From da09f4c505cb49ed886c460ff57edcfb142f450d Mon Sep 17 00:00:00 2001 From: Google APIs Date: Thu, 14 Dec 2023 10:28:31 -0800 Subject: [PATCH] feat: added new resource references to fields in AnalyzeMoveRequest docs: updated comments chore: removed backend configuration from service config PiperOrigin-RevId: 590982722 --- google/cloud/asset/v1/asset_service.proto | 120 +++++++++++------- google/cloud/asset/v1/assets.proto | 29 ++--- .../v1/cloudasset_grpc_service_config.json | 17 +++ google/cloud/asset/v1/cloudasset_v1.yaml | 7 - 4 files changed, 105 insertions(+), 68 deletions(-) diff --git a/google/cloud/asset/v1/asset_service.proto b/google/cloud/asset/v1/asset_service.proto index b33eefab088c5..b773916450779 100644 --- a/google/cloud/asset/v1/asset_service.proto +++ b/google/cloud/asset/v1/asset_service.proto @@ -306,7 +306,7 @@ service AssetService { // // This RPC only returns either resources of types supported by [searchable // asset - // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types), + // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types), // or IAM policies. rpc AnalyzeOrgPolicyGovernedAssets(AnalyzeOrgPolicyGovernedAssetsRequest) returns (AnalyzeOrgPolicyGovernedAssetsResponse) { 
@@ -923,31 +923,31 @@ message SearchAllResourcesRequest { // * `labels.env:*` to find Google Cloud resources that have a label `env`. // * `tagKeys:env` to find Google Cloud resources that have directly // attached tags where the - // [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) - // .`namespacedName` contains `env`. + // [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) + // contains `env`. // * `tagValues:prod*` to find Google Cloud resources that have directly // attached tags where the - // [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) - // .`namespacedName` contains a word prefixed by `prod`. + // [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) + // contains a word prefixed by `prod`. // * `tagValueIds=tagValues/123` to find Google Cloud resources that have // directly attached tags where the - // [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) - // .`name` is exactly `tagValues/123`. + // [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) + // is exactly `tagValues/123`. // * `effectiveTagKeys:env` to find Google Cloud resources that have // directly attached or inherited tags where the - // [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) - // .`namespacedName` contains `env`. + // [`TagKey.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey) + // contains `env`. 
// * `effectiveTagValues:prod*` to find Google Cloud resources that have // directly attached or inherited tags where the - // [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) - // .`namespacedName` contains a word prefixed by `prod`. + // [`TagValue.namespacedName`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) + // contains a word prefixed by `prod`. // * `effectiveTagValueIds=tagValues/123` to find Google Cloud resources that // have directly attached or inherited tags where the - // [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) - // .`name` is exactly `tagValues/123`. + // [`TagValue.name`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue) + // is exactly `tagValues/123`. // * `kmsKey:key` to find Google Cloud resources encrypted with a // customer-managed encryption key whose name contains `key` as a word. This - // field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS + // field is deprecated. Use the `kmsKeys` field to retrieve Cloud KMS // key information. // * `kmsKeys:key` to find Google Cloud resources encrypted with // customer-managed encryption keys whose name contains the word `key`. 
@@ -959,6 +959,10 @@ message SearchAllResourcesRequest { // Compute Engine instances that have relationships with `instance-group-1` // in the Compute Engine instance group resource name, for relationship type // `INSTANCE_TO_INSTANCEGROUP`. + // * `sccSecurityMarks.key=value` to find Cloud resources that are attached + // with security marks whose key is `key` and value is `value`. + // * `sccSecurityMarks.key:*` to find Cloud resources that are attached with + // security marks whose key is `key`. // * `state:ACTIVE` to find Google Cloud resources whose state contains // `ACTIVE` as a word. // * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't @@ -981,7 +985,7 @@ message SearchAllResourcesRequest { // Optional. A list of asset types that this request searches for. If empty, // it will search all the [searchable asset - // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). + // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types). // // Regular expressions are also supported. For example: // @@ -1150,7 +1154,7 @@ message SearchAllIamPoliciesRequest { // Optional. A list of asset types that the IAM policies are attached to. If // empty, it will search the IAM policies that are attached to all the // [searchable asset - // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). + // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types). // // Regular expressions are also supported. For example: // 
@@ -1400,7 +1404,7 @@ message AnalyzeIamPolicyRequest { // If both `analysis_query` and `saved_analysis_query` are provided, they // will be merged together with the `saved_analysis_query` as base and // the `analysis_query` as overrides. For more details of the merge behavior, - // please refer to the + // refer to the // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details) // page. // @@ -1556,7 +1560,7 @@ message AnalyzeIamPolicyLongrunningRequest { // If both `analysis_query` and `saved_analysis_query` are provided, they // will be merged together with the `saved_analysis_query` as base and // the `analysis_query` as overrides. For more details of the merge behavior, - // please refer to the + // refer to the // [MergeFrom](https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.message#Message.MergeFrom.details) // doc. // 
@@ -1776,14 +1780,22 @@ message AnalyzeMoveRequest { // Only Google Cloud projects are supported as of today. Hence, this can only // be a project ID (such as "projects/my-project-id") or a project number // (such as "projects/12345"). - string resource = 1 [(google.api.field_behavior) = REQUIRED]; + string resource = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Project" + } + ]; // Required. Name of the Google Cloud folder or organization to reparent the // target resource. The analysis will be performed against hypothetically // moving the resource to this specified desitination parent. This can only be // a folder number (such as "folders/123") or an organization number (such as // "organizations/123"). - string destination_parent = 2 [(google.api.field_behavior) = REQUIRED]; + string destination_parent = 2 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { type: "*" } + ]; // Analysis view indicating what information should be included in the // analysis response. If unspecified, the default view is FULL. @@ -2053,7 +2065,7 @@ message BatchGetEffectiveIamPoliciesRequest { // Required. The names refer to the [full_resource_names] // (https://cloud.google.com/asset-inventory/docs/resource-name-format) // of [searchable asset - // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types). + // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types). // A maximum of 20 resources' effective policies can be retrieved in a batch. repeated string names = 3 [ (google.api.field_behavior) = REQUIRED, 
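Review bot: On `destination_parent` in AnalyzeMoveRequest, the new `(google.api.resource_reference) = { type: "*" }` lets generated tooling accept any resource name, while the field comment restricts the value to a folder or organization number. The annotation is descriptive metadata for client generators, so the service still has to enforce that restriction and check the caller's permission on both the project and the destination. I would state the contract in the field comment, for example `// Names that are not "folders/{number}" or "organizations/{number}" are rejected.`, provided that matches the backend behaviour, which is not visible here. The context comment on the same field misspells `desitination`, which is worth fixing while the field is being touched. The message body continues outside the hunk.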
@@ -2355,12 +2367,15 @@ message AnalyzeOrgPoliciesRequest { // The expression to filter // [AnalyzeOrgPoliciesResponse.org_policy_results][google.cloud.asset.v1.AnalyzeOrgPoliciesResponse.org_policy_results]. - // The only supported field is `consolidated_policy.attached_resource`, and - // the only supported operator is `=`. + // Filtering is currently available for bare literal values and the following + // fields: + // * consolidated_policy.attached_resource + // * consolidated_policy.rules.enforce // - // Example: + // When filtering by a specific field, the only supported operator is `=`. + // For example, filtering by // consolidated_policy.attached_resource="//cloudresourcemanager.googleapis.com/folders/001" - // will return the org policy results of"folders/001". + // will return all the Organization Policy results attached to "folders/001". string filter = 3; // The maximum number of items to return per page. If unspecified, 
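Review bot: The rewritten `filter` comment in AnalyzeOrgPoliciesRequest says filtering is available for "bare literal values" but never says what a bare literal is matched against. It also lists `consolidated_policy.rules.enforce` without naming the values that field takes. Someone using this filter to audit policy coverage cannot tell from the comment how a literal narrows the result set, so a query may return less than they expect. I would add one sentence defining the bare-literal match and one example line for `consolidated_policy.rules.enforce`, with the accepted values filled in by the API owner. The same gap is in the new `filter` comments of AnalyzeOrgPolicyGovernedContainersRequest and AnalyzeOrgPolicyGovernedAssetsRequest in the following hunks.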
@@ -2423,13 +2438,17 @@ message AnalyzeOrgPolicyGovernedContainersRequest { // constraint. string constraint = 2 [(google.api.field_behavior) = REQUIRED]; - // The expression to filter the governed containers in result. - // The only supported field is `parent`, and the only supported operator is - // `=`. - // - // Example: - // parent="//cloudresourcemanager.googleapis.com/folders/001" will return all - // containers under "folders/001". + // The expression to filter + // [AnalyzeOrgPolicyGovernedContainersResponse.governed_containers][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.governed_containers]. + // Filtering is currently available for bare literal values and the following + // fields: + // * parent + // * consolidated_policy.rules.enforce + // + // When filtering by a specific field, the only supported operator is `=`. + // For example, filtering by + // parent="//cloudresourcemanager.googleapis.com/folders/001" + // will return all the containers under "folders/001". string filter = 3; // The maximum number of items to return per page. If unspecified, 
@@ -2502,18 +2521,33 @@ message AnalyzeOrgPolicyGovernedAssetsRequest { // constraint. string constraint = 2 [(google.api.field_behavior) = REQUIRED]; - // The expression to filter the governed assets in result. The only supported - // fields for governed resources are `governed_resource.project` and - // `governed_resource.folders`. The only supported fields for governed iam - // policies are `governed_iam_policy.project` and - // `governed_iam_policy.folders`. The only supported operator is `=`. - // - // Example 1: governed_resource.project="projects/12345678" filter will return - // all governed resources under projects/12345678 including the project - // ifself, if applicable. + // The expression to filter + // [AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets]. // - // Example 2: governed_iam_policy.folders="folders/12345678" filter will - // return all governed iam policies under folders/12345678, if applicable. + // For governed resources, filtering is currently available for bare literal + // values and the following fields: + // * governed_resource.project + // * governed_resource.folders + // * consolidated_policy.rules.enforce + // When filtering by `governed_resource.project` or + // `consolidated_policy.rules.enforce`, the only supported operator is `=`. + // When filtering by `governed_resource.folders`, the supported operators + // are `=` and `:`. + // For example, filtering by `governed_resource.project="projects/12345678"` + // will return all the governed resources under "projects/12345678", + // including the project itself if applicable. 
+ // + // For governed IAM policies, filtering is currently available for bare + // literal values and the following fields: + // * governed_iam_policy.project + // * governed_iam_policy.folders + // * consolidated_policy.rules.enforce + // When filtering by `governed_iam_policy.project` or + // `consolidated_policy.rules.enforce`, the only supported operator is `=`. + // When filtering by `governed_iam_policy.folders`, the supported operators + // are `=` and `:`. + // For example, filtering by `governed_iam_policy.folders:"folders/12345678"` + // will return all the governed IAM policies under "folders/001". string filter = 3; // The maximum number of items to return per page. If unspecified, diff --git a/google/cloud/asset/v1/assets.proto b/google/cloud/asset/v1/assets.proto index a3dcdc0248dfe..7cfc80d0524e3 100644 --- a/google/cloud/asset/v1/assets.proto +++ b/google/cloud/asset/v1/assets.proto @@ -16,7 +16,6 @@ syntax = "proto3"; package google.cloud.asset.v1; -import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/cloud/orgpolicy/v1/orgpolicy.proto"; import "google/cloud/osconfig/v1/inventory.proto"; 
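Review bot: The last example in the new `filter` comment of AnalyzeOrgPolicyGovernedAssetsRequest filters on `governed_iam_policy.folders:"folders/12345678"` but says it returns the policies under "folders/001", so the two folder IDs disagree. The closing line should read `// will return all the governed IAM policies under "folders/12345678".` The comment also introduces the `:` operator for the two `folders` fields without saying how it differs from `=`. A short phrase on that would help, since the resource example uses `=` and the IAM policy example uses `:`.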
@@ -141,15 +140,15 @@ message Asset { // A representation of an [access // policy](https://cloud.google.com/access-context-manager/docs/overview#access-policies). oneof access_context_policy { - // Please also refer to the [access policy user + // Also refer to the [access policy user // guide](https://cloud.google.com/access-context-manager/docs/overview#access-policies). google.identity.accesscontextmanager.v1.AccessPolicy access_policy = 7; - // Please also refer to the [access level user + // Also refer to the [access level user // guide](https://cloud.google.com/access-context-manager/docs/overview#access-levels). google.identity.accesscontextmanager.v1.AccessLevel access_level = 8; - // Please also refer to the [service perimeter user + // Also refer to the [service perimeter user // guide](https://cloud.google.com/vpc-service-controls/docs/overview). google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9; @@ -218,8 +217,6 @@ message Resource { // hierarchy](https://cloud.google.com/iam/docs/overview#policy_hierarchy). // Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` - // - // For third-party assets, this field may be set differently. string parent = 5; // The content of the resource, in which some sensitive fields are removed 
@@ -458,8 +455,8 @@ message ResourceSearchResult { // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions) // name. // - // This field only presents for the purpose of backward compatibility. Please - // use the `kms_keys` field to retrieve Cloud KMS key information. This field + // This field only presents for the purpose of backward compatibility. + // Use the `kms_keys` field to retrieve Cloud KMS key information. This field // is available only when the resource's Protobuf contains it and will only be // populated for [these resource // types](https://cloud.google.com/asset-inventory/docs/legacy-field-names#resource_types_with_the_to_be_deprecated_kmskey_field) @@ -539,7 +536,7 @@ message ResourceSearchResult { // metadata fields that are returned by the List or Get APIs provided by the // corresponding Google Cloud service (e.g., Compute Engine). see [API // references and supported searchable - // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types) + // attributes](https://cloud.google.com/asset-inventory/docs/supported-asset-types) // to see which fields are included. // // You can search values of these fields through free text search. However, @@ -590,7 +587,7 @@ message ResourceSearchResult { map relationships = 21; // This field is only present for the purpose of backward compatibility. - // Please use the `tags` field instead. + // Use the `tags` field instead. // // TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}. // To search against the `tagKeys`: @@ -605,7 +602,7 @@ message ResourceSearchResult { repeated string tag_keys = 23 [deprecated = true]; // This field is only present for the purpose of backward compatibility. - // Please use the `tags` field instead. + // Use the `tags` field instead. // // TagValue namespaced names, in the format of // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}. 
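Review bot: The re-wrapped line `// This field only presents for the purpose of backward compatibility.` in the first ResourceSearchResult hunk (the comment that points readers to `kms_keys`) keeps a grammar slip while the sentence is being edited anyway. The deprecated tag fields later in the same file already use the clearer wording, so I would change it to `// This field is only present for the purpose of backward compatibility.` for consistency. The field declaration itself is outside the hunk.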
@@ -622,7 +619,7 @@ message ResourceSearchResult { repeated string tag_values = 25 [deprecated = true]; // This field is only present for the purpose of backward compatibility. - // Please use the `tags` field instead. + // Use the `tags` field instead. // // TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. // To search against the `tagValueIds`: @@ -684,10 +681,6 @@ message ResourceSearchResult { // with the asset. // // - // Note that both staging & prod SecurityMarks are attached on prod resources. - // In CAS preprod/prod, both staging & prod SecurityMarks are ingested and - // returned in the following `security_marks` map. In that case, the prefix - // "staging." will be added to the keys of all the staging marks. // To search against SCC SecurityMarks field: // // * Use a field query: @@ -718,7 +711,7 @@ message VersionedResource { // // You can find the resource definition for each supported resource type in // this table: - // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types` + // `https://cloud.google.com/asset-inventory/docs/supported-asset-types` google.protobuf.Struct resource = 2; } @@ -731,7 +724,7 @@ message AttachedResource { // // You can find the supported attached asset types of each resource in this // table: - // `https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types` + // `https://cloud.google.com/asset-inventory/docs/supported-asset-types` string asset_type = 1; // Versioned resource representations of this attached resource. This is diff --git a/google/cloud/asset/v1/cloudasset_grpc_service_config.json b/google/cloud/asset/v1/cloudasset_grpc_service_config.json index 1cd320f208a20..cd4e0b688e5b1 100755 --- a/google/cloud/asset/v1/cloudasset_grpc_service_config.json +++ b/google/cloud/asset/v1/cloudasset_grpc_service_config.json 
@@ -175,6 +175,23 @@ "UNAVAILABLE" ] } + }, + { + "name": [ + { + "service": "google.cloud.asset.v1.AssetService", + "method": "TraverseGraph" + } + ], + "timeout": "60s", + "retryPolicy": { + "initialBackoff": "0.100s", + "maxBackoff": "60s", + "backoffMultiplier": 1.3, + "retryableStatusCodes": [ + "UNAVAILABLE" + ] + } } ] } diff --git a/google/cloud/asset/v1/cloudasset_v1.yaml b/google/cloud/asset/v1/cloudasset_v1.yaml index 0ffb3c8d345c6..717bb286164eb 100644 --- a/google/cloud/asset/v1/cloudasset_v1.yaml +++ b/google/cloud/asset/v1/cloudasset_v1.yaml @@ -26,13 +26,6 @@ documentation: Read more documents here: https://cloud.google.com/asset-inventory/docs -backend: - rules: - - selector: 'google.cloud.asset.v1.AssetService.*' - deadline: 600.0 - - selector: google.longrunning.Operations.GetOperation - deadline: 60.0 - http: rules: - selector: google.longrunning.Operations.GetOperation
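Review bot: The new retry entry names the method `TraverseGraph`, but no hunk in this patch adds or touches a `TraverseGraph` RPC in asset_service.proto and the commit message does not mention it, so I cannot tell from here whether it matches a published method. If the RPC is not part of the service definition the entry is dead configuration, and if it is, retrying on `UNAVAILABLE` is only safe when the call is idempotent. JSON carries no comments, so the commit description is the place to say why the entry is added and that the method is read-only. The cloudasset_v1.yaml hunk on this line removes the `deadline: 600.0` backend rule for `AssetService.*`, which leaves per-method `timeout` values such as this `60s` as the only deadlines visible in the patch.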