package google.cloud.assuredworkloads.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Service to manage AssuredWorkloads.

• rpc CreateWorkload (CreateWorkloadRequest, longrunning.Operation)

  assuredworkloads.proto:47

  Creates Assured Workload.

  message CreateWorkloadRequest

  assuredworkloads.proto:133

  Request for creating a workload.

  • string parent = 1

    Required. The resource name of the new Workload's parent. Must be of the form `organizations/{org_id}/locations/{location_id}`.

  • optional Workload workload = 2

    Required. Assured Workload to create

  • string external_id = 3

    Optional. A identifier associated with the workload and underlying projects which allows for the break down of billing costs for a workload. The value provided for the identifier will add a label to the workload and contained projects with the identifier as the value.

• rpc UpdateWorkload (UpdateWorkloadRequest, Workload)

  assuredworkloads.proto:63

  Updates an existing workload. Currently allows updating of workload display_name and labels. For force updates don't set etag field in the Workload. Only one update operation per workload can be in progress.

  message UpdateWorkloadRequest

  assuredworkloads.proto:154

  Request for Updating a workload.

  • optional Workload workload = 1

    Required. The workload to update. The workload's `name` field is used to identify the workload to be updated. Format: organizations/{org_id}/locations/{location_id}/workloads/{workload_id}

  • optional protobuf.FieldMask update_mask = 2

    Required. The list of fields to be updated.

• rpc RestrictAllowedResources (RestrictAllowedResourcesRequest, RestrictAllowedResourcesResponse)

  assuredworkloads.proto:77

  Restrict the list of resources allowed in the Workload environment. The current list of allowed products can be found at https://cloud.google.com/assured-workloads/docs/supported-products In addition to assuredworkloads.workload.update permission, the user should also have orgpolicy.policy.set permission on the folder resource to use this functionality.

  message RestrictAllowedResourcesRequest

  assuredworkloads.proto:534

  Request for restricting list of available resources in Workload environment.

  • string name = 1

    Required. The resource name of the Workload. This is the workloads's relative path in the API, formatted as "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}". For example, "organizations/123/locations/us-east1/workloads/assured-workload-1".

  • RestrictAllowedResourcesRequest.RestrictionType restriction_type = 2

    Required. The type of restriction for using gcp products in the Workload environment.

  message RestrictAllowedResourcesResponse

  assuredworkloads.proto:563

  Response for restricting the list of allowed resources.

  (message has no fields)

• rpc DeleteWorkload (DeleteWorkloadRequest, protobuf.Empty)

  assuredworkloads.proto:87

  Deletes the workload. Make sure that workload's direct children are already in a deleted state, otherwise the request will fail with a FAILED_PRECONDITION error.

  message DeleteWorkloadRequest

  assuredworkloads.proto:166

  Request for deleting a Workload.

  • string name = 1

    Required. The `name` field is used to identify the workload. Format: organizations/{org_id}/locations/{location_id}/workloads/{workload_id}

  • string etag = 2

    Optional. The etag of the workload. If this is provided, it must match the server's etag.

• rpc GetWorkload (GetWorkloadRequest, Workload)

  assuredworkloads.proto:95

  Gets Assured Workload associated with a CRM Node

  message GetWorkloadRequest

  assuredworkloads.proto:183

  Request for fetching a workload.

  • string name = 1

    Required. The resource name of the Workload to fetch. This is the workload's relative path in the API, formatted as "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}". For example, "organizations/123/locations/us-east1/workloads/assured-workload-1".

• rpc ListWorkloads (ListWorkloadsRequest, ListWorkloadsResponse)

  assuredworkloads.proto:103

  Lists Assured Workloads under a CRM Node.

  message ListWorkloadsRequest

  assuredworkloads.proto:198

  Request for fetching workloads in an organization.

  • string parent = 1

    Required. Parent Resource to list workloads from. Must be of the form `organizations/{org_id}/locations/{location}`.

