diff --git a/librarian.yaml b/librarian.yaml
index 82614adb9b3a..1e7d73db8f88 100644
--- a/librarian.yaml
+++ b/librarian.yaml
@@ -279,7 +279,6 @@ libraries:
- path: google/cloud/asset/v1p2beta1
- path: google/cloud/asset/v1p1beta1
copyright_year: "2026"
- skip_generate: true
nodejs:
default_version: v1
- name: google-cloud-assuredworkloads
diff --git a/packages/google-cloud-asset/.OwlBot.yaml b/packages/google-cloud-asset/.OwlBot.yaml
deleted file mode 100644
index ea0b44b50f99..000000000000
--- a/packages/google-cloud-asset/.OwlBot.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-deep-remove-regex:
- - /owl-bot-staging
-deep-preserve-regex:
- - /owl-bot-staging/v1p7beta1
-deep-copy-regex:
- - source: /google/cloud/asset/google-cloud-asset-nodejs
- dest: /owl-bot-staging/google-cloud-asset
-api-name: asset
diff --git a/packages/google-cloud-asset/.repo-metadata.json b/packages/google-cloud-asset/.repo-metadata.json
index 0bfea3bf2dc9..481b2e11d95d 100644
--- a/packages/google-cloud-asset/.repo-metadata.json
+++ b/packages/google-cloud-asset/.repo-metadata.json
@@ -1,17 +1,16 @@
{
+ "api_description": "The Cloud Asset API manages the history and inventory of Google Cloud\nresources.",
"api_id": "cloudasset.googleapis.com",
"api_shortname": "cloudasset",
"client_documentation": "https://cloud.google.com/nodejs/docs/reference/asset/latest",
- "codeowner_team": "@googleapis/cloud-asset-team",
"default_version": "v1",
"distribution_name": "@google-cloud/asset",
"issue_tracker": "https://issuetracker.google.com/savedsearches/559757",
"language": "nodejs",
"library_type": "GAPIC_AUTO",
"name": "cloudasset",
- "name_pretty": "Cloud Asset Inventory",
- "product_documentation": "https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview",
+ "name_pretty": "Cloud Asset",
+ "product_documentation": "https://cloud.google.com/resource-manager/docs",
"release_level": "stable",
- "repo": "googleapis/google-cloud-node",
- "requires_billing": true
+ "repo": "googleapis/google-cloud-node"
}
\ No newline at end of file
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy.proto
deleted file mode 100644
index 7a58e1b26c39..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy.proto
+++ /dev/null
@@ -1,548 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_multiple_files = true;
-option java_outer_classname = "OsPolicyProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// An OS policy defines the desired state configuration for a VM.
-message OSPolicy {
- // Policy mode
- enum Mode {
- // Invalid mode
- MODE_UNSPECIFIED = 0;
-
- // This mode checks if the configuration resources in the policy are in
- // their desired state. No actions are performed if they are not in the
- // desired state. This mode is used for reporting purposes.
- VALIDATION = 1;
-
- // This mode checks if the configuration resources in the policy are in
- // their desired state, and if not, enforces the desired state.
- ENFORCEMENT = 2;
- }
-
- // Filtering criteria to select VMs based on inventory details.
- message InventoryFilter {
- // Required. The OS short name
- string os_short_name = 1 [(google.api.field_behavior) = REQUIRED];
-
- // The OS version
- //
- // Prefix matches are supported if asterisk(*) is provided as the
- // last character. For example, to match all versions with a major
- // version of `7`, specify the following value for this field `7.*`
- //
- // An empty string matches all OS versions.
- string os_version = 2;
- }
-
- // An OS policy resource is used to define the desired state configuration
- // and provides a specific functionality like installing/removing packages,
- // executing a script etc.
- //
- // The system ensures that resources are always in their desired state by
- // taking necessary actions if they have drifted from their desired state.
- message Resource {
- // A remote or local file.
- message File {
- // Specifies a file available via some URI.
- message Remote {
- // Required. URI from which to fetch the object. It should contain both
- // the protocol and path following the format `{protocol}://{location}`.
- string uri = 1 [(google.api.field_behavior) = REQUIRED];
-
- // SHA256 checksum of the remote file.
- string sha256_checksum = 2;
- }
-
- // Specifies a file available as a Cloud Storage Object.
- message Gcs {
- // Required. Bucket of the Cloud Storage object.
- string bucket = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Name of the Cloud Storage object.
- string object = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Generation number of the Cloud Storage object.
- int64 generation = 3;
- }
-
- // A specific type of file.
- oneof type {
- // A generic remote file.
- Remote remote = 1;
-
- // A Cloud Storage object.
- Gcs gcs = 2;
-
- // A local path within the VM to use.
- string local_path = 3;
- }
-
- // Defaults to false. When false, files are subject to validations
- // based on the file type:
- //
- // Remote: A checksum must be specified.
- // Cloud Storage: An object generation number must be specified.
- bool allow_insecure = 4;
- }
-
- // A resource that manages a system package.
- message PackageResource {
- // The desired state that the OS Config agent maintains on the VM.
- enum DesiredState {
- // Unspecified is invalid.
- DESIRED_STATE_UNSPECIFIED = 0;
-
- // Ensure that the package is installed.
- INSTALLED = 1;
-
- // The agent ensures that the package is not installed and
- // uninstalls it if detected.
- REMOVED = 2;
- }
-
- // A deb package file. dpkg packages only support INSTALLED state.
- message Deb {
- // Required. A deb package.
- File source = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Whether dependencies should also be installed.
- // - install when false: `dpkg -i package`
- // - install when true: `apt-get update && apt-get -y install
- // package.deb`
- bool pull_deps = 2;
- }
-
- // A package managed by APT.
- // - install: `apt-get update && apt-get -y install [name]`
- // - remove: `apt-get -y remove [name]`
- message APT {
- // Required. Package name.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
-
- // An RPM package file. RPM packages only support INSTALLED state.
- message RPM {
- // Required. An rpm package.
- File source = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Whether dependencies should also be installed.
- // - install when false: `rpm --upgrade --replacepkgs package.rpm`
- // - install when true: `yum -y install package.rpm` or
- // `zypper -y install package.rpm`
- bool pull_deps = 2;
- }
-
- // A package managed by YUM.
- // - install: `yum -y install package`
- // - remove: `yum -y remove package`
- message YUM {
- // Required. Package name.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
-
- // A package managed by Zypper.
- // - install: `zypper -y install package`
- // - remove: `zypper -y rm package`
- message Zypper {
- // Required. Package name.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
-
- // A package managed by GooGet.
- // - install: `googet -noconfirm install package`
- // - remove: `googet -noconfirm remove package`
- message GooGet {
- // Required. Package name.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
-
- // An MSI package. MSI packages only support INSTALLED state.
- message MSI {
- // Required. The MSI package.
- File source = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Additional properties to use during installation.
- // This should be in the format of Property=Setting.
- // Appended to the defaults of `ACTION=INSTALL
- // REBOOT=ReallySuppress`.
- repeated string properties = 2;
- }
-
- // Required. The desired state the agent should maintain for this package.
- DesiredState desired_state = 1 [(google.api.field_behavior) = REQUIRED];
-
- // A system package.
- oneof system_package {
- // A package managed by Apt.
- APT apt = 2;
-
- // A deb package file.
- Deb deb = 3;
-
- // A package managed by YUM.
- YUM yum = 4;
-
- // A package managed by Zypper.
- Zypper zypper = 5;
-
- // An rpm package file.
- RPM rpm = 6;
-
- // A package managed by GooGet.
- GooGet googet = 7;
-
- // An MSI package.
- MSI msi = 8;
- }
- }
-
- // A resource that manages a package repository.
- message RepositoryResource {
- // Represents a single apt package repository. These will be added to
- // a repo file that will be managed at
- // `/etc/apt/sources.list.d/google_osconfig.list`.
- message AptRepository {
- // Type of archive.
- enum ArchiveType {
- // Unspecified is invalid.
- ARCHIVE_TYPE_UNSPECIFIED = 0;
-
- // Deb indicates that the archive contains binary files.
- DEB = 1;
-
- // Deb-src indicates that the archive contains source files.
- DEB_SRC = 2;
- }
-
- // Required. Type of archive files in this repository.
- ArchiveType archive_type = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. URI for this repository.
- string uri = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Distribution of this repository.
- string distribution = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Required. List of components for this repository. Must contain at
- // least one item.
- repeated string components = 4 [(google.api.field_behavior) = REQUIRED];
-
- // URI of the key file for this repository. The agent maintains a
- // keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
- string gpg_key = 5;
- }
-
- // Represents a single yum package repository. These are added to a
- // repo file that is managed at
- // `/etc/yum.repos.d/google_osconfig.repo`.
- message YumRepository {
- // Required. A one word, unique name for this repository. This is the
- // `repo id` in the yum config file and also the `display_name` if
- // `display_name` is omitted. This id is also used as the unique
- // identifier when checking for resource conflicts.
- string id = 1 [(google.api.field_behavior) = REQUIRED];
-
- // The display name of the repository.
- string display_name = 2;
-
- // Required. The location of the repository directory.
- string base_url = 3 [(google.api.field_behavior) = REQUIRED];
-
- // URIs of GPG keys.
- repeated string gpg_keys = 4;
- }
-
- // Represents a single zypper package repository. These are added to a
- // repo file that is managed at
- // `/etc/zypp/repos.d/google_osconfig.repo`.
- message ZypperRepository {
- // Required. A one word, unique name for this repository. This is the
- // `repo id` in the zypper config file and also the `display_name` if
- // `display_name` is omitted. This id is also used as the unique
- // identifier when checking for GuestPolicy conflicts.
- string id = 1 [(google.api.field_behavior) = REQUIRED];
-
- // The display name of the repository.
- string display_name = 2;
-
- // Required. The location of the repository directory.
- string base_url = 3 [(google.api.field_behavior) = REQUIRED];
-
- // URIs of GPG keys.
- repeated string gpg_keys = 4;
- }
-
- // Represents a Goo package repository. These are added to a repo file
- // that is managed at
- // `C:/ProgramData/GooGet/repos/google_osconfig.repo`.
- message GooRepository {
- // Required. The name of the repository.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. The url of the repository.
- string url = 2 [(google.api.field_behavior) = REQUIRED];
- }
-
- // A specific type of repository.
- oneof repository {
- // An Apt Repository.
- AptRepository apt = 1;
-
- // A Yum Repository.
- YumRepository yum = 2;
-
- // A Zypper Repository.
- ZypperRepository zypper = 3;
-
- // A Goo Repository.
- GooRepository goo = 4;
- }
- }
-
- // A resource that allows executing scripts on the VM.
- //
- // The `ExecResource` has 2 stages: `validate` and `enforce` and both stages
- // accept a script as an argument to execute.
