refer to the [access policy user guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
     */
    accessPolicy?: Schema$GoogleIdentityAccesscontextmanagerV1AccessPolicy;
    /**
     * The ancestry path of an asset in Google Cloud [resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. If the asset is a project, folder, or organization, the ancestry path starts from the asset itself. Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
     */
    ancestors?: string[] | null;
    /**
     * The exceptions of a resource.
     */
    assetExceptions?: Schema$AssetException[];
    /**
     * The type of the asset. Example: `compute.googleapis.com/Disk` See [Supported asset types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) for more information.
     */
    assetType?: string | null;
    /**
     * A representation of the IAM policy set on a Google Cloud resource. There can be a maximum of one IAM policy set on any given resource. In addition, IAM policies inherit their granted access scope from any policies set on parent resources in the resource hierarchy. Therefore, the effective policy is the union of both the policy set on this resource and each policy set on all of the resource's ancestry resource levels in the hierarchy. See [this topic](https://cloud.google.com/iam/help/allow-policies/inheritance) for more information.
     *
     * NOTE(review): this is only the policy attached directly to the asset.
     * Grants inherited from `ancestors` are not included here, so "who can
     * access this resource" must be answered from the effective policy (see
     * Schema$EffectiveIamPolicy), not from this field alone.
     */
    iamPolicy?: Schema$Policy;
    /**
     * The full name of the asset. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1` See [Resource names](https://cloud.google.com/apis/design/resource_names#full_resource_name) for more information.
     */
    name?: string | null;
    /**
     * A representation of an [organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). There can be more than one organization policy with different constraints set on a given resource.
     */
    orgPolicy?: Schema$GoogleCloudOrgpolicyV1Policy[];
    /**
     * A representation of runtime OS Inventory information. See [this topic](https://cloud.google.com/compute/docs/instances/os-inventory-management) for more information.
     */
    osInventory?: Schema$Inventory;
    /**
     * One related asset of the current asset.
     */
    relatedAsset?: Schema$RelatedAsset;
    /**
     * DEPRECATED. This field only presents for the purpose of backward-compatibility. The server will never generate responses with this field. The related assets of the asset of one relationship type. One asset only represents one type of relationship.
     *
     * @deprecated Never populated by the server; read `relatedAsset` instead.
     */
    relatedAssets?: Schema$RelatedAssets;
    /**
     * A representation of the resource.
     */
    resource?: Schema$Resource;
    /**
     * Also refer to the [service perimeter user guide](https://cloud.google.com/vpc-service-controls/docs/overview).
     */
    servicePerimeter?: Schema$GoogleIdentityAccesscontextmanagerV1ServicePerimeter;
    /**
     * The last update timestamp of an asset. update_time is updated when create/update/delete operation is performed.
     */
    updateTime?: string | null;
  }

  /**
   * The enhanced metadata information for a resource.
   */
  export interface Schema$AssetEnrichment {
    /**
     * The resource owners for a resource. Note that this field only contains the members that have "roles/owner" role in the resource's IAM Policy.
     *
     * NOTE(review): principals holding editor, admin or custom roles are not
     * listed here, so this is not a complete answer to "who controls this
     * resource"; use it for contact/ownership lookup, not for access review.
     */
    resourceOwners?: Schema$ResourceOwners;
  }

  /**
   * An exception of an asset.
   */
  export interface Schema$AssetException {
    /**
     * The details of the exception.
     */
    details?: string | null;
    /**
     * The type of exception.
     */
    exceptionType?: string | null;
  }

  /**
   * Attached resource representation, which is defined by the corresponding service provider. It represents an attached resource's payload.
   */
  export interface Schema$AttachedResource {
    /**
     * The type of this attached resource. Example: `osconfig.googleapis.com/Inventory` You can find the supported attached asset types of each resource in this table: `https://cloud.google.com/asset-inventory/docs/supported-asset-types`
     */
    assetType?: string | null;
    /**
     * Versioned resource representations of this attached resource. This is repeated because there could be multiple versions of the attached resource representations during version migration.
     */
    versionedResources?: Schema$VersionedResource[];
  }

