feat: add support for directly attached and effective tags

docs: clarify comments for tags and effective tags Clients can search resources filtered by effective tags and start to use the new `tags` field instead of old `tag_key`, `tag_value`, `tag_value_id` fields to access directly attached tags. PiperOrigin-RevId: 567554529
googleapis · Sep 22, 2023 · 1a3ea87 · 1a3ea87
1 parent 10516ee
commit 1a3ea87
Show file tree

Hide file tree

Showing 2 changed files with 199 additions and 87 deletions.
diff --git a/google/cloud/asset/v1/asset_service.proto b/google/cloud/asset/v1/asset_service.proto
@@ -199,8 +199,7 @@ service AssetService {
   }
 
   // Issue a job that queries assets using a SQL statement compatible with
-  // [BigQuery Standard
-  // SQL](http://cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql).
+  // [BigQuery SQL](https://cloud.google.com/bigquery/docs/introduction-sql).
   //
   // If the query execution finishes within timeout and there's no pagination,
   // the full query results will be returned in the `QueryAssetsResponse`.
@@ -209,9 +208,8 @@ service AssetService {
   // with the `job_reference` from the a previous `QueryAssets` call.
   //
   // Note, the query result has approximately 10 GB limitation enforced by
-  // BigQuery
-  // https://cloud.google.com/bigquery/docs/best-practices-performance-output,
-  // queries return larger results will result in errors.
+  // [BigQuery](https://cloud.google.com/bigquery/docs/best-practices-performance-output).
+  // Queries return larger results will result in errors.
   rpc QueryAssets(QueryAssetsRequest) returns (QueryAssetsResponse) {
     option (google.api.http) = {
       post: "/v1/{parent=*/*}:queryAssets"
@@ -911,49 +909,73 @@ message SearchAllResourcesRequest {
   // Examples:
   //
   // * `name:Important` to find Google Cloud resources whose name contains
-  //   "Important" as a word.
+  //   `Important` as a word.
   // * `name=Important` to find the Google Cloud resource whose name is exactly
-  //   "Important".
+  //   `Important`.
   // * `displayName:Impor*` to find Google Cloud resources whose display name
-  //   contains "Impor" as a prefix of any word in the field.
+  //   contains `Impor` as a prefix of any word in the field.
   // * `location:us-west*` to find Google Cloud resources whose location
-  //   contains both "us" and "west" as prefixes.
-  // * `labels:prod` to find Google Cloud resources whose labels contain "prod"
+  //   contains both `us` and `west` as prefixes.
+  // * `labels:prod` to find Google Cloud resources whose labels contain `prod`
   //   as a key or value.
-  // * `labels.env:prod` to find Google Cloud resources that have a label "env"
-  //   and its value is "prod".
-  // * `labels.env:*` to find Google Cloud resources that have a label "env".
+  // * `labels.env:prod` to find Google Cloud resources that have a label `env`
+  //   and its value is `prod`.
+  // * `labels.env:*` to find Google Cloud resources that have a label `env`.
+  // * `tagKeys:env` to find Google Cloud resources that have directly
+  //   attached tags where the
+  //   [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+  //   .`namespacedName` contains `env`.
+  // * `tagValues:prod*` to find Google Cloud resources that have directly
+  //   attached tags where the
+  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   .`namespacedName` contains a word prefixed by `prod`.
+  // * `tagValueIds=tagValues/123` to find Google Cloud resources that have
+  //   directly attached tags where the
+  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   .`name` is exactly `tagValues/123`.
+  // * `effectiveTagKeys:env` to find Google Cloud resources that have
+  //   directly attached or inherited tags where the
+  //   [`TagKey`](https://cloud.google.com/resource-manager/reference/rest/v3/tagKeys#resource:-tagkey)
+  //   .`namespacedName` contains `env`.
+  // * `effectiveTagValues:prod*` to find Google Cloud resources that have
+  //   directly attached or inherited tags where the
+  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   .`namespacedName` contains a word prefixed by `prod`.
+  // * `effectiveTagValueIds=tagValues/123` to find Google Cloud resources that
+  //    have directly attached or inherited tags where the
+  //   [`TagValue`](https://cloud.google.com/resource-manager/reference/rest/v3/tagValues#resource:-tagvalue)
+  //   .`name` is exactly `tagValues/123`.
   // * `kmsKey:key` to find Google Cloud resources encrypted with a
-  //   customer-managed encryption key whose name contains "key" as a word. This
+  //   customer-managed encryption key whose name contains `key` as a word. This
   //   field is deprecated. Please use the `kmsKeys` field to retrieve Cloud KMS
   //   key information.
   // * `kmsKeys:key` to find Google Cloud resources encrypted with
-  //   customer-managed encryption keys whose name contains the word "key".
+  //   customer-managed encryption keys whose name contains the word `key`.
   // * `relationships:instance-group-1` to find Google Cloud resources that have
-  //   relationships with "instance-group-1" in the related resource name.
+  //   relationships with `instance-group-1` in the related resource name.
   // * `relationships:INSTANCE_TO_INSTANCEGROUP` to find Compute Engine
-  //   instances that have relationships of type "INSTANCE_TO_INSTANCEGROUP".
+  //   instances that have relationships of type `INSTANCE_TO_INSTANCEGROUP`.
   // * `relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1` to find
-  //   Compute Engine instances that have relationships with "instance-group-1"
+  //   Compute Engine instances that have relationships with `instance-group-1`
   //   in the Compute Engine instance group resource name, for relationship type
-  //   "INSTANCE_TO_INSTANCEGROUP".
+  //   `INSTANCE_TO_INSTANCEGROUP`.
   // * `state:ACTIVE` to find Google Cloud resources whose state contains
-  //   "ACTIVE" as a word.
+  //   `ACTIVE` as a word.
   // * `NOT state:ACTIVE` to find Google Cloud resources whose state doesn't
-  //   contain "ACTIVE" as a word.
+  //   contain `ACTIVE` as a word.
   // * `createTime<1609459200` to find Google Cloud resources that were created
-  //   before "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
-  //   "2021-01-01 00:00:00 UTC" in seconds.
+  //   before `2021-01-01 00:00:00 UTC`. `1609459200` is the epoch timestamp of
+  //   `2021-01-01 00:00:00 UTC` in seconds.
   // * `updateTime>1609459200` to find Google Cloud resources that were updated
-  //   after "2021-01-01 00:00:00 UTC". 1609459200 is the epoch timestamp of
-  //   "2021-01-01 00:00:00 UTC" in seconds.
-  // * `Important` to find Google Cloud resources that contain "Important" as a
+  //   after `2021-01-01 00:00:00 UTC`. `1609459200` is the epoch timestamp of
+  //   `2021-01-01 00:00:00 UTC` in seconds.
+  // * `Important` to find Google Cloud resources that contain `Important` as a
   //   word in any of the searchable fields.
-  // * `Impor*` to find Google Cloud resources that contain "Impor" as a prefix
+  // * `Impor*` to find Google Cloud resources that contain `Impor` as a prefix
   //   of any word in any of the searchable fields.
   // * `Important location:(us-west1 OR global)` to find Google Cloud
-  //   resources that contain "Important" as a word in any of the searchable
-  //   fields and are also located in the "us-west1" region or the "global"
+  //   resources that contain `Important` as a word in any of the searchable
+  //   fields and are also located in the `us-west1` region or the `global`
   //   location.
   string query = 2 [(google.api.field_behavior) = OPTIONAL];
 