- //
- // When the `ExecResource` is applied by the agent, it first executes the
- // script in the `validate` stage. The `validate` stage can signal that the
- // `ExecResource` is already in the desired state by returning an exit code
- // of `100`. If the `ExecResource` is not in the desired state, it should
- // return an exit code of `101`. Any other exit code returned by this stage
- // is considered an error.
- //
- // If the `ExecResource` is not in the desired state based on the exit code
- // from the `validate` stage, the agent proceeds to execute the script from
- // the `enforce` stage. If the `ExecResource` is already in the desired
- // state, the `enforce` stage will not be run.
- // Similar to `validate` stage, the `enforce` stage should return an exit
- // code of `100` to indicate that the resource in now in its desired state.
- // Any other exit code is considered an error.
- //
- // NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to
- // have an explicit indicator of `in desired state`, `not in desired state`
- // and errors. Because, for example, Powershell will always return an exit
- // code of `0` unless an `exit` statement is provided in the script. So, for
- // reasons of consistency and being explicit, exit codes `100` and `101`
- // were chosen.
- message ExecResource {
- // A file or script to execute.
- message Exec {
- // The interpreter to use.
- enum Interpreter {
- // Invalid value, the request will return validation error.
- INTERPRETER_UNSPECIFIED = 0;
-
- // If an interpreter is not specified, the
- // source is executed directly. This execution, without an
- // interpreter, only succeeds for executables and scripts that have shebang lines.
- NONE = 1;
-
- // Indicates that the script runs with `/bin/sh` on Linux and
- // `cmd.exe` on Windows.
- SHELL = 2;
-
- // Indicates that the script runs with PowerShell.
- POWERSHELL = 3;
- }
-
- // What to execute.
- oneof source {
- // A remote or local file.
- File file = 1;
-
- // An inline script.
- // The size of the script is limited to 1024 characters.
- string script = 2;
- }
-
- // Optional arguments to pass to the source during execution.
- repeated string args = 3;
-
- // Required. The script interpreter to use.
- Interpreter interpreter = 4 [(google.api.field_behavior) = REQUIRED];
-
- // Only recorded for enforce Exec.
- // Path to an output file (that is created by this Exec) whose
- // content will be recorded in OSPolicyResourceCompliance after a
- // successful run. Absence or failure to read this file will result in
- // this ExecResource being non-compliant. Output file size is limited to
- // 100K bytes.
- string output_file_path = 5;
- }
-
- // Required. What to run to validate this resource is in the desired
- // state. An exit code of 100 indicates "in desired state", and exit code
- // of 101 indicates "not in desired state". Any other exit code indicates
- // a failure running validate.
- Exec validate = 1 [(google.api.field_behavior) = REQUIRED];
-
- // What to run to bring this resource into the desired state.
- // An exit code of 100 indicates "success", any other exit code indicates
- // a failure running enforce.
- Exec enforce = 2;
- }
-
- // A resource that manages the state of a file.
- message FileResource {
- // Desired state of the file.
- enum DesiredState {
- // Unspecified is invalid.
- DESIRED_STATE_UNSPECIFIED = 0;
-
- // Ensure file at path is present.
- PRESENT = 1;
-
- // Ensure file at path is absent.
- ABSENT = 2;
-
- // Ensure the contents of the file at path matches. If the file does
- // not exist it will be created.
- CONTENTS_MATCH = 3;
- }
-
- // The source for the contents of the file.
- oneof source {
- // A remote or local source.
- File file = 1;
-
- // A a file with this content.
- // The size of the content is limited to 1024 characters.
- string content = 2;
- }
-
- // Required. The absolute path of the file within the VM.
- string path = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Desired state of the file.
- DesiredState state = 4 [(google.api.field_behavior) = REQUIRED];
-
- // Consists of three octal digits which represent, in
- // order, the permissions of the owner, group, and other users for the
- // file (similarly to the numeric mode used in the linux chmod
- // utility). Each digit represents a three bit number with the 4 bit
- // corresponding to the read permissions, the 2 bit corresponds to the
- // write bit, and the one bit corresponds to the execute permission.
- // Default behavior is 755.
- //
- // Below are some examples of permissions and their associated values:
- // read, write, and execute: 7
- // read and execute: 5
- // read and write: 6
- // read only: 4
- string permissions = 5;
- }
-
- // Required. The id of the resource with the following restrictions:
- //
- // * Must contain only lowercase letters, numbers, and hyphens.
- // * Must start with a letter.
- // * Must be between 1-63 characters.
- // * Must end with a number or a letter.
- // * Must be unique within the OS policy.
- string id = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Resource type.
- oneof resource_type {
- // Package resource
- PackageResource pkg = 2;
-
- // Package repository resource
- RepositoryResource repository = 3;
-
- // Exec resource
- ExecResource exec = 4;
-
- // File resource
- FileResource file = 5;
- }
- }
-
- // Resource groups provide a mechanism to group OS policy resources.
- //
- // Resource groups enable OS policy authors to create a single OS policy
- // to be applied to VMs running different operating Systems.
- //
- // When the OS policy is applied to a target VM, the appropriate resource
- // group within the OS policy is selected based on the `OSFilter` specified
- // within the resource group.
- message ResourceGroup {
- // List of inventory filters for the resource group.
- //
- // The resources in this resource group are applied to the target VM if it
- // satisfies at least one of the following inventory filters.
- //
- // For example, to apply this resource group to VMs running either `RHEL` or
- // `CentOS` operating systems, specify 2 items for the list with following
- // values:
- // inventory_filters[0].os_short_name='rhel' and
- // inventory_filters[1].os_short_name='centos'
- //
- // If the list is empty, this resource group will be applied to the target
- // VM unconditionally.
- repeated InventoryFilter inventory_filters = 1;
-
- // Required. List of resources configured for this resource group.
- // The resources are executed in the exact order specified here.
- repeated Resource resources = 2 [(google.api.field_behavior) = REQUIRED];
- }
-
- // Required. The id of the OS policy with the following restrictions:
- //
- // * Must contain only lowercase letters, numbers, and hyphens.
- // * Must start with a letter.
- // * Must be between 1-63 characters.
- // * Must end with a number or a letter.
- // * Must be unique within the assignment.
- string id = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Policy description.
- // Length of the description is limited to 1024 characters.
- string description = 2;
-
- // Required. Policy mode
- Mode mode = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Required. List of resource groups for the policy.
- // For a particular VM, resource groups are evaluated in the order specified
- // and the first resource group that is applicable is selected and the rest
- // are ignored.
- //
- // If none of the resource groups are applicable for a VM, the VM is
- // considered to be non-compliant w.r.t this policy. This behavior can be
- // toggled by the flag `allow_no_resource_group_match`
- repeated ResourceGroup resource_groups = 4
- [(google.api.field_behavior) = REQUIRED];
-
- // This flag determines the OS policy compliance status when none of the
- // resource groups within the policy are applicable for a VM. Set this value
- // to `true` if the policy needs to be reported as compliant even if the
- // policy has nothing to validate or enforce.
- bool allow_no_resource_group_match = 5;
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignment_reports.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignment_reports.proto
deleted file mode 100644
index eb70300b3af1..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignment_reports.proto
+++ /dev/null
@@ -1,296 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/protobuf/timestamp.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_multiple_files = true;
-option java_outer_classname = "OSPolicyAssignmentReportsProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-option (google.api.resource_definition) = {
- type: "osconfig.googleapis.com/InstanceOSPolicyAssignment"
- pattern: "projects/{project}/locations/{location}/instances/{instance}/osPolicyAssignments/{assignment}"
-};
-
-// Get a report of the OS policy assignment for a VM instance.
-message GetOSPolicyAssignmentReportRequest {
- // Required. API resource name for OS policy assignment report.
- //
- // Format:
- // `/projects/{project}/locations/{location}/instances/{instance}/osPolicyAssignments/{assignment}/report`
- //
- // For `{project}`, either `project-number` or `project-id` can be provided.
- // For `{instance_id}`, either Compute Engine `instance-id` or `instance-name`
- // can be provided.
- // For `{assignment_id}`, the OSPolicyAssignment id must be provided.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignmentReport"
- }
- ];
-}
-
-// List the OS policy assignment reports for VM instances.
-message ListOSPolicyAssignmentReportsRequest {
- // Required. The parent resource name.
- //
- // Format:
- // `projects/{project}/locations/{location}/instances/{instance}/osPolicyAssignments/{assignment}/reports`
- //
- // For `{project}`, either `project-number` or `project-id` can be provided.
- // For `{instance}`, either `instance-name`, `instance-id`, or `-` can be
- // provided. If '-' is provided, the response will include
- // OSPolicyAssignmentReports for all instances in the project/location.
- // For `{assignment}`, either `assignment-id` or `-` can be provided. If '-'
- // is provided, the response will include OSPolicyAssignmentReports for all
- // OSPolicyAssignments in the project/location.
- // Either {instance} or {assignment} must be `-`.
- //
- // For example:
- // `projects/{project}/locations/{location}/instances/{instance}/osPolicyAssignments/-/reports`
- // returns all reports for the instance
- // `projects/{project}/locations/{location}/instances/-/osPolicyAssignments/{assignment-id}/reports`
- // returns all the reports for the given assignment across all instances.
- // `projects/{project}/locations/{location}/instances/-/osPolicyAssignments/-/reports`
- // returns all the reports for all assignments across all instances.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/InstanceOSPolicyAssignment"
- }
- ];
-
- // The maximum number of results to return.
- int32 page_size = 2;
-
- // If provided, this field specifies the criteria that must be met by the
- // `OSPolicyAssignmentReport` API resource that is included in the response.
- string filter = 3;
-
- // A pagination token returned from a previous call to the
- // `ListOSPolicyAssignmentReports` method that indicates where this listing
- // should continue from.
- string page_token = 4;
-}
-
-// A response message for listing OS Policy assignment reports including the
-// page of results and page token.
-message ListOSPolicyAssignmentReportsResponse {
- // List of OS policy assignment reports.
- repeated OSPolicyAssignmentReport os_policy_assignment_reports = 1;
-
- // The pagination token to retrieve the next page of OS policy assignment
- // report objects.
- string next_page_token = 2;
-}
-
-// A report of the OS policy assignment status for a given instance.
-message OSPolicyAssignmentReport {
- option (google.api.resource) = {
- type: "osconfig.googleapis.com/OSPolicyAssignmentReport"
- pattern: "projects/{project}/locations/{location}/instances/{instance}/osPolicyAssignments/{assignment}/report"
- };
-
- // Compliance data for an OS policy
- message OSPolicyCompliance {
- // Possible compliance states for an os policy.
- enum ComplianceState {
- // The policy is in an unknown compliance state.
- //
- // Refer to the field `compliance_state_reason` to learn the exact reason
- // for the policy to be in this compliance state.
- UNKNOWN = 0;
-
- // Policy is compliant.
- //
- // The policy is compliant if all the underlying resources are also
- // compliant.