  /**
   * Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \}, { "log_type": "ADMIN_READ" \} ] \}, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" \}, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] \} ] \} ] \} For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging.
   *
   * NOTE(review): because exemptions from the `allServices` entry and from a
   * service-specific entry are unioned, an identity exempted at either level
   * produces no Data Access audit log for that log type on that service. These
   * exemptions are detection blind spots and should be enumerated in any
   * logging-coverage review.
   */
  export interface Schema$AuditConfig {
    /**
     * The configuration for logging of each type of permission.
     */
    auditLogConfigs?: Schema$AuditLogConfig[];
    /**
     * Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.
     */
    service?: string | null;
  }

  /**
   * Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \} ] \} This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
   */
  export interface Schema$AuditLogConfig {
    /**
     * Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members.
     *
     * NOTE(review): activity by these identities for `logType` is not audited
     * at all; a non-empty list on DATA_WRITE or ADMIN_READ deserves the same
     * scrutiny as a privileged role grant.
     */
    exemptedMembers?: string[] | null;
    /**
     * The log type that this config enables.
     */
    logType?: string | null;
  }

  /**
   * Batch get assets history response.
   */
  export interface Schema$BatchGetAssetsHistoryResponse {
    /**
     * A list of assets with valid time windows.
     */
    assets?: Schema$TemporalAsset[];
  }

  /**
   * A response message for AssetService.BatchGetEffectiveIamPolicies.
   */
  export interface Schema$BatchGetEffectiveIamPoliciesResponse {
    /**
     * The effective policies for a batch of resources. Note that the results order is the same as the order of BatchGetEffectiveIamPoliciesRequest.names. When a resource does not have any effective IAM policies, its corresponding policy_result will contain empty EffectiveIamPolicy.policies.
     *
     * Correlate entries with the request by index, not by searching on
     * `fullResourceName` alone.
     */
    policyResults?: Schema$EffectiveIamPolicy[];
  }

  /**
   * A BigQuery destination for exporting assets to.
   *
   * NOTE(review): an asset export is an inventory of resources and, depending
   * on the requested content type, presumably their IAM/org policies too
   * (confirm against ExportAssetsRequest.contentType). Lock down the
   * destination dataset accordingly and be aware that `force` is destructive.
   */
  export interface Schema$BigQueryDestination {
    /**
     * Required. The BigQuery dataset in format "projects/projectId/datasets/datasetId", to which the snapshot result should be exported. If this dataset does not exist, the export call returns an INVALID_ARGUMENT error. Setting the `contentType` for `exportAssets` determines the [schema](/asset-inventory/docs/exporting-to-bigquery#bigquery-schema) of the BigQuery table. Setting `separateTablesPerAssetType` to `TRUE` also influences the schema.
     */
    dataset?: string | null;
    /**
     * If the destination table already exists and this flag is `TRUE`, the table will be overwritten by the contents of assets snapshot. If the flag is `FALSE` or unset and the destination table already exists, the export call returns an INVALID_ARGUMENT error.
     *
     * Overwrite semantics: with `force` set, a prior snapshot in the same
     * table is lost (for partitioned tables only the matching partition is
     * replaced — see `partitionSpec`). Leave unset when the table is a
     * retained evidence source.
     */
    force?: boolean | null;
    /**
     * [partition_spec] determines whether to export to partitioned table(s) and how to partition the data. If [partition_spec] is unset or [partition_spec.partition_key] is unset or `PARTITION_KEY_UNSPECIFIED`, the snapshot results will be exported to non-partitioned table(s). [force] will decide whether to overwrite existing table(s). If [partition_spec] is specified. First, the snapshot results will be written to partitioned table(s) with two additional timestamp columns, readTime and requestTime, one of which will be the partition key. Secondly, in the case when any destination table already exists, it will first try to update existing table's schema as necessary by appending additional columns. Then, if [force] is `TRUE`, the corresponding partition will be overwritten by the snapshot results (data in different partitions will remain intact); if [force] is unset or `FALSE`, it will append the data. An error will be returned if the schema update or data appension fails.
     */
    partitionSpec?: Schema$PartitionSpec;
    /**
     * If this flag is `TRUE`, the snapshot results will be written to one or multiple tables, each of which contains results of one asset type. The [force] and [partition_spec] fields will apply to each of them. Field [table] will be concatenated with "_" and the asset type names (see https://cloud.google.com/asset-inventory/docs/supported-asset-types for supported asset types) to construct per-asset-type table names, in which all non-alphanumeric characters like "." and "/" will be substituted by "_". Example: if field [table] is "mytable" and snapshot results contain "storage.googleapis.com/Bucket" assets, the corresponding table name will be "mytable_storage_googleapis_com_Bucket". If any of these tables does not exist, a new table with the concatenated name will be created. When [content_type] in the ExportAssetsRequest is `RESOURCE`, the schema of each table will include RECORD-type columns mapped to the nested fields in the Asset.resource.data field of that asset type (up to the 15 nested level BigQuery supports (https://cloud.google.com/bigquery/docs/nested-repeated#limitations)). The fields in \>15 nested levels will be stored in JSON format string as a child column of its parent RECORD column.
If error occurs when exporting to any table, the whole export call will return an error but the export results that already succeed will persist. Example: if exporting to table_type_A succeeds when exporting to table_type_B fails during one export call, the results in table_type_A will persist and there will not be partial results persisting in a table.
     *
     * Note the partial-success behaviour: a failed export can still leave
     * some per-type tables written, so callers must not assume "error" means
     * "nothing was exported".
     */
    separateTablesPerAssetType?: boolean | null;
    /**
     * Required. The BigQuery table to which the snapshot result should be written. If this table does not exist, a new table with the given name will be created.
     */
    table?: string | null;
  }

