// Copyright 2024 Google LLC. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Code generated file. DO NOT EDIT. // Package cloudasset provides access to the Cloud Asset API. // // For product documentation, see: https://cloud.google.com/asset-inventory/docs/quickstart // // # Library status // // These client libraries are officially supported by Google. However, this // library is considered complete and is in maintenance mode. This means // that we will address critical bugs and security issues but will not add // any new features. // // When possible, we recommend using our newer // [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go) // that are still actively being worked and iterated on. // // # Creating a client // // Usage example: // // import "google.golang.org/api/cloudasset/v1p5beta1" // ... // ctx := context.Background() // cloudassetService, err := cloudasset.NewService(ctx) // // In this example, Google Application Default Credentials are used for // authentication. For information on how to create and obtain Application // Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. // // # Other authentication options // // To use an API key for authentication (note: some APIs do not support API // keys), use [google.golang.org/api/option.WithAPIKey]: // // cloudassetService, err := cloudasset.NewService(ctx, option.WithAPIKey("AIza...")) // // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth // flow, use [google.golang.org/api/option.WithTokenSource]: // // config := &oauth2.Config{...} // // ... // token, err := config.Exchange(ctx, ...) // cloudassetService, err := cloudasset.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) // // See [google.golang.org/api/option.ClientOption] for details on options. package cloudasset // import "google.golang.org/api/cloudasset/v1p5beta1" import ( "bytes" "context" "encoding/json" "errors" "fmt" "io" "net/http" "net/url" "strconv" "strings" googleapi "google.golang.org/api/googleapi" internal "google.golang.org/api/internal" gensupport "google.golang.org/api/internal/gensupport" option "google.golang.org/api/option" internaloption "google.golang.org/api/option/internaloption" htransport "google.golang.org/api/transport/http" ) // Always reference these packages, just in case the auto-generated code // below doesn't. var _ = bytes.NewBuffer var _ = strconv.Itoa var _ = fmt.Sprintf var _ = json.NewDecoder var _ = io.Copy var _ = url.Parse var _ = gensupport.MarshalJSON var _ = googleapi.Version var _ = errors.New var _ = strings.Replace var _ = context.Canceled var _ = internaloption.WithDefaultEndpoint var _ = internal.Version const apiId = "cloudasset:v1p5beta1" const apiName = "cloudasset" const apiVersion = "v1p5beta1" const basePath = "https://cloudasset.googleapis.com/" const basePathTemplate = "https://cloudasset.UNIVERSE_DOMAIN/" const mtlsBasePath = "https://cloudasset.mtls.googleapis.com/" // OAuth2 scopes used by this API. const ( // See, edit, configure, and delete your Google Cloud data and see the email // address for your Google Account. CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform" ) // NewService creates a new Service. func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { scopesOption := internaloption.WithDefaultScopes( "https://www.googleapis.com/auth/cloud-platform", ) // NOTE: prepend, so we don't override user-specified scopes. opts = append([]option.ClientOption{scopesOption}, opts...) opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) opts = append(opts, internaloption.WithDefaultEndpointTemplate(basePathTemplate)) opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) opts = append(opts, internaloption.EnableNewAuthLibrary()) client, endpoint, err := htransport.NewClient(ctx, opts...) if err != nil { return nil, err } s, err := New(client) if err != nil { return nil, err } if endpoint != "" { s.BasePath = endpoint } return s, nil } // New creates a new Service. It uses the provided http.Client for requests. // // Deprecated: please use NewService instead. // To provide a custom HTTP client, use option.WithHTTPClient. // If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. func New(client *http.Client) (*Service, error) { if client == nil { return nil, errors.New("client is nil") } s := &Service{client: client, BasePath: basePath} s.Assets = NewAssetsService(s) return s, nil } type Service struct { client *http.Client BasePath string // API endpoint base URL UserAgent string // optional additional User-Agent fragment Assets *AssetsService } func (s *Service) userAgent() string { if s.UserAgent == "" { return googleapi.UserAgent } return googleapi.UserAgent + " " + s.UserAgent } func NewAssetsService(s *Service) *AssetsService { rs := &AssetsService{s: s} return rs } type AssetsService struct { s *Service } // AnalyzeIamPolicyLongrunningMetadata: Represents the metadata of the // longrunning operation for the AnalyzeIamPolicyLongrunning RPC. type AnalyzeIamPolicyLongrunningMetadata struct { // CreateTime: Output only. The time the operation was created. CreateTime string `json:"createTime,omitempty"` // ForceSendFields is a list of field names (e.g. "CreateTime") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "CreateTime") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *AnalyzeIamPolicyLongrunningMetadata) MarshalJSON() ([]byte, error) { type NoMethod AnalyzeIamPolicyLongrunningMetadata return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // AnalyzeIamPolicyLongrunningResponse: A response message for // AssetService.AnalyzeIamPolicyLongrunning. type AnalyzeIamPolicyLongrunningResponse struct { } // Asset: An asset in Google Cloud. An asset can be any resource in the Google // Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google // Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. type Asset struct { // AccessLevel: Please also refer to the access level user guide // (https://cloud.google.com/access-context-manager/docs/overview#access-levels). AccessLevel *GoogleIdentityAccesscontextmanagerV1AccessLevel `json:"accessLevel,omitempty"` // AccessPolicy: Please also refer to the access policy user guide // (https://cloud.google.com/access-context-manager/docs/overview#access-policies). AccessPolicy *GoogleIdentityAccesscontextmanagerV1AccessPolicy `json:"accessPolicy,omitempty"` // Ancestors: The ancestry path of an asset in Google Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // represented as a list of relative resource names. An ancestry path starts // with the closest ancestor in the hierarchy and ends at root. If the asset is // a project, folder, or organization, the ancestry path starts from the asset // itself. Example: `["projects/123456789", "folders/5432", // "organizations/1234"]` Ancestors []string `json:"ancestors,omitempty"` // AssetType: The type of the asset. Example: `compute.googleapis.com/Disk` See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. AssetType string `json:"assetType,omitempty"` // IamPolicy: A representation of the IAM policy set on a Google Cloud // resource. There can be a maximum of one IAM policy set on any given // resource. In addition, IAM policies inherit their granted access scope from // any policies set on parent resources in the resource hierarchy. Therefore, // the effectively policy is the union of both the policy set on this resource // and each policy set on all of the resource's ancestry resource levels in the // hierarchy. See this topic // (https://cloud.google.com/iam/help/allow-policies/inheritance) for more // information. IamPolicy *Policy `json:"iamPolicy,omitempty"` // Name: The full name of the asset. Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/insta // nce1` See Resource names // (https://cloud.google.com/apis/design/resource_names#full_resource_name) for // more information. Name string `json:"name,omitempty"` // OrgPolicy: A representation of an organization policy // (https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). // There can be more than one organization policy with different constraints // set on a given resource. OrgPolicy []*GoogleCloudOrgpolicyV1Policy `json:"orgPolicy,omitempty"` // Resource: A representation of the resource. Resource *Resource `json:"resource,omitempty"` // ServicePerimeter: Please also refer to the service perimeter user guide // (https://cloud.google.com/vpc-service-controls/docs/overview). ServicePerimeter *GoogleIdentityAccesscontextmanagerV1ServicePerimeter `json:"servicePerimeter,omitempty"` // ForceSendFields is a list of field names (e.g. "AccessLevel") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessLevel") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *Asset) MarshalJSON() ([]byte, error) { type NoMethod Asset return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // AuditConfig: Specifies the audit configuration for a service. The // configuration determines which permission types are logged, and what // identities, if any, are exempted from logging. An AuditConfig must have one // or more AuditLogConfigs. If there are AuditConfigs for both `allServices` // and a specific service, the union of the two AuditConfigs is used for that // service: the log_types specified in each AuditConfig are enabled, and the // exempted_members in each AuditLogConfig are exempted. Example Policy with // multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", // "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ // "user:jose@example.com" ] }, { "log_type": "DATA_WRITE" }, { "log_type": // "ADMIN_READ" } ] }, { "service": "sampleservice.googleapis.com", // "audit_log_configs": [ { "log_type": "DATA_READ" }, { "log_type": // "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] } ] } ] } For // sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ // logging. It also exempts `jose@example.com` from DATA_READ logging, and // `aliya@example.com` from DATA_WRITE logging. type AuditConfig struct { // AuditLogConfigs: The configuration for logging of each type of permission. AuditLogConfigs []*AuditLogConfig `json:"auditLogConfigs,omitempty"` // Service: Specifies a service that will be enabled for audit logging. For // example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` // is a special value that covers all services. Service string `json:"service,omitempty"` // ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AuditLogConfigs") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *AuditConfig) MarshalJSON() ([]byte, error) { type NoMethod AuditConfig return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // AuditLogConfig: Provides the configuration for logging a type of // permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", // "exempted_members": [ "user:jose@example.com" ] }, { "log_type": // "DATA_WRITE" } ] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while // exempting jose@example.com from DATA_READ logging. type AuditLogConfig struct { // ExemptedMembers: Specifies the identities that do not cause logging for this // type of permission. Follows the same format of Binding.members. ExemptedMembers []string `json:"exemptedMembers,omitempty"` // LogType: The log type that this config enables. // // Possible values: // "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this. // "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy // "DATA_WRITE" - Data writes. Example: CloudSQL Users create // "DATA_READ" - Data reads. Example: CloudSQL Users list LogType string `json:"logType,omitempty"` // ForceSendFields is a list of field names (e.g. "ExemptedMembers") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "ExemptedMembers") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *AuditLogConfig) MarshalJSON() ([]byte, error) { type NoMethod AuditLogConfig return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // Binding: Associates `members`, or principals, with a `role`. type Binding struct { // Condition: The condition that is associated with this binding. If the // condition evaluates to `true`, then this binding applies to the current // request. If