From ff71d1a34668a0684b0ec55cf068774faf3c127f Mon Sep 17 00:00:00 2001 From: "gcf-owl-bot[bot]" <78513119+gcf-owl-bot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 06:19:55 -0500 Subject: [PATCH] feat: [google-cloud-asset] Add `asset_type` field to `GovernedIamPolicy` and `GovernedResource` (#12418) - [ ] Regenerate this pull request now. BEGIN_COMMIT_OVERRIDE feat: Add `effective_tags` field to `GovernedResource` feat: Add fields `project`, `folders`, `organization` and `effective_tags` to `GovernedContainer` feat: Add fields `project`, `folders` and `organization` to `OrgPolicyResult` feat: Add field `condition_evaluation` to `AnalyzerOrgPolicy.Rule` docs: Update comment for rpc `AnalyzeOrgPolicyGovernedAssets` to include additional canned constraints feat: Add `asset_type` field to `GovernedIamPolicy` and `GovernedResource` END_COMMIT_OVERRIDE PiperOrigin-RevId: 612934037 Source-Link: https://github.com/googleapis/googleapis/commit/324b2817686f13f17895a9dd891799d9286bb985 Source-Link: https://github.com/googleapis/googleapis-gen/commit/d50dfda07a68c654c95d63d5762e1b8d0717fbc5 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWFzc2V0Ly5Pd2xCb3QueWFtbCIsImgiOiJkNTBkZmRhMDdhNjhjNjU0Yzk1ZDYzZDU3NjJlMWI4ZDA3MTdmYmM1In0= --------- Co-authored-by: Owl Bot --- .../services/asset_service/async_client.py | 55 +++++++-- .../asset_v1/services/asset_service/client.py | 55 +++++++-- .../services/asset_service/transports/grpc.py | 55 +++++++-- .../asset_service/transports/grpc_asyncio.py | 55 +++++++-- .../cloud/asset_v1/types/asset_service.py | 109 ++++++++++++++++++ 5 files changed, 281 insertions(+), 48 deletions(-) diff --git a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/async_client.py b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/async_client.py index bdb019d5b525..a99db07ddf6f 100644 --- a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/async_client.py 
+++ b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/async_client.py 
@@ -3151,18 +3151,49 @@ async def analyze_org_policy_governed_assets( ) -> pagers.AnalyzeOrgPolicyGovernedAssetsAsyncPager: r"""Analyzes organization policies governed assets (Google Cloud resources or policies) under a scope. This RPC supports custom - constraints and the following 10 canned constraints: - - - storage.uniformBucketLevelAccess - - iam.disableServiceAccountKeyCreation - - iam.allowedPolicyMemberDomains - - compute.vmExternalIpAccess - - appengine.enforceServiceAccountActAsCheck - - gcp.resourceLocations - - compute.trustedImageProjects - - compute.skipDefaultNetworkCreation - - compute.requireOsLogin - - compute.disableNestedVirtualization + constraints and the following canned constraints: + + - constraints/ainotebooks.accessMode + - constraints/ainotebooks.disableFileDownloads + - constraints/ainotebooks.disableRootAccess + - constraints/ainotebooks.disableTerminal + - constraints/ainotebooks.environmentOptions + - constraints/ainotebooks.requireAutoUpgradeSchedule + - constraints/ainotebooks.restrictVpcNetworks + - constraints/compute.disableGuestAttributesAccess + - constraints/compute.disableInstanceDataAccessApis + - constraints/compute.disableNestedVirtualization + - constraints/compute.disableSerialPortAccess + - constraints/compute.disableSerialPortLogging + - constraints/compute.disableVpcExternalIpv6 + - constraints/compute.requireOsLogin + - constraints/compute.requireShieldedVm + - constraints/compute.restrictLoadBalancerCreationForTypes + - constraints/compute.restrictProtocolForwardingCreationForTypes + - constraints/compute.restrictXpnProjectLienRemoval + - constraints/compute.setNewProjectDefaultToZonalDNSOnly + - constraints/compute.skipDefaultNetworkCreation + - constraints/compute.trustedImageProjects + - constraints/compute.vmCanIpForward + - constraints/compute.vmExternalIpAccess + - constraints/gcp.detailedAuditLoggingMode + - constraints/gcp.resourceLocations + - constraints/iam.allowedPolicyMemberDomains + - 
constraints/iam.automaticIamGrantsForDefaultServiceAccounts + - constraints/iam.disableServiceAccountCreation + - constraints/iam.disableServiceAccountKeyCreation + - constraints/iam.disableServiceAccountKeyUpload + - constraints/iam.restrictCrossProjectServiceAccountLienRemoval + - constraints/iam.serviceAccountKeyExpiryHours + - constraints/resourcemanager.accessBoundaries + - constraints/resourcemanager.allowedExportDestinations + - constraints/sql.restrictAuthorizedNetworks + - constraints/sql.restrictNoncompliantDiagnosticDataAccess + - constraints/sql.restrictNoncompliantResourceCreation + - constraints/sql.restrictPublicIp + - constraints/storage.publicAccessPrevention + - constraints/storage.restrictAuthTypes + - constraints/storage.uniformBucketLevelAccess This RPC only returns either resources of types `supported by search diff --git a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/client.py b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/client.py index fde3fdb80c73..f8ed954798b7 100644 --- a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/client.py +++ b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/client.py 
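Review bot: The rewritten canned-constraint list in the `analyze_org_policy_governed_assets` docstring drops `appengine.enforceServiceAccountActAsCheck`, which the removed lines listed, without saying whether the RPC stopped supporting it or whether the new list is simply not exhaustive, so a caller whose governance checks key on that constraint cannot tell from the docstring what changed. Because this text is generated from the upstream proto comment the wording fix belongs upstream, but this package's release note should carry one line such as `Removed appengine.enforceServiceAccountActAsCheck from the canned constraints listed for AnalyzeOrgPolicyGovernedAssets; confirm with the service whether it is still analyzed`. The same docstring edit appears in the client.py, transports/grpc.py and transports/grpc_asyncio.py hunks. The docstring and the method body continue past the end of this hunk.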
@@ -3521,18 +3521,49 @@ def analyze_org_policy_governed_assets( ) -> pagers.AnalyzeOrgPolicyGovernedAssetsPager: r"""Analyzes organization policies governed assets (Google Cloud resources or policies) under a scope. This RPC supports custom - constraints and the following 10 canned constraints: - - - storage.uniformBucketLevelAccess - - iam.disableServiceAccountKeyCreation - - iam.allowedPolicyMemberDomains - - compute.vmExternalIpAccess - - appengine.enforceServiceAccountActAsCheck - - gcp.resourceLocations - - compute.trustedImageProjects - - compute.skipDefaultNetworkCreation - - compute.requireOsLogin - - compute.disableNestedVirtualization + constraints and the following canned constraints: + + - constraints/ainotebooks.accessMode + - constraints/ainotebooks.disableFileDownloads + - constraints/ainotebooks.disableRootAccess + - constraints/ainotebooks.disableTerminal + - constraints/ainotebooks.environmentOptions + - constraints/ainotebooks.requireAutoUpgradeSchedule + - constraints/ainotebooks.restrictVpcNetworks + - constraints/compute.disableGuestAttributesAccess + - constraints/compute.disableInstanceDataAccessApis + - constraints/compute.disableNestedVirtualization + - constraints/compute.disableSerialPortAccess + - constraints/compute.disableSerialPortLogging + - constraints/compute.disableVpcExternalIpv6 + - constraints/compute.requireOsLogin + - constraints/compute.requireShieldedVm + - constraints/compute.restrictLoadBalancerCreationForTypes + - constraints/compute.restrictProtocolForwardingCreationForTypes + - constraints/compute.restrictXpnProjectLienRemoval + - constraints/compute.setNewProjectDefaultToZonalDNSOnly + - constraints/compute.skipDefaultNetworkCreation + - constraints/compute.trustedImageProjects + - constraints/compute.vmCanIpForward + - constraints/compute.vmExternalIpAccess + - constraints/gcp.detailedAuditLoggingMode + - constraints/gcp.resourceLocations + - constraints/iam.allowedPolicyMemberDomains + - 
constraints/iam.automaticIamGrantsForDefaultServiceAccounts + - constraints/iam.disableServiceAccountCreation + - constraints/iam.disableServiceAccountKeyCreation + - constraints/iam.disableServiceAccountKeyUpload + - constraints/iam.restrictCrossProjectServiceAccountLienRemoval + - constraints/iam.serviceAccountKeyExpiryHours + - constraints/resourcemanager.accessBoundaries + - constraints/resourcemanager.allowedExportDestinations + - constraints/sql.restrictAuthorizedNetworks + - constraints/sql.restrictNoncompliantDiagnosticDataAccess + - constraints/sql.restrictNoncompliantResourceCreation + - constraints/sql.restrictPublicIp + - constraints/storage.publicAccessPrevention + - constraints/storage.restrictAuthTypes + - constraints/storage.uniformBucketLevelAccess This RPC only returns either resources of types `supported by search diff --git a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc.py b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc.py index 187fb491df27..0c134139a8ab 100644 --- a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc.py +++ b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc.py 
@@ -927,18 +927,49 @@ def analyze_org_policy_governed_assets( Analyzes organization policies governed assets (Google Cloud resources or policies) under a scope. This RPC supports custom - constraints and the following 10 canned constraints: - - - storage.uniformBucketLevelAccess - - iam.disableServiceAccountKeyCreation - - iam.allowedPolicyMemberDomains - - compute.vmExternalIpAccess - - appengine.enforceServiceAccountActAsCheck - - gcp.resourceLocations - - compute.trustedImageProjects - - compute.skipDefaultNetworkCreation - - compute.requireOsLogin - - compute.disableNestedVirtualization + constraints and the following canned constraints: + + - constraints/ainotebooks.accessMode + - constraints/ainotebooks.disableFileDownloads + - constraints/ainotebooks.disableRootAccess + - constraints/ainotebooks.disableTerminal + - constraints/ainotebooks.environmentOptions + - constraints/ainotebooks.requireAutoUpgradeSchedule + - constraints/ainotebooks.restrictVpcNetworks + - constraints/compute.disableGuestAttributesAccess + - constraints/compute.disableInstanceDataAccessApis + - constraints/compute.disableNestedVirtualization + - constraints/compute.disableSerialPortAccess + - constraints/compute.disableSerialPortLogging + - constraints/compute.disableVpcExternalIpv6 + - constraints/compute.requireOsLogin + - constraints/compute.requireShieldedVm + - constraints/compute.restrictLoadBalancerCreationForTypes + - constraints/compute.restrictProtocolForwardingCreationForTypes + - constraints/compute.restrictXpnProjectLienRemoval + - constraints/compute.setNewProjectDefaultToZonalDNSOnly + - constraints/compute.skipDefaultNetworkCreation + - constraints/compute.trustedImageProjects + - constraints/compute.vmCanIpForward + - constraints/compute.vmExternalIpAccess + - constraints/gcp.detailedAuditLoggingMode + - constraints/gcp.resourceLocations + - constraints/iam.allowedPolicyMemberDomains + - constraints/iam.automaticIamGrantsForDefaultServiceAccounts + - 
constraints/iam.disableServiceAccountCreation + - constraints/iam.disableServiceAccountKeyCreation + - constraints/iam.disableServiceAccountKeyUpload + - constraints/iam.restrictCrossProjectServiceAccountLienRemoval + - constraints/iam.serviceAccountKeyExpiryHours + - constraints/resourcemanager.accessBoundaries + - constraints/resourcemanager.allowedExportDestinations + - constraints/sql.restrictAuthorizedNetworks + - constraints/sql.restrictNoncompliantDiagnosticDataAccess + - constraints/sql.restrictNoncompliantResourceCreation + - constraints/sql.restrictPublicIp + - constraints/storage.publicAccessPrevention + - constraints/storage.restrictAuthTypes + - constraints/storage.uniformBucketLevelAccess This RPC only returns either resources of types `supported by search diff --git a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc_asyncio.py b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc_asyncio.py index 2373b9428267..75f0fee4a05e 100644 --- a/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc_asyncio.py +++ b/packages/google-cloud-asset/google/cloud/asset_v1/services/asset_service/transports/grpc_asyncio.py 
@@ -949,18 +949,49 @@ def analyze_org_policy_governed_assets( Analyzes organization policies governed assets (Google Cloud resources or policies) under a scope. This RPC supports custom - constraints and the following 10 canned constraints: - - - storage.uniformBucketLevelAccess - - iam.disableServiceAccountKeyCreation - - iam.allowedPolicyMemberDomains - - compute.vmExternalIpAccess - - appengine.enforceServiceAccountActAsCheck - - gcp.resourceLocations - - compute.trustedImageProjects - - compute.skipDefaultNetworkCreation - - compute.requireOsLogin - - compute.disableNestedVirtualization + constraints and the following canned constraints: + + - constraints/ainotebooks.accessMode + - constraints/ainotebooks.disableFileDownloads + - constraints/ainotebooks.disableRootAccess + - constraints/ainotebooks.disableTerminal + - constraints/ainotebooks.environmentOptions + - constraints/ainotebooks.requireAutoUpgradeSchedule + - constraints/ainotebooks.restrictVpcNetworks + - constraints/compute.disableGuestAttributesAccess + - constraints/compute.disableInstanceDataAccessApis + - constraints/compute.disableNestedVirtualization + - constraints/compute.disableSerialPortAccess + - constraints/compute.disableSerialPortLogging + - constraints/compute.disableVpcExternalIpv6 + - constraints/compute.requireOsLogin + - constraints/compute.requireShieldedVm + - constraints/compute.restrictLoadBalancerCreationForTypes + - constraints/compute.restrictProtocolForwardingCreationForTypes + - constraints/compute.restrictXpnProjectLienRemoval + - constraints/compute.setNewProjectDefaultToZonalDNSOnly + - constraints/compute.skipDefaultNetworkCreation + - constraints/compute.trustedImageProjects + - constraints/compute.vmCanIpForward + - constraints/compute.vmExternalIpAccess + - constraints/gcp.detailedAuditLoggingMode + - constraints/gcp.resourceLocations + - constraints/iam.allowedPolicyMemberDomains + - constraints/iam.automaticIamGrantsForDefaultServiceAccounts + - 
constraints/iam.disableServiceAccountCreation + - constraints/iam.disableServiceAccountKeyCreation + - constraints/iam.disableServiceAccountKeyUpload + - constraints/iam.restrictCrossProjectServiceAccountLienRemoval + - constraints/iam.serviceAccountKeyExpiryHours + - constraints/resourcemanager.accessBoundaries + - constraints/resourcemanager.allowedExportDestinations + - constraints/sql.restrictAuthorizedNetworks + - constraints/sql.restrictNoncompliantDiagnosticDataAccess + - constraints/sql.restrictNoncompliantResourceCreation + - constraints/sql.restrictPublicIp + - constraints/storage.publicAccessPrevention + - constraints/storage.restrictAuthTypes + - constraints/storage.uniformBucketLevelAccess This RPC only returns either resources of types `supported by search diff --git a/packages/google-cloud-asset/google/cloud/asset_v1/types/asset_service.py b/packages/google-cloud-asset/google/cloud/asset_v1/types/asset_service.py index fc0d8b085ba7..0c622d6fe685 100644 --- a/packages/google-cloud-asset/google/cloud/asset_v1/types/asset_service.py +++ b/packages/google-cloud-asset/google/cloud/asset_v1/types/asset_service.py 
@@ -3151,6 +3151,18 @@ class Rule(proto.Message): This field is a member of `oneof`_ ``kind``. condition (google.type.expr_pb2.Expr): The evaluating condition for this rule. + condition_evaluation (google.cloud.asset_v1.types.ConditionEvaluation): + The condition evaluation result for this rule. Only + populated if it meets all the following criteria: + + - there is a + [condition][google.cloud.asset.v1.AnalyzerOrgPolicy.Rule.condition] + defined for this rule + - this rule is within a consolidated_policy + - the consolidated_policy is within + [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer] + or + [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource] """ class StringValues(proto.Message): @@ -3198,6 +3210,11 @@ class StringValues(proto.Message): number=7, message=expr_pb2.Expr, ) + condition_evaluation: gca_assets.ConditionEvaluation = proto.Field( + proto.MESSAGE, + number=8, + message=gca_assets.ConditionEvaluation, + ) attached_resource: str = proto.Field( proto.STRING, 
@@ -3600,6 +3617,20 @@ class OrgPolicyResult(proto.Message): If the constraint is defined with default policy, it will also appear in the list. + project (str): + The project that this consolidated policy belongs to, in the + format of projects/{PROJECT_NUMBER}. This field is available + when the consolidated policy belongs to a project. + folders (MutableSequence[str]): + The folder(s) that this consolidated policy belongs to, in + the format of folders/{FOLDER_NUMBER}. This field is + available when the consolidated policy belongs (directly or + cascadingly) to one or more folders. + organization (str): + The organization that this consolidated policy belongs to, + in the format of organizations/{ORGANIZATION_NUMBER}. This + field is available when the consolidated policy belongs + (directly or cascadingly) to an organization. """ consolidated_policy: "AnalyzerOrgPolicy" = proto.Field( @@ -3612,6 +3643,18 @@ class OrgPolicyResult(proto.Message): number=2, message="AnalyzerOrgPolicy", ) + project: str = proto.Field( + proto.STRING, + number=3, + ) + folders: MutableSequence[str] = proto.RepeatedField( + proto.STRING, + number=4, + ) + organization: str = proto.Field( + proto.STRING, + number=5, + ) @property def raw_page(self): 
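Review bot: The new `project`, `folders` and `organization` docstrings on `OrgPolicyResult` say each field "is available when" the policy belongs to that container but never say what a reader gets otherwise; as proto3 string and repeated fields these presumably come back as `""` and an empty sequence rather than `None`, so code that scopes governance results by container has to test for emptiness rather than identity, and the docstring should say so. A sentence such as `Empty when the consolidated policy does not belong to a project.` (with the matching wording for folders and organization) would close that gap. The same three fields and the same wording are added to `GovernedContainer` in the next hunk, and both class bodies extend beyond their hunks.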
@@ -3747,6 +3790,22 @@ class GovernedContainer(proto.Message): If the constraint is defined with default policy, it will also appear in the list. + project (str): + The project that this resource belongs to, in the format of + projects/{PROJECT_NUMBER}. This field is available when the + resource belongs to a project. + folders (MutableSequence[str]): + The folder(s) that this resource belongs to, in the format + of folders/{FOLDER_NUMBER}. This field is available when the + resource belongs (directly or cascadingly) to one or more + folders. + organization (str): + The organization that this resource belongs to, in the + format of organizations/{ORGANIZATION_NUMBER}. This field is + available when the resource belongs (directly or + cascadingly) to an organization. + effective_tags (MutableSequence[google.cloud.asset_v1.types.EffectiveTagDetails]): + The effective tags on this resource. """ full_resource_name: str = proto.Field( @@ -3767,6 +3826,25 @@ class GovernedContainer(proto.Message): number=4, message="AnalyzerOrgPolicy", ) + project: str = proto.Field( + proto.STRING, + number=5, + ) + folders: MutableSequence[str] = proto.RepeatedField( + proto.STRING, + number=6, + ) + organization: str = proto.Field( + proto.STRING, + number=7, + ) + effective_tags: MutableSequence[ + gca_assets.EffectiveTagDetails + ] = proto.RepeatedField( + proto.MESSAGE, + number=8, + message=gca_assets.EffectiveTagDetails, + ) @property def raw_page(self): 
@@ -3921,6 +3999,15 @@ class GovernedResource(proto.Message): format of organizations/{ORGANIZATION_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to an organization. + asset_type (str): + The asset type of the + [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name] + Example: ``cloudresourcemanager.googleapis.com/Project`` See + `Cloud Asset Inventory Supported Asset + Types `__ + for all supported asset types. + effective_tags (MutableSequence[google.cloud.asset_v1.types.EffectiveTagDetails]): + The effective tags on this resource. """ full_resource_name: str = proto.Field( @@ -3943,6 +4030,17 @@ class GovernedResource(proto.Message): proto.STRING, number=7, ) + asset_type: str = proto.Field( + proto.STRING, + number=8, + ) + effective_tags: MutableSequence[ + gca_assets.EffectiveTagDetails + ] = proto.RepeatedField( + proto.MESSAGE, + number=9, + message=gca_assets.EffectiveTagDetails, + ) class GovernedIamPolicy(proto.Message): r"""The IAM policies governed by the organization policies of the @@ -3973,6 +4071,13 @@ class GovernedIamPolicy(proto.Message): format of organizations/{ORGANIZATION_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to an organization. + asset_type (str): + The asset type of the + [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource]. + Example: ``cloudresourcemanager.googleapis.com/Project`` See + `Cloud Asset Inventory Supported Asset + Types `__ + for all supported asset types. """ attached_resource: str = proto.Field( 
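Review bot: The `asset_type` docstring added to `GovernedResource` runs the `full_resource_name` cross-reference straight into `Example:` with no terminating period, while the parallel text added to `GovernedIamPolicy` in the last hunk of this line ends its `attached_resource` reference with `.`; the two should match, so the GovernedResource line should end `...GovernedResource.full_resource_name].` before `Example:`. In both docstrings the RST hyperlink to "Cloud Asset Inventory Supported Asset Types" has no `<url>` target as shown here; if that is in the source rather than an extraction artifact, Sphinx will not render it as a link and the target URL should be restored. The GovernedResource and GovernedIamPolicy class bodies extend beyond these hunks.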
@@ -3996,6 +4101,10 @@ class GovernedIamPolicy(proto.Message): proto.STRING, number=7, ) + asset_type: str = proto.Field( + proto.STRING, + number=8, + ) class GovernedAsset(proto.Message): r"""Represents a Google Cloud asset(resource or IAM policy) governed by