  • int32 page_size = 2

    Page size.

  • string page_token = 3

    Page token returned from previous request. Page token contains context from previous request. Page token needs to be passed in the second and following requests.

  • string filter = 4

    A custom filter for filtering by properties of a workload. At this time, only filtering by labels is supported.

  message ListWorkloadsResponse

  assuredworkloads.proto:222

  Response of ListWorkloads endpoint.

  • repeated Workload workloads = 1

    List of Workloads under a given parent.

  • string next_page_token = 2

    The next page token. Return empty if reached the last page.

• rpc ListViolations (ListViolationsRequest, ListViolationsResponse)

  assuredworkloads.proto:115

  Lists the Violations in the AssuredWorkload Environment. Callers may also choose to read across multiple Workloads as per [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash character) as a wildcard character instead of workload-id in the parent. Format `organizations/{org_id}/locations/{location}/workloads/-`

  message ListViolationsRequest

  assuredworkloads.proto:606

  Request for fetching violations in an organization.

  • string parent = 1

    Required. The Workload name. Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.

  • optional TimeWindow interval = 2

    Optional. Specifies the time window for retrieving active Violations. When specified, retrieves Violations that were active between start_time and end_time.

  • int32 page_size = 3

    Optional. Page size.

  • string page_token = 4

    Optional. Page token returned from previous request.

  • string filter = 5

    Optional. A custom filter for filtering by the Violations properties.

  message ListViolationsResponse

  assuredworkloads.proto:632

  Response of ListViolations endpoint.

  • repeated Violation violations = 1

    List of Violations under a Workload.

  • string next_page_token = 2

    The next page token. Returns empty if reached the last page.

• rpc GetViolation (GetViolationRequest, Violation)

  assuredworkloads.proto:120

  Retrieves Assured Workload Violation based on ID.

  message GetViolationRequest

  assuredworkloads.proto:641

  Request for fetching a Workload Violation.

  • string name = 1

    Required. The resource name of the Violation to fetch (ie. Violation.name). Format: organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}

• rpc AcknowledgeViolation (AcknowledgeViolationRequest, AcknowledgeViolationResponse)

  assuredworkloads.proto:128

  Acknowledges an existing violation. By acknowledging a violation, users acknowledge the existence of a compliance violation in their workload and decide to ignore it due to a valid business justification. Acknowledgement is a permanent operation and it cannot be reverted.

  message AcknowledgeViolationRequest

  assuredworkloads.proto:569

  Request for acknowledging the violation Next Id: 4

  • string name = 1

    Required. The resource name of the Violation to acknowledge. Format: organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}

  • string comment = 2

    Required. Business justification explaining the need for violation acknowledgement

  • string non_compliant_org_policy = 3

    Optional. This field is deprecated and will be removed in future version of the API. Name of the OrgPolicy which was modified with non-compliant change and resulted in this violation. Format: projects/{project_number}/policies/{constraint_name} folders/{folder_id}/policies/{constraint_name} organizations/{organization_id}/policies/{constraint_name}

  message AcknowledgeViolationResponse

  assuredworkloads.proto:592

  Response for violation acknowledgement

  (message has no fields)

Operation metadata to give request details of CreateWorkload.

• optional protobuf.Timestamp create_time = 1

  Optional. Time when the operation was created.

• string display_name = 2

  Optional. The display name of the workload.

• string parent = 3

  Optional. The parent of the workload.

• Workload.ComplianceRegime compliance_regime = 4

  Optional. Compliance controls that should be applied to the resources managed by the workload.

The type of restriction.

Used in: RestrictAllowedResourcesRequest

• RESTRICTION_TYPE_UNSPECIFIED = 0

  Unknown restriction type.

• ALLOW_ALL_GCP_RESOURCES = 1

  Allow the use all of all gcp products, irrespective of the compliance posture. This effectively removes gcp.restrictServiceUsage OrgPolicy on the AssuredWorkloads Folder.

