@@ -291,18 +291,49 @@ service AssetService {
291291
292292 // Analyzes organization policies governed assets (Google Cloud resources or
293293 // policies) under a scope. This RPC supports custom constraints and the
294- // following 10 canned constraints:
295- //
296- // * storage.uniformBucketLevelAccess
297- // * iam.disableServiceAccountKeyCreation
298- // * iam.allowedPolicyMemberDomains
299- // * compute.vmExternalIpAccess
300- // * appengine.enforceServiceAccountActAsCheck
301- // * gcp.resourceLocations
302- // * compute.trustedImageProjects
303- // * compute.skipDefaultNetworkCreation
304- // * compute.requireOsLogin
305- // * compute.disableNestedVirtualization
294+ // following canned constraints:
295+ //
296+ // * constraints/ainotebooks.accessMode
297+ // * constraints/ainotebooks.disableFileDownloads
298+ // * constraints/ainotebooks.disableRootAccess
299+ // * constraints/ainotebooks.disableTerminal
300+ // * constraints/ainotebooks.environmentOptions
301+ // * constraints/ainotebooks.requireAutoUpgradeSchedule
302+ // * constraints/ainotebooks.restrictVpcNetworks
303+ // * constraints/compute.disableGuestAttributesAccess
304+ // * constraints/compute.disableInstanceDataAccessApis
305+ // * constraints/compute.disableNestedVirtualization
306+ // * constraints/compute.disableSerialPortAccess
307+ // * constraints/compute.disableSerialPortLogging
308+ // * constraints/compute.disableVpcExternalIpv6
309+ // * constraints/compute.requireOsLogin
310+ // * constraints/compute.requireShieldedVm
311+ // * constraints/compute.restrictLoadBalancerCreationForTypes
312+ // * constraints/compute.restrictProtocolForwardingCreationForTypes
313+ // * constraints/compute.restrictXpnProjectLienRemoval
314+ // * constraints/compute.setNewProjectDefaultToZonalDNSOnly
315+ // * constraints/compute.skipDefaultNetworkCreation
316+ // * constraints/compute.trustedImageProjects
317+ // * constraints/compute.vmCanIpForward
318+ // * constraints/compute.vmExternalIpAccess
319+ // * constraints/gcp.detailedAuditLoggingMode
320+ // * constraints/gcp.resourceLocations
321+ // * constraints/iam.allowedPolicyMemberDomains
322+ // * constraints/iam.automaticIamGrantsForDefaultServiceAccounts
323+ // * constraints/iam.disableServiceAccountCreation
324+ // * constraints/iam.disableServiceAccountKeyCreation
325+ // * constraints/iam.disableServiceAccountKeyUpload
326+ // * constraints/iam.restrictCrossProjectServiceAccountLienRemoval
327+ // * constraints/iam.serviceAccountKeyExpiryHours
328+ // * constraints/resourcemanager.accessBoundaries
329+ // * constraints/resourcemanager.allowedExportDestinations
330+ // * constraints/sql.restrictAuthorizedNetworks
331+ // * constraints/sql.restrictNoncompliantDiagnosticDataAccess
332+ // * constraints/sql.restrictNoncompliantResourceCreation
333+ // * constraints/sql.restrictPublicIp
334+ // * constraints/storage.publicAccessPrevention
335+ // * constraints/storage.restrictAuthTypes
336+ // * constraints/storage.uniformBucketLevelAccess
306337 //
307338 // This RPC only returns either resources of types [supported by search
308339 // APIs](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
@@ -2170,6 +2201,18 @@ message AnalyzerOrgPolicy {
21702201
21712202 // The evaluating condition for this rule.
21722203 google.type.Expr condition = 7 ;
2204+
2205+ // The condition evaluation result for this rule.
2206+ // Only populated if it meets all the following criteria:
2207+ // * there is a
2208+ // [condition][google.cloud.asset.v1.AnalyzerOrgPolicy.Rule.condition]
2209+ // defined for this rule
2210+ // * this rule is within a consolidated_policy
2211+ // * the consolidated_policy is within
2212+ // [AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedContainersResponse.GovernedContainer]
2213+ // or
2214+ // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource]
2215+ ConditionEvaluation condition_evaluation = 8 ;
21732216 }
21742217
21752218 // The [full resource name]
@@ -2405,6 +2448,21 @@ message AnalyzeOrgPoliciesResponse {
24052448 // If the constraint is defined with default policy, it will also appear in
24062449 // the list.
24072450 repeated AnalyzerOrgPolicy policy_bundle = 2 ;
2451+
2452+ // The project that this consolidated policy belongs to, in the format of
2453+ // projects/{PROJECT_NUMBER}. This field is available when the consolidated
2454+ // policy belongs to a project.
2455+ string project = 3 ;
2456+
2457+ // The folder(s) that this consolidated policy belongs to, in the format of
2458+ // folders/{FOLDER_NUMBER}. This field is available when the consolidated
2459+ // policy belongs (directly or cascadingly) to one or more folders.
2460+ repeated string folders = 4 ;
2461+
2462+ // The organization that this consolidated policy belongs to, in the format
2463+ // of organizations/{ORGANIZATION_NUMBER}. This field is available when the
2464+ // consolidated policy belongs (directly or cascadingly) to an organization.
2465+ string organization = 5 ;
24082466 }
24092467
24102468 // The organization policies under the
@@ -2491,6 +2549,24 @@ message AnalyzeOrgPolicyGovernedContainersResponse {
24912549 // If the constraint is defined with default policy, it will also appear in
24922550 // the list.
24932551 repeated AnalyzerOrgPolicy policy_bundle = 4 ;
2552+
2553+ // The project that this resource belongs to, in the format of
2554+ // projects/{PROJECT_NUMBER}. This field is available when the resource
2555+ // belongs to a project.
2556+ string project = 5 ;
2557+
2558+ // The folder(s) that this resource belongs to, in the format of
2559+ // folders/{FOLDER_NUMBER}. This field is available when the resource
2560+ // belongs (directly or cascadingly) to one or more folders.
2561+ repeated string folders = 6 ;
2562+
2563+ // The organization that this resource belongs to, in the format of
2564+ // organizations/{ORGANIZATION_NUMBER}. This field is available when the
2565+ // resource belongs (directly or cascadingly) to an organization.
2566+ string organization = 7 ;
2567+
2568+ // The effective tags on this resource.
2569+ repeated EffectiveTagDetails effective_tags = 8 ;
24942570 }
24952571
24962572 // The list of the analyzed governed containers.
@@ -2589,6 +2665,18 @@ message AnalyzeOrgPolicyGovernedAssetsResponse {
25892665 // organizations/{ORGANIZATION_NUMBER}. This field is available when the
25902666 // resource belongs (directly or cascadingly) to an organization.
25912667 string organization = 7 ;
2668+
2669+ // The asset type of the
2670+ // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name]
2671+ // Example:
2672+ // `cloudresourcemanager.googleapis.com/Project`
2673+ // See [Cloud Asset Inventory Supported Asset
2674+ // Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
2675+ // for all supported asset types.
2676+ string asset_type = 8 ;
2677+
2678+ // The effective tags on this resource.
2679+ repeated EffectiveTagDetails effective_tags = 9 ;
25922680 }
25932681
25942682 // The IAM policies governed by the organization policies of the
@@ -2619,6 +2707,15 @@ message AnalyzeOrgPolicyGovernedAssetsResponse {
26192707 // organizations/{ORGANIZATION_NUMBER}. This field is available when the
26202708 // IAM policy belongs (directly or cascadingly) to an organization.
26212709 string organization = 7 ;
2710+
2711+ // The asset type of the
2712+ // [AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsResponse.GovernedIamPolicy.attached_resource].
2713+ // Example:
2714+ // `cloudresourcemanager.googleapis.com/Project`
2715+ // See [Cloud Asset Inventory Supported Asset
2716+ // Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
2717+ // for all supported asset types.
2718+ string asset_type = 8 ;
26222719 }
26232720
26242721 // Represents a Google Cloud asset(resource or IAM policy) governed by the
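Review bot: The comment on `condition_evaluation = 8` (the `AnalyzerOrgPolicy` hunk) lists the criteria under which the field is populated, but it does not say how a caller should read the field when it is absent. Consumers that use this analysis for compliance reporting could treat an unset value as "condition false" or "rule applies unconditionally", and either reading misreports the effective policy. If absence only means the condition was not evaluated, which is an inference from the listed criteria and needs confirming against the server, I would add `// When unset, the condition was not evaluated; callers must not infer whether the rule applies.` The enclosing `Rule` message starts outside the hunk, and `ConditionEvaluation` is not declared in any visible hunk, so it is presumably defined elsewhere in the package.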