feat: added new resource references to fields in AnalyzeMoveRequest

docs: updated comments chore: removed backend configuration from service config PiperOrigin-RevId: 590982722
googleapis · Dec 14, 2023 · da09f4c · da09f4c
1 parent ff9f02a
commit da09f4c
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 68 deletions.
diff --git a/google/cloud/asset/v1/asset_service.proto b/google/cloud/asset/v1/asset_service.proto
@@ -306,7 +306,7 @@ service AssetService {
   //
   // This RPC only returns either resources of types supported by [searchable
   // asset
-  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types),
+  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types),
   // or IAM policies.
   rpc AnalyzeOrgPolicyGovernedAssets(AnalyzeOrgPolicyGovernedAssetsRequest)
       returns (AnalyzeOrgPolicyGovernedAssetsResponse) {
@@ -923,31 +923,31 @@ message SearchAllResourcesRequest {
   // * `labels.env:*` to find Google Cloud resources that have a label `env`.
   // * `tagKeys:env` to find Google Cloud resources that have directly
   //   attached tags where the
-  //   [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
-  //   .`namespacedName` contains `env`.
+  //   [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+  //   contains `env`.
   // * `tagValues:prod*` to find Google Cloud resources that have directly
   //   attached tags where the
-  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-  //   .`namespacedName` contains a word prefixed by `prod`.
+  //   [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   contains a word prefixed by `prod`.
   // * `tagValueIds=tagValues/123` to find Google Cloud resources that have
   //   directly attached tags where the
-  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-  //   .`name` is exactly `tagValues/123`.
+  //   [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   is exactly `tagValues/123`.
   // * `effectiveTagKeys:env` to find Google Cloud resources that have
   //   directly attached or inherited tags where the
-  //   [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
-  //   .`namespacedName` contains `env`.
+  //   [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+  //   contains `env`.
   // * `effectiveTagValues:prod*` to find Google Cloud resources that have
   //   directly attached or inherited tags where the
-  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-  //   .`namespacedName` contains a word prefixed by `prod`.
+  //   [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   contains a word prefixed by `prod`.
   // * `effectiveTagValueIds=tagValues/123` to find Google Cloud resources that
   //    have directly attached or inherited tags where the
-  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
-  //   .`name` is exactly `tagValues/123`.
+  //   [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   is exactly `tagValues/123`.
   // * `kmsKey:key` to find Google Cloud resources encrypted with a
   //   customer-managed encryption key whose name contains `key` as a word. This
-  //   field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS
+  //   field is deprecated. Use the `kmsKeys` field to retrieve Cloud KMS
   //   key information.
   // * `kmsKeys:key` to find Google Cloud resources encrypted with
   //   customer-managed encryption keys whose name contains the word `key`.
@@ -959,6 +959,10 @@ message SearchAllResourcesRequest {
   //   Compute Engine instances that have relationships with `instance-group-1`
   //   in the Compute Engine instance group resource name, for relationship type
   //   `INSTANCE_TO_INSTANCEGROUP`.
+  // * `sccSecurityMarks.key=value` to find Cloud resources that are attached
+  //   with security marks whose key is `key` and value is `value`.
+  // * `sccSecurityMarks.key:*` to find Cloud resources that are attached with
+  //   security marks whose key is `key`.
   // * `state:ACTIVE` to find Google Cloud resources whose state contains
   //   `ACTIVE` as a word.
   // * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't
@@ -981,7 +985,7 @@ message SearchAllResourcesRequest {
 
   // Optional. A list of asset types that this request searches for. If empty,
   // it will search all the [searchable asset
-  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
   //
   // Regular expressions are also supported. For example:
   //
@@ -1150,7 +1154,7 @@ message SearchAllIamPoliciesRequest {
   // Optional. A list of asset types that the IAM policies are attached to. If
   // empty, it will search the IAM policies that are attached to all the
   // [searchable asset
-  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
   //
   // Regular expressions are also supported. For example:
   //
@@ -1400,7 +1404,7 @@ message AnalyzeIamPolicyRequest {
   // If both `analysis_query` and `saved_analysis_query` are provided, they
   // will be merged together with the `saved_analysis_query` as base and
   // the `analysis_query` as overrides. For more details of the merge behavior,
-  // please refer to the
+  // refer to the
   // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
   // page.
   //
@@ -1556,7 +1560,7 @@ message AnalyzeIamPolicyLongrunningRequest {
   // If both `analysis_query` and `saved_analysis_query` are provided, they
   // will be merged together with the `saved_analysis_query` as base and
   // the `analysis_query` as overrides. For more details of the merge behavior,
-  // please refer to the
+  // refer to the
   // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details)
   // doc.
   //
@@ -1776,14 +1780,22 @@ message AnalyzeMoveRequest {
   // Only Google Cloud projects are supported as of today. Hence, this can only
   // be a project ID (such as "projects/my-project-id") or a project number
   // (such as "projects/12345").
-  string resource = 1 [(google.api.field_behavior) = REQUIRED];
+  string resource = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudresourcemanager.googleapis.com/Project"
+    }
+  ];
 