the condition evaluates to `false`, then this binding does not // apply to the current request. However, a different role binding might grant // the same role to one or more of the principals in this binding. To learn // which resources support conditions in their IAM policies, see the IAM // documentation // (https://cloud.google.com/iam/help/conditions/resource-policies). Condition *Expr `json:"condition,omitempty"` // Members: Specifies the principals requesting access for a Google Cloud // resource. `members` can have the following values: * `allUsers`: A special // identifier that represents anyone who is on the internet; with or without a // Google account. * `allAuthenticatedUsers`: A special identifier that // represents anyone who is authenticated with a Google account or a service // account. Does not include identities that come from external identity // providers (IdPs) through identity federation. * `user:{emailid}`: An email // address that represents a specific Google account. For example, // `alice@example.com` . * `serviceAccount:{emailid}`: An email address that // represents a Google service account. For example, // `my-other-app@appspot.gserviceaccount.com`. * // `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An // identifier for a Kubernetes service account // (https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). // For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * // `group:{emailid}`: An email address that represents a Google group. For // example, `admins@example.com`. * `domain:{domain}`: The G Suite domain // (primary) that represents all the users of that domain. For example, // `google.com` or `example.com`. * // `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/sub // ject/{subject_attribute_value}`: A single identity in a workforce identity // pool. * // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ // group/{group_id}`: All workforce identities in a group. * // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ // attribute.{attribute_name}/{attribute_value}`: All workforce identities with // a specific attribute value. * // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ // *`: All identities in a workforce identity pool. * // `principal://iam.googleapis.com/projects/{project_number}/locations/global/wo // rkloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single // identity in a workload identity pool. * // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global // /workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool // group. * // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global // /workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value} // `: All identities in a workload identity pool with a certain attribute. * // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global // /workloadIdentityPools/{pool_id}/*`: All identities in a workload identity // pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus // unique identifier) representing a user that has been recently deleted. For // example, `alice@example.com?uid=123456789012345678901`. If the user is // recovered, this value reverts to `user:{emailid}` and the recovered user // retains the role in the binding. * // `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus // unique identifier) representing a service account that has been recently // deleted. For example, // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the // service account is undeleted, this value reverts to // `serviceAccount:{emailid}` and the undeleted service account retains the // role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email // address (plus unique identifier) representing a Google group that has been // recently deleted. For example, // `admins@example.com?uid=123456789012345678901`. If the group is recovered, // this value reverts to `group:{emailid}` and the recovered group retains the // role in the binding. * // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool // _id}/subject/{subject_attribute_value}`: Deleted single identity in a // workforce identity pool. For example, // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-po // ol-id/subject/my-subject-attribute-value`. Members []string `json:"members,omitempty"` // Role: Role that is assigned to the list of `members`, or principals. For // example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview // of the IAM roles and permissions, see the IAM documentation // (https://cloud.google.com/iam/docs/roles-overview). For a list of the // available pre-defined roles, see here // (https://cloud.google.com/iam/docs/understanding-roles). Role string `json:"role,omitempty"` // ForceSendFields is a list of field names (e.g. "Condition") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Condition") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *Binding) MarshalJSON() ([]byte, error) { type NoMethod Binding return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // Expr: Represents a textual expression in the Common Expression Language // (CEL) syntax. CEL is a C-like expression language. The syntax and semantics // of CEL are documented at https://github.com/google/cel-spec. Example // (Comparison): title: "Summary size limit" description: "Determines if a // summary is less than 100 chars" expression: "document.summary.size() < 100" // Example (Equality): title: "Requestor is owner" description: "Determines if // requestor is the document owner" expression: "document.owner == // request.auth.claims.email" Example (Logic): title: "Public documents" // description: "Determine whether the document should be publicly visible" // expression: "document.type != 'private' && document.type != 'internal'" // Example (Data Manipulation): title: "Notification string" description: // "Create a notification string with a timestamp." expression: "'New message // received at ' + string(document.create_time)" The exact variables and // functions that may be referenced within an expression are determined by the // service that evaluates it. See the service documentation for additional // information. type Expr struct { // Description: Optional. Description of the expression. This is a longer text // which describes the expression, e.g. when hovered over it in a UI. Description string `json:"description,omitempty"` // Expression: Textual representation of an expression in Common Expression // Language syntax. Expression string `json:"expression,omitempty"` // Location: Optional. String indicating the location of the expression for // error reporting, e.g. a file name and a position in the file. Location string `json:"location,omitempty"` // Title: Optional. Title for the expression, i.e. a short string describing // its purpose. This can be used e.g. in UIs which allow to enter the // expression. Title string `json:"title,omitempty"` // ForceSendFields is a list of field names (e.g. "Description") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Description") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *Expr) MarshalJSON() ([]byte, error) { type NoMethod Expr return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudAssetV1p7beta1Asset: An asset in Google Cloud. An asset can be // any resource in the Google Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google // Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. type GoogleCloudAssetV1p7beta1Asset struct { // AccessLevel: Please also refer to the access level user guide // (https://cloud.google.com/access-context-manager/docs/overview#access-levels). AccessLevel *GoogleIdentityAccesscontextmanagerV1AccessLevel `json:"accessLevel,omitempty"` // AccessPolicy: Please also refer to the access policy user guide // (https://cloud.google.com/access-context-manager/docs/overview#access-policies). AccessPolicy *GoogleIdentityAccesscontextmanagerV1AccessPolicy `json:"accessPolicy,omitempty"` // Ancestors: The ancestry path of an asset in Google Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // represented as a list of relative resource names. An ancestry path starts // with the closest ancestor in the hierarchy and ends at root. If the asset is // a project, folder, or organization, the ancestry path starts from the asset // itself. Example: `["projects/123456789", "folders/5432", // "organizations/1234"]` Ancestors []string `json:"ancestors,omitempty"` // AssetType: The type of the asset. Example: `compute.googleapis.com/Disk` See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. AssetType string `json:"assetType,omitempty"` // IamPolicy: A representation of the IAM policy set on a Google Cloud // resource. There can be a maximum of one IAM policy set on any given // resource. In addition, IAM policies inherit their granted access scope from // any policies set on parent resources in the resource hierarchy. Therefore, // the effectively policy is the union of both the policy set on this resource // and each policy set on all of the resource's ancestry resource levels in the // hierarchy. See this topic // (https://cloud.google.com/iam/help/allow-policies/inheritance) for more // information. IamPolicy *Policy `json:"iamPolicy,omitempty"` // Name: The full name of the asset. Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/insta // nce1` See Resource names // (https://cloud.google.com/apis/design/resource_names#full_resource_name) for // more information. Name string `json:"name,omitempty"` // OrgPolicy: A representation of an organization policy // (https://cloud.google.com/resource-manager/docs/organization-policy/overview#organization_policy). // There can be more than one organization policy with different constraints // set on a given resource. OrgPolicy []*GoogleCloudOrgpolicyV1Policy `json:"orgPolicy,omitempty"` // RelatedAssets: The related assets of the asset of one relationship type. One // asset only represents one type of relationship. RelatedAssets *GoogleCloudAssetV1p7beta1RelatedAssets `json:"relatedAssets,omitempty"` // Resource: A representation of the resource. Resource *GoogleCloudAssetV1p7beta1Resource `json:"resource,omitempty"` // ServicePerimeter: Please also refer to the service perimeter user guide // (https://cloud.google.com/vpc-service-controls/docs/overview). ServicePerimeter *GoogleIdentityAccesscontextmanagerV1ServicePerimeter `json:"servicePerimeter,omitempty"` // UpdateTime: The last update timestamp of an asset. update_time is updated // when create/update/delete operation is performed. UpdateTime string `json:"updateTime,omitempty"` // ForceSendFields is a list of field names (e.g. "AccessLevel") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessLevel") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudAssetV1p7beta1Asset) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudAssetV1p7beta1Asset return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudAssetV1p7beta1RelatedAsset: An asset identify in Google Cloud // which contains its name, type and ancestors. An asset can be any resource in // the Google Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // a resource outside the Google Cloud resource hierarchy (such as Google // Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. type GoogleCloudAssetV1p7beta1RelatedAsset struct { // Ancestors: The ancestors of an asset in Google Cloud resource hierarchy // (https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy), // represented as a list of relative resource names. An ancestry path starts // with the closest ancestor in the hierarchy and ends at root. Example: // `["projects/123456789", "folders/5432", "organizations/1234"]` Ancestors []string `json:"ancestors,omitempty"` // Asset: The full name of the asset. Example: // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/insta // nce1` See Resource names // (https://cloud.google.com/apis/design/resource_names#full_resource_name) for // more information. Asset string `json:"asset,omitempty"` // AssetType: The type of the asset. Example: `compute.googleapis.com/Disk` See // Supported asset types // (https://cloud.google.com/asset-inventory/docs/supported-asset-types) for // more information. AssetType string `json:"assetType,omitempty"` // ForceSendFields is a list of field names (e.g. "Ancestors") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Ancestors") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudAssetV1p7beta1RelatedAsset) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudAssetV1p7beta1RelatedAsset return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudAssetV1p7beta1RelatedAssets: The detailed related assets with the // `relationship_type`. type GoogleCloudAssetV1p7beta1RelatedAssets struct { // Assets: The peer resources of the relationship. Assets []*GoogleCloudAssetV1p7beta1RelatedAsset `json:"assets,omitempty"` // RelationshipAttributes: The detailed relation attributes. RelationshipAttributes *GoogleCloudAssetV1p7beta1RelationshipAttributes `json:"relationshipAttributes,omitempty"` // ForceSendFields is a list of field names (e.g. "Assets") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Assets") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudAssetV1p7beta1RelatedAssets) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudAssetV1p7beta1RelatedAssets return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudAssetV1p7beta1RelationshipAttributes: The relationship attributes // which include `type`, `source_resource_type`, `target_resource_type` and // `action`. type GoogleCloudAssetV1p7beta1RelationshipAttributes struct { // Action: The detail of the relationship, e.g. `contains`, `attaches` Action string `json:"action,omitempty"` // SourceResourceType: The source asset type. Example: // `compute.googleapis.com/Instance` SourceResourceType string `json:"sourceResourceType,omitempty"` // TargetResourceType: The target asset type. Example: // `compute.googleapis.com/Disk` TargetResourceType string `json:"targetResourceType,omitempty"` // Type: The unique identifier of the relationship type. Example: // `INSTANCE_TO_INSTANCEGROUP` Type string `json:"type,omitempty"` // ForceSendFields is a list of field names (e.g. "Action") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Action") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudAssetV1p7beta1RelationshipAttributes) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudAssetV1p7beta1RelationshipAttributes return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudAssetV1p7beta1Resource: A representation of a Google Cloud // resource. type GoogleCloudAssetV1p7beta1Resource struct { // Data: The content of the resource, in which some sensitive fields are // removed and may not be present. Data googleapi.RawMessage `json:"data,omitempty"` // DiscoveryDocumentUri: The URL of the discovery document containing the // resource's JSON schema. Example: // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest` This value is // unspecified for resources that do not have an API based on a discovery // document, such as Cloud Bigtable. DiscoveryDocumentUri string `json:"discoveryDocumentUri,omitempty"` // DiscoveryName: The JSON schema name listed in the discovery document. // Example: `Project` This value is unspecified for resources that do not have // an API based on a discovery document, such as Cloud Bigtable. DiscoveryName string `json:"discoveryName,omitempty"` // Location: The location of the resource in Google Cloud, such as its zone and // region. For more information, see https://cloud.google.com/about/locations/. Location string `json:"location,omitempty"` // Parent: The full name of the immediate parent of this resource. See Resource // Names // (https://cloud.google.com/apis/design/resource_names#full_resource_name) for // more information. For Google Cloud assets, this value is the parent resource // defined in the IAM policy hierarchy // (https://cloud.google.com/iam/docs/overview#policy_hierarchy). Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` For // third-party assets, this field may be set differently. Parent string `json:"parent,omitempty"` // ResourceUrl: The REST URL for accessing the resource. An HTTP `GET` request // using this URL returns the resource itself. Example: // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123` // This value is unspecified for resources without a REST API. ResourceUrl string `json:"resourceUrl,omitempty"` // Version: The API version. Example: `v1` Version string `json:"version,omitempty"` // ForceSendFields is a list of field names (e.g. "Data") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Data") to include in API requests // with the JSON null value. By default, fields with empty values are omitted // from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudAssetV1p7beta1Resource) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudAssetV1p7beta1Resource return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudOrgpolicyV1BooleanPolicy: Used in `policy_type` to specify how // `boolean_policy` will behave at this resource. type GoogleCloudOrgpolicyV1BooleanPolicy struct { // Enforced: If `true`, then the `Policy` is enforced. If `false`, then any // configuration is acceptable. Suppose you have a `Constraint` // `constraints/compute.disableSerialPortAccess` with `constraint_default` set // to `ALLOW`. A `Policy` for that `Constraint` exhibits the following // behavior: - If the `Policy` at this resource has enforced set to `false`, // serial port connection attempts will be allowed. - If the `Policy` at this // resource has enforced set to `true`, serial port connection attempts will be // refused. - If the `Policy` at this resource is `RestoreDefault`, serial port // connection attempts will be allowed. - If no `Policy` is set at this // resource or anywhere higher in the resource hierarchy, serial port // connection attempts will be allowed. - If no `Policy` is set at this // resource, but one exists higher in the resource hierarchy, the behavior is // as if the`Policy` were set at this resource. The following examples // demonstrate the different possible layerings: Example 1 (nearest // `Constraint` wins): `organizations/foo` has a `Policy` with: {enforced: // false} `projects/bar` has no `Policy` set. The constraint at `projects/bar` // and `organizations/foo` will not be enforced. Example 2 (enforcement gets // replaced): `organizations/foo` has a `Policy` with: {enforced: false} // `projects/bar` has a `Policy` with: {enforced: true} The constraint at // `organizations/foo` is not enforced. The constraint at `projects/bar` is // enforced. Example 3 (RestoreDefault): `organizations/foo` has a `Policy` // with: {enforced: true} `projects/bar` has a `Policy` with: {RestoreDefault: // {}} The constraint at `organizations/foo` is enforced. The constraint at // `projects/bar` is not enforced, because `constraint_default` for the // `Constraint` is `ALLOW`. Enforced bool `json:"enforced,omitempty"` // ForceSendFields is a list of field names (e.g. "Enforced") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Enforced") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudOrgpolicyV1BooleanPolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudOrgpolicyV1BooleanPolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudOrgpolicyV1ListPolicy: Used in `policy_type` to specify how // `list_policy` behaves at this resource. `ListPolicy` can define specific // values and subtrees of Cloud Resource Manager resource hierarchy // (`Organizations`, `Folders`, `Projects`) that are allowed or denied by // setting the `allowed_values` and `denied_values` fields. This is achieved by // using the `under:` and optional `is:` prefixes. The `under:` prefix is used // to denote resource subtree values. The `is:` prefix is used to denote // specific values, and is required only if the value contains a ":". Values // prefixed with "is:" are treated the same as values with no prefix. Ancestry // subtrees must be in one of the following formats: - "projects/", e.g. // "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - // "organizations/", e.g. "organizations/1234" The `supports_under` field of // the associated `Constraint` defines whether ancestry prefixes can be used. // You can set `allowed_values` and `denied_values` in the same `Policy` if // `all_values` is `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to // allow or deny all values. If `all_values` is set to either `ALLOW` or // `DENY`, `allowed_values` and `denied_values` must be unset. type GoogleCloudOrgpolicyV1ListPolicy struct { // AllValues: The policy all_values state. // // Possible values: // "ALL_VALUES_UNSPECIFIED" - Indicates that allowed_values or denied_values // must be set. // "ALLOW" - A policy with this set allows all values. // "DENY" - A policy with this set denies all values. AllValues string `json:"allValues,omitempty"` // AllowedValues: List of values allowed at this resource. Can only be set if // `all_values` is set to `ALL_VALUES_UNSPECIFIED`. AllowedValues []string `json:"allowedValues,omitempty"` // DeniedValues: List of values denied at this resource. Can only be set if // `all_values` is set to `ALL_VALUES_UNSPECIFIED`. DeniedValues []string `json:"deniedValues,omitempty"` // InheritFromParent: Determines the inheritance behavior for this `Policy`. By // default, a `ListPolicy` set at a resource supersedes any `Policy` set // anywhere up the resource hierarchy. However, if `inherit_from_parent` is set // to `true`, then the values from the effective `Policy` of the parent // resource are inherited, meaning the values set in this `Policy` are added to // the values inherited up the hierarchy. Setting `Policy` hierarchies that // inherit both allowed values and denied values isn't recommended in most // circumstances to keep the configuration simple and understandable. However, // it is possible to set a `Policy` with `allowed_values` set that inherits a // `Policy` with `denied_values` set. In this case, the values that are allowed // must be in `allowed_values` and not present in `denied_values`. For example, // suppose you have a `Constraint` `constraints/serviceuser.services`, which // has a `constraint_type` of `list_constraint`, and with `constraint_default` // set to `ALLOW`. Suppose that at the Organization level, a `Policy` is // applied that restricts the allowed API activations to {`E1`, `E2`}. Then, if // a `Policy` is applied to a project below the Organization that has // `inherit_from_parent` set to `false` and field all_values set to DENY, then // an attempt to activate any API will be denied. The following examples // demonstrate different possible layerings for `projects/bar` parented by // `organizations/foo`: Example 1 (no inherited values): `organizations/foo` // has a `Policy` with values: {allowed_values: "E1" allowed_values:"E2"} // `projects/bar` has `inherit_from_parent` `false` and values: // {allowed_values: "E3" allowed_values: "E4"} The accepted values at // `organizations/foo` are `E1`, `E2`. The accepted values at `projects/bar` // are `E3`, and `E4`. Example 2 (inherited values): `organizations/foo` has a // `Policy` with values: {allowed_values: "E1" allowed_values:"E2"} // `projects/bar` has a `Policy` with values: {value: "E3" value: "E4" // inherit_from_parent: true} The accepted values at `organizations/foo` are // `E1`, `E2`. The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and // `E4`. Example 3 (inheriting both allowed and denied values): // `organizations/foo` has a `Policy` with values: {allowed_values: "E1" // allowed_values: "E2"} `projects/bar` has a `Policy` with: {denied_values: // "E1"} The accepted values at `organizations/foo` are `E1`, `E2`. The value // accepted at `projects/bar` is `E2`. Example 4 (RestoreDefault): // `organizations/foo` has a `Policy` with values: {allowed_values: "E1" // allowed_values:"E2"} `projects/bar` has a `Policy` with values: // {RestoreDefault: {}} The accepted values at `organizations/foo` are `E1`, // `E2`. The accepted values at `projects/bar` are either all or none depending // on the value of `constraint_default` (if `ALLOW`, all; if `DENY`, none). // Example 5 (no policy inherits parent policy): `organizations/foo` has no // `Policy` set. `projects/bar` has no `Policy` set. The accepted values at // both levels are either all or none depending on the value of // `constraint_default` (if `ALLOW`, all; if `DENY`, none). Example 6 // (ListConstraint allowing all): `organizations/foo` has a `Policy` with // values: {allowed_values: "E1" allowed_values: "E2"} `projects/bar` has a // `Policy` with: {all: ALLOW} The accepted values at `organizations/foo` are // `E1`, E2`. Any value is accepted at `projects/bar`. Example 7 // (ListConstraint allowing none): `organizations/foo` has a `Policy` with // values: {allowed_values: "E1" allowed_values: "E2"} `projects/bar` has a // `Policy` with: {all: DENY} The accepted values at `organizations/foo` are // `E1`, E2`. No value is accepted at `projects/bar`. Example 10 (allowed and // denied subtrees of Resource Manager hierarchy): Given the following resource // hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, `organizations/foo` has a // `Policy` with values: {allowed_values: "under:organizations/O1"} // `projects/bar` has a `Policy` with: {allowed_values: "under:projects/P3"} // {denied_values: "under:folders/F2"} The accepted values at // `organizations/foo` are `organizations/O1`, `folders/F1`, `folders/F2`, // `projects/P1`, `projects/P2`, `projects/P3`. The accepted values at // `projects/bar` are `organizations/O1`, `folders/F1`, `projects/P1`. InheritFromParent bool `json:"inheritFromParent,omitempty"` // SuggestedValue: Optional. The Google Cloud Console will try to default to a // configuration that matches the value specified in this `Policy`. If // `suggested_value` is not set, it will inherit the value specified higher in // the hierarchy, unless `inherit_from_parent` is `false`. SuggestedValue string `json:"suggestedValue,omitempty"` // ForceSendFields is a list of field names (e.g. "AllValues") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AllValues") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudOrgpolicyV1ListPolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudOrgpolicyV1ListPolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudOrgpolicyV1Policy: Defines a Cloud Organization `Policy` which is // used to specify `Constraints` for configurations of Cloud Platform // resources. type GoogleCloudOrgpolicyV1Policy struct { // BooleanPolicy: For boolean `Constraints`, whether to enforce the // `Constraint` or not. BooleanPolicy *GoogleCloudOrgpolicyV1BooleanPolicy `json:"booleanPolicy,omitempty"` // Constraint: The name of the `Constraint` the `Policy` is configuring, for // example, `constraints/serviceuser.services`. A list of available constraints // (/resource-manager/docs/organization-policy/org-policy-constraints) is // available. Immutable after creation. Constraint string `json:"constraint,omitempty"` // Etag: An opaque tag indicating the current version of the `Policy`, used for // concurrency control. When the `Policy` is returned from either a `GetPolicy` // or a `ListOrgPolicy` request, this `etag` indicates the version of the // current `Policy` to use when executing a read-modify-write loop. When the // `Policy` is returned from a `GetEffectivePolicy` request, the `etag` will be // unset. When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` // value that was returned from a `GetOrgPolicy` request as part of a // read-modify-write loop for concurrency control. Not setting the `etag`in a // `SetOrgPolicy` request will result in an unconditional write of the // `Policy`. Etag string `json:"etag,omitempty"` // ListPolicy: List of values either allowed or disallowed. ListPolicy *GoogleCloudOrgpolicyV1ListPolicy `json:"listPolicy,omitempty"` // RestoreDefault: Restores the default behavior of the constraint; independent // of `Constraint` type. RestoreDefault *GoogleCloudOrgpolicyV1RestoreDefault `json:"restoreDefault,omitempty"` // UpdateTime: The time stamp the `Policy` was previously updated. This is set // by the server, not specified by the caller, and represents the last time a // call to `SetOrgPolicy` was made for that `Policy`. Any value set by the // client will be ignored. UpdateTime string `json:"updateTime,omitempty"` // Version: Version of the `Policy`. Default version is 0; Version int64 `json:"version,omitempty"` // ForceSendFields is a list of field names (e.g. "BooleanPolicy") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "BooleanPolicy") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleCloudOrgpolicyV1Policy) MarshalJSON() ([]byte, error) { type NoMethod GoogleCloudOrgpolicyV1Policy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleCloudOrgpolicyV1RestoreDefault: Ignores policies set above this // resource and restores the `constraint_default` enforcement behavior of the // specific `Constraint` at this resource. Suppose that `constraint_default` is // set to `ALLOW` for the `Constraint` `constraints/serviceuser.services`. // Suppose that organization foo.com sets a `Policy` at their Organization // resource node that restricts the allowed service activations to deny all // service activations. They could then set a `Policy` with the `policy_type` // `restore_default` on several experimental projects, restoring the // `constraint_default` enforcement of the `Constraint` for only those // projects, allowing those projects to have all services activated. type GoogleCloudOrgpolicyV1RestoreDefault struct { } // GoogleIdentityAccesscontextmanagerV1AccessLevel: An `AccessLevel` is a label // that can be applied to requests to Google Cloud services, along with a list // of requirements necessary for the label to be applied. type GoogleIdentityAccesscontextmanagerV1AccessLevel struct { // Basic: A `BasicLevel` composed of `Conditions`. Basic *GoogleIdentityAccesscontextmanagerV1BasicLevel `json:"basic,omitempty"` // Custom: A `CustomLevel` written in the Common Expression Language. Custom *GoogleIdentityAccesscontextmanagerV1CustomLevel `json:"custom,omitempty"` // Description: Description of the `AccessLevel` and its use. Does not affect // behavior. Description string `json:"description,omitempty"` // Name: Resource name for the `AccessLevel`. Format: // `accessPolicies/{access_policy}/accessLevels/{access_level}`. The // `access_level` component must begin with a letter, followed by alphanumeric // characters or `_`. Its maximum length is 50 characters. After you create an // `AccessLevel`, you cannot change its `name`. Name string `json:"name,omitempty"` // Title: Human readable title. Must be unique within the Policy. Title string `json:"title,omitempty"` // ForceSendFields is a list of field names (e.g. "Basic") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Basic") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1AccessLevel) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1AccessLevel return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1AccessPolicy: `AccessPolicy` is a // container for `AccessLevels` (which define the necessary attributes to use // Google Cloud services) and `ServicePerimeters` (which define regions of // services able to freely pass data within a perimeter). An access policy is // globally visible within an organization, and the restrictions it specifies // apply to all projects within an organization. type GoogleIdentityAccesscontextmanagerV1AccessPolicy struct { // Etag: Output only. An opaque identifier for the current version of the // `AccessPolicy`. This will always be a strongly validated etag, meaning that // two Access Polices will be identical if and only if their etags are // identical. Clients should not expect this to be in any specific format. Etag string `json:"etag,omitempty"` // Name: Output only. Resource name of the `AccessPolicy`. Format: // `accessPolicies/{access_policy}` Name string `json:"name,omitempty"` // Parent: Required. The parent of this `AccessPolicy` in the Cloud Resource // Hierarchy. Currently immutable once created. Format: // `organizations/{organization_id}` Parent string `json:"parent,omitempty"` // Scopes: The scopes of the AccessPolicy. Scopes define which resources a // policy can restrict and where its resources can be referenced. For example, // policy A with `scopes=["folders/123"]` has the following behavior: - // ServicePerimeter can only restrict projects within `folders/123`. - // ServicePerimeter within policy A can only reference access levels defined // within policy A. - Only one policy can include a given scope; thus, // attempting to create a second policy which includes `folders/123` will // result in an error. If no scopes are provided, then any resource within the // organization can be restricted. Scopes cannot be modified after a policy is // created. Policies can only have a single scope. Format: list of // `folders/{folder_number}` or `projects/{project_number}` Scopes []string `json:"scopes,omitempty"` // Title: Required. Human readable title. Does not affect behavior. Title string `json:"title,omitempty"` // ForceSendFields is a list of field names (e.g. "Etag") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Etag") to include in API requests // with the JSON null value. By default, fields with empty values are omitted // from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1AccessPolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1AccessPolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1ApiOperation: Identification for an API // Operation. type GoogleIdentityAccesscontextmanagerV1ApiOperation struct { // MethodSelectors: API methods or permissions to allow. Method or permission // must belong to the service specified by `service_name` field. A single // MethodSelector entry with `*` specified for the `method` field will allow // all methods AND permissions for the service specified in `service_name`. MethodSelectors []*GoogleIdentityAccesscontextmanagerV1MethodSelector `json:"methodSelectors,omitempty"` // ServiceName: The name of the API whose methods or permissions the // IngressPolicy or EgressPolicy want to allow. A single ApiOperation with // `service_name` field set to `*` will allow all methods AND permissions for // all services. ServiceName string `json:"serviceName,omitempty"` // ForceSendFields is a list of field names (e.g. "MethodSelectors") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "MethodSelectors") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1ApiOperation) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1ApiOperation return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1BasicLevel: `BasicLevel` is an // `AccessLevel` using a set of recommended features. type GoogleIdentityAccesscontextmanagerV1BasicLevel struct { // CombiningFunction: How the `conditions` list should be combined to determine // if a request is granted this `AccessLevel`. If AND is used, each `Condition` // in `conditions` must be satisfied for the `AccessLevel` to be applied. If OR // is used, at least one `Condition` in `conditions` must be satisfied for the // `AccessLevel` to be applied. Default behavior is AND. // // Possible values: // "AND" - All `Conditions` must be true for the `BasicLevel` to be true. // "OR" - If at least one `Condition` is true, then the `BasicLevel` is true. CombiningFunction string `json:"combiningFunction,omitempty"` // Conditions: Required. A list of requirements for the `AccessLevel` to be // granted. Conditions []*GoogleIdentityAccesscontextmanagerV1Condition `json:"conditions,omitempty"` // ForceSendFields is a list of field names (e.g. "CombiningFunction") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "CombiningFunction") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1BasicLevel) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1BasicLevel return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1Condition: A condition necessary for an // `AccessLevel` to be granted. The Condition is an AND over its fields. So a // Condition is true if: 1) the request IP is from one of the listed // subnetworks AND 2) the originating device complies with the listed device // policy AND 3) all listed access levels are granted AND 4) the request was // sent at a time allowed by the DateTimeRestriction. type GoogleIdentityAccesscontextmanagerV1Condition struct { // DevicePolicy: Device specific restrictions, all restrictions must hold for // the Condition to be true. If not specified, all devices are allowed. DevicePolicy *GoogleIdentityAccesscontextmanagerV1DevicePolicy `json:"devicePolicy,omitempty"` // IpSubnetworks: CIDR block IP subnetwork specification. May be IPv4 or IPv6. // Note that for a CIDR IP address block, the specified IP address portion must // be properly truncated (i.e. all the host bits must be zero) or the input is // considered malformed. For example, "192.0.2.0/24" is accepted but // "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted // whereas "2001:db8::1/32" is not. The originating IP of a request must be in // one of the listed subnets in order for this Condition to be true. If empty, // all IP addresses are allowed. IpSubnetworks []string `json:"ipSubnetworks,omitempty"` // Members: The request must be made by one of the provided user or service // accounts. Groups are not supported. Syntax: `user:{emailid}` // `serviceAccount:{emailid}` If not specified, a request may come from any // user. Members []string `json:"members,omitempty"` // Negate: Whether to negate the Condition. If true, the Condition becomes a // NAND over its non-empty fields. Any non-empty field criteria evaluating to // false will result in the Condition to be satisfied. Defaults to false. Negate bool `json:"negate,omitempty"` // Regions: The request must originate from one of the provided // countries/regions. Must be valid ISO 3166-1 alpha-2 codes. Regions []string `json:"regions,omitempty"` // RequiredAccessLevels: A list of other access levels defined in the same // `Policy`, referenced by resource name. Referencing an `AccessLevel` which // does not exist is an error. All access levels listed must be granted for the // Condition to be true. Example: // "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME" RequiredAccessLevels []string `json:"requiredAccessLevels,omitempty"` // VpcNetworkSources: The request must originate from one of the provided VPC // networks in Google Cloud. Cannot specify this field together with // `ip_subnetworks`. VpcNetworkSources []*GoogleIdentityAccesscontextmanagerV1VpcNetworkSource `json:"vpcNetworkSources,omitempty"` // ForceSendFields is a list of field names (e.g. "DevicePolicy") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "DevicePolicy") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1Condition) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1Condition return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1CustomLevel: `CustomLevel` is an // `AccessLevel` using the Cloud Common Expression Language to represent the // necessary conditions for the level to apply to a request. See CEL spec at: // https://github.com/google/cel-spec type GoogleIdentityAccesscontextmanagerV1CustomLevel struct { // Expr: Required. A Cloud CEL expression evaluating to a boolean. Expr *Expr `json:"expr,omitempty"` // ForceSendFields is a list of field names (e.g. "Expr") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Expr") to include in API requests // with the JSON null value. By default, fields with empty values are omitted // from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1CustomLevel) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1CustomLevel return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1DevicePolicy: `DevicePolicy` specifies // device specific restrictions necessary to acquire a given access level. A // `DevicePolicy` specifies requirements for requests from devices to be // granted access levels, it does not do any enforcement on the device. // `DevicePolicy` acts as an AND over all specified fields, and each repeated // field is an OR over its elements. Any unset fields are ignored. For example, // if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, // encryption_status: ENCRYPTED}, then the DevicePolicy will be true for // requests originating from encrypted Linux desktops and encrypted Windows // desktops. type GoogleIdentityAccesscontextmanagerV1DevicePolicy struct { // AllowedDeviceManagementLevels: Allowed device management levels, an empty // list allows all management levels. // // Possible values: // "MANAGEMENT_UNSPECIFIED" - The device's management level is not specified // or not known. // "NONE" - The device is not managed. // "BASIC" - Basic management is enabled, which is generally limited to // monitoring and wiping the corporate account. // "COMPLETE" - Complete device management. This includes more thorough // monitoring and the ability to directly manage the device (such as remote // wiping). This can be enabled through the Android Enterprise Platform. AllowedDeviceManagementLevels []string `json:"allowedDeviceManagementLevels,omitempty"` // AllowedEncryptionStatuses: Allowed encryptions statuses, an empty list // allows all statuses. // // Possible values: // "ENCRYPTION_UNSPECIFIED" - The encryption status of the device is not // specified or not known. // "ENCRYPTION_UNSUPPORTED" - The device does not support encryption. // "UNENCRYPTED" - The device supports encryption, but is currently // unencrypted. // "ENCRYPTED" - The device is encrypted. AllowedEncryptionStatuses []string `json:"allowedEncryptionStatuses,omitempty"` // OsConstraints: Allowed OS versions, an empty list allows all types and all // versions. OsConstraints []*GoogleIdentityAccesscontextmanagerV1OsConstraint `json:"osConstraints,omitempty"` // RequireAdminApproval: Whether the device needs to be approved by the // customer admin. RequireAdminApproval bool `json:"requireAdminApproval,omitempty"` // RequireCorpOwned: Whether the device needs to be corp owned. RequireCorpOwned bool `json:"requireCorpOwned,omitempty"` // RequireScreenlock: Whether or not screenlock is required for the // DevicePolicy to be true. Defaults to `false`. RequireScreenlock bool `json:"requireScreenlock,omitempty"` // ForceSendFields is a list of field names (e.g. // "AllowedDeviceManagementLevels") to unconditionally include in API requests. // By default, fields with empty or default values are omitted from API // requests. See https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields // for more details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AllowedDeviceManagementLevels") // to include in API requests with the JSON null value. By default, fields with // empty values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1DevicePolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1DevicePolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1EgressFrom: Defines the conditions under // which an EgressPolicy matches a request. Conditions based on information // about the source of the request. Note that if the destination of the request // is also protected by a ServicePerimeter, then that ServicePerimeter must // have an IngressPolicy which allows access in order for this request to // succeed. type GoogleIdentityAccesscontextmanagerV1EgressFrom struct { // Identities: A list of identities that are allowed access through // [EgressPolicy]. Identities can be an individual user, service account, // Google group, or third-party identity. The `v1` identities that have the // prefix `user`, `group`, `serviceAccount`, `principal`, and `principalSet` in // https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported. Identities []string `json:"identities,omitempty"` // IdentityType: Specifies the type of identities that are allowed access to // outside the perimeter. If left unspecified, then members of `identities` // field will be allowed access. // // Possible values: // "IDENTITY_TYPE_UNSPECIFIED" - No blanket identity group specified. // "ANY_IDENTITY" - Authorize access from all identities outside the // perimeter. // "ANY_USER_ACCOUNT" - Authorize access from all human users outside the // perimeter. // "ANY_SERVICE_ACCOUNT" - Authorize access from all service accounts outside // the perimeter. IdentityType string `json:"identityType,omitempty"` // SourceRestriction: Whether to enforce traffic restrictions based on // `sources` field. If the `sources` fields is non-empty, then this field must // be set to `SOURCE_RESTRICTION_ENABLED`. // // Possible values: // "SOURCE_RESTRICTION_UNSPECIFIED" - Enforcement preference unspecified, // will not enforce traffic restrictions based on `sources` in EgressFrom. // "SOURCE_RESTRICTION_ENABLED" - Enforcement preference enabled, traffic // restrictions will be enforced based on `sources` in EgressFrom. // "SOURCE_RESTRICTION_DISABLED" - Enforcement preference disabled, will not // enforce traffic restrictions based on `sources` in EgressFrom. SourceRestriction string `json:"sourceRestriction,omitempty"` // Sources: Sources that this EgressPolicy authorizes access from. If this // field is not empty, then `source_restriction` must be set to // `SOURCE_RESTRICTION_ENABLED`. Sources []*GoogleIdentityAccesscontextmanagerV1EgressSource `json:"sources,omitempty"` // ForceSendFields is a list of field names (e.g. "Identities") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Identities") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1EgressFrom) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1EgressFrom return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1EgressPolicy: Policy for egress from // perimeter. EgressPolicies match requests based on `egress_from` and // `egress_to` stanzas. For an EgressPolicy to match, both `egress_from` and // `egress_to` stanzas must be matched. If an EgressPolicy matches a request, // the request is allowed to span the ServicePerimeter boundary. For example, // an EgressPolicy can be used to allow VMs on networks within the // ServicePerimeter to access a defined set of projects outside the perimeter // in certain contexts (e.g. to read data from a Cloud Storage bucket or query // against a BigQuery dataset). EgressPolicies are concerned with the // *resources* that a request relates as well as the API services and API // actions being used. They do not related to the direction of data movement. // More detailed documentation for this concept can be found in the // descriptions of EgressFrom and EgressTo. type GoogleIdentityAccesscontextmanagerV1EgressPolicy struct { // EgressFrom: Defines conditions on the source of a request causing this // EgressPolicy to apply. EgressFrom *GoogleIdentityAccesscontextmanagerV1EgressFrom `json:"egressFrom,omitempty"` // EgressTo: Defines the conditions on the ApiOperation and destination // resources that cause this EgressPolicy to apply. EgressTo *GoogleIdentityAccesscontextmanagerV1EgressTo `json:"egressTo,omitempty"` // ForceSendFields is a list of field names (e.g. "EgressFrom") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "EgressFrom") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1EgressPolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1EgressPolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1EgressSource: The source that // EgressPolicy authorizes access from inside the ServicePerimeter to somewhere // outside the ServicePerimeter boundaries. type GoogleIdentityAccesscontextmanagerV1EgressSource struct { // AccessLevel: An AccessLevel resource name that allows protected resources // inside the ServicePerimeters to access outside the ServicePerimeter // boundaries. AccessLevels listed must be in the same policy as this // ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. // If an AccessLevel name is not specified, only resources within the perimeter // can be accessed through Google Cloud calls with request origins within the // perimeter. Example: `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a // single `*` is specified for `access_level`, then all EgressSources will be // allowed. AccessLevel string `json:"accessLevel,omitempty"` // ForceSendFields