• ALLOW_COMPLIANT_RESOURCES = 2

  Based on Workload's compliance regime, allowed list changes. See - https://cloud.google.com/assured-workloads/docs/supported-products for the list of supported resources.

Interval defining a time window.

Used in: ListViolationsRequest

• optional protobuf.Timestamp start_time = 1

  The start of the time window.

• optional protobuf.Timestamp end_time = 2

  The end of the time window.

Workload monitoring Violation.

Used as response type in: AssuredWorkloadsService.GetViolation

Used as field type in: ListViolationsResponse

• string name = 1

  Output only. Immutable. Name of the Violation. Format: organizations/{organization}/locations/{location}/workloads/{workload_id}/violations/{violations_id}

• string description = 2

  Output only. Description for the Violation. e.g. OrgPolicy gcp.resourceLocations has non compliant value.

• optional protobuf.Timestamp begin_time = 3

  Output only. Time of the event which triggered the Violation.

• optional protobuf.Timestamp update_time = 4

  Output only. The last time when the Violation record was updated.

• optional protobuf.Timestamp resolve_time = 5

  Output only. Time of the event which fixed the Violation. If the violation is ACTIVE this will be empty.

• string category = 6

  Output only. Category under which this violation is mapped. e.g. Location, Service Usage, Access, Encryption, etc.

• Violation.State state = 7

  Output only. State of the violation

• string org_policy_constraint = 8

  Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in this violation.

• string audit_log_link = 11

  Output only. Immutable. Audit Log Link for violated resource Format: https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{timeRange}{folder}

• string non_compliant_org_policy = 12

  Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and resulted this violation. Format: projects/{project_number}/policies/{constraint_name} folders/{folder_id}/policies/{constraint_name} organizations/{organization_id}/policies/{constraint_name}

• optional Violation.Remediation remediation = 13

  Output only. Compliance violation remediation

• bool acknowledged = 14

  Output only. A boolean that indicates if the violation is acknowledged

• optional protobuf.Timestamp acknowledgement_time = 15

  Optional. Timestamp when this violation was acknowledged last. This will be absent when acknowledged field is marked as false.

• string exception_audit_log_link = 16

  Output only. Immutable. Audit Log link to find business justification provided for violation exception. Format: https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{protoPayload.methodName}{timeRange}{organization}

Represents remediation guidance to resolve compliance violation for AssuredWorkload

Used in: Violation

• optional Remediation.Instructions instructions = 1

  Required. Remediation instructions to resolve violations

• repeated string compliant_values = 2

  Values that can resolve the violation For example: for list org policy violations, this will either be the list of allowed or denied values

• Remediation.RemediationType remediation_type = 3

  Output only. Reemediation type based on the type of org policy values violated

Instructions to remediate violation

Used in: Remediation

• optional Instructions.Gcloud gcloud_instructions = 1

  Remediation instructions to resolve violation via gcloud cli

• optional Instructions.Console console_instructions = 2

  Remediation instructions to resolve violation via cloud console

Remediation instructions to resolve violation via cloud console

Used in: Instructions

• repeated string console_uris = 1

  Link to console page where violations can be resolved

• repeated string steps = 2

  Steps to resolve violation via cloud console

• repeated string additional_links = 3

  Additional urls for more information about steps

Remediation instructions to resolve violation via gcloud cli

Used in: Instructions

• repeated string gcloud_commands = 1

  Gcloud command to resolve violation

• repeated string steps = 2

  Steps to resolve violation via gcloud cli

• repeated string additional_links = 3

  Additional urls for more information about steps

Classifying remediation into various types based on the kind of violation. For example, violations caused due to changes in boolean org policy requires different remediation instructions compared to violation caused due to changes in allowed values of list org policy.