  /**
   * Associates `members`, or principals, with a `role`.
   *
   * NOTE(review): when reviewing bindings, the members that warrant a
   * mandatory second look are `allUsers` (anonymous internet access),
   * `allAuthenticatedUsers` (any Google account or service account, not just
   * your organization), `domain:` entries, and any `deleted:` entry — see the
   * `members` documentation for why deleted principals are not inert.
   */
  export interface Schema$Binding {
    /**
     * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
     *
     * A conditional binding is not an unconditional grant: tooling that
     * evaluates access from a policy must supply the request context (e.g.
     * Schema$ConditionContext.accessTime) or report the binding as
     * conditional rather than as granted/denied.
     */
    condition?: Schema$Expr;
    /**
     * Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid\}.svc.id.goog[{namespace\}/{kubernetes-sa\}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid\}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/subject/{subject_attribute_value\}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/group/{group_id\}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/attribute.{attribute_name\}/{attribute_value\}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/x`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/subject/{subject_attribute_value\}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/group/{group_id\}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/attribute.{attribute_name\}/{attribute_value\}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/x`: All identities in a workload identity pool. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/subject/{subject_attribute_value\}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
     *
     * NOTE(review): `deleted:` members are not dead weight — per the text
     * above, undeleting the user/service account/group restores the binding
     * with its role intact. Remove stale `deleted:` bindings rather than
     * leaving them in place, and treat a `/x` (all identities in a pool)
     * principalSet as a pool-wide grant.
     */
    members?: string[] | null;
    /**
     * Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles).
     */
    role?: string | null;
  }

  /**
   * The IAM conditions context.
   */
  export interface Schema$ConditionContext {
    /**
     * The hypothetical access timestamp to evaluate IAM conditions. Note that this value must not be earlier than the current time; otherwise, an INVALID_ARGUMENT error will be returned.
     *
     * Only future (or present) timestamps are accepted, so this cannot be
     * used to reconstruct what a time-bound condition granted in the past.
     */
    accessTime?: string | null;
  }