is a list of field names (e.g. "AccessLevel") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessLevel") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1EgressSource) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1EgressSource return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1EgressTo: Defines the conditions under // which an EgressPolicy matches a request. Conditions are based on information // about the ApiOperation intended to be performed on the `resources` // specified. Note that if the destination of the request is also protected by // a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy // which allows access in order for this request to succeed. The request must // match `operations` AND `resources` fields in order to be allowed egress out // of the perimeter. type GoogleIdentityAccesscontextmanagerV1EgressTo struct { // ExternalResources: A list of external resources that are allowed to be // accessed. Only AWS and Azure resources are supported. For Amazon S3, the // supported formats are s3://BUCKET_NAME, s3a://BUCKET_NAME, and // s3n://BUCKET_NAME. For Azure Storage, the supported format is // azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if // it contains an external resource in this list (Example: s3://bucket/path). // Currently '*' is not allowed. ExternalResources []string `json:"externalResources,omitempty"` // Operations: A list of ApiOperations allowed to be performed by the sources // specified in the corresponding EgressFrom. A request matches if it uses an // operation/service in this list. Operations []*GoogleIdentityAccesscontextmanagerV1ApiOperation `json:"operations,omitempty"` // Resources: A list of resources, currently only projects in the form // `projects/`, that are allowed to be accessed by sources defined in the // corresponding EgressFrom. A request matches if it contains a resource in // this list. If `*` is specified for `resources`, then this EgressTo rule will // authorize access to all resources outside the perimeter. Resources []string `json:"resources,omitempty"` // ForceSendFields is a list of field names (e.g. "ExternalResources") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "ExternalResources") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1EgressTo) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1EgressTo return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1IngressFrom: Defines the conditions // under which an IngressPolicy matches a request. Conditions are based on // information about the source of the request. The request must satisfy what // is defined in `sources` AND identity related fields in order to match. type GoogleIdentityAccesscontextmanagerV1IngressFrom struct { // Identities: A list of identities that are allowed access through // [IngressPolicy]. Identities can be an individual user, service account, // Google group, or third-party identity. The `v1` identities that have the // prefix `user`, `group`, `serviceAccount`, `principal`, and `principalSet` in // https://cloud.google.com/iam/docs/principal-identifiers#v1 are supported. Identities []string `json:"identities,omitempty"` // IdentityType: Specifies the type of identities that are allowed access from // outside the perimeter. If left unspecified, then members of `identities` // field will be allowed access. // // Possible values: // "IDENTITY_TYPE_UNSPECIFIED" - No blanket identity group specified. // "ANY_IDENTITY" - Authorize access from all identities outside the // perimeter. // "ANY_USER_ACCOUNT" - Authorize access from all human users outside the // perimeter. // "ANY_SERVICE_ACCOUNT" - Authorize access from all service accounts outside // the perimeter. IdentityType string `json:"identityType,omitempty"` // Sources: Sources that this IngressPolicy authorizes access from. Sources []*GoogleIdentityAccesscontextmanagerV1IngressSource `json:"sources,omitempty"` // ForceSendFields is a list of field names (e.g. "Identities") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Identities") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1IngressFrom) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1IngressFrom return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1IngressPolicy: Policy for ingress into // ServicePerimeter. IngressPolicies match requests based on `ingress_from` and // `ingress_to` stanzas. For an ingress policy to match, both the // `ingress_from` and `ingress_to` stanzas must be matched. If an IngressPolicy // matches a request, the request is allowed through the perimeter boundary // from outside the perimeter. For example, access from the internet can be // allowed either based on an AccessLevel or, for traffic hosted on Google // Cloud, the project of the source network. For access from private networks, // using the project of the hosting network is required. Individual ingress // policies can be limited by restricting which services and/or actions they // match using the `ingress_to` field. type GoogleIdentityAccesscontextmanagerV1IngressPolicy struct { // IngressFrom: Defines the conditions on the source of a request causing this // IngressPolicy to apply. IngressFrom *GoogleIdentityAccesscontextmanagerV1IngressFrom `json:"ingressFrom,omitempty"` // IngressTo: Defines the conditions on the ApiOperation and request // destination that cause this IngressPolicy to apply. IngressTo *GoogleIdentityAccesscontextmanagerV1IngressTo `json:"ingressTo,omitempty"` // ForceSendFields is a list of field names (e.g. "IngressFrom") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "IngressFrom") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1IngressPolicy) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1IngressPolicy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1IngressSource: The source that // IngressPolicy authorizes access from. type GoogleIdentityAccesscontextmanagerV1IngressSource struct { // AccessLevel: An AccessLevel resource name that allow resources within the // ServicePerimeters to be accessed from the internet. AccessLevels listed must // be in the same policy as this ServicePerimeter. Referencing a nonexistent // AccessLevel will cause an error. If no AccessLevel names are listed, // resources within the perimeter can only be accessed via Google Cloud calls // with request origins within the perimeter. Example: // `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is // specified for `access_level`, then all IngressSources will be allowed. AccessLevel string `json:"accessLevel,omitempty"` // Resource: A Google Cloud resource that is allowed to ingress the perimeter. // Requests from these resources will be allowed to access perimeter data. // Currently only projects and VPCs are allowed. Project format: // `projects/{project_number}` VPC network format: // `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`. The // project may be in any Google Cloud organization, not just the organization // that the perimeter is defined in. `*` is not allowed, the case of allowing // all Google Cloud resources only is not supported. Resource string `json:"resource,omitempty"` // ForceSendFields is a list of field names (e.g. "AccessLevel") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessLevel") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1IngressSource) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1IngressSource return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1IngressTo: Defines the conditions under // which an IngressPolicy matches a request. Conditions are based on // information about the ApiOperation intended to be performed on the target // resource of the request. The request must satisfy what is defined in // `operations` AND `resources` in order to match. type GoogleIdentityAccesscontextmanagerV1IngressTo struct { // Operations: A list of ApiOperations allowed to be performed by the sources // specified in corresponding IngressFrom in this ServicePerimeter. Operations []*GoogleIdentityAccesscontextmanagerV1ApiOperation `json:"operations,omitempty"` // Resources: A list of resources, currently only projects in the form // `projects/`, protected by this ServicePerimeter that are allowed to be // accessed by sources defined in the corresponding IngressFrom. If a single // `*` is specified, then access to all resources inside the perimeter are // allowed. Resources []string `json:"resources,omitempty"` // ForceSendFields is a list of field names (e.g. "Operations") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Operations") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1IngressTo) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1IngressTo return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1MethodSelector: An allowed method or // permission of a service specified in ApiOperation. type GoogleIdentityAccesscontextmanagerV1MethodSelector struct { // Method: A valid method name for the corresponding `service_name` in // ApiOperation. If `*` is used as the value for the `method`, then ALL methods // and permissions are allowed. Method string `json:"method,omitempty"` // Permission: A valid Cloud IAM permission for the corresponding // `service_name` in ApiOperation. Permission string `json:"permission,omitempty"` // ForceSendFields is a list of field names (e.g. "Method") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Method") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1MethodSelector) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1MethodSelector return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1OsConstraint: A restriction on the OS // type and version of devices making requests. type GoogleIdentityAccesscontextmanagerV1OsConstraint struct { // MinimumVersion: The minimum allowed OS version. If not set, any version of // this OS satisfies the constraint. Format: "major.minor.patch". Examples: // "10.5.301", "9.2.1". MinimumVersion string `json:"minimumVersion,omitempty"` // OsType: Required. The allowed OS type. // // Possible values: // "OS_UNSPECIFIED" - The operating system of the device is not specified or // not known. // "DESKTOP_MAC" - A desktop Mac operating system. // "DESKTOP_WINDOWS" - A desktop Windows operating system. // "DESKTOP_LINUX" - A desktop Linux operating system. // "DESKTOP_CHROME_OS" - A desktop ChromeOS operating system. // "ANDROID" - An Android operating system. // "IOS" - An iOS operating system. OsType string `json:"osType,omitempty"` // RequireVerifiedChromeOs: Only allows requests from devices with a verified // Chrome OS. Verifications includes requirements that the device is // enterprise-managed, conformant to domain policies, and the caller has // permission to call the API targeted by the request. RequireVerifiedChromeOs bool `json:"requireVerifiedChromeOs,omitempty"` // ForceSendFields is a list of field names (e.g. "MinimumVersion") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "MinimumVersion") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1OsConstraint) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1OsConstraint return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1ServicePerimeter: `ServicePerimeter` // describes a set of Google Cloud resources which can freely import and export // data amongst themselves, but not export outside of the `ServicePerimeter`. // If a request with a source within this `ServicePerimeter` has a target // outside of the `ServicePerimeter`, the request will be blocked. Otherwise // the request is allowed. There are two types of Service Perimeter - Regular // and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud // project or VPC network can only belong to a single regular Service // Perimeter. Service Perimeter Bridges can contain only Google Cloud projects // as members, a single Google Cloud project may belong to multiple Service // Perimeter Bridges. type GoogleIdentityAccesscontextmanagerV1ServicePerimeter struct { // Description: Description of the `ServicePerimeter` and its use. Does not // affect behavior. Description string `json:"description,omitempty"` // Name: Resource name for the `ServicePerimeter`. Format: // `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`. The // `service_perimeter` component must begin with a letter, followed by // alphanumeric characters or `_`. After you create a `ServicePerimeter`, you // cannot change its `name`. Name string `json:"name,omitempty"` // PerimeterType: Perimeter type indicator. A single project or VPC network is // allowed to be a member of single regular perimeter, but multiple service // perimeter bridges. A project cannot be a included in a perimeter bridge // without being included in regular perimeter. For perimeter bridges, the // restricted service list as well as access level lists must be empty. // // Possible values: // "PERIMETER_TYPE_REGULAR" - Regular Perimeter. When no value is specified, // the perimeter uses this type. // "PERIMETER_TYPE_BRIDGE" - Perimeter Bridge. PerimeterType string `json:"perimeterType,omitempty"` // Spec: Proposed (or dry run) ServicePerimeter configuration. This // configuration allows to specify and test ServicePerimeter configuration // without enforcing actual access restrictions. Only allowed to be set when // the "use_explicit_dry_run_spec" flag is set. Spec *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig `json:"spec,omitempty"` // Status: Current ServicePerimeter configuration. Specifies sets of resources, // restricted services and access levels that determine perimeter content and // boundaries. Status *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig `json:"status,omitempty"` // Title: Human readable title. Must be unique within the Policy. Title string `json:"title,omitempty"` // UseExplicitDryRunSpec: Use explicit dry run spec flag. Ordinarily, a dry-run // spec implicitly exists for all Service Perimeters, and that spec is // identical to the status for those Service Perimeters. When this flag is set, // it inhibits the generation of the implicit spec, thereby allowing the user // to explicitly provide a configuration ("spec") to use in a dry-run version // of the Service Perimeter. This allows the user to test changes to the // enforced config ("status") without actually enforcing them. This testing is // done through analyzing the differences between currently enforced and // suggested restrictions. use_explicit_dry_run_spec must bet set to True if // any of the fields in the spec are set to non-default values. UseExplicitDryRunSpec bool `json:"useExplicitDryRunSpec,omitempty"` // ForceSendFields is a list of field names (e.g. "Description") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Description") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1ServicePerimeter) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1ServicePerimeter return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig: // `ServicePerimeterConfig` specifies a set of Google Cloud resources that // describe specific Service Perimeter configuration. type GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig struct { // AccessLevels: A list of `AccessLevel` resource names that allow resources // within the `ServicePerimeter` to be accessed from the internet. // `AccessLevels` listed must be in the same policy as this `ServicePerimeter`. // Referencing a nonexistent `AccessLevel` is a syntax error. If no // `AccessLevel` names are listed, resources within the perimeter can only be // accessed via Google Cloud calls with request origins within the perimeter. // Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service // Perimeter Bridge, must be empty. AccessLevels []string `json:"accessLevels,omitempty"` // EgressPolicies: List of EgressPolicies to apply to the perimeter. A // perimeter may have multiple EgressPolicies, each of which is evaluated // separately. Access is granted if any EgressPolicy grants it. Must be empty // for a perimeter bridge. EgressPolicies []*GoogleIdentityAccesscontextmanagerV1EgressPolicy `json:"egressPolicies,omitempty"` // IngressPolicies: List of IngressPolicies to apply to the perimeter. A // perimeter may have multiple IngressPolicies, each of which is evaluated // separately. Access is granted if any Ingress Policy grants it. Must be empty // for a perimeter bridge. IngressPolicies []*GoogleIdentityAccesscontextmanagerV1IngressPolicy `json:"ingressPolicies,omitempty"` // Resources: A list of Google Cloud resources that are inside of the service // perimeter. Currently only projects and VPCs are allowed. Project format: // `projects/{project_number}` VPC network format: // `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NAME}`. Resources []string `json:"resources,omitempty"` // RestrictedServices: Google Cloud services that are subject to the Service // Perimeter restrictions. For example, if `storage.googleapis.com` is // specified, access to the storage buckets inside the perimeter must meet the // perimeter's access restrictions. RestrictedServices []string `json:"restrictedServices,omitempty"` // VpcAccessibleServices: Configuration for APIs allowed within Perimeter. VpcAccessibleServices *GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices `json:"vpcAccessibleServices,omitempty"` // ForceSendFields is a list of field names (e.g. "AccessLevels") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessLevels") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1ServicePerimeterConfig return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices: Specifies how // APIs are allowed to communicate within the Service Perimeter. type GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices struct { // AllowedServices: The list of APIs usable within the Service Perimeter. Must // be empty unless 'enable_restriction' is True. You can specify a list of // individual services, as well as include the 'RESTRICTED-SERVICES' value, // which automatically includes all of the services protected by the perimeter. AllowedServices []string `json:"allowedServices,omitempty"` // EnableRestriction: Whether to restrict API calls within the Service // Perimeter to the list of APIs specified in 'allowed_services'. EnableRestriction bool `json:"enableRestriction,omitempty"` // ForceSendFields is a list of field names (e.g. "AllowedServices") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AllowedServices") to include in // API requests with the JSON null value. By default, fields with empty values // are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1VpcAccessibleServices return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1VpcNetworkSource: The originating // network source in Google Cloud. type GoogleIdentityAccesscontextmanagerV1VpcNetworkSource struct { // VpcSubnetwork: Sub-segment ranges of a VPC network. VpcSubnetwork *GoogleIdentityAccesscontextmanagerV1VpcSubNetwork `json:"vpcSubnetwork,omitempty"` // ForceSendFields is a list of field names (e.g. "VpcSubnetwork") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "VpcSubnetwork") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1VpcNetworkSource) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1VpcNetworkSource return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // GoogleIdentityAccesscontextmanagerV1VpcSubNetwork: Sub-segment ranges inside // of a VPC Network. type GoogleIdentityAccesscontextmanagerV1VpcSubNetwork struct { // Network: Required. Network name. If the network is not part of the // organization, the `compute.network.get` permission must be granted to the // caller. Format: // `//compute.googleapis.com/projects/{PROJECT_ID}/global/networks/{NETWORK_NAME // }` Example: // `//compute.googleapis.com/projects/my-project/global/networks/network-1` Network string `json:"network,omitempty"` // VpcIpSubnetworks: CIDR block IP subnetwork specification. The IP address // must be an IPv4 address and can be a public or private IP address. Note that // for a CIDR IP address block, the specified IP address portion must be // properly truncated (i.e. all the host bits must be zero) or the input is // considered malformed. For example, "192.0.2.0/24" is accepted but // "192.0.2.1/24" is not. If empty, all IP addresses are allowed. VpcIpSubnetworks []string `json:"vpcIpSubnetworks,omitempty"` // ForceSendFields is a list of field names (e.g. "Network") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Network") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *GoogleIdentityAccesscontextmanagerV1VpcSubNetwork) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityAccesscontextmanagerV1VpcSubNetwork return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // ListAssetsResponse: ListAssets response. type ListAssetsResponse struct { // Assets: Assets. Assets []*Asset `json:"assets,omitempty"` // NextPageToken: Token to retrieve the next page of results. It expires 72 // hours after the page token for the first page is generated. Set to empty if // there are no remaining results. NextPageToken string `json:"nextPageToken,omitempty"` // ReadTime: Time the snapshot was taken. ReadTime string `json:"readTime,omitempty"` // ServerResponse contains the HTTP response code and headers from the server. googleapi.ServerResponse `json:"-"` // ForceSendFields is a list of field names (e.g. "Assets") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Assets") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *ListAssetsResponse) MarshalJSON() ([]byte, error) { type NoMethod ListAssetsResponse return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // Policy: An Identity and Access Management (IAM) policy, which specifies // access controls for Google Cloud resources. A `Policy` is a collection of // `bindings`. A `binding` binds one or more `members`, or principals, to a // single `role`. Principals can be user accounts, service accounts, Google // groups, and domains (such as G Suite). A `role` is a named list of // permissions; each `role` can be an IAM predefined role or a user-created // custom role. For some types of Google Cloud resources, a `binding` can also // specify a `condition`, which is a logical expression that allows access to a // resource only if the expression evaluates to `true`. A condition can add // constraints based on attributes of the request, the resource, or both. To // learn which resources support conditions in their IAM policies, see the IAM // documentation // (https://cloud.google.com/iam/help/conditions/resource-policies). **JSON // example:** ``` { "bindings": [ { "role": // "roles/resourcemanager.organizationAdmin", "members": [ // "user:mike@example.com", "group:admins@example.com", "domain:google.com", // "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": // "roles/resourcemanager.organizationViewer", "members": [ // "user:eve@example.com" ], "condition": { "title": "expirable access", // "description": "Does not grant access after Sep 2020", "expression": // "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": // "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - // members: - user:mike@example.com - group:admins@example.com - // domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com // role: roles/resourcemanager.organizationAdmin - members: - // user:eve@example.com role: roles/resourcemanager.organizationViewer // condition: title: expirable access description: Does not grant access after // Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') // etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, // see the IAM documentation (https://cloud.google.com/iam/docs/). type Policy struct { // AuditConfigs: Specifies cloud audit logging configuration for this policy. AuditConfigs []*AuditConfig `json:"auditConfigs,omitempty"` // Bindings: Associates a list of `members`, or principals, with a `role`. // Optionally, may specify a `condition` that determines how and when the // `bindings` are applied. Each of the `bindings` must contain at least one // principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; // up to 250 of these principals can be Google groups. Each occurrence of a // principal counts towards these