Used in: Remediation

• REMEDIATION_TYPE_UNSPECIFIED = 0

  Unspecified remediation type

• REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1

  Remediation type for boolean org policy

• REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2

  Remediation type for list org policy which have allowed values in the monitoring rule

• REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3

  Remediation type for list org policy which have denied values in the monitoring rule

• REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4

  Remediation type for gcp.restrictCmekCryptoKeyProjects

Violation State Values

Used in: Violation

• STATE_UNSPECIFIED = 0

  Unspecified state.

• RESOLVED = 2

  Violation is resolved.

• UNRESOLVED = 3

  Violation is Unresolved

• EXCEPTION = 4

  Violation is Exception

A Workload object for managing highly regulated workloads of cloud customers.

Used as response type in: AssuredWorkloadsService.GetWorkload, AssuredWorkloadsService.UpdateWorkload

Used as field type in: CreateWorkloadRequest, ListWorkloadsResponse, UpdateWorkloadRequest

• string name = 1

  Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload} Read-only.

• string display_name = 2

  Required. The user-assigned display name of the Workload. When present it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces. Example: My Workload

• repeated Workload.ResourceInfo resources = 3

  Output only. The resources associated with this workload. These resources will be created when creating the workload. If any of the projects already exist, the workload creation will fail. Always read only.

• Workload.ComplianceRegime compliance_regime = 4

  Required. Immutable. Compliance Regime associated with this workload.

• optional protobuf.Timestamp create_time = 5

  Output only. Immutable. The Workload creation timestamp.

• string billing_account = 6

  Optional. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form `billingAccounts/{billing_account_id}`. For example, `billingAccounts/012345-567890-ABCDEF`.

• string etag = 9

  Optional. ETag of the workload, it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations.

• map<string, string> labels = 10

  Optional. Labels applied to the workload.

• string provisioned_resources_parent = 13

  Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folder_id}

• optional Workload.KMSSettings kms_settings = 14

  Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a Keyring, callers should specify, ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.

• repeated Workload.ResourceSettings resource_settings = 15

  Input only. Resource properties that are used to customize workload resources. These properties (such as custom project id) will be used to create workload resources if possible. This field is optional.

• Workload.KajEnrollmentState kaj_enrollment_state = 17

  Output only. Represents the KAJ enrollment state of the given workload.

• bool enable_sovereign_controls = 18

  Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers.

• optional Workload.SaaEnrollmentResponse saa_enrollment_response = 20

  Output only. Represents the SAA enrollment response of the given workload. SAA enrollment response is queried during GetWorkload call. In failure cases, user friendly error message is shown in SAA details page.

• repeated string compliant_but_disallowed_services = 24

  Output only. Urls for services which are compliant for this Assured Workload, but which are currently disallowed by the ResourceUsageRestriction org policy. Invoke RestrictAllowedResources endpoint to allow your project developers to use these services in their environment."

• Workload.Partner partner = 25

  Optional. Compliance Regime associated with this workload.

Supported Compliance Regimes.

Used in: CreateWorkloadOperationMetadata, Workload

• COMPLIANCE_REGIME_UNSPECIFIED = 0

  Unknown compliance regime.

• IL4 = 1

  Information protection as per DoD IL4 requirements.

• CJIS = 2

  Criminal Justice Information Services (CJIS) Security policies.

• FEDRAMP_HIGH = 3

  FedRAMP High data protection controls

• FEDRAMP_MODERATE = 4

  FedRAMP Moderate data protection controls

• US_REGIONAL_ACCESS = 5

  Assured Workloads For US Regions data protection controls

• HIPAA = 6

  Health Insurance Portability and Accountability Act controls

• HITRUST = 7

  Health Information Trust Alliance controls

• EU_REGIONS_AND_SUPPORT = 8

  Assured Workloads For EU Regions and Support controls

• CA_REGIONS_AND_SUPPORT = 9

  Assured Workloads For Canada Regions and Support controls

• ITAR = 10

  International Traffic in Arms Regulations

• AU_REGIONS_AND_US_SUPPORT = 11

  Assured Workloads for Australia Regions and Support controls Available for public preview consumption. Don't create production workloads.

