This repository has been archived by the owner on Feb 28, 2024. It is now read-only.

feat: add Cloud Asset List API, add access time as condition context …
…in request and evaluation value in response for Cloud Asset AnalyzeIamPolicy API, add more info (folders, organizations, kms_key, create_time, update_time, state, parent_full_resource_name, parent_asset_type) in response for Cloud Asset SearchAllResources API (#196)

* feat: add Cloud Asset List API, add access time as condition context in request and evaluation value in response for Cloud Asset AnalyzeIamPolicy API, add more info (folders, organizations, kms_key, create_time, update_time, state, parent_full_resource_name, parent_asset_type) in response for Cloud Asset SearchAllResources API

Committer: @peter-zheng-g
PiperOrigin-RevId: 375731640

Source-Link: googleapis/googleapis@de04592

Source-Link: googleapis/googleapis-gen@7b343f4

* 🦉 Updates from OwlBot

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
gcf-owl-bot[bot] and gcf-owl-bot[bot] committed May 25, 2021
1 parent 245050a commit 69ecd23
Showing 14 changed files with 1,208 additions and 88 deletions.
6 changes: 6 additions & 0 deletions google/cloud/asset/__init__.py
Expand Up @@ -39,6 +39,8 @@
from google.cloud.asset_v1.types.asset_service import GetFeedRequest
from google.cloud.asset_v1.types.asset_service import IamPolicyAnalysisOutputConfig
from google.cloud.asset_v1.types.asset_service import IamPolicyAnalysisQuery
from google.cloud.asset_v1.types.asset_service import ListAssetsRequest
from google.cloud.asset_v1.types.asset_service import ListAssetsResponse
from google.cloud.asset_v1.types.asset_service import ListFeedsRequest
from google.cloud.asset_v1.types.asset_service import ListFeedsResponse
from google.cloud.asset_v1.types.asset_service import OutputConfig
Expand All @@ -52,6 +54,7 @@
from google.cloud.asset_v1.types.asset_service import UpdateFeedRequest
from google.cloud.asset_v1.types.asset_service import ContentType
from google.cloud.asset_v1.types.assets import Asset
from google.cloud.asset_v1.types.assets import ConditionEvaluation
from google.cloud.asset_v1.types.assets import IamPolicyAnalysisResult
from google.cloud.asset_v1.types.assets import IamPolicyAnalysisState
from google.cloud.asset_v1.types.assets import IamPolicySearchResult
Expand Down Expand Up @@ -81,6 +84,8 @@
"GetFeedRequest",
"IamPolicyAnalysisOutputConfig",
"IamPolicyAnalysisQuery",
"ListAssetsRequest",
"ListAssetsResponse",
"ListFeedsRequest",
"ListFeedsResponse",
"OutputConfig",
Expand All @@ -94,6 +99,7 @@
"UpdateFeedRequest",
"ContentType",
"Asset",
"ConditionEvaluation",
"IamPolicyAnalysisResult",
"IamPolicyAnalysisState",
"IamPolicySearchResult",
6 changes: 6 additions & 0 deletions google/cloud/asset_v1/__init__.py
Expand Up @@ -35,6 +35,8 @@
from .types.asset_service import GetFeedRequest
from .types.asset_service import IamPolicyAnalysisOutputConfig
from .types.asset_service import IamPolicyAnalysisQuery
from .types.asset_service import ListAssetsRequest
from .types.asset_service import ListAssetsResponse
from .types.asset_service import ListFeedsRequest
from .types.asset_service import ListFeedsResponse
from .types.asset_service import OutputConfig
Expand All @@ -48,6 +50,7 @@
from .types.asset_service import UpdateFeedRequest
from .types.asset_service import ContentType
from .types.assets import Asset
from .types.assets import ConditionEvaluation
from .types.assets import IamPolicyAnalysisResult
from .types.assets import IamPolicyAnalysisState
from .types.assets import IamPolicySearchResult
Expand All @@ -67,6 +70,7 @@
"BatchGetAssetsHistoryRequest",
"BatchGetAssetsHistoryResponse",
"BigQueryDestination",
"ConditionEvaluation",
"ContentType",
"CreateFeedRequest",
"DeleteFeedRequest",
Expand All @@ -82,6 +86,8 @@
"IamPolicyAnalysisResult",
"IamPolicyAnalysisState",
"IamPolicySearchResult",
"ListAssetsRequest",
"ListAssetsResponse",
"ListFeedsRequest",
"ListFeedsResponse",
"OutputConfig",
10 changes: 10 additions & 0 deletions google/cloud/asset_v1/gapic_metadata.json
Expand Up @@ -45,6 +45,11 @@
"get_feed"
]
},
"ListAssets": {
"methods": [
"list_assets"
]
},
"ListFeeds": {
"methods": [
"list_feeds"
Expand Down Expand Up @@ -105,6 +110,11 @@
"get_feed"
]
},
"ListAssets": {
"methods": [
"list_assets"
]
},
"ListFeeds": {
"methods": [
"list_feeds"
172 changes: 151 additions & 21 deletions google/cloud/asset_v1/services/asset_service/async_client.py
Expand Up @@ -236,6 +236,98 @@ async def export_assets(
# Done; return the response.
return response

async def list_assets(
self,
request: asset_service.ListAssetsRequest = None,
*,
parent: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> pagers.ListAssetsAsyncPager:
r"""Lists assets with time and resource types and returns
paged results in response.
Args:
request (:class:`google.cloud.asset_v1.types.ListAssetsRequest`):
The request object. ListAssets request.
parent (:class:`str`):
Required. Name of the organization or project the assets
belong to. Format: "organizations/[organization-number]"
(such as "organizations/123"), "projects/[project-id]"
(such as "projects/my-project-id"), or
"projects/[project-number]" (such as "projects/12345").
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.asset_v1.services.asset_service.pagers.ListAssetsAsyncPager:
ListAssets response.
Iterating over this object will yield
results and resolve additional pages
automatically.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)

request = asset_service.ListAssetsRequest(request)

# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent

# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = gapic_v1.method_async.wrap_method(
self._client._transport.list_assets,
default_retry=retries.Retry(
initial=0.1,
maximum=60.0,
multiplier=1.3,
predicate=retries.if_exception_type(
core_exceptions.DeadlineExceeded,
core_exceptions.ServiceUnavailable,
),
deadline=60.0,
),
default_timeout=60.0,
client_info=DEFAULT_CLIENT_INFO,
)

# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)

# Send the request.
response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,)

# This method is paged; wrap the response in a pager, which provides
# an `__aiter__` convenience method.
response = pagers.ListAssetsAsyncPager(
method=rpc, request=request, response=response, metadata=metadata,
)

# Done; return the response.
return response

async def batch_get_assets_history(
self,
request: asset_service.BatchGetAssetsHistoryRequest = None,
Expand Down Expand Up @@ -730,7 +822,7 @@ async def search_all_resources(
Required. A scope can be a project, a folder, or an
organization. The search is limited to the resources
within the ``scope``. The caller must be granted the
```cloudasset.assets.searchAllResources`` <http://cloud.google.com/asset-inventory/docs/access-control#required_permissions>`__
```cloudasset.assets.searchAllResources`` <https://cloud.google.com/asset-inventory/docs/access-control#required_permissions>`__
permission on the desired scope.
The allowed values are:
Expand All @@ -746,40 +838,48 @@ async def search_all_resources(
should not be set.
query (:class:`str`):
Optional. The query statement. See `how to construct a
query <http://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query>`__
query <https://cloud.google.com/asset-inventory/docs/searching-resources#how_to_construct_a_query>`__
for more information. If not specified or empty, it will
search all the resources within the specified ``scope``.
Note that the query string is compared against each
Cloud IAM policy binding, including its members, roles,
and Cloud IAM conditions. The returned Cloud IAM
policies will only contain the bindings that match your
query. To learn more about the IAM policy structure, see
`IAM policy
doc <https://cloud.google.com/iam/docs/policies#structure>`__.
Examples:
- ``name:Important`` to find Cloud resources whose name
contains "Important" as a word.
- ``name=Important`` to find the Cloud resource whose
name is exactly "Important".
- ``displayName:Impor*`` to find Cloud resources whose
display name contains "Impor" as a prefix.
- ``description:*por*`` to find Cloud resources whose
description contains "por" as a substring.
display name contains "Impor" as a prefix of any word
in the field.
- ``location:us-west*`` to find Cloud resources whose
location is prefixed with "us-west".
location contains both "us" and "west" as prefixes.
- ``labels:prod`` to find Cloud resources whose labels
contain "prod" as a key or value.
- ``labels.env:prod`` to find Cloud resources that have
a label "env" and its value is "prod".
- ``labels.env:*`` to find Cloud resources that have a
label "env".
- ``kmsKey:key`` to find Cloud resources encrypted with
a customer-managed encryption key whose name contains
the word "key".
- ``state:ACTIVE`` to find Cloud resources whose state
contains "ACTIVE" as a word.
- ``NOT state:ACTIVE`` to find {{gcp_name}} resources
whose state doesn't contain "ACTIVE" as a word.
- ``createTime<1609459200`` to find Cloud resources
that were created before "2021-01-01 00:00:00 UTC".
1609459200 is the epoch timestamp of "2021-01-01
00:00:00 UTC" in seconds.
- ``updateTime>1609459200`` to find Cloud resources
that were updated after "2021-01-01 00:00:00 UTC".
1609459200 is the epoch timestamp of "2021-01-01
00:00:00 UTC" in seconds.
- ``Important`` to find Cloud resources that contain
"Important" as a word in any of the searchable
fields.
- ``Impor*`` to find Cloud resources that contain
"Impor" as a prefix in any of the searchable fields.
- ``*por*`` to find Cloud resources that contain "por"
as a substring in any of the searchable fields.
"Impor" as a prefix of any word in any of the
searchable fields.
- ``Important location:(us-west1 OR global)`` to find
Cloud resources that contain "Important" as a word in
any of the searchable fields and are also located in
Expand All @@ -794,6 +894,20 @@ async def search_all_resources(
`searchable asset
types <https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types>`__.
Regular expressions are also supported. For example:
- "compute.googleapis.com.*" snapshots resources whose
asset type starts with "compute.googleapis.com".
- ".*Instance" snapshots resources whose asset type
ends with "Instance".
- ".*Instance.*" snapshots resources whose asset type
contains "Instance".
See `RE2 <https://github.com/google/re2/wiki/Syntax>`__
for all supported regular expression syntax. If the
regular expression does not match any supported asset
type, an INVALID_ARGUMENT error will be returned.
This corresponds to the ``asset_types`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
Expand Down Expand Up @@ -890,7 +1004,7 @@ async def search_all_iam_policies(
Required. A scope can be a project, a folder, or an
organization. The search is limited to the IAM policies
within the ``scope``. The caller must be granted the
```cloudasset.assets.searchAllIamPolicies`` <http://cloud.google.com/asset-inventory/docs/access-control#required_permissions>`__
```cloudasset.assets.searchAllIamPolicies`` <https://cloud.google.com/asset-inventory/docs/access-control#required_permissions>`__
permission on the desired scope.
The allowed values are:
Expand All @@ -909,30 +1023,46 @@ async def search_all_iam_policies(
query <https://cloud.google.com/asset-inventory/docs/searching-iam-policies#how_to_construct_a_query>`__
for more information. If not specified or empty, it will
search all the IAM policies within the specified
``scope``.
``scope``. Note that the query string is compared
against each Cloud IAM policy binding, including its
members, roles, and Cloud IAM conditions. The returned
Cloud IAM policies will only contain the bindings that
match your query. To learn more about the IAM policy
structure, see `IAM policy
doc <https://cloud.google.com/iam/docs/policies#structure>`__.
Examples:
- ``policy:amy@gmail.com`` to find IAM policy bindings
that specify user "amy@gmail.com".
- ``policy:roles/compute.admin`` to find IAM policy
bindings that specify the Compute Admin role.
- ``policy:comp*`` to find IAM policy bindings that
contain "comp" as a prefix of any word in the
binding.
- ``policy.role.permissions:storage.buckets.update`` to
find IAM policy bindings that specify a role
containing "storage.buckets.update" permission. Note
that if callers don't have ``iam.roles.get`` access
to a role's included permissions, policy bindings
that specify this role will be dropped from the
search results.
- ``policy.role.permissions:upd*`` to find IAM policy
bindings that specify a role containing "upd" as a
prefix of any word in the role permission. Note that
if callers don't have ``iam.roles.get`` access to a
role's included permissions, policy bindings that
specify this role will be dropped from the search
results.
- ``resource:organizations/123456`` to find IAM policy
bindings that are set on "organizations/123456".
- ``resource=//cloudresourcemanager.googleapis.com/projects/myproject``
to find IAM policy bindings that are set on the
project named "myproject".
- ``Important`` to find IAM policy bindings that
contain "Important" as a word in any of the
searchable fields (except for the included
permissions).
- ``*por*`` to find IAM policy bindings that contain
"por" as a substring in any of the searchable fields
(except for the included permissions).
- ``resource:(instance1 OR instance2) policy:amy`` to
find IAM policy bindings that are set on resources
"instance1" or "instance2" and also specify user
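Review bot: In the new `list_assets`, the guard `has_flattened_params = any([parent])` tests truthiness, while the assignment a few lines later tests `parent is not None`, so the two disagree for `parent=""`. A call that passes both `request` and an empty `parent` skips the `ValueError` and then overwrites `request.parent` with the empty string, which is also the value used for the `parent` routing header. Using the same test in both places closes the gap, for example `has_flattened_params = parent is not None`. The caller then gets the local error the guard is meant to raise instead of what is presumably a server-side rejection. The commit is an OwlBot update, so this file looks generator-emitted and the fix probably belongs in the generator template rather than in this file.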