   // Required. Name of the Google Cloud folder or organization to reparent the
   // target resource. The analysis will be performed against hypothetically
   // moving the resource to this specified desitination parent. This can only be
   // a folder number (such as "folders/123") or an organization number (such as
   // "organizations/123").
-  string destination_parent = 2 [(google.api.field_behavior) = REQUIRED];
+  string destination_parent = 2 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = { type: "*" }
+  ];
 
   // Analysis view indicating what information should be included in the
   // analysis response. If unspecified, the default view is FULL.
@@ -2053,7 +2065,7 @@ message BatchGetEffectiveIamPoliciesRequest {
   // Required. The names refer to the [full_resource_names]
   // (https://cloud.google.com/asset-inventory/docs/resource-name-format)
   // of [searchable asset
-  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
   // A maximum of 20 resources' effective policies can be retrieved in a batch.
   repeated string names = 3 [
     (google.api.field_behavior) = REQUIRED,
@@ -2355,12 +2367,15 @@ message AnalyzeOrgPoliciesRequest {
 
   // The expression to filter
   // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results].
-  // The only supported field is `consolidated_policy.attached_resource`, and
-  // the only supported operator is `=`.
+  // Filtering is currently available for bare literal values and the following
+  // fields:
+  // * consolidated_policy.attached_resource
+  // * consolidated_policy.rules.enforce
   //
-  // Example:
+  // When filtering by a specific field, the only supported operator is `=`.
+  // For example, filtering by
   // consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/folders/001"
-  // will return the org policy results of"folders/001".
+  // will return all the Organization Policy results attached to "folders/001".
   string filter = 3;
 
   // The maximum number of items to return per page. If unspecified,
@@ -2423,13 +2438,17 @@ message AnalyzeOrgPolicyGovernedContainersRequest {
   // constraint.
   string constraint = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // The expression to filter the governed containers in result.
-  // The only supported field is `parent`, and the only supported operator is
-  // `=`.
-  //
-  // Example:
-  // parent="//cloudresourcemanager.googleapis.com/folders/001" will return all
-  // containers under "folders/001".
+  // The expression to filter
+  // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers].
+  // Filtering is currently available for bare literal values and the following
+  // fields:
+  // * parent
+  // * consolidated_policy.rules.enforce
+  //
+  // When filtering by a specific field, the only supported operator is `=`.
+  // For example, filtering by
+  // parent="//cloudresourcemanager.googleapis.com/folders/001"
+  // will return all the containers under "folders/001".
   string filter = 3;
 
   // The maximum number of items to return per page. If unspecified,
@@ -2502,18 +2521,33 @@ message AnalyzeOrgPolicyGovernedAssetsRequest {
   // constraint.
   string constraint = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // The expression to filter the governed assets in result. The only supported
-  // fields for governed resources are `governed_resource.project` and
-  // `governed_resource.folders`. The only supported fields for governed iam
-  // policies are `governed_iam_policy.project` and
-  // `governed_iam_policy.folders`. The only supported operator is `=`.
-  //
-  // Example 1: governed_resource.project="projects/12345678" filter will return
-  // all governed resources under projects/12345678 including the project
-  // ifself, if applicable.
+  // The expression to filter
+  // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets].
   //
-  // Example 2: governed_iam_policy.folders="folders/12345678" filter will
-  // return all governed iam policies under folders/12345678, if applicable.
+  // For governed resources, filtering is currently available for bare literal
+  // values and the following fields:
+  // * governed_resource.project
+  // * governed_resource.folders
+  // * consolidated_policy.rules.enforce
+  // When filtering by `governed_resource.project` or
+  // `consolidated_policy.rules.enforce`, the only supported operator is `=`.
+  // When filtering by `governed_resource.folders`, the supported operators
+  // are `=` and `:`.
+  // For example, filtering by `governed_resource.project="projects/12345678"`
+  // will return all the governed resources under "projects/12345678",
+  // including the project itself if applicable.
+  //
+  // For governed IAM policies, filtering is currently available for bare
+  // literal values and the following fields:
+  // * governed_iam_policy.project
+  // * governed_iam_policy.folders
+  // * consolidated_policy.rules.enforce
+  // When filtering by `governed_iam_policy.project` or
+  // `consolidated_policy.rules.enforce`, the only supported operator is `=`.
+  // When filtering by `governed_iam_policy.folders`, the supported operators
+  // are `=` and `:`.
+  // For example, filtering by `governed_iam_policy.folders:"folders/12345678"`
+  // will return all the governed IAM policies under "folders/001".
   string filter = 3;
 
   // The maximum number of items to return per page. If unspecified,

diff --git a/google/cloud/asset/v1/assets.proto b/google/cloud/asset/v1/assets.proto
@@ -16,7 +16,6 @@ syntax = "proto3";
 
 package google.cloud.asset.v1;
 