- COMPLIANT = 1;
-
- // Policy is non-compliant.
- //
- // The policy is non-compliant if one or more underlying resources are
- // non-compliant.
- NON_COMPLIANT = 2;
- }
-
- // Compliance data for an OS policy resource.
- message OSPolicyResourceCompliance {
- // Step performed by the OS Config agent for configuring an
- // `OSPolicy` resource to its desired state.
- message OSPolicyResourceConfigStep {
- // Supported configuration step types
- enum Type {
- // Default value. This value is unused.
- TYPE_UNSPECIFIED = 0;
-
- // Checks for resource conflicts such as schema errors.
- VALIDATION = 1;
-
- // Checks the current status of the desired state for a resource.
- DESIRED_STATE_CHECK = 2;
-
- // Enforces the desired state for a resource that is not in desired
- // state.
- DESIRED_STATE_ENFORCEMENT = 3;
-
- // Re-checks the status of the desired state. This check is done
- // for a resource after the enforcement of all OS policies.
- //
- // This step is used to determine the final desired state status for
- // the resource. It accounts for any resources that might have drifted
- // from their desired state due to side effects from executing other
- // resources.
- DESIRED_STATE_CHECK_POST_ENFORCEMENT = 4;
- }
-
- // Configuration step type.
- Type type = 1;
-
- // An error message recorded during the execution of this step.
- // Only populated if errors were encountered during this step execution.
- string error_message = 2;
- }
-
- // Possible compliance states for a resource.
- enum ComplianceState {
- // The resource is in an unknown compliance state.
- //
- // To get more details about why the policy is in this state, review
- // the output of the `compliance_state_reason` field.
- UNKNOWN = 0;
-
- // Resource is compliant.
- COMPLIANT = 1;
-
- // Resource is non-compliant.
- NON_COMPLIANT = 2;
- }
-
- // ExecResource specific output.
- message ExecResourceOutput {
- // Output from enforcement phase output file (if run).
- // Output size is limited to 100K bytes.
- bytes enforcement_output = 2;
- }
-
- // The ID of the OS policy resource.
- string os_policy_resource_id = 1;
-
- // Ordered list of configuration completed by the agent for the OS policy
- // resource.
- repeated OSPolicyResourceConfigStep config_steps = 2;
-
- // The compliance state of the resource.
- ComplianceState compliance_state = 3;
-
- // A reason for the resource to be in the given compliance state.
- // This field is always populated when `compliance_state` is `UNKNOWN`.
- //
- // The following values are supported when `compliance_state == UNKNOWN`
- //
- // * `execution-errors`: Errors were encountered by the agent while
- // executing the resource and the compliance state couldn't be
- // determined.
- // * `execution-skipped-by-agent`: Resource execution was skipped by the
- // agent because errors were encountered while executing prior resources
- // in the OS policy.
- // * `os-policy-execution-attempt-failed`: The execution of the OS policy
- // containing this resource failed and the compliance state couldn't be
- // determined.
- string compliance_state_reason = 4;
-
- // Resource specific output.
- oneof output {
- // ExecResource specific output.
- ExecResourceOutput exec_resource_output = 5;
- }
- }
-
- // The OS policy id
- string os_policy_id = 1;
-
- // The compliance state of the OS policy.
- ComplianceState compliance_state = 2;
-
- // The reason for the OS policy to be in an unknown compliance state.
- // This field is always populated when `compliance_state` is `UNKNOWN`.
- //
- // If populated, the field can contain one of the following values:
- //
- // * `vm-not-running`: The VM was not running.
- // * `os-policies-not-supported-by-agent`: The version of the OS Config
- // agent running on the VM does not support running OS policies.
- // * `no-agent-detected`: The OS Config agent is not detected for the VM.
- // * `resource-execution-errors`: The OS Config agent encountered errors
- // while executing one or more resources in the policy. See
- // `os_policy_resource_compliances` for details.
- // * `task-timeout`: The task sent to the agent to apply the policy timed
- // out.
- // * `unexpected-agent-state`: The OS Config agent did not report the final
- // status of the task that attempted to apply the policy. Instead, the agent
- // unexpectedly started working on a different task. This mostly happens
- // when the agent or VM unexpectedly restarts while applying OS policies.
- // * `internal-service-errors`: Internal service errors were encountered
- // while attempting to apply the policy.
- string compliance_state_reason = 3;
-
- // Compliance data for each resource within the policy that is applied to
- // the VM.
- repeated OSPolicyResourceCompliance os_policy_resource_compliances = 4;
- }
-
- // The `OSPolicyAssignmentReport` API resource name.
- //
- // Format:
- // `projects/{project_number}/locations/{location}/instances/{instance_id}/osPolicyAssignments/{os_policy_assignment_id}/report`
- string name = 1;
-
- // The Compute Engine VM instance name.
- string instance = 2;
-
- // Reference to the `OSPolicyAssignment` API resource that the `OSPolicy`
- // belongs to.
- //
- // Format:
- // `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id@revision_id}`
- string os_policy_assignment = 3 [(google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- }];
-
- // Compliance data for each `OSPolicy` that is applied to the VM.
- repeated OSPolicyCompliance os_policy_compliances = 4;
-
- // Timestamp for when the report was last generated.
- google.protobuf.Timestamp update_time = 5;
-
- // Unique identifier of the last attempted run to apply the OS policies
- // associated with this assignment on the VM.
- //
- // This ID is logged by the OS Config agent while applying the OS
- // policies associated with this assignment on the VM.
- // NOTE: If the service is unable to successfully connect to the agent for
- // this run, then this id will not be available in the agent logs.
- string last_run_id = 6;
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignments.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignments.proto
deleted file mode 100644
index 79b32a386c2d..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/os_policy_assignments.proto
+++ /dev/null
@@ -1,386 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/cloud/osconfig/v1/os_policy.proto";
-import "google/cloud/osconfig/v1/osconfig_common.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/field_mask.proto";
-import "google/protobuf/timestamp.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_multiple_files = true;
-option java_outer_classname = "OsPolicyAssignmentsProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// OS policy assignment is an API resource that is used to
-// apply a set of OS policies to a dynamically targeted group of Compute Engine
-// VM instances.
-//
-// An OS policy is used to define the desired state configuration for a
-// Compute Engine VM instance through a set of configuration resources that
-// provide capabilities such as installing or removing software packages, or
-// executing a script.
-//
-// For more information, see [OS policy and OS policy
-// assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies).
-message OSPolicyAssignment {
- option (google.api.resource) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- pattern: "projects/{project}/locations/{location}/osPolicyAssignments/{os_policy_assignment}"
- };
-
- // Message representing label set.
- // * A label is a key value pair set for a VM.
- // * A LabelSet is a set of labels.
- // * Labels within a LabelSet are ANDed. In other words, a LabelSet is
- // applicable for a VM only if it matches all the labels in the
- // LabelSet.
- // * Example: A LabelSet with 2 labels: `env=prod` and `type=webserver` will
- // only be applicable for those VMs with both labels
- // present.
- message LabelSet {
- // Labels are identified by key/value pairs in this map.
- // A VM should contain all the key/value pairs specified in this
- // map to be selected.
- map labels = 1;
- }
-
- // Filters to select target VMs for an assignment.
- //
- // If more than one filter criteria is specified below, a VM will be selected
- // if and only if it satisfies all of them.
- message InstanceFilter {
- // VM inventory details.
- message Inventory {
- // Required. The OS short name
- string os_short_name = 1 [(google.api.field_behavior) = REQUIRED];
-
- // The OS version
- //
- // Prefix matches are supported if asterisk(*) is provided as the
- // last character. For example, to match all versions with a major
- // version of `7`, specify the following value for this field `7.*`
- //
- // An empty string matches all OS versions.
- string os_version = 2;
- }
-
- // Target all VMs in the project. If true, no other criteria is
- // permitted.
- bool all = 1;
-
- // List of label sets used for VM inclusion.
- //
- // If the list has more than one `LabelSet`, the VM is included if any
- // of the label sets are applicable for the VM.
- repeated LabelSet inclusion_labels = 2;
-
- // List of label sets used for VM exclusion.
- //
- // If the list has more than one label set, the VM is excluded if any
- // of the label sets are applicable for the VM.
- repeated LabelSet exclusion_labels = 3;
-
- // List of inventories to select VMs.
- //
- // A VM is selected if its inventory data matches at least one of the
- // following inventories.
- repeated Inventory inventories = 4;
- }
-
- // Message to configure the rollout at the zonal level for the OS policy
- // assignment.
- message Rollout {
- // Required. The maximum number (or percentage) of VMs per zone to disrupt
- // at any given moment.
- FixedOrPercent disruption_budget = 1
- [(google.api.field_behavior) = REQUIRED];
-
- // Required. This determines the minimum duration of time to wait after the
- // configuration changes are applied through the current rollout. A
- // VM continues to count towards the `disruption_budget` at least
- // until this duration of time has passed after configuration changes are
- // applied.
- google.protobuf.Duration min_wait_duration = 2
- [(google.api.field_behavior) = REQUIRED];
- }
-
- // OS policy assignment rollout state
- enum RolloutState {
- // Invalid value
- ROLLOUT_STATE_UNSPECIFIED = 0;
-
- // The rollout is in progress.
- IN_PROGRESS = 1;
-
- // The rollout is being cancelled.
- CANCELLING = 2;
-
- // The rollout is cancelled.
- CANCELLED = 3;
-
- // The rollout has completed successfully.
- SUCCEEDED = 4;
- }
-
- // Resource name.
- //
- // Format:
- // `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}`
- //
- // This field is ignored when you create an OS policy assignment.
- string name = 1;
-
- // OS policy assignment description.
- // Length of the description is limited to 1024 characters.
- string description = 2;
-
- // Required. List of OS policies to be applied to the VMs.
- repeated OSPolicy os_policies = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Filter to select VMs.
- InstanceFilter instance_filter = 4 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Rollout to deploy the OS policy assignment.
- // A rollout is triggered in the following situations:
- // 1) OSPolicyAssignment is created.
- // 2) OSPolicyAssignment is updated and the update contains changes to one of
- // the following fields:
- // - instance_filter
- // - os_policies
- // 3) OSPolicyAssignment is deleted.
- Rollout rollout = 5 [(google.api.field_behavior) = REQUIRED];
-
- // Output only. The assignment revision ID
- // A new revision is committed whenever a rollout is triggered for a OS policy
- // assignment
- string revision_id = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The timestamp that the revision was created.
- google.protobuf.Timestamp revision_create_time = 7
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // The etag for this OS policy assignment.
- // If this is provided on update, it must match the server's etag.
- string etag = 8;
-
- // Output only. OS policy assignment rollout state
- RolloutState rollout_state = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Indicates that this revision has been successfully rolled out
- // in this zone and new VMs will be assigned OS policies from this revision.
- //
- // For a given OS policy assignment, there is only one revision with a value
- // of `true` for this field.