• ASSURED_WORKLOADS_FOR_PARTNERS = 12

  Assured Workloads for Partners

Settings specific to the Key Management Service. This message is deprecated. In order to create a Keyring, callers should specify, ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.

Used in: Workload

• optional protobuf.Timestamp next_rotation_time = 1

  Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary.

• optional protobuf.Duration rotation_period = 2

  Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

Key Access Justifications(KAJ) Enrollment State.

Used in: Workload

• KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0

  Default State for KAJ Enrollment.

• KAJ_ENROLLMENT_STATE_PENDING = 1

  Pending State for KAJ Enrollment.

• KAJ_ENROLLMENT_STATE_COMPLETE = 2

  Complete State for KAJ Enrollment.

Supported Assured Workloads Partners.

Used in: Workload

• PARTNER_UNSPECIFIED = 0

  Unknown partner regime/controls.

• LOCAL_CONTROLS_BY_S3NS = 1

  S3NS regime/controls.

Represent the resources that are children of this Workload.

Used in: Workload

• int64 resource_id = 1

  Resource identifier. For a project this represents project_number.

• ResourceInfo.ResourceType resource_type = 2

  Indicates the type of resource.

The type of resource.

Used in: ResourceInfo, ResourceSettings

• RESOURCE_TYPE_UNSPECIFIED = 0

  Unknown resource type.

• CONSUMER_PROJECT = 1

  Consumer project. AssuredWorkloads Projects are no longer supported. This field will be ignored only in CreateWorkload requests. ListWorkloads and GetWorkload will continue to provide projects information. Use CONSUMER_FOLDER instead.

• CONSUMER_FOLDER = 4

  Consumer Folder.

• ENCRYPTION_KEYS_PROJECT = 2

  Consumer project containing encryption keys.

• KEYRING = 3

  Keyring resource that hosts encryption keys.

Represent the custom settings for the resources to be created.

Used in: Workload

• string resource_id = 1

  Resource identifier. For a project this represents project_id. If the project is already taken, the workload creation will fail. For KeyRing, this represents the keyring_id. For a folder, don't set this value as folder_id is assigned by Google.

• ResourceInfo.ResourceType resource_type = 2

  Indicates the type of resource. This field should be specified to correspond the id to the right resource type (CONSUMER_FOLDER or ENCRYPTION_KEYS_PROJECT)

• string display_name = 3

  User-assigned resource display name. If not empty it will be used to create a resource with the specified name.

Signed Access Approvals (SAA) enrollment response.

Used in: Workload

• optional SaaEnrollmentResponse.SetupState setup_status = 1

  Indicates SAA enrollment status of a given workload.

• repeated SaaEnrollmentResponse.SetupError setup_errors = 2

  Indicates SAA enrollment setup error if any.

Setup error of SAA enrollment.

Used in: SaaEnrollmentResponse

• SETUP_ERROR_UNSPECIFIED = 0

  Unspecified.

• ERROR_INVALID_BASE_SETUP = 1

  Invalid states for all customers, to be redirected to AA UI for additional details.

• ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2

  Returned when there is not an EKM key configured.

• ERROR_NOT_ALL_SERVICES_ENROLLED = 3

  Returned when there are no enrolled services or the customer is enrolled in CAA only for a subset of services.

• ERROR_SETUP_CHECK_FAILED = 4

  Returned when exception was encountered during evaluation of other criteria.

Setup state of SAA enrollment.

Used in: SaaEnrollmentResponse

• SETUP_STATE_UNSPECIFIED = 0

  Unspecified.

• STATUS_PENDING = 1

  SAA enrollment pending.

• STATUS_COMPLETE = 2

  SAA enrollment comopleted.