  /**
   * The condition evaluation.
   */
  export interface Schema$ConditionEvaluation {
    /**
     * The evaluation result.
     */
    evaluationValue?: string | null;
  }

  /**
   * Create asset feed request.
   */
  export interface Schema$CreateFeedRequest {
    /**
     * Required. The feed details. The field `name` must be empty and it will be generated in the format of: projects/project_number/feeds/feed_id folders/folder_number/feeds/feed_id organizations/organization_number/feeds/feed_id
     */
    feed?: Schema$Feed;
    /**
     * Required. This is the client-assigned asset feed identifier and it needs to be unique under a specific parent project/folder/organization.
     */
    feedId?: string | null;
  }

  /**
   * Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp
   *
   * A zero in any component means "unspecified", so callers must check for 0
   * before treating the value as a real calendar date.
   */
  export interface Schema$Date {
    /**
     * Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
     */
    day?: number | null;
    /**
     * Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
     */
    month?: number | null;
    /**
     * Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
     */
    year?: number | null;
  }

  /**
   * The effective IAM policies on one resource.
*/
export interface Schema$EffectiveIamPolicy {
  /**
   * The [full_resource_name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
   * the policies were computed for; one of the
   * BatchGetEffectiveIamPoliciesRequest.names supplied by the caller.
   */
  fullResourceName?: string | null;
  /**
   * The effective policies for full_resource_name: the policy set directly on
   * it plus those set on its parents and ancestors, up to
   * BatchGetEffectiveIamPoliciesRequest.scope. Ordered by
   * PolicyInfo.attached_resource from full_resource_name outward, so that
   * policies[i]'s attached_resource is the child of policies[i+1]'s whenever
   * policies[i+1] exists.
   *
   * Note that the list is NOT filtered by the resource type of
   * full_resource_name, so callers doing access review must not assume that
   * every binding returned here is meaningful for this resource type.
   */
  policies?: Schema$PolicyInfo[];
}
/**
 * The effective tags on a resource together with the ancestor resource they
 * were inherited from.
 */
export interface Schema$EffectiveTagDetails {
  /**
   * The [full resource name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
   * of the ancestor from which effective_tags are inherited, per
   * [tag inheritance](https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance).
   */
  attachedResource?: string | null;
  /**
   * The effective tags inherited from attached_resource. Tags sharing a key
   * but differing in value may be attached at different hierarchy levels; the
   * value set lower in the hierarchy overrides the higher one for that key,
   * and the higher-level value is dropped from the effective set. See
   * [tag inheritance](https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance).
   */
  effectiveTags?: Schema$Tag[];
}
/**
 * A generic empty message, reusable as the request or response type of an RPC
 * that carries no payload. For instance:
 * service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); \}
 */
export interface Schema$Empty {}
/**
 * Explanation attached to an IAM policy search result.
 */
export interface Schema$Explanation {
  /**
   * Map from role name to the permissions of that role which matched the
   * permission query (a query containing `policy.role.permissions:`). For
   * example, if `policy.role.permissions:compute.disk.get` matches a binding
   * that grants the owner role, the entry is
   * `{"roles/owner": ["compute.disk.get"]\}`. The same roles also appear in
   * the returned `policy` bindings. Populated only for requests that contain a
   * permission query.
   */
  matchedPermissions?: {[key: string]: Schema$Permissions} | null;
}
/**
 * Request body for exporting an asset snapshot.
 */
export interface Schema$ExportAssetsRequest {
  /**
   * Asset types to snapshot, e.g. "compute.googleapis.com/Disk". Regular
   * expressions are accepted: "compute.googleapis.com.*" matches types
   * starting with that prefix, ".*Instance" types ending in "Instance" and
   * ".*Instance.*" types containing it; see
   * [RE2](https://github.com/google/re2/wiki/Syntax) for the supported
   * syntax. A pattern that matches no supported asset type yields
   * INVALID_ARGUMENT. When omitted, every asset type is snapshotted. Supported
   * types are listed in the
   * [Introduction to Cloud Asset Inventory](https://cloud.google.com/asset-inventory/docs/overview).