- bool baseline = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Indicates that this revision deletes the OS policy assignment.
- bool deleted = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Indicates that reconciliation is in progress for the revision.
- // This value is `true` when the `rollout_state` is one of:
- // * IN_PROGRESS
- // * CANCELLING
- bool reconciling = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Server generated unique id for the OS policy assignment
- // resource.
- string uid = 13 [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// OS policy assignment operation metadata provided by OS policy assignment API
-// methods that return long running operations.
-message OSPolicyAssignmentOperationMetadata {
- // The OS policy assignment API method.
- enum APIMethod {
- // Invalid value
- API_METHOD_UNSPECIFIED = 0;
-
- // Create OS policy assignment API method
- CREATE = 1;
-
- // Update OS policy assignment API method
- UPDATE = 2;
-
- // Delete OS policy assignment API method
- DELETE = 3;
- }
-
- // State of the rollout
- enum RolloutState {
- // Invalid value
- ROLLOUT_STATE_UNSPECIFIED = 0;
-
- // The rollout is in progress.
- IN_PROGRESS = 1;
-
- // The rollout is being cancelled.
- CANCELLING = 2;
-
- // The rollout is cancelled.
- CANCELLED = 3;
-
- // The rollout has completed successfully.
- SUCCEEDED = 4;
- }
-
- // Reference to the `OSPolicyAssignment` API resource.
- //
- // Format:
- // `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id@revision_id}`
- string os_policy_assignment = 1 [(google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- }];
-
- // The OS policy assignment API method.
- APIMethod api_method = 2;
-
- // State of the rollout
- RolloutState rollout_state = 3;
-
- // Rollout start time
- google.protobuf.Timestamp rollout_start_time = 4;
-
- // Rollout update time
- google.protobuf.Timestamp rollout_update_time = 5;
-}
-
-// A request message to create an OS policy assignment
-message CreateOSPolicyAssignmentRequest {
- // Required. The parent resource name in the form:
- // projects/{project}/locations/{location}
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "locations.googleapis.com/Location"
- }
- ];
-
- // Required. The OS policy assignment to be created.
- OSPolicyAssignment os_policy_assignment = 2
- [(google.api.field_behavior) = REQUIRED];
-
- // Required. The logical name of the OS policy assignment in the project
- // with the following restrictions:
- //
- // * Must contain only lowercase letters, numbers, and hyphens.
- // * Must start with a letter.
- // * Must be between 1-63 characters.
- // * Must end with a number or a letter.
- // * Must be unique within the project.
- string os_policy_assignment_id = 3 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request message to update an OS policy assignment
-message UpdateOSPolicyAssignmentRequest {
- // Required. The updated OS policy assignment.
- OSPolicyAssignment os_policy_assignment = 1
- [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Field mask that controls which fields of the assignment should be
- // updated.
- google.protobuf.FieldMask update_mask = 2
- [(google.api.field_behavior) = OPTIONAL];
-}
-
-// A request message to get an OS policy assignment
-message GetOSPolicyAssignmentRequest {
- // Required. The resource name of OS policy assignment.
- //
- // Format:
- // `projects/{project}/locations/{location}/osPolicyAssignments/{os_policy_assignment}@{revisionId}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- }
- ];
-}
-
-// A request message to list OS policy assignments for a parent resource
-message ListOSPolicyAssignmentsRequest {
- // Required. The parent resource name.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "locations.googleapis.com/Location"
- }
- ];
-
- // The maximum number of assignments to return.
- int32 page_size = 2;
-
- // A pagination token returned from a previous call to
- // `ListOSPolicyAssignments` that indicates where this listing should continue
- // from.
- string page_token = 3;
-}
-
-// A response message for listing all assignments under given parent.
-message ListOSPolicyAssignmentsResponse {
- // The list of assignments
- repeated OSPolicyAssignment os_policy_assignments = 1;
-
- // The pagination token to retrieve the next page of OS policy assignments.
- string next_page_token = 2;
-}
-
-// A request message to list revisions for a OS policy assignment
-message ListOSPolicyAssignmentRevisionsRequest {
- // Required. The name of the OS policy assignment to list revisions for.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- }
- ];
-
- // The maximum number of revisions to return.
- int32 page_size = 2;
-
- // A pagination token returned from a previous call to
- // `ListOSPolicyAssignmentRevisions` that indicates where this listing should
- // continue from.
- string page_token = 3;
-}
-
-// A response message for listing all revisions for a OS policy assignment.
-message ListOSPolicyAssignmentRevisionsResponse {
- // The OS policy assignment revisions
- repeated OSPolicyAssignment os_policy_assignments = 1;
-
- // The pagination token to retrieve the next page of OS policy assignment
- // revisions.
- string next_page_token = 2;
-}
-
-// A request message for deleting a OS policy assignment.
-message DeleteOSPolicyAssignmentRequest {
- // Required. The name of the OS policy assignment to be deleted
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/OSPolicyAssignment"
- }
- ];
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_common.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_common.proto
deleted file mode 100644
index 376e9d711d9b..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_common.proto
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_outer_classname = "Common";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// Message encapsulating a value that can be either absolute ("fixed") or
-// relative ("percent") to a value.
-message FixedOrPercent {
- // Type of the value.
- oneof mode {
- // Specifies a fixed value.
- int32 fixed = 1;
-
- // Specifies the relative value defined as a percentage, which will be
- // multiplied by a reference value.
- int32 percent = 2;
- }
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_service.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_service.proto
deleted file mode 100644
index b6e0ed23349f..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_service.proto
+++ /dev/null
@@ -1,158 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/client.proto";
-import "google/api/resource.proto";
-import "google/cloud/osconfig/v1/patch_deployments.proto";
-import "google/cloud/osconfig/v1/patch_jobs.proto";
-import "google/protobuf/empty.proto";
-import "google/api/annotations.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_outer_classname = "OsConfigProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-option (google.api.resource_definition) = {
- type: "compute.googleapis.com/Instance"
- pattern: "projects/{project}/zones/{zone}/instances/{instance}"
- pattern: "projects/{project}/locations/{location}/instances/{instance}"
-};
-
-// OS Config API
-//
-// The OS Config service is a server-side component that you can use to
-// manage package installations and patch jobs for virtual machine instances.
-service OsConfigService {
- option (google.api.default_host) = "osconfig.googleapis.com";
- option (google.api.oauth_scopes) =
- "https://www.googleapis.com/auth/cloud-platform";
-
- // Patch VM instances by creating and running a patch job.
- rpc ExecutePatchJob(ExecutePatchJobRequest) returns (PatchJob) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*}/patchJobs:execute"
- body: "*"
- };
- }
-
- // Get the patch job. This can be used to track the progress of an
- // ongoing patch job or review the details of completed jobs.
- rpc GetPatchJob(GetPatchJobRequest) returns (PatchJob) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/patchJobs/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Cancel a patch job. The patch job must be active. Canceled patch jobs
- // cannot be restarted.
- rpc CancelPatchJob(CancelPatchJobRequest) returns (PatchJob) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/patchJobs/*}:cancel"
- body: "*"
- };
- }
-
- // Get a list of patch jobs.
- rpc ListPatchJobs(ListPatchJobsRequest) returns (ListPatchJobsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*}/patchJobs"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Get a list of instance details for a given patch job.
- rpc ListPatchJobInstanceDetails(ListPatchJobInstanceDetailsRequest)
- returns (ListPatchJobInstanceDetailsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/patchJobs/*}/instanceDetails"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Create an OS Config patch deployment.
- rpc CreatePatchDeployment(CreatePatchDeploymentRequest)
- returns (PatchDeployment) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*}/patchDeployments"
- body: "patch_deployment"
- };
- option (google.api.method_signature) =
- "parent,patch_deployment,patch_deployment_id";
- }
-
- // Get an OS Config patch deployment.
- rpc GetPatchDeployment(GetPatchDeploymentRequest) returns (PatchDeployment) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/patchDeployments/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Get a page of OS Config patch deployments.
- rpc ListPatchDeployments(ListPatchDeploymentsRequest)
- returns (ListPatchDeploymentsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*}/patchDeployments"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Delete an OS Config patch deployment.
- rpc DeletePatchDeployment(DeletePatchDeploymentRequest)
- returns (google.protobuf.Empty) {
- option (google.api.http) = {
- delete: "/v1/{name=projects/*/patchDeployments/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Update an OS Config patch deployment.
- rpc UpdatePatchDeployment(UpdatePatchDeploymentRequest)
- returns (PatchDeployment) {
- option (google.api.http) = {
- patch: "/v1/{patch_deployment.name=projects/*/patchDeployments/*}"
- body: "patch_deployment"
- };
- option (google.api.method_signature) = "patch_deployment,update_mask";
- }
-
- // Change state of patch deployment to "PAUSED".
- // Patch deployment in paused state doesn't generate patch jobs.
- rpc PausePatchDeployment(PausePatchDeploymentRequest)
- returns (PatchDeployment) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/patchDeployments/*}:pause"
- body: "*"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Change state of patch deployment back to "ACTIVE".
- // Patch deployment in active state continues to generate patch jobs.
- rpc ResumePatchDeployment(ResumePatchDeploymentRequest)
- returns (PatchDeployment) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/patchDeployments/*}:resume"
- body: "*"
- };
- option (google.api.method_signature) = "name";
- }
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_zonal_service.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_zonal_service.proto
deleted file mode 100644
index 21523186d3ef..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/osconfig_zonal_service.proto
+++ /dev/null
@@ -1,202 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/annotations.proto";
-import "google/api/client.proto";
-import "google/cloud/osconfig/v1/inventory.proto";
-import "google/cloud/osconfig/v1/os_policy_assignment_reports.proto";
-import "google/cloud/osconfig/v1/os_policy_assignments.proto";
-import "google/cloud/osconfig/v1/vulnerability.proto";
-import "google/longrunning/operations.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_multiple_files = true;
-option java_outer_classname = "OsConfigZonalServiceProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// Zonal OS Config API
-//
-// The OS Config service is the server-side component that allows users to
-// manage package installations and patch jobs for Compute Engine VM instances.
-service OsConfigZonalService {
- option (google.api.default_host) = "osconfig.googleapis.com";
- option (google.api.oauth_scopes) =
- "https://www.googleapis.com/auth/cloud-platform";
-
- // Create an OS policy assignment.
- //
- // This method also creates the first revision of the OS policy assignment.
- //
- // This method returns a long running operation (LRO) that contains the
- // rollout details. The rollout can be cancelled by cancelling the LRO.
- //
- // For more information, see [Method:
- // projects.locations.osPolicyAssignments.operations.cancel](https://cloud.google.com/compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments.operations/cancel).
