diff --git a/google/cloud/asset/v1/asset_service.proto b/google/cloud/asset/v1/asset_service.proto
index 9c7b16d0..0eab6efd 100644
--- a/google/cloud/asset/v1/asset_service.proto
+++ b/google/cloud/asset/v1/asset_service.proto
@@ -37,12 +37,14 @@ option php_namespace = "Google\\Cloud\\Asset\\V1";
 // Asset service definition.
 service AssetService {
 option (google.api.default_host) = "cloudasset.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+ option (google.api.oauth_scopes) =
+ "https://www.googleapis.com/auth/cloud-platform";
 // Exports assets with time and resource types to a given Cloud Storage
 // location. The output format is newline-delimited JSON.
- // This API implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you
- // to keep track of the export.
+ // This API implements the
+ // [google.longrunning.Operation][google.longrunning.Operation] API allowing
+ // you to keep track of the export.
 rpc ExportAssets(ExportAssetsRequest) returns (google.longrunning.Operation) {
 option (google.api.http) = {
 post: "/v1/{parent=*/*}:exportAssets"
@@ -61,7 +63,8 @@ service AssetService {
 // attached IAM POLICY both exist. This can create gaps in the output history.
 // If a specified asset does not exist, this API returns an INVALID_ARGUMENT
 // error.
- rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest) returns (BatchGetAssetsHistoryResponse) {
+ rpc BatchGetAssetsHistory(BatchGetAssetsHistoryRequest)
+ returns (BatchGetAssetsHistoryResponse) {
 option (google.api.http) = {
 get: "/v1/{parent=*/*}:batchGetAssetsHistory"
 };
@@ -109,6 +112,30 @@ service AssetService {
 };
 option (google.api.method_signature) = "name";
 }
+
+ // Searches all the resources within the given accessible scope (e.g., a
+ // project, a folder or an organization). Callers should have
+ // cloud.assets.SearchAllResources permission upon the requested scope,
+ // otherwise the request will be rejected.
+ rpc SearchAllResources(SearchAllResourcesRequest)
+ returns (SearchAllResourcesResponse) {
+ option (google.api.http) = {
+ get: "/v1/{scope=*/*}:searchAllResources"
+ };
+ option (google.api.method_signature) = "scope,query,asset_types";
+ }
+
+ // Searches all the IAM policies within the given accessible scope (e.g., a
+ // project, a folder or an organization). Callers should have
+ // cloud.assets.SearchAllIamPolicies permission upon the requested scope,
+ // otherwise the request will be rejected.
+ rpc SearchAllIamPolicies(SearchAllIamPoliciesRequest)
+ returns (SearchAllIamPoliciesResponse) {
+ option (google.api.http) = {
+ get: "/v1/{scope=*/*}:searchAllIamPolicies"
+ };
+ option (google.api.method_signature) = "scope,query";
+ }
 }
 // Export asset request.
@@ -148,8 +175,10 @@ message ExportAssetsRequest {
 }
 // The export asset response. This message is returned by the
-// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation] method in the returned
-// [google.longrunning.Operation.response][google.longrunning.Operation.response] field.
+// [google.longrunning.Operations.GetOperation][google.longrunning.Operations.GetOperation]
+// method in the returned
+// [google.longrunning.Operation.response][google.longrunning.Operation.response]
+// field.
 message ExportAssetsResponse {
 // Time the snapshot was taken.
 google.protobuf.Timestamp read_time = 1;
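Review bot: The comments on the new SearchAllResources and SearchAllIamPolicies rpcs say a caller without the named cloud.assets.* permission has the request "rejected" but do not name the status returned, whereas BatchGetAssetsHistory above documents INVALID_ARGUMENT for a missing asset. Naming it lets a client separate an authorization failure from a malformed scope; suggested wording for both comments is `// otherwise the request will be rejected with a PERMISSION_DENIED error.`, assuming that is the status the service actually returns, which the hunk does not show. Neither comment mentions that results are paginated through the request's page_size/page_token fields; a one-line pointer to them would save callers a trip to the request message.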
@@ -214,9 +243,8 @@ message CreateFeedRequest {
 // be unique under a specific parent project/folder/organization.
 string feed_id = 2 [(google.api.field_behavior) = REQUIRED];
- // Required. The feed details. The field `name` must be empty and it will be generated
- // in the format of:
- // projects/project_number/feeds/feed_id
+ // Required. The feed details. The field `name` must be empty and it will be
+ // generated in the format of: projects/project_number/feeds/feed_id
 // folders/folder_number/feeds/feed_id
 // organizations/organization_number/feeds/feed_id
 Feed feed = 3 [(google.api.field_behavior) = REQUIRED];
@@ -230,9 +258,7 @@ message GetFeedRequest {
 // organizations/organization_number/feeds/feed_id
 string name = 1 [
 (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudasset.googleapis.com/Feed"
- }
+ (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
 ];
 }
@@ -251,8 +277,8 @@ message ListFeedsResponse {
 // Update asset feed request.
 message UpdateFeedRequest {
- // Required. The new values of feed details. It must match an existing feed and the
- // field `name` must be in the format of:
+ // Required. The new values of feed details. It must match an existing feed
+ // and the field `name` must be in the format of:
 // projects/project_number/feeds/feed_id or
 // folders/folder_number/feeds/feed_id or
 // organizations/organization_number/feeds/feed_id.
@@ -261,7 +287,8 @@ message UpdateFeedRequest {
 // Required. Only updates the `feed` fields indicated by this mask.
 // The field mask must not be empty, and it must not contain fields that
 // are immutable or only set by the server.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+ google.protobuf.FieldMask update_mask = 2
+ [(google.api.field_behavior) = REQUIRED];
 }
 message DeleteFeedRequest {
@@ -271,9 +298,7 @@ message DeleteFeedRequest {
 // organizations/organization_number/feeds/feed_id
 string name = 1 [
 (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudasset.googleapis.com/Feed"
- }
+ (google.api.resource_reference) = { type: "cloudasset.googleapis.com/Feed" }
 ];
 }
@@ -401,7 +426,156 @@ message Feed {
 // Required. Feed output configuration defining where the asset updates are
 // published to.
- FeedOutputConfig feed_output_config = 5 [(google.api.field_behavior) = REQUIRED];
+ FeedOutputConfig feed_output_config = 5
+ [(google.api.field_behavior) = REQUIRED];
+}
+
+// Search all resources request.
+message SearchAllResourcesRequest {
+ // Required. A scope can be a project, a folder or an organization. The search
+ // is limited to the resources within the `scope`.
+ //
+ // The allowed values are:
+ //
+ // * projects/{PROJECT_ID}
+ // * projects/{PROJECT_NUMBER}
+ // * folders/{FOLDER_NUMBER}
+ // * organizations/{ORGANIZATION_NUMBER}
+ string scope = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // Optional. The query statement. An empty query can be specified to search
+ // all the resources of certain `asset_types` within the given `scope`.
+ //
+ // Examples:
+ //
+ // * `name : "Important"` to find Cloud resources whose name contains
+ // "Important" as a word.
+ // * `displayName : "Impor*"` to find Cloud resources whose display name
+ // contains "Impor" as a word prefix.
+ // * `description : "*por*"` to find Cloud resources whose description
+ // contains "por" as a substring.
+ // * `location : "us-west*"` to find Cloud resources whose location is
+ // prefixed with "us-west".
+ // * `labels : "prod"` to find Cloud resources whose labels contain "prod" as
+ // a key or value.
+ // * `labels.env : "prod"` to find Cloud resources which have a label "env"
+ // and its value is "prod".
+ // * `labels.env : *` to find Cloud resources which have a label "env".
+ // * `"Important"` to find Cloud resources which contain "Important" as a word
+ // in any of the searchable fields.
+ // * `"Impor*"` to find Cloud resources which contain "Impor" as a word prefix
+ // in any of the searchable fields.
+ // * `"*por*"` to find Cloud resources which contain "por" as a substring in
+ // any of the searchable fields.
+ // * `("Important" AND location : ("us-west1" OR "global"))` to find Cloud
+ // resources which contain "Important" as a word in any of the searchable
+ // fields and are also located in the "us-west1" region or the "global"
+ // location.
+ //
+ // See [how to construct a
+ // query](https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query)
+ // for more details.
+ string query = 2 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. A list of asset types that this request searches for. If empty,
+ // it will search all the [searchable asset
+ // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types).
+ repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. The page size for search result pagination. Page size is capped
+ // at 500 even if a larger value is given. If set to zero, server will pick an
+ // appropriate default. Returned results may be fewer than requested. When
+ // this happens, there could be more results as long as `next_page_token` is
+ // returned.
+ int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. If present, then retrieve the next batch of results from the
+ // preceding call to this method. `page_token` must be the value of
+ // `next_page_token` from the previous response. The values of all other
+ // method parameters, must be identical to those in the previous call.
+ string page_token = 5 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. A comma separated list of fields specifying the sorting order of
+ // the results. The default order is ascending. Add " DESC" after the field
+ // name to indicate descending order. Redundant space characters are ignored.
+ // Example: "location DESC, name". See [supported resource metadata
+ // fields](https://cloud.google.com/asset-inventory/docs/searching-resources#query_on_resource_metadata_fields)
+ // for more details.
+ string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Search all resources response.
+message SearchAllResourcesResponse {
+ // A list of Resources that match the search query. It contains the resource
+ // standard metadata information.
+ repeated ResourceSearchResult results = 1;
+
+ // If there are more results than those appearing in this response, then
+ // `next_page_token` is included. To get the next set of results, call this
+ // method again using the value of `next_page_token` as `page_token`.
+ string next_page_token = 2;
+}
+
+// Search all IAM policies request.
+message SearchAllIamPoliciesRequest {
+ // Required. A scope can be a project, a folder or an organization. The search
+ // is limited to the IAM policies within the `scope`.
+ //
+ // The allowed values are:
+ //
+ // * projects/{PROJECT_ID}
+ // * projects/{PROJECT_NUMBER}
+ // * folders/{FOLDER_NUMBER}
+ // * organizations/{ORGANIZATION_NUMBER}
+ string scope = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // Optional. The query statement. An empty query can be specified to search
+ // all the IAM policies within the given `scope`.
+ //
+ // Examples:
+ //
+ // * `policy : "amy@gmail.com"` to find Cloud IAM policy bindings that
+ // specify user "amy@gmail.com".
+ // * `policy : "roles/compute.admin"` to find Cloud IAM policy bindings that
+ // specify the Compute Admin role.
+ // * `policy.role.permissions : "storage.buckets.update"` to find Cloud IAM
+ // policy bindings that specify a role containing "storage.buckets.update"
+ // permission.
+ // * `resource : "organizations/123"` to find Cloud IAM policy bindings that
+ // are set on "organizations/123".
+ // * `(resource : ("organizations/123" OR "folders/1234") AND policy : "amy")`
+ // to find Cloud IAM policy bindings that are set on "organizations/123" or
+ // "folders/1234", and also specify user "amy".
+ //
+ // See [how to construct a
+ // query](https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query)
+ // for more details.
+ string query = 2 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. The page size for search result pagination. Page size is capped
+ // at 500 even if a larger value is given. If set to zero, server will pick an
+ // appropriate default. Returned results may be fewer than requested. When
+ // this happens, there could be more results as long as `next_page_token` is
+ // returned.
+ int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. If present, retrieve the next batch of results from the preceding
+ // call to this method. `page_token` must be the value of `next_page_token`
+ // from the previous response. The values of all other method parameters must
+ // be identical to those in the previous call.
+ string page_token = 4 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Search all IAM policies response.
+message SearchAllIamPoliciesResponse {
+ // A list of IamPolicy that match the search query. Related information such
+ // as the associated resource is returned along with the policy.
+ repeated IamPolicySearchResult results = 1;
+
+ // Set if there are more results than those appearing in this response; to get
+ // the next set of results, call this method again, using this value as the
+ // `page_token`.
+ string next_page_token = 2;
 }
 // Asset content type.
diff --git a/google/cloud/asset/v1/assets.proto b/google/cloud/asset/v1/assets.proto
index 1e8b40a1..4e537d5c 100644
--- a/google/cloud/asset/v1/assets.proto
+++ b/google/cloud/asset/v1/assets.proto
@@ -16,6 +16,7 @@ syntax = "proto3";
 package google.cloud.asset.v1;
+import "google/api/annotations.proto";
 import "google/api/resource.proto";
 import "google/cloud/orgpolicy/v1/orgpolicy.proto";
 import "google/iam/v1/policy.proto";
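Review bot: `int32 page_size` in SearchAllResourcesRequest (field 4) and SearchAllIamPoliciesRequest (field 3) is documented for zero and for values above 500 but not for negative values, which the int32 type admits, so a reader cannot tell whether a negative page size is clamped, treated as zero or rejected. Suggested addition to both comments, if that is the server's behaviour (the hunk does not show it): `// Negative values are rejected with INVALID_ARGUMENT.`, or the equivalent sentence for whichever behaviour applies. The two response messages also describe `next_page_token` in different wording; aligning SearchAllIamPoliciesResponse's comment with the SearchAllResourcesResponse one would keep the generated docs consistent. The `message Feed` whose `feed_output_config` line is rewrapped at the top of the hunk starts outside it.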
@@ -25,7 +26,6 @@ import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
-import "google/api/annotations.proto";
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Asset.V1";
@@ -111,7 +111,8 @@ message Asset {
 google.identity.accesscontextmanager.v1.AccessLevel access_level = 8;
- google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9;
+ google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter =
+ 9;
 }
 // The ancestry path of an asset in Google Cloud [resource
@@ -169,4 +170,163 @@ message Resource {
 // The content of the resource, in which some sensitive fields are removed
 // and may not be present.
 google.protobuf.Struct data = 6;
+
+ // The location of the resource in Google Cloud, such as its zone and region.
+ // For more information, see https://cloud.google.com/about/locations/.
+ string location = 8;
+}
+
+// A result of Resource Search, containing information of a cloud resoure.
+message ResourceSearchResult {
+ // The full resource name of this resource. Example:
+ // "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1".
+ // See [Cloud Asset Inventory Resource Name
+ // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
+ // for more information.
+ //
+ // To search against the `name`:
+ //
+ // * use a field query. Example: `name : "instance1"`
+ // * use a free text query. Example: `"instance1"`
+ string name = 1;
+
+ // The type of this resource. Example: "compute.googleapis.com/Disk".
+ //
+ // To search against the `asset_type`:
+ //
+ // * specify the `asset_type` field in your search request.
+ string asset_type = 2;
+
+ // The project that this resource belongs to, in the form of
+ // projects/{PROJECT_NUMBER}.
+ //
+ // To search against the `project`:
+ //
+ // * specify the `scope` field as this project in your search request.
+ string project = 3;
+
+ // The display name of this resource.
+ //
+ // To search against the `display_name`:
+ //
+ // * use a field query. Example: `displayName : "My Instance"`
+ // * use a free text query. Example: `"My Instance"`
+ string display_name = 4;
+
+ // One or more paragraphs of text description of this resource. Maximum length
+ // could be up to 1M bytes.
+ //
+ // To search against the `description`:
+ //
+ // * use a field query. Example: `description : "*important instance*"`
+ // * use a free text query. 
Example: `"*important instance*"`
+ string description = 5;
+
+ // Location can be "global", regional like "us-east1", or zonal like
+ // "us-west1-b".
+ //
+ // To search against the `location`:
+ //
+ // * use a field query. Example: `location : "us-west*"`
+ // * use a free text query. Example: `"us-west*"`
+ string location = 6;
+
+ // Labels associated with this resource. See [Labelling and grouping GCP
+ // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
+ // for more information.
+ //
+ // To search against the `labels`:
+ //
+ // * use a field query, as following:
+ // - query on any label's key or value. Example: `labels : "prod"`
+ // - query by a given label. Example: `labels.env : "prod"`
+ // - query by a given label'sexistence. Example: `labels.env : *`
+ // * use a free text query. Example: `"prod"`
+ map labels = 7;
+
+ // Network tags associated with this resource. Like labels, network tags are a
+ // type of annotations used to group GCP resources. See [Labelling GCP
+ // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
+ // for more information.
+ //
+ // To search against the `network_tags`:
+ //
+ // * use a field query. Example: `networkTags : "internal"`
+ // * use a free text query. Example: `"internal"`
+ repeated string network_tags = 8;
+
+ // The additional attributes of this resource. The attributes may vary from
+ // one resource type to another. Examples: "projectId" for Project,
+ // "dnsName" for DNS ManagedZone.
+ //
+ // To search against the `additional_attributes`:
+ //
+ // * use a free text query to match the attributes values. Example: to search
+ // additional_attributes = { dnsName: "foobar" }, you can issue a query
+ // `"foobar"`.
+ google.protobuf.Struct additional_attributes = 9;
+}
+
+// A result of IAM Policy search, containing information of an IAM policy.
+message IamPolicySearchResult {
+ // Explanation about the IAM policy search result.
+ message Explanation {
+ // IAM permissions
+ message Permissions {
+ // A list of permissions. A sample permission string: "compute.disk.get".
+ repeated string permissions = 1;
+ }
+
+ // The map from roles to their included permissions that match the
+ // permission query (i.e., a query containing `policy.role.permissions:`).
+ // Example: if query `policy.role.permissions : "compute.disk.get"`
+ // matches a policy binding that contains owner role, the
+ // matched_permissions will be {"roles/owner": ["compute.disk.get"]}. The
+ // roles can also be found in the returned `policy` bindings. Note that the
+ // map is populated only for requests with permission queries.
+ map matched_permissions = 1;
+ }
+
+ // The full resource name of the resource associated with this IAM policy.
+ // Example:
+ // "//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1".
+ // See [Cloud Asset Inventory Resource Name
+ // Format](https://cloud.google.com/asset-inventory/docs/resource-name-format)
+ // for more information.
+ //
+ // To search against the `resource`:
+ //
+ // * use a field query. Example: `resource : "organizations/123"`
+ string resource = 1;
+
+ // The project that the associated GCP resource belongs to, in the form of
+ // projects/{PROJECT_NUMBER}. If an IAM policy is set on a resource (like VM
+ // instance, Cloud Storage bucket), the project field will indicate the
+ // project that contains the resource. If an IAM policy is set on a folder or
+ // orgnization, the project field will be empty.
+ //
+ // To search against the `project`:
+ //
+ // * specify the `scope` field as this project in your search request.
+ string project = 2;
+
+ // The IAM policy directly set on the given resource. Note that the original
+ // IAM policy can contain multiple bindings. This only contains the bindings
+ // that match the given query. 
For queries that don't contain a constrain on
+ // policies (e.g., an empty query), this contains all the bindings.
+ //
+ // To search against the `policy` bindings:
+ //
+ // * use a field query, as following:
+ // - query by the policy contained members. Example:
+ // `policy : "amy@gmail.com"`
+ // - query by the policy contained roles. Example:
+ // `policy : "roles/compute.admin"`
+ // - query by the policy contained roles' implied permissions. Example:
+ // `policy.role.permissions : "compute.instances.create"`
+ google.iam.v1.Policy policy = 3;
+
+ // Explanation about the IAM policy search result. It contains additional
+ // information to explain why the search result matches the query.
+ Explanation explanation = 4;
 }
diff --git a/google/cloud/asset/v1/cloudasset_grpc_service_config.json b/google/cloud/asset/v1/cloudasset_grpc_service_config.json
index b13314bc..031b3169 100755
--- a/google/cloud/asset/v1/cloudasset_grpc_service_config.json
+++ b/google/cloud/asset/v1/cloudasset_grpc_service_config.json
@@ -26,6 +26,29 @@
 "UNAVAILABLE"
 ]
 }
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.asset.v1.AssetService",
+ "method": "SearchAllResources"
+ },
+ {
+ "service": "google.cloud.asset.v1.AssetService",
+ "method": "SearchAllIamPolicies"
+ }
+ ],
+ "timeout": "15s",
+ "retryPolicy": {
+ "maxAttempts": 5,
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
 }
 ]
 }
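Review bot: Several comments in the new ResourceSearchResult and IamPolicySearchResult messages carry typos that will be published through the generated reference docs: `cloud resoure` → `cloud resource` in the ResourceSearchResult header, `label'sexistence` → `label's existence` under `labels`, `orgnization` → `organization` under IamPolicySearchResult.project, and `a constrain on` → `a constraint on` under `policy`. The `policy` comment would also benefit from an explicit caveat that the returned google.iam.v1.Policy holds only the query-matched bindings and is not the resource's full policy, e.g. `// This is a filtered view, not the complete policy of the resource.`, stated as a suggestion since the hunk only describes the filtering. In Resource, the new `location` takes field number 8 right after `data = 6`; if 7 belonged to a removed field it should be reserved, while if 7 is defined outside the hunk this is fine. The `labels` and `matched_permissions` map declarations appear to have lost their key/value type arguments in this rendering of the diff, so those types cannot be reviewed here.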