-import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/orgpolicy/v1/orgpolicy.proto";
 import "google/cloud/osconfig/v1/inventory.proto";
@@ -141,15 +140,15 @@ message Asset {
   // A representation of an [access
   // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
   oneof access_context_policy {
-    // Please also refer to the [access policy user
+    // Also refer to the [access policy user
     // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies).
     google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7;
 
-    // Please also refer to the [access level user
+    // Also refer to the [access level user
     // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels).
     google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
 
-    // Please also refer to the [service perimeter user
+    // Also refer to the [service perimeter user
     // guide](https://cloud.google.com/vpc-service-controls/docs/overview).
     google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter =
         9;
@@ -218,8 +217,6 @@ message Resource {
   // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy).
   // Example:
   // `//cloudresourcemanager.googleapis.com/projects/my_project_123`
-  //
-  // For third-party assets, this field may be set differently.
   string parent = 5;
 
   // The content of the resource, in which some sensitive fields are removed
@@ -458,8 +455,8 @@ message ResourceSearchResult {
   // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
   // name.
   //
-  // This field only presents for the purpose of backward compatibility. Please
-  // use the `kms_keys` field to retrieve Cloud KMS key information. This field
+  // This field only presents for the purpose of backward compatibility.
+  // Use the `kms_keys` field to retrieve Cloud KMS key information. This field
   // is available only when the resource's Protobuf contains it and will only be
   // populated for [these resource
   // types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field)
@@ -539,7 +536,7 @@ message ResourceSearchResult {
   // metadata fields that are returned by the List or Get APIs provided by the
   // corresponding Google Cloud service (e.g., Compute Engine). see [API
   // references and supported searchable
-  // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types)
+  // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
   // to see which fields are included.
   //
   // You can search values of these fields through free text search. However,
@@ -590,7 +587,7 @@ message ResourceSearchResult {
   map<string, RelatedResources> relationships = 21;
 
   // This field is only present for the purpose of backward compatibility.
-  // Please use the `tags` field instead.
+  // Use the `tags` field instead.
   //
   // TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}.
   // To search against the `tagKeys`:
@@ -605,7 +602,7 @@ message ResourceSearchResult {
   repeated string tag_keys = 23 [deprecated = true];
 
   // This field is only present for the purpose of backward compatibility.
-  // Please use the `tags` field instead.
+  // Use the `tags` field instead.
   //
   // TagValue namespaced names, in the format of
   // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}.
@@ -622,7 +619,7 @@ message ResourceSearchResult {
   repeated string tag_values = 25 [deprecated = true];
 
   // This field is only present for the purpose of backward compatibility.
-  // Please use the `tags` field instead.
+  // Use the `tags` field instead.
   //
   // TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}.
   // To search against the `tagValueIds`:
@@ -684,10 +681,6 @@ message ResourceSearchResult {
   // with the asset.
   //
   //
-  // Note that both staging & prod SecurityMarks are attached on prod resources.
-  // In CAS preprod/prod, both staging & prod SecurityMarks are ingested and
-  // returned in the following `security_marks` map. In that case, the prefix
-  // "staging." will be added to the keys of all the staging marks.
   // To search against SCC SecurityMarks field:
   //
   //   * Use a field query:
@@ -718,7 +711,7 @@ message VersionedResource {
   //
   // You can find the resource definition for each supported resource type in
   // this table:
-  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
+  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types`
   google.protobuf.Struct resource = 2;
 }
 
@@ -731,7 +724,7 @@ message AttachedResource {
   //
   // You can find the supported attached asset types of each resource in this
   // table:
-  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types`
+  // `https://cloud.google.com/asset-inventory/docs/supported-asset-types`
   string asset_type = 1;
 
   // Versioned resource representations of this attached resource. This is

diff --git a/google/cloud/asset/v1/cloudasset_grpc_service_config.json b/google/cloud/asset/v1/cloudasset_grpc_service_config.json
@@ -175,6 +175,23 @@
           "UNAVAILABLE"
         ]
       }
+    },
+    {
+      "name": [
+        {
+          "service": "google.cloud.asset.v1.AssetService",
+          "method": "TraverseGraph"
+        }
+      ],
+      "timeout": "60s",
+      "retryPolicy": {
+        "initialBackoff": "0.100s",
+        "maxBackoff": "60s",
+        "backoffMultiplier": 1.3,
+        "retryableStatusCodes": [
+          "UNAVAILABLE"
+        ]
+      }
     }
   ]
 }
diff --git a/google/cloud/asset/v1/cloudasset_v1.yaml b/google/cloud/asset/v1/cloudasset_v1.yaml
@@ -26,13 +26,6 @@ documentation:
     Read more documents here:
     https://cloud.google.com/asset-inventory/docs
 
-backend:
-  rules:
-  - selector: 'google.cloud.asset.v1.AssetService.*'
-    deadline: 600.0
-  - selector: google.longrunning.Operations.GetOperation
-    deadline: 60.0
-
 http:
   rules:
   - selector: google.longrunning.Operations.GetOperation