- rpc CreateOSPolicyAssignment(CreateOSPolicyAssignmentRequest)
- returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*}/osPolicyAssignments"
- body: "os_policy_assignment"
- };
- option (google.api.method_signature) =
- "parent,os_policy_assignment,os_policy_assignment_id";
- option (google.longrunning.operation_info) = {
- response_type: "OSPolicyAssignment"
- metadata_type: "OSPolicyAssignmentOperationMetadata"
- };
- }
-
- // Update an existing OS policy assignment.
- //
- // This method creates a new revision of the OS policy assignment.
- //
- // This method returns a long running operation (LRO) that contains the
- // rollout details. The rollout can be cancelled by cancelling the LRO.
- //
- // For more information, see [Method:
- // projects.locations.osPolicyAssignments.operations.cancel](https://cloud.google.com/compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments.operations/cancel).
- rpc UpdateOSPolicyAssignment(UpdateOSPolicyAssignmentRequest)
- returns (google.longrunning.Operation) {
- option (google.api.http) = {
- patch: "/v1/{os_policy_assignment.name=projects/*/locations/*/osPolicyAssignments/*}"
- body: "os_policy_assignment"
- };
- option (google.api.method_signature) = "os_policy_assignment,update_mask";
- option (google.longrunning.operation_info) = {
- response_type: "OSPolicyAssignment"
- metadata_type: "OSPolicyAssignmentOperationMetadata"
- };
- }
-
- // Retrieve an existing OS policy assignment.
- //
- // This method always returns the latest revision. In order to retrieve a
- // previous revision of the assignment, also provide the revision ID in the
- // `name` parameter.
- rpc GetOSPolicyAssignment(GetOSPolicyAssignmentRequest)
- returns (OSPolicyAssignment) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/osPolicyAssignments/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // List the OS policy assignments under the parent resource.
- //
- // For each OS policy assignment, the latest revision is returned.
- rpc ListOSPolicyAssignments(ListOSPolicyAssignmentsRequest)
- returns (ListOSPolicyAssignmentsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*}/osPolicyAssignments"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // List the OS policy assignment revisions for a given OS policy assignment.
- rpc ListOSPolicyAssignmentRevisions(ListOSPolicyAssignmentRevisionsRequest)
- returns (ListOSPolicyAssignmentRevisionsResponse) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/osPolicyAssignments/*}:listRevisions"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Delete the OS policy assignment.
- //
- // This method creates a new revision of the OS policy assignment.
- //
- // This method returns a long running operation (LRO) that contains the
- // rollout details. The rollout can be cancelled by cancelling the LRO.
- //
- // If the LRO completes and is not cancelled, all revisions associated with
- // the OS policy assignment are deleted.
- //
- // For more information, see [Method:
- // projects.locations.osPolicyAssignments.operations.cancel](https://cloud.google.com/compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments.operations/cancel).
- rpc DeleteOSPolicyAssignment(DeleteOSPolicyAssignmentRequest)
- returns (google.longrunning.Operation) {
- option (google.api.http) = {
- delete: "/v1/{name=projects/*/locations/*/osPolicyAssignments/*}"
- };
- option (google.api.method_signature) = "name";
- option (google.longrunning.operation_info) = {
- response_type: "google.protobuf.Empty"
- metadata_type: "OSPolicyAssignmentOperationMetadata"
- };
- }
-
- // Get the OS policy asssignment report for the specified Compute Engine VM
- // instance.
- rpc GetOSPolicyAssignmentReport(GetOSPolicyAssignmentReportRequest)
- returns (OSPolicyAssignmentReport) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/instances/*/osPolicyAssignments/*/report}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // List OS policy asssignment reports for all Compute Engine VM instances in
- // the specified zone.
- rpc ListOSPolicyAssignmentReports(ListOSPolicyAssignmentReportsRequest)
- returns (ListOSPolicyAssignmentReportsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/instances/*/osPolicyAssignments/*}/reports"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Get inventory data for the specified VM instance. If the VM has no
- // associated inventory, the message `NOT_FOUND` is returned.
- rpc GetInventory(GetInventoryRequest) returns (Inventory) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/instances/*/inventory}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // List inventory data for all VM instances in the specified zone.
- rpc ListInventories(ListInventoriesRequest)
- returns (ListInventoriesResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/instances/*}/inventories"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Gets the vulnerability report for the specified VM instance. Only VMs with
- // inventory data have vulnerability reports associated with them.
- rpc GetVulnerabilityReport(GetVulnerabilityReportRequest)
- returns (VulnerabilityReport) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/instances/*/vulnerabilityReport}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // List vulnerability reports for all VM instances in the specified zone.
- rpc ListVulnerabilityReports(ListVulnerabilityReportsRequest)
- returns (ListVulnerabilityReportsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/instances/*}/vulnerabilityReports"
- };
- option (google.api.method_signature) = "parent";
- }
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_deployments.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_deployments.proto
deleted file mode 100644
index 9a547dc53672..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_deployments.proto
+++ /dev/null
@@ -1,339 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/cloud/osconfig/v1/patch_jobs.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/field_mask.proto";
-import "google/protobuf/timestamp.proto";
-import "google/type/datetime.proto";
-import "google/type/dayofweek.proto";
-import "google/type/timeofday.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_outer_classname = "PatchDeployments";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// Patch deployments are configurations that individual patch jobs use to
-// complete a patch. These configurations include instance filter, package
-// repository settings, and a schedule. For more information about creating and
-// managing patch deployments, see [Scheduling patch
-// jobs](https://cloud.google.com/compute/docs/os-patch-management/schedule-patch-jobs).
-message PatchDeployment {
- option (google.api.resource) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- pattern: "projects/{project}/patchDeployments/{patch_deployment}"
- };
-
- // Represents state of patch peployment.
- enum State {
- // The default value. This value is used if the state is omitted.
- STATE_UNSPECIFIED = 0;
-
- // Active value means that patch deployment generates Patch Jobs.
- ACTIVE = 1;
-
- // Paused value means that patch deployment does not generate
- // Patch jobs. Requires user action to move in and out from this state.
- PAUSED = 2;
- }
-
- // Unique name for the patch deployment resource in a project. The patch
- // deployment name is in the form:
- // `projects/{project_id}/patchDeployments/{patch_deployment_id}`.
- // This field is ignored when you create a new patch deployment.
- string name = 1;
-
- // Optional. Description of the patch deployment. Length of the description is
- // limited to 1024 characters.
- string description = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Required. VM instances to patch.
- PatchInstanceFilter instance_filter = 3
- [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Patch configuration that is applied.
- PatchConfig patch_config = 4 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Duration of the patch. After the duration ends, the patch times
- // out.
- google.protobuf.Duration duration = 5
- [(google.api.field_behavior) = OPTIONAL];
-
- // Schedule for the patch.
- oneof schedule {
- // Required. Schedule a one-time execution.
- OneTimeSchedule one_time_schedule = 6
- [(google.api.field_behavior) = REQUIRED];
-
- // Required. Schedule recurring executions.
- RecurringSchedule recurring_schedule = 7
- [(google.api.field_behavior) = REQUIRED];
- }
-
- // Output only. Time the patch deployment was created. Timestamp is in
- // [RFC3339](https://www.ietf.org/rfc/rfc3339.txt) text format.
- google.protobuf.Timestamp create_time = 8
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Time the patch deployment was last updated. Timestamp is in
- // [RFC3339](https://www.ietf.org/rfc/rfc3339.txt) text format.
- google.protobuf.Timestamp update_time = 9
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The last time a patch job was started by this deployment.
- // Timestamp is in [RFC3339](https://www.ietf.org/rfc/rfc3339.txt) text
- // format.
- google.protobuf.Timestamp last_execute_time = 10
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Optional. Rollout strategy of the patch job.
- PatchRollout rollout = 11 [(google.api.field_behavior) = OPTIONAL];
-
- // Output only. Current state of the patch deployment.
- State state = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// Sets the time for a one time patch deployment. Timestamp is in
-// [RFC3339](https://www.ietf.org/rfc/rfc3339.txt) text format.
-message OneTimeSchedule {
- // Required. The desired patch job execution time.
- google.protobuf.Timestamp execute_time = 1
- [(google.api.field_behavior) = REQUIRED];
-}
-
-// Sets the time for recurring patch deployments.
-message RecurringSchedule {
- // Specifies the frequency of the recurring patch deployments.
- enum Frequency {
- // Invalid. A frequency must be specified.
- FREQUENCY_UNSPECIFIED = 0;
-
- // Indicates that the frequency of recurrence should be expressed in terms
- // of weeks.
- WEEKLY = 1;
-
- // Indicates that the frequency of recurrence should be expressed in terms
- // of months.
- MONTHLY = 2;
-
- // Indicates that the frequency of recurrence should be expressed in terms
- // of days.
- DAILY = 3;
- }
-
- // Required. Defines the time zone that `time_of_day` is relative to.
- // The rules for daylight saving time are determined by the chosen time zone.
- google.type.TimeZone time_zone = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. The time that the recurring schedule becomes effective.
- // Defaults to `create_time` of the patch deployment.
- google.protobuf.Timestamp start_time = 2
- [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. The end time at which a recurring patch deployment schedule is no
- // longer active.
- google.protobuf.Timestamp end_time = 3
- [(google.api.field_behavior) = OPTIONAL];
-
- // Required. Time of the day to run a recurring deployment.
- google.type.TimeOfDay time_of_day = 4
- [(google.api.field_behavior) = REQUIRED];
-
- // Required. The frequency unit of this recurring schedule.
- Frequency frequency = 5 [(google.api.field_behavior) = REQUIRED];
-
- // Configurations for this recurring schedule.
- // Configurations must match frequency.
- oneof schedule_config {
- // Required. Schedule with weekly executions.
- WeeklySchedule weekly = 6 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Schedule with monthly executions.
- MonthlySchedule monthly = 7 [(google.api.field_behavior) = REQUIRED];
- }
-
- // Output only. The time the last patch job ran successfully.
- google.protobuf.Timestamp last_execute_time = 9
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time the next patch job is scheduled to run.
- google.protobuf.Timestamp next_execute_time = 10
- [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// Represents a weekly schedule.
-message WeeklySchedule {
- // Required. Day of the week.
- google.type.DayOfWeek day_of_week = 1
- [(google.api.field_behavior) = REQUIRED];
-}
-
-// Represents a monthly schedule. An example of a valid monthly schedule is
-// "on the third Tuesday of the month" or "on the 15th of the month".
-message MonthlySchedule {
- // One day in a month.
- oneof day_of_month {
- // Required. Week day in a month.
- WeekDayOfMonth week_day_of_month = 1
- [(google.api.field_behavior) = REQUIRED];
-
- // Required. One day of the month. 1-31 indicates the 1st to the 31st day.
- // -1 indicates the last day of the month. Months without the target day
- // will be skipped. For example, a schedule to run "every month on the 31st"
- // will not run in February, April, June, etc.
- int32 month_day = 2 [(google.api.field_behavior) = REQUIRED];
- }
-}
-
-// Represents one week day in a month. An example is "the 4th Sunday".