   */
  assetTypes?: string[] | null;
  /**
   * Asset content type. When unset, only the asset name is returned, with no
   * content.
   */
  contentType?: string | null;
  /**
   * Required. Where the export is written.
   *
   * NOTE(review): depending on content_type the export presumably carries
   * resource metadata and/or IAM policy data, so the destination should be
   * access-controlled like any other inventory of your environment — confirm
   * against the content type values documented elsewhere in this file.
   */
  outputConfig?: Schema$OutputConfig;
  /**
   * Timestamp at which to take the snapshot. Must lie between the current
   * time and the current time minus 35 days (inclusive); defaults to the
   * current time. Because resource data collection and indexing are delayed,
   * there is a volatile window during which re-running the same query may
   * return different results — for audit or forensic use, expect a snapshot
   * taken at a very recent readTime to be incomplete until that window has
   * passed.
   */
  readTime?: string | null;
  /**
   * Relationship types to export, e.g. `INSTANCE_TO_INSTANCEGROUP`. Only
   * meaningful when content_type=RELATIONSHIP. If specified, exactly those
   * relationships are snapshotted; an error is returned if a listed type is
   * not supported for the [asset_types], or an asset type is not a source
   * type of a listed relationship. Otherwise every supported relationship of
   * the [asset_types] is snapshotted, or an error is returned if one of them
   * has no relationship support. An unspecified asset_types means all
   * supported asset types. Supported asset and relationship types are listed
   * in the [Introduction to Cloud Asset Inventory](https://cloud.google.com/asset-inventory/docs/overview).
   */
  relationshipTypes?: string[] | null;
}
/**
 * A textual expression in Common Expression Language (CEL) syntax. CEL is a
 * C-like expression language; its syntax and semantics are documented at
 * https://github.com/google/cel-spec.
Example (Comparison):
 *   title: "Summary size limit"
 *   description: "Determines if a summary is less than 100 chars"
 *   expression: "document.summary.size() < 100"
 * Example (Equality):
 *   title: "Requestor is owner"
 *   description: "Determines if requestor is the document owner"
 *   expression: "document.owner == request.auth.claims.email"
 * Example (Logic):
 *   title: "Public documents"
 *   description: "Determine whether the document should be publicly visible"
 *   expression: "document.type != 'private' && document.type != 'internal'"
 * Example (Data Manipulation):
 *   title: "Notification string"
 *   description: "Create a notification string with a timestamp."
 *   expression: "'New message received at ' + string(document.create_time)"
 * Which variables and functions an expression may reference is decided by
 * the service that evaluates it; see that service's documentation.
 */
export interface Schema$Expr {
  /**
   * Optional. Longer description of the expression, e.g. shown when hovering
   * over it in a UI.
   */
  description?: string | null;
  /**
   * The expression text, in Common Expression Language syntax.
   *
   * NOTE(review): this is interpreted server-side as filter logic; build it
   * from reviewed templates rather than from untrusted input, since a
   * changed expression changes what the consuming service lets through.
   */
  expression?: string | null;
  /**
   * Optional. Location of the expression for error reporting, e.g. a file
   * name and a position within it.
   */
  location?: string | null;
  /**
   * Optional. Short title describing the expression's purpose, e.g. for UIs
   * that let users enter expressions.
   */
  title?: string | null;
}
/**
 * An asset feed exports asset updates to a destination; its filter controls
 * which updates are exported. A feed is created within a project,
 * organization or folder. Supported destinations: Pub/Sub topics.
 */
export interface Schema$Feed {
  /**
   * Full names of the assets to receive updates for. At least one of
   * asset_names and asset_types must be set; only updates matching one of
   * them are exported. Example:
   * `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
   * Full-name formats for supported asset types are given in
   * [Resource name format](/asset-inventory/docs/resource-name-format).
   */
  assetNames?: string[] | null;
  /**
   * Asset types to receive updates for. At least one of asset_names and
   * asset_types must be set; only updates matching one of them are exported.
   * Example: `"compute.googleapis.com/Disk"`. All supported types are listed
   * in [Supported asset types](/asset-inventory/docs/supported-asset-types).