limits. For example, if the `bindings` grant // 50 different roles to `user:alice@example.com`, and not to any other // principal, then you can add another 1,450 principals to the `bindings` in // the `Policy`. Bindings []*Binding `json:"bindings,omitempty"` // Etag: `etag` is used for optimistic concurrency control as a way to help // prevent simultaneous updates of a policy from overwriting each other. It is // strongly suggested that systems make use of the `etag` in the // read-modify-write cycle to perform policy updates in order to avoid race // conditions: An `etag` is returned in the response to `getIamPolicy`, and // systems are expected to put that etag in the request to `setIamPolicy` to // ensure that their change will be applied to the same version of the policy. // **Important:** If you use IAM Conditions, you must include the `etag` field // whenever you call `setIamPolicy`. If you omit this field, then IAM allows // you to overwrite a version `3` policy with a version `1` policy, and all of // the conditions in the version `3` policy are lost. Etag string `json:"etag,omitempty"` // Version: Specifies the format of the policy. Valid values are `0`, `1`, and // `3`. Requests that specify an invalid value are rejected. Any operation that // affects conditional role bindings must specify version `3`. This requirement // applies to the following operations: * Getting a policy that includes a // conditional role binding * Adding a conditional role binding to a policy * // Changing a conditional role binding in a policy * Removing any role binding, // with or without a condition, from a policy that includes conditions // **Important:** If you use IAM Conditions, you must include the `etag` field // whenever you call `setIamPolicy`. If you omit this field, then IAM allows // you to overwrite a version `3` policy with a version `1` policy, and all of // the conditions in the version `3` policy are lost. If a policy does not // include any conditions, operations on that policy may specify any valid // version or leave the field unset. To learn which resources support // conditions in their IAM policies, see the IAM documentation // (https://cloud.google.com/iam/help/conditions/resource-policies). Version int64 `json:"version,omitempty"` // ForceSendFields is a list of field names (e.g. "AuditConfigs") to // unconditionally include in API requests. By default, fields with empty or // default values are omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AuditConfigs") to include in API // requests with the JSON null value. By default, fields with empty values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *Policy) MarshalJSON() ([]byte, error) { type NoMethod Policy return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } // Resource: A representation of a Google Cloud resource. type Resource struct { // Data: The content of the resource, in which some sensitive fields are // removed and may not be present. Data googleapi.RawMessage `json:"data,omitempty"` // DiscoveryDocumentUri: The URL of the discovery document containing the // resource's JSON schema. Example: // `https://www.googleapis.com/discovery/v1/apis/compute/v1/rest` This value is // unspecified for resources that do not have an API based on a discovery // document, such as Cloud Bigtable. DiscoveryDocumentUri string `json:"discoveryDocumentUri,omitempty"` // DiscoveryName: The JSON schema name listed in the discovery document. // Example: `Project` This value is unspecified for resources that do not have // an API based on a discovery document, such as Cloud Bigtable. DiscoveryName string `json:"discoveryName,omitempty"` // Parent: The full name of the immediate parent of this resource. See Resource // Names // (https://cloud.google.com/apis/design/resource_names#full_resource_name) for // more information. For Google Cloud assets, this value is the parent resource // defined in the IAM policy hierarchy // (https://cloud.google.com/iam/docs/overview#policy_hierarchy). Example: // `//cloudresourcemanager.googleapis.com/projects/my_project_123` For // third-party assets, this field may be set differently. Parent string `json:"parent,omitempty"` // ResourceUrl: The REST URL for accessing the resource. An HTTP `GET` request // using this URL returns the resource itself. Example: // `https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123` // This value is unspecified for resources without a REST API. ResourceUrl string `json:"resourceUrl,omitempty"` // Version: The API version. Example: "v1". Version string `json:"version,omitempty"` // ForceSendFields is a list of field names (e.g. "Data") to unconditionally // include in API requests. By default, fields with empty or default values are // omitted from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more // details. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Data") to include in API requests // with the JSON null value. By default, fields with empty values are omitted // from API requests. See // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. NullFields []string `json:"-"` } func (s *Resource) MarshalJSON() ([]byte, error) { type NoMethod Resource return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) } type AssetsListCall struct { s *Service parent string urlParams_ gensupport.URLParams ifNoneMatch_ string ctx_ context.Context header_ http.Header } // List: Lists assets with time and resource types and returns paged results in // response. // // - parent: Name of the organization or project the assets belong to. Format: // "organizations/[organization-number]" (such as "organizations/123"), // "projects/[project-id]" (such as "projects/my-project-id"), or // "projects/[project-number]" (such as "projects/12345"). func (r *AssetsService) List(parent string) *AssetsListCall { c := &AssetsListCall{s: r.s, urlParams_: make(gensupport.URLParams)} c.parent = parent return c } // AssetTypes sets the optional parameter "assetTypes": A list of asset types // to take a snapshot for. For example: "compute.googleapis.com/Disk". Regular // expression is also supported. For example: * "compute.googleapis.com.*" // snapshots resources whose asset type starts with "compute.googleapis.com". * // ".*Instance" snapshots resources whose asset type ends with "Instance". * // ".*Instance.*" snapshots resources whose asset type contains "Instance". See // RE2 (https://github.com/google/re2/wiki/Syntax) for all supported regular // expression syntax. If the regular expression does not match any supported // asset type, an INVALID_ARGUMENT error will be returned. If specified, only // matching assets will be returned, otherwise, it will snapshot all asset // types. See Introduction to Cloud Asset Inventory // (https://cloud.google.com/asset-inventory/docs/overview) for all supported // asset types. func (c *AssetsListCall) AssetTypes(assetTypes ...string) *AssetsListCall { c.urlParams_.SetMulti("assetTypes", append([]string{}, assetTypes...)) return c } // ContentType sets the optional parameter "contentType": Asset content type. // If not specified, no content but the asset name will be returned. // // Possible values: // // "CONTENT_TYPE_UNSPECIFIED" - Unspecified content type. // "RESOURCE" - Resource metadata. // "IAM_POLICY" - The actual IAM policy set on a resource. // "ORG_POLICY" - The organization policy set on an asset. // "ACCESS_POLICY" - The Access Context Manager policy set on an asset. func (c *AssetsListCall) ContentType(contentType string) *AssetsListCall { c.urlParams_.Set("contentType", contentType) return c } // PageSize sets the optional parameter "pageSize": The maximum number of // assets to be returned in a single response. Default is 100, minimum is 1, // and maximum is 1000. func (c *AssetsListCall) PageSize(pageSize int64) *AssetsListCall { c.urlParams_.Set("pageSize", fmt.Sprint(pageSize)) return c } // PageToken sets the optional parameter "pageToken": The `next_page_token` // returned from the previous `ListAssetsResponse`, or unspecified for the // first `ListAssetsRequest`. It is a continuation of a prior `ListAssets` // call, and the API should return the next page of assets. func (c *AssetsListCall) PageToken(pageToken string) *AssetsListCall { c.urlParams_.Set("pageToken", pageToken) return c } // ReadTime sets the optional parameter "readTime": Timestamp to take an asset // snapshot. This can only be set to a timestamp between the current time and // the current time minus 35 days (inclusive). If not specified, the current // time will be used. Due to delays in resource data collection and indexing, // there is a volatile window during which running the same query may get // different results. func (c *AssetsListCall) ReadTime(readTime string) *AssetsListCall { c.urlParams_.Set("readTime", readTime) return c } // Fields allows partial responses to be retrieved. See // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more // details. func (c *AssetsListCall) Fields(s ...googleapi.Field) *AssetsListCall { c.urlParams_.Set("fields", googleapi.CombineFields(s)) return c } // IfNoneMatch sets an optional parameter which makes the operation fail if the // object's ETag matches the given value. This is useful for getting updates // only after the object has changed since the last request. func (c *AssetsListCall) IfNoneMatch(entityTag string) *AssetsListCall { c.ifNoneMatch_ = entityTag return c } // Context sets the context to be used in this call's Do method. func (c *AssetsListCall) Context(ctx context.Context) *AssetsListCall { c.ctx_ = ctx return c } // Header returns a http.Header that can be modified by the caller to add // headers to the request. func (c *AssetsListCall) Header() http.Header { if c.header_ == nil { c.header_ = make(http.Header) } return c.header_ } func (c *AssetsListCall) doRequest(alt string) (*http.Response, error) { reqHeaders := gensupport.SetHeaders(c.s.userAgent(), "", c.header_) if c.ifNoneMatch_ != "" { reqHeaders.Set("If-None-Match", c.ifNoneMatch_) } var body io.Reader = nil c.urlParams_.Set("alt", alt) c.urlParams_.Set("prettyPrint", "false") urls := googleapi.ResolveRelative(c.s.BasePath, "v1p5beta1/{+parent}/assets") urls += "?" + c.urlParams_.Encode() req, err := http.NewRequest("GET", urls, body) if err != nil { return nil, err } req.Header = reqHeaders googleapi.Expand(req.URL, map[string]string{ "parent": c.parent, }) return gensupport.SendRequest(c.ctx_, c.s.client, req) } // Do executes the "cloudasset.assets.list" call. // Any non-2xx status code is an error. Response headers are in either // *ListAssetsResponse.ServerResponse.Header or (if a response was returned at // all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to // check whether the returned error was because http.StatusNotModified was // returned. func (c *AssetsListCall) Do(opts ...googleapi.CallOption) (*ListAssetsResponse, error) { gensupport.SetOptions(c.urlParams_, opts...) res, err := c.doRequest("json") if res != nil && res.StatusCode == http.StatusNotModified { if res.Body != nil { res.Body.Close() } return nil, gensupport.WrapError(&googleapi.Error{ Code: res.StatusCode, Header: res.Header, }) } if err != nil { return nil, err } defer googleapi.CloseBody(res) if err := googleapi.CheckResponse(res); err != nil { return nil, gensupport.WrapError(err) } ret := &ListAssetsResponse{ ServerResponse: googleapi.ServerResponse{ Header: res.Header, HTTPStatusCode: res.StatusCode, }, } target := &ret if err := gensupport.DecodeResponse(target, res); err != nil { return nil, err } return ret, nil } // Pages invokes f for each page of results. // A non-nil error returned from f will halt the iteration. // The provided context supersedes any context provided to the Context method. func (c *AssetsListCall) Pages(ctx context.Context, f func(*ListAssetsResponse) error) error { c.ctx_ = ctx defer c.PageToken(c.urlParams_.Get("pageToken")) for { x, err := c.Do() if err != nil { return err } if err := f(x); err != nil { return err } if x.NextPageToken == "" { return nil } c.PageToken(x.NextPageToken) } }