@@ -974,10 +996,10 @@ message SearchAllResourcesRequest {
   repeated string asset_types = 3 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. The page size for search result pagination. Page size is capped
-  // at 500 even if a larger value is given. If set to zero, server will pick an
-  // appropriate default. Returned results may be fewer than requested. When
-  // this happens, there could be more results as long as `next_page_token` is
-  // returned.
+  // at 500 even if a larger value is given. If set to zero or a negative value,
+  // server will pick an appropriate default. Returned results may be fewer than
+  // requested. When this happens, there could be more results as long as
+  // `next_page_token` is returned.
   int32 page_size = 4 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. If present, then retrieve the next batch of results from the
@@ -990,7 +1012,7 @@ message SearchAllResourcesRequest {
   // the results. The default order is ascending. Add " DESC" after the field
   // name to indicate descending order. Redundant space characters are ignored.
   // Example: "location DESC, name".
-  // Only singular primitive fields in the response are sortable:
+  // Only the following fields in the response are sortable:
   //
   //   * name
   //   * assetType
@@ -1003,44 +1025,38 @@ message SearchAllResourcesRequest {
   //   * state
   //   * parentFullResourceName
   //   * parentAssetType
-  //
-  // All the other fields such as repeated fields (e.g., `networkTags`,
-  // `kmsKeys`), map fields (e.g., `labels`) and struct fields (e.g.,
-  // `additionalAttributes`) are not supported.
   string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A comma-separated list of fields specifying which fields to be
-  // returned in ResourceSearchResult. Only '*' or combination of top level
-  // fields can be specified. Field names of both snake_case and camelCase are
-  // supported. Examples: `"*"`, `"name,location"`, `"name,versionedResources"`.
-  //
-  // The read_mask paths must be valid field paths listed but not limited to
-  // (both snake_case and camelCase are supported):
-  //
-  //   * name
-  //   * assetType
-  //   * project
-  //   * displayName
-  //   * description
-  //   * location
-  //   * tagKeys
-  //   * tagValues
-  //   * tagValueIds
-  //   * labels
-  //   * networkTags
-  //   * kmsKey (This field is deprecated. Please use the `kmsKeys` field to
-  //     retrieve Cloud KMS key information.)
-  //   * kmsKeys
-  //   * createTime
-  //   * updateTime
-  //   * state
-  //   * additionalAttributes
-  //   * versionedResources
-  //
-  // If read_mask is not specified, all fields except versionedResources will
-  // be returned.
-  // If only '*' is specified, all fields including versionedResources will be
-  // returned.
+  // Optional. A comma-separated list of fields that you want returned in the
+  // results. The following fields are returned by default if not specified:
+  //
+  //   * `name`
+  //   * `assetType`
+  //   * `project`
+  //   * `folders`
+  //   * `organization`
+  //   * `displayName`
+  //   * `description`
+  //   * `location`
+  //   * `labels`
+  //   * `tags`
+  //   * `effectiveTags`
+  //   * `networkTags`
+  //   * `kmsKeys`
+  //   * `createTime`
+  //   * `updateTime`
+  //   * `state`
+  //   * `additionalAttributes`
+  //   * `parentFullResourceName`
+  //   * `parentAssetType`
+  //
+  // Some fields of large size, such as `versionedResources`,
+  // `attachedResources`, `effectiveTags` etc., are not returned by default, but
+  // you can specify them in the `read_mask` parameter if you want to include
+  // them. If `"*"` is specified, all [available
+  // fields](https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllResources#resourcesearchresult)
+  // are returned.
+  // Examples: `"name,location"`, `"name,versionedResources"`, `"*"`.
   // Any invalid field path will trigger INVALID_ARGUMENT error.
   google.protobuf.FieldMask read_mask = 8
       [(google.api.field_behavior) = OPTIONAL];
@@ -1119,10 +1135,10 @@ message SearchAllIamPoliciesRequest {
   string query = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. The page size for search result pagination. Page size is capped
-  // at 500 even if a larger value is given. If set to zero, server will pick an
-  // appropriate default. Returned results may be fewer than requested. When
-  // this happens, there could be more results as long as `next_page_token` is
-  // returned.
+  // at 500 even if a larger value is given. If set to zero or a negative value,
+  // server will pick an appropriate default. Returned results may be fewer than
+  // requested. When this happens, there could be more results as long as
+  // `next_page_token` is returned.
   int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. If present, retrieve the next batch of results from the preceding
@@ -1861,8 +1877,8 @@ message QueryAssetsRequest {
   ];
 