   */
  assetTypes?: string[] | null;
  /**
   * Condition deciding whether an asset update is published: when set, an
   * update is published only if the expression evaluates to true. The
   * `expression` field of the `Expr` must be a valid
   * [CEL expression](https://github.com/google/cel-spec) over a TemporalAsset
   * named `temporal_asset`; e.g. a feed with expression
   * ("temporal_asset.deleted == true") publishes only asset deletions. The
   * other `Expr` fields are optional. See the
   * [user guide](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes-with-condition)
   * for details.
   *
   * NOTE(review): updates that do not match the condition are simply not
   * published, so a feed used for security monitoring should have this
   * filter reviewed as carefully as the destination topic's access control.
   */
  condition?: Schema$Expr;
  /**
   * Asset content type. When unset, only the asset name and type are
   * returned, with no content.
   */
  contentType?: string | null;
  /**
   * Required. Where asset updates are published.
   */
  feedOutputConfig?: Schema$FeedOutputConfig;
  /**
   * Required. One of
   * projects/{project_number\}/feeds/{client-assigned_feed_identifier\},
   * folders/{folder_number\}/feeds/{client-assigned_feed_identifier\} or
   * organizations/{organization_number\}/feeds/{client-assigned_feed_identifier\}.
   * The client-assigned identifier must be unique within the parent
   * project, folder or organization.
   */
  name?: string | null;
  /**
   * Relationship types to output, e.g. `INSTANCE_TO_INSTANCEGROUP`. Only
   * meaningful when content_type=RELATIONSHIP. If specified, exactly those
   * relationship updates on the [asset_names] or [asset_types] are output;
   * an error is returned if a listed type is not supported for them, or if
   * one of the [asset_names] or [asset_types] is not a source type of a
   * listed relationship. Otherwise every supported relationship of the
   * asset_names' and asset_types' types is output, or an error is returned
   * if one of them has no relationship support. Supported asset and
   * relationship types are listed in the
   * [Introduction to Cloud Asset Inventory](https://cloud.google.com/asset-inventory/docs/overview).
   */
  relationshipTypes?: string[] | null;
}
/**
 * Destination configuration for an asset feed.
 */
export interface Schema$FeedOutputConfig {
  /**
   * Pub/Sub destination.
   */
  pubsubDestination?: Schema$PubsubDestination;
}
/**
 * A Cloud Storage location.
 */
export interface Schema$GcsDestination {
  /**
   * URI of the Cloud Storage object, in the same form gsutil uses, e.g.
   * "gs://bucket_name/object_name". See
   * [Viewing and Editing Object Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata).
   * If the object already exists and carries no
   * [hold](https://cloud.google.com/storage/docs/object-holds), it is
   * overwritten with the exported result — a mistaken or unreviewed URI can
   * therefore clobber an existing object; use a hold, or a bucket dedicated
   * to exports, for data that must be preserved.
   */
  uri?: string | null;
  /**
   * URI prefix for all generated objects, e.g.
   * "gs://bucket_name/object_name_prefix". Each object URI has the form
   * "gs://bucket_name/object_name_prefix/<asset type>/<shard number>" and
   * contains only assets of that type; shard numbers start from 0.
Example: "gs://bucket_name/object_name_prefix/compute.googleapis.com/Disk/0" is the first shard of output objects containing all compute.googleapis.com/Disk assets. An INVALID_ARGUMENT error will be returned if file with the same name "gs://bucket_name/object_name_prefix" already exists. */ uriPrefix?: string | null; } /** * An IAM role or permission under analysis. */ export interface Schema$GoogleCloudAssetV1Access { /** * The analysis state of this access. */ analysisState?: Schema$IamPolicyAnalysisState; /** * The permission. */ permission?: string | null; /** * The role. */ role?: string | null; } /** * An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry. NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations. For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3] */ export interface Schema$GoogleCloudAssetV1AccessControlList { /** * The accesses that match one of the following conditions: - The access_selector, if it is specified in request; - Otherwise, access specifiers reachable from the policy binding's role. */ accesses?: Schema$GoogleCloudAssetV1Access[]; /** * Condition evaluation for this AccessControlList, if there is a condition defined in the above IAM policy binding. */ conditionEvaluation?: Schema$ConditionEvaluation; /** * Resource edges of the graph starting from the policy attached resource to any descendant resources. 
The Edge.source_node contains the full resource name of a parent resource and Edge.target_node contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request. */ resourceEdges?: Schema$GoogleCloudAssetV1Edge[]; /** * The resources that match one of the following conditions: - The resource_selector, if it is specified in request; - Otherwise, resources reachable from the policy attached resource. */ resources?: Schema$GoogleCloudAssetV1Resource[]; } /** * Represents a Google Cloud asset(resource or IAM policy) governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. */ export interface Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedAsset { /** * The consolidated policy for the analyzed asset. The consolidated policy is computed by merging and evaluating AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle. The evaluation will respect the organization policy [hierarchy rules](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy). */ consolidatedPolicy?: Schema$AnalyzerOrgPolicy; /** * An IAM policy governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. */ governedIamPolicy?: Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy; /** * A Google Cloud resource governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. */ governedResource?: Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedResource; /** * The ordered list of all organization policies from the consolidated_policy.attached_resource to the scope specified in the request. If the constraint is defined with default policy, it will also appear in the list. 
*/ policyBundle?: Schema$AnalyzerOrgPolicy[]; } /** * The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. */ export interface Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedIamPolicy { /** * The asset type of the AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource. Example: `cloudresourcemanager.googleapis.com/Project` See [Cloud Asset Inventory Supported Asset Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) for all supported asset types. */ assetType?: string | null; /** * The full resource name of the resource on which this IAM policy is set. Example: `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`. See [Cloud Asset Inventory Resource Name Format](https://cloud.google.com/asset-inventory/docs/resource-name-format) for more information. */ attachedResource?: string | null; /** * The folder(s) that this IAM policy belongs to, in the format of folders/{FOLDER_NUMBER\}. This field is available when the IAM policy belongs (directly or cascadingly) to one or more folders. */ folders?: string[] | null; /** * The organization that this IAM policy belongs to, in the format of organizations/{ORGANIZATION_NUMBER\}. This field is available when the IAM policy belongs (directly or cascadingly) to an organization. */ organization?: string | null; /** * The IAM policy directly set on the given resource. */ policy?: Schema$Policy; /** * The project that this IAM policy belongs to, in the format of projects/{PROJECT_NUMBER\}. This field is available when the IAM policy belongs to a project. */ project?: string | null; } /** * The Google Cloud resources governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. 
*/ export interface Schema$GoogleCloudAssetV1AnalyzeOrgPolicyGovernedAssetsResponseGovernedResource { /** * The asset type of the AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name Example: `cloudresourcemanager.googleapis.com/Project` See [Cloud Asset Inventory Supported Asset Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) for all supported asset types. */ assetType?: string | null; /** * The effective tags on this resource. */ effectiveTags?: Schema$EffectiveTagDetails[]; /** * The folder(s) that this resource belongs to, in the format of folders/{FOLDER_NUMBER\}. This field is available when the resource belongs (directly or cascadingly) to one or more folders. */ folders?: string[] | null; /** * The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of the Google Cloud resource. */ fullResourceName?: string | null; /** * The organization that this resource belongs to, in the format of organizations/{ORGANIZATION_NUMBER\}. This field is available when the resource belongs (directly or cascadingly) to an organization. */ organization?: string | null; /** * The [full resource name] (https://cloud.google.com/asset-inventory/docs/resource-name-format) of the parent of AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name. */ parent?: string | null; /** * The project that this resource belongs to, in the format of projects/{PROJECT_NUMBER\}. This field is available when the resource belongs t