-message WeekDayOfMonth {
- // Required. Week number in a month. 1-4 indicates the 1st to 4th week of the
- // month. -1 indicates the last week of the month.
- int32 week_ordinal = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. A day of the week.
- google.type.DayOfWeek day_of_week = 2
- [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Represents the number of days before or after the given week day
- // of month that the patch deployment is scheduled for. For example if
- // `week_ordinal` and `day_of_week` values point to the second day of the
- // month and this `day_offset` value is set to `3`, the patch deployment takes
- // place three days after the second Tuesday of the month. If this value is
- // negative, for example -5, the patches are deployed five days before before
- // the second Tuesday of the month. Allowed values are in range [-30, 30].
- int32 day_offset = 3 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// A request message for creating a patch deployment.
-message CreatePatchDeploymentRequest {
- // Required. The project to apply this patch deployment to in the form
- // `projects/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
- }
- ];
-
- // Required. A name for the patch deployment in the project. When creating a
- // name the following rules apply:
- // * Must contain only lowercase letters, numbers, and hyphens.
- // * Must start with a letter.
- // * Must be between 1-63 characters.
- // * Must end with a number or a letter.
- // * Must be unique within the project.
- string patch_deployment_id = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. The patch deployment to create.
- PatchDeployment patch_deployment = 3 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request message for retrieving a patch deployment.
-message GetPatchDeploymentRequest {
- // Required. The resource name of the patch deployment in the form
- // `projects/*/patchDeployments/*`.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- }
- ];
-}
-
-// A request message for listing patch deployments.
-message ListPatchDeploymentsRequest {
- // Required. The resource name of the parent in the form `projects/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
- }
- ];
-
- // Optional. The maximum number of patch deployments to return. Default is
- // 100.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. A pagination token returned from a previous call to
- // ListPatchDeployments that indicates where this listing should continue
- // from.
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// A response message for listing patch deployments.
-message ListPatchDeploymentsResponse {
- // The list of patch deployments.
- repeated PatchDeployment patch_deployments = 1;
-
- // A pagination token that can be used to get the next page of patch
- // deployments.
- string next_page_token = 2;
-}
-
-// A request message for deleting a patch deployment.
-message DeletePatchDeploymentRequest {
- // Required. The resource name of the patch deployment in the form
- // `projects/*/patchDeployments/*`.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- }
- ];
-}
-
-// A request message for updating a patch deployment.
-message UpdatePatchDeploymentRequest {
- // Required. The patch deployment to Update.
- PatchDeployment patch_deployment = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Field mask that controls which fields of the patch deployment
- // should be updated.
- google.protobuf.FieldMask update_mask = 2
- [(google.api.field_behavior) = OPTIONAL];
-}
-
-// A request message for pausing a patch deployment.
-message PausePatchDeploymentRequest {
- // Required. The resource name of the patch deployment in the form
- // `projects/*/patchDeployments/*`.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- }
- ];
-}
-
-// A request message for resuming a patch deployment.
-message ResumePatchDeploymentRequest {
- // Required. The resource name of the patch deployment in the form
- // `projects/*/patchDeployments/*`.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- }
- ];
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_jobs.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_jobs.proto
deleted file mode 100644
index 01bb23d76a6f..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/patch_jobs.proto
+++ /dev/null
@@ -1,742 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/cloud/osconfig/v1/osconfig_common.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/timestamp.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_outer_classname = "PatchJobs";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// A request message to initiate patching across Compute Engine
-// instances.
-message ExecutePatchJobRequest {
- // Required. The project in which to run this patch in the form `projects/*`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
- }
- ];
-
- // Description of the patch job. Length of the description is limited
- // to 1024 characters.
- string description = 2;
-
- // Required. Instances to patch, either explicitly or filtered by some
- // criteria such as zone or labels.
- PatchInstanceFilter instance_filter = 7
- [(google.api.field_behavior) = REQUIRED];
-
- // Patch configuration being applied. If omitted, instances are
- // patched using the default configurations.
- PatchConfig patch_config = 4;
-
- // Duration of the patch job. After the duration ends, the patch job
- // times out.
- google.protobuf.Duration duration = 5;
-
- // If this patch is a dry-run only, instances are contacted but
- // will do nothing.
- bool dry_run = 6;
-
- // Display name for this patch job. This does not have to be unique.
- string display_name = 8;
-
- // Rollout strategy of the patch job.
- PatchRollout rollout = 9;
-}
-
-// Request to get an active or completed patch job.
-message GetPatchJobRequest {
- // Required. Name of the patch in the form `projects/*/patchJobs/*`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchJob"
- }
- ];
-}
-
-// Request to list details for all instances that are part of a patch job.
-message ListPatchJobInstanceDetailsRequest {
- // Required. The parent for the instances are in the form of
- // `projects/*/patchJobs/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchJob"
- }
- ];
-
- // The maximum number of instance details records to return. Default is 100.
- int32 page_size = 2;
-
- // A pagination token returned from a previous call
- // that indicates where this listing should continue from.
- string page_token = 3;
-
- // A filter expression that filters results listed in the response. This
- // field supports filtering results by instance zone, name, state, or
- // `failure_reason`.
- string filter = 4;
-}
-
-// A response message for listing the instances details for a patch job.
-message ListPatchJobInstanceDetailsResponse {
- // A list of instance status.
- repeated PatchJobInstanceDetails patch_job_instance_details = 1;
-
- // A pagination token that can be used to get the next page of results.
- string next_page_token = 2;
-}
-
-// Patch details for a VM instance. For more information about reviewing VM
-// instance details, see
-// [Listing all VM instance details for a specific patch
-// job](https://cloud.google.com/compute/docs/os-patch-management/manage-patch-jobs#list-instance-details).
-message PatchJobInstanceDetails {
- // The instance name in the form `projects/*/zones/*/instances/*`
- string name = 1 [(google.api.resource_reference) = {
- type: "compute.googleapis.com/Instance"
- }];
-
- // The unique identifier for the instance. This identifier is
- // defined by the server.
- string instance_system_id = 2;
-
- // Current state of instance patch.
- Instance.PatchState state = 3;
-
- // If the patch fails, this field provides the reason.
- string failure_reason = 4;
-
- // The number of times the agent that the agent attempts to apply the patch.
- int64 attempt_count = 5;
-}
-
-// A request message for listing patch jobs.
-message ListPatchJobsRequest {
- // Required. In the form of `projects/*`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
- }
- ];
-
- // The maximum number of instance status to return.
- int32 page_size = 2;
-
- // A pagination token returned from a previous call
- // that indicates where this listing should continue from.
- string page_token = 3;
-
- // If provided, this field specifies the criteria that must be met by patch
- // jobs to be included in the response.
- // Currently, filtering is only available on the patch_deployment field.
- string filter = 4;
-}
-
-// A response message for listing patch jobs.
-message ListPatchJobsResponse {
- // The list of patch jobs.
- repeated PatchJob patch_jobs = 1;
-
- // A pagination token that can be used to get the next page of results.
- string next_page_token = 2;
-}
-
-// A high level representation of a patch job that is either in progress
-// or has completed.
-//
-// Instance details are not included in the job. To paginate through instance
-// details, use ListPatchJobInstanceDetails.
-//
-// For more information about patch jobs, see
-// [Creating patch
-// jobs](https://cloud.google.com/compute/docs/os-patch-management/create-patch-job).
-message PatchJob {
- option (google.api.resource) = {
- type: "osconfig.googleapis.com/PatchJob"
- pattern: "projects/{project}/patchJobs/{patch_job}"
- };
-
- // Enumeration of the various states a patch job passes through as it
- // executes.
- enum State {
- // State must be specified.
- STATE_UNSPECIFIED = 0;
-
- // The patch job was successfully initiated.
- STARTED = 1;
-
- // The patch job is looking up instances to run the patch on.
- INSTANCE_LOOKUP = 2;
-
- // Instances are being patched.
- PATCHING = 3;
-
- // Patch job completed successfully.
- SUCCEEDED = 4;
-
- // Patch job completed but there were errors.
- COMPLETED_WITH_ERRORS = 5;
-
- // The patch job was canceled.
- CANCELED = 6;
-
- // The patch job timed out.
- TIMED_OUT = 7;
- }
-
- // A summary of the current patch state across all instances that this patch
- // job affects. Contains counts of instances in different states. These states
- // map to `InstancePatchState`. List patch job instance details to see the
- // specific states of each instance.
- message InstanceDetailsSummary {
- // Number of instances pending patch job.
- int64 pending_instance_count = 1;
-
- // Number of instances that are inactive.
- int64 inactive_instance_count = 2;
-
- // Number of instances notified about patch job.
- int64 notified_instance_count = 3;
-
- // Number of instances that have started.
- int64 started_instance_count = 4;
-
- // Number of instances that are downloading patches.
- int64 downloading_patches_instance_count = 5;
-
- // Number of instances that are applying patches.
- int64 applying_patches_instance_count = 6;
-
- // Number of instances rebooting.
- int64 rebooting_instance_count = 7;
-
- // Number of instances that have completed successfully.
- int64 succeeded_instance_count = 8;
-
- // Number of instances that require reboot.
- int64 succeeded_reboot_required_instance_count = 9;
-
- // Number of instances that failed.
- int64 failed_instance_count = 10;
-
- // Number of instances that have acked and will start shortly.
- int64 acked_instance_count = 11;
-
- // Number of instances that exceeded the time out while applying the patch.
- int64 timed_out_instance_count = 12;
-
- // Number of instances that are running the pre-patch step.
- int64 pre_patch_step_instance_count = 13;
-
- // Number of instances that are running the post-patch step.
- int64 post_patch_step_instance_count = 14;
-
- // Number of instances that do not appear to be running the agent. Check to
- // ensure that the agent is installed, running, and able to communicate with
- // the service.
- int64 no_agent_detected_instance_count = 15;
- }
-
- // Unique identifier for this patch job in the form
- // `projects/*/patchJobs/*`
- string name = 1;
-
- // Display name for this patch job. This is not a unique identifier.
- string display_name = 14;
-
- // Description of the patch job. Length of the description is limited
- // to 1024 characters.
- string description = 2;
-
- // Time this patch job was created.
- google.protobuf.Timestamp create_time = 3;
-
- // Last time this patch job was updated.
- google.protobuf.Timestamp update_time = 4;
-
- // The current state of the PatchJob.
- State state = 5;
-
- // Instances to patch.
- PatchInstanceFilter instance_filter = 13;
-
- // Patch configuration being applied.
- PatchConfig patch_config = 7;
-
- // Duration of the patch job. After the duration ends, the
- // patch job times out.
- google.protobuf.Duration duration = 8;
-
- // Summary of instance details.
- InstanceDetailsSummary instance_details_summary = 9;
-
- // If this patch job is a dry run, the agent reports that it has
- // finished without running any updates on the VM instance.
- bool dry_run = 10;
-
- // If this patch job failed, this message provides information about the
- // failure.
- string error_message = 11;
-
- // Reflects the overall progress of the patch job in the range of
- // 0.0 being no progress to 100.0 being complete.
- double percent_complete = 12;
-
- // Output only. Name of the patch deployment that created this patch job.
- string patch_deployment = 15 [
- (google.api.field_behavior) = OUTPUT_ONLY,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchDeployment"
- }
- ];
-
- // Rollout strategy being applied.
- PatchRollout rollout = 16;
-}
-
-// Patch configuration specifications. Contains details on how to apply the
-// patch(es) to a VM instance.
-message PatchConfig {
- // Post-patch reboot settings.
- enum RebootConfig {
- // The default behavior is DEFAULT.
- REBOOT_CONFIG_UNSPECIFIED = 0;
-
- // The agent decides if a reboot is necessary by checking signals such as
- // registry keys on Windows or `/var/run/reboot-required` on APT based
- // systems. On RPM based systems, a set of core system package install times
- // are compared with system boot time.
- DEFAULT = 1;
-
- // Always reboot the machine after the update completes.
- ALWAYS = 2;
-
- // Never reboot the machine after the update completes.
- NEVER = 3;
- }
-
- // Post-patch reboot settings.
- RebootConfig reboot_config = 1;
-
- // Apt update settings. Use this setting to override the default `apt` patch
- // rules.
- AptSettings apt = 3;
-
- // Yum update settings. Use this setting to override the default `yum` patch
- // rules.
- YumSettings yum = 4;
-
- // Goo update settings. Use this setting to override the default `goo` patch
- // rules.
- GooSettings goo = 5;
-
- // Zypper update settings. Use this setting to override the default `zypper`
- // patch rules.
- ZypperSettings zypper = 6;
-
- // Windows update settings. Use this override the default windows patch rules.
- WindowsUpdateSettings windows_update = 7;
-
- // The `ExecStep` to run before the patch update.
- ExecStep pre_step = 8;
-
- // The `ExecStep` to run after the patch update.
- ExecStep post_step = 9;
-
- // Allows the patch job to run on Managed instance groups (MIGs).
- bool mig_instances_allowed = 10;
-}
-
-// Namespace for instance state enums.
-message Instance {
- // Patch state of an instance.
- enum PatchState {
- // Unspecified.
- PATCH_STATE_UNSPECIFIED = 0;
-
- // The instance is not yet notified.
- PENDING = 1;
-
- // Instance is inactive and cannot be patched.
- INACTIVE = 2;
-
- // The instance is notified that it should be patched.
- NOTIFIED = 3;
-
- // The instance has started the patching process.
- STARTED = 4;
-
- // The instance is downloading patches.
- DOWNLOADING_PATCHES = 5;
-
- // The instance is applying patches.
- APPLYING_PATCHES = 6;
-
- // The instance is rebooting.
- REBOOTING = 7;
-
- // The instance has completed applying patches.
- SUCCEEDED = 8;
-
- // The instance has completed applying patches but a reboot is required.
- SUCCEEDED_REBOOT_REQUIRED = 9;
-
- // The instance has failed to apply the patch.
- FAILED = 10;
-
- // The instance acked the notification and will start shortly.
- ACKED = 11;
-
- // The instance exceeded the time out while applying the patch.
- TIMED_OUT = 12;
-
- // The instance is running the pre-patch step.
- RUNNING_PRE_PATCH_STEP = 13;
-
- // The instance is running the post-patch step.
- RUNNING_POST_PATCH_STEP = 14;
-
- // The service could not detect the presence of the agent. Check to ensure
- // that the agent is installed, running, and able to communicate with the
- // service.
- NO_AGENT_DETECTED = 15;
- }
-}
-
-// Message for canceling a patch job.
-message CancelPatchJobRequest {
- // Required. Name of the patch in the form `projects/*/patchJobs/*`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/PatchJob"
- }
- ];
-}
-
-// Apt patching is completed by executing `apt-get update && apt-get
-// upgrade`. Additional options can be set to control how this is executed.
-message AptSettings {
- // Apt patch type.
- enum Type {
- // By default, upgrade will be performed.
- TYPE_UNSPECIFIED = 0;
-
- // Runs `apt-get dist-upgrade`.
- DIST = 1;
-
- // Runs `apt-get upgrade`.
- UPGRADE = 2;
- }
-
- // By changing the type to DIST, the patching is performed
- // using `apt-get dist-upgrade` instead.
- Type type = 1;
-
- // List of packages to exclude from update. These packages will be excluded
- repeated string excludes = 2;
-
- // An exclusive list of packages to be updated. These are the only packages
- // that will be updated. If these packages are not installed, they will be
- // ignored. This field cannot be specified with any other patch configuration
- // fields.
- repeated string exclusive_packages = 3;
-}
-
-// Yum patching is performed by executing `yum update`. Additional options
-// can be set to control how this is executed.
-//
-// Note that not all settings are supported on all platforms.
-message YumSettings {
- // Adds the `--security` flag to `yum update`. Not supported on
- // all platforms.
- bool security = 1;
-
- // Will cause patch to run `yum update-minimal` instead.
- bool minimal = 2;
-
- // List of packages to exclude from update. These packages are excluded by
- // using the yum `--exclude` flag.
- repeated string excludes = 3;
-
- // An exclusive list of packages to be updated. These are the only packages
- // that will be updated. If these packages are not installed, they will be
- // ignored. This field must not be specified with any other patch
- // configuration fields.
- repeated string exclusive_packages = 4;
-}
-
-// Googet patching is performed by running `googet update`.
-message GooSettings {}
-
-// Zypper patching is performed by running `zypper patch`.
-// See also https://en.opensuse.org/SDB:Zypper_manual.
-message ZypperSettings {
- // Adds the `--with-optional` flag to `zypper patch`.
- bool with_optional = 1;
-
- // Adds the `--with-update` flag, to `zypper patch`.
- bool with_update = 2;
-
- // Install only patches with these categories.
- // Common categories include security, recommended, and feature.
- repeated string categories = 3;
-
- // Install only patches with these severities.
- // Common severities include critical, important, moderate, and low.
- repeated string severities = 4;
-
- // List of patches to exclude from update.
- repeated string excludes = 5;
-
- // An exclusive list of patches to be updated. These are the only patches
- // that will be installed using 'zypper patch patch:' command.
- // This field must not be used with any other patch configuration fields.
- repeated string exclusive_patches = 6;
-}
-
-// Windows patching is performed using the Windows Update Agent.
-message WindowsUpdateSettings {
- // Microsoft Windows update classifications as defined in
- // [1]
- // https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro
- enum Classification {
- // Invalid. If classifications are included, they must be specified.
- CLASSIFICATION_UNSPECIFIED = 0;
-
- // "A widely released fix for a specific problem that addresses a critical,
- // non-security-related bug." [1]
- CRITICAL = 1;
-
- // "A widely released fix for a product-specific, security-related
- // vulnerability. Security vulnerabilities are rated by their severity. The
- // severity rating is indicated in the Microsoft security bulletin as
- // critical, important, moderate, or low." [1]
- SECURITY = 2;
-
- // "A widely released and frequent software update that contains additions
- // to a product's definition database. Definition databases are often used
- // to detect objects that have specific attributes, such as malicious code,
- // phishing websites, or junk mail." [1]
- DEFINITION = 3;
-
- // "Software that controls the input and output of a device." [1]
- DRIVER = 4;
-
- // "New product functionality that is first distributed outside the context
- // of a product release and that is typically included in the next full
- // product release." [1]
- FEATURE_PACK = 5;
-
- // "A tested, cumulative set of all hotfixes, security updates, critical
- // updates, and updates. Additionally, service packs may contain additional
- // fixes for problems that are found internally since the release of the
- // product. Service packs my also contain a limited number of
- // customer-requested design changes or features." [1]
- SERVICE_PACK = 6;
-
- // "A utility or feature that helps complete a task or set of tasks." [1]
- TOOL = 7;
-
- // "A tested, cumulative set of hotfixes, security updates, critical
- // updates, and updates that are packaged together for easy deployment. A
- // rollup generally targets a specific area, such as security, or a
- // component of a product, such as Internet Information Services (IIS)." [1]
- UPDATE_ROLLUP = 8;
-
- // "A widely released fix for a specific problem. An update addresses a
- // noncritical, non-security-related bug." [1]
- UPDATE = 9;
- }
-
- // Only apply updates of these windows update classifications. If empty, all
- // updates are applied.
- repeated Classification classifications = 1;
-
- // List of KBs to exclude from update.
- repeated string excludes = 2;
-
- // An exclusive list of kbs to be updated. These are the only patches
- // that will be updated. This field must not be used with other
- // patch configurations.
- repeated string exclusive_patches = 3;
-}
-
-// A step that runs an executable for a PatchJob.
-message ExecStep {
- // The ExecStepConfig for all Linux VMs targeted by the PatchJob.
- ExecStepConfig linux_exec_step_config = 1;
-
- // The ExecStepConfig for all Windows VMs targeted by the PatchJob.
- ExecStepConfig windows_exec_step_config = 2;
-}
-
-// Common configurations for an ExecStep.
-message ExecStepConfig {
- // The interpreter used to execute the a file.
- enum Interpreter {
- // Invalid for a Windows ExecStepConfig. For a Linux ExecStepConfig, the
- // interpreter will be parsed from the shebang line of the script if
- // unspecified.
- INTERPRETER_UNSPECIFIED = 0;
-
- // Indicates that the script is run with `/bin/sh` on Linux and `cmd`
- // on Windows.
- SHELL = 1;
-
- // Indicates that the file is run with PowerShell flags
- // `-NonInteractive`, `-NoProfile`, and `-ExecutionPolicy Bypass`.
- POWERSHELL = 2;
- }
-
- // Location of the executable.
- oneof executable {
- // An absolute path to the executable on the VM.
- string local_path = 1;
-
- // A Cloud Storage object containing the executable.
- GcsObject gcs_object = 2;
- }
-
- // Defaults to [0]. A list of possible return values that the
- // execution can return to indicate a success.
- repeated int32 allowed_success_codes = 3;
-
- // The script interpreter to use to run the script. If no interpreter is
- // specified the script will be executed directly, which will likely
- // only succeed for scripts with [shebang lines]
- // (https://en.wikipedia.org/wiki/Shebang_\(Unix\)).
- Interpreter interpreter = 4;
-}
-
-// Cloud Storage object representation.
-message GcsObject {
- // Required. Bucket of the Cloud Storage object.
- string bucket = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Name of the Cloud Storage object.
- string object = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Generation number of the Cloud Storage object. This is used to
- // ensure that the ExecStep specified by this PatchJob does not change.
- int64 generation_number = 3 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A filter to target VM instances for patching. The targeted
-// VMs must meet all criteria specified. So if both labels and zones are
-// specified, the patch job targets only VMs with those labels and in those
-// zones.
-message PatchInstanceFilter {
- // Targets a group of VM instances by using their [assigned
- // labels](https://cloud.google.com/compute/docs/labeling-resources). Labels
- // are key-value pairs. A `GroupLabel` is a combination of labels
- // that is used to target VMs for a patch job.
- //
- // For example, a patch job can target VMs that have the following
- // `GroupLabel`: `{"env":"test", "app":"web"}`. This means that the patch job
- // is applied to VMs that have both the labels `env=test` and `app=web`.
- message GroupLabel {
- // Compute Engine instance labels that must be present for a VM
- // instance to be targeted by this filter.
- map labels = 1;
- }
-
- // Target all VM instances in the project. If true, no other criteria is
- // permitted.
- bool all = 1;
-
- // Targets VM instances matching ANY of these GroupLabels. This allows
- // targeting of disparate groups of VM instances.
- repeated GroupLabel group_labels = 2;
-
- // Targets VM instances in ANY of these zones. Leave empty to target VM
- // instances in any zone.
- repeated string zones = 3;
-
- // Targets any of the VM instances specified. Instances are specified by their
- // URI in the form `zones/[ZONE]/instances/[INSTANCE_NAME]`,
- // `projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]`, or
- // `https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]`
- repeated string instances = 4;
-
- // Targets VMs whose name starts with one of these prefixes. Similar to
- // labels, this is another way to group VMs when targeting configs, for
- // example prefix="prod-".
- repeated string instance_name_prefixes = 5;
-}
-
-// Patch rollout configuration specifications. Contains details on the
-// concurrency control when applying patch(es) to all targeted VMs.
-message PatchRollout {
- // Type of the rollout.
- enum Mode {
- // Mode must be specified.
- MODE_UNSPECIFIED = 0;
-
- // Patches are applied one zone at a time. The patch job begins in the
- // region with the lowest number of targeted VMs. Within the region,
- // patching begins in the zone with the lowest number of targeted VMs. If
- // multiple regions (or zones within a region) have the same number of
- // targeted VMs, a tie-breaker is achieved by sorting the regions or zones
- // in alphabetical order.
- ZONE_BY_ZONE = 1;
-
- // Patches are applied to VMs in all zones at the same time.
- CONCURRENT_ZONES = 2;
- }
-
- // Mode of the patch rollout.
- Mode mode = 1;
-
- // The maximum number (or percentage) of VMs per zone to disrupt at any given
- // moment. The number of VMs calculated from multiplying the percentage by the
- // total number of VMs in a zone is rounded up.
- //
- // During patching, a VM is considered disrupted from the time the agent is
- // notified to begin until patching has completed. This disruption time
- // includes the time to complete reboot and any post-patch steps.
- //
- // A VM contributes to the disruption budget if its patching operation fails
- // either when applying the patches, running pre or post patch steps, or if it
- // fails to respond with a success notification before timing out. VMs that
- // are not running or do not have an active agent do not count toward this
- // disruption budget.
- //
- // For zone-by-zone rollouts, if the disruption budget in a zone is exceeded,
- // the patch job stops, because continuing to the next zone requires
- // completion of the patch process in the previous zone.
- //
- // For example, if the disruption budget has a fixed value of `10`, and 8 VMs
- // fail to patch in the current zone, the patch job continues to patch 2 VMs
- // at a time until the zone is completed. When that zone is completed
- // successfully, patching begins with 10 VMs at a time in the next zone. If 10
- // VMs in the next zone fail to patch, the patch job stops.
- FixedOrPercent disruption_budget = 2;
-}
diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto
deleted file mode 100644
index 70bb7f21b6f6..000000000000
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto
+++ /dev/null
@@ -1,415 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.osconfig.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/protobuf/timestamp.proto";
-
-option csharp_namespace = "Google.Cloud.OsConfig.V1";
-option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
-option java_multiple_files = true;
-option java_outer_classname = "VulnerabilityProto";
-option java_package = "com.google.cloud.osconfig.v1";
-option php_namespace = "Google\\Cloud\\OsConfig\\V1";
-option ruby_package = "Google::Cloud::OsConfig::V1";
-
-// This API resource represents the vulnerability report for a specified
-// Compute Engine virtual machine (VM) instance at a given point in time.
-//
-// For more information, see [Vulnerability
-// reports](https://cloud.google.com/compute/docs/instances/os-inventory-management#vulnerability-reports).
-message VulnerabilityReport {
- option (google.api.resource) = {
- type: "osconfig.googleapis.com/VulnerabilityReport"
- pattern: "projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport"
- };
-
- // A vulnerability affecting the VM instance.
- message Vulnerability {
- // Contains metadata information for the vulnerability. This information is
- // collected from the upstream feed of the operating system.
- message Details {
- // A reference for this vulnerability.
- message Reference {
- // The url of the reference.
- string url = 1;
-
- // The source of the reference e.g. NVD.
- string source = 2;
- }
-
- // The CVE of the vulnerability. CVE cannot be
- // empty and the combination of should be unique
- // across vulnerabilities for a VM.
- string cve = 1;
-
- // The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of
- // 0 - 10 where 0 indicates low severity and 10 indicates high severity.
- float cvss_v2_score = 2;
-
- // The full description of the CVSSv3 for this vulnerability from NVD.
- CVSSv3 cvss_v3 = 3;
-
- // Assigned severity/impact ranking from the distro.
- string severity = 4;
-
- // The note or description describing the vulnerability from the distro.
- string description = 5;
-
- // Corresponds to the references attached to the `VulnerabilityDetails`.
- repeated Reference references = 6;
- }
-
- // OS inventory item that is affected by a vulnerability or fixed as a
- // result of a vulnerability.
- message Item {
- // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM.
- // This field displays the inventory items affected by this vulnerability.
- // If the vulnerability report was not updated after the VM inventory
- // update, these values might not display in VM inventory. For some
- // operating systems, this field might be empty.
- string installed_inventory_item_id = 1;
-
- // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
- // If the vulnerability report was not updated after the VM inventory
- // update, these values might not display in VM inventory. If there is no
- // available fix, the field is empty. The `inventory_item` value specifies
- // the latest `SoftwarePackage` available to the VM that fixes the
- // vulnerability.
- string available_inventory_item_id = 2;
-
- // The recommended [CPE URI](https://cpe.mitre.org/specification/) update
- // that contains a fix for this vulnerability.
- string fixed_cpe_uri = 3;
-
- // The upstream OS patch, packages or KB that fixes the vulnerability.
- string upstream_fix = 4;
- }
-
- // Contains metadata as per the upstream feed of the operating system and
- // NVD.
- Details details = 1;
-
- // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM.
- // This field displays the inventory items affected by this vulnerability.
- // If the vulnerability report was not updated after the VM inventory
- // update, these values might not display in VM inventory. For some distros,
- // this field may be empty.
- repeated string installed_inventory_item_ids = 2 [deprecated = true];
-
- // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
- // If the vulnerability report was not updated after the VM inventory
- // update, these values might not display in VM inventory. If there is no
- // available fix, the field is empty. The `inventory_item` value specifies
- // the latest `SoftwarePackage` available to the VM that fixes the
- // vulnerability.
- repeated string available_inventory_item_ids = 3 [deprecated = true];
-
- // The timestamp for when the vulnerability was first detected.
- google.protobuf.Timestamp create_time = 4;
-
- // The timestamp for when the vulnerability was last modified.
- google.protobuf.Timestamp update_time = 5;
-
- // List of items affected by the vulnerability.
- repeated Item items = 6;
- }
-
- // Severity levels for vulnerabilities.
- enum VulnerabilitySeverityLevel {
- // Default SeverityLevel. This value is unused.
- VULNERABILITY_SEVERITY_LEVEL_UNSPECIFIED = 0;
-
- // Vulnerability has no severity level.
- NONE = 1;
-
- // Vulnerability severity level is minimal. This is level below the low
- // severity level.
- MINIMAL = 2;
-
- // Vulnerability severity level is low. This is level below the medium
- // severity level.
- LOW = 3;
-
- // Vulnerability severity level is medium. This is level below the high
- // severity level.
- MEDIUM = 4;
-
- // Vulnerability severity level is high. This is level below the critical
- // severity level.
- HIGH = 5;
-
- // Vulnerability severity level is critical. This is the highest severity
- // level.
- CRITICAL = 6;
- }
-
- // Output only. The `vulnerabilityReport` API resource name.
- //
- // Format:
- // `projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport`
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. List of vulnerabilities affecting the VM.
- repeated Vulnerability vulnerabilities = 2
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The timestamp for when the last vulnerability report was
- // generated for the VM.
- google.protobuf.Timestamp update_time = 3
- [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Highest level of severity among all the upgradable
- // vulnerabilities with CVEs attached.
- VulnerabilitySeverityLevel highest_upgradable_cve_severity = 4
- [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// A request message for getting the vulnerability report for the specified VM.
-message GetVulnerabilityReportRequest {
- // Required. API resource name for vulnerability resource.
- //
- // Format:
- // `projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport`
- //
- // For `{project}`, either `project-number` or `project-id` can be provided.
- // For `{instance}`, either Compute Engine `instance-id` or `instance-name`
- // can be provided.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "osconfig.googleapis.com/VulnerabilityReport"
- }
- ];
-}
-
-// A request message for listing vulnerability reports for all VM instances in
-// the specified location.
-message ListVulnerabilityReportsRequest {
- // Required. The parent resource name.
- //
- // Format: `projects/{project}/locations/{location}/instances/-`
- //
- // For `{project}`, either `project-number` or `project-id` can be provided.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "compute.googleapis.com/Instance"
- }
- ];
-
- // The maximum number of results to return.
- int32 page_size = 2;
-
- // A pagination token returned from a previous call to
- // `ListVulnerabilityReports` that indicates where this listing
- // should continue from.
- string page_token = 3;
-
- // This field supports filtering by the severity level for the vulnerability.
- // For a list of severity levels, see [Severity levels for
- // vulnerabilities](https://cloud.google.com/container-analysis/docs/container-scanning-overview#severity_levels_for_vulnerabilities).
- //
- // The filter field follows the rules described in the
- // [AIP-160](https://google.aip.dev/160) guidelines as follows:
- //
- // + **Filter for a specific severity type**: you can list reports that
- // contain
- // vulnerabilities that are classified as medium by specifying
- // `vulnerabilities.details.severity:MEDIUM`.
- //
- // + **Filter for a range of severities** : you can list reports that have
- // vulnerabilities that are classified as critical or high by specifying
- // `vulnerabilities.details.severity:HIGH OR
- // vulnerabilities.details.severity:CRITICAL`
- string filter = 4;
-}
-
-// A response message for listing vulnerability reports for all VM instances in
-// the specified location.
-message ListVulnerabilityReportsResponse {
- // List of vulnerabilityReport objects.
- repeated VulnerabilityReport vulnerability