   oneof query {
-    // Optional. A SQL statement that's compatible with [BigQuery Standard
-    // SQL](http://cloud/bigquery/docs/reference/standard-sql/enabling-standard-sql).
+    // Optional. A SQL statement that's compatible with [BigQuery
+    // SQL](https://cloud.google.com/bigquery/docs/introduction-sql).
     string statement = 2 [(google.api.field_behavior) = OPTIONAL];
 
     // Optional. Reference to the query job, which is from the
@@ -2108,7 +2124,10 @@ message BatchGetEffectiveIamPoliciesResponse {
 // in the original organization policy with some new fields for analysis
 // purpose.
 message AnalyzerOrgPolicy {
-  // Represents a rule defined in an organization policy
+  // This rule message is a customized version of the one defined in the
+  // Organization Policy system. In addition to the fields defined in the
+  // original organization policy, it contains additional field(s) under
+  // specific circumstances to support analysis results.
   message Rule {
     // The string values for the list constraints.
     message StringValues {
@@ -2542,7 +2561,7 @@ message AnalyzeOrgPolicyGovernedAssetsResponse {
   // The IAM policies governed by the organization policies of the
   // [AnalyzeOrgPolicyGovernedAssetsRequest.constraint][google.cloud.asset.v1.AnalyzeOrgPolicyGovernedAssetsRequest.constraint].
   message GovernedIamPolicy {
-    // The full resource name of the resource associated with this IAM policy.
+    // The full resource name of the resource on which this IAM policy is set.
     // Example:
     // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
     // See [Cloud Asset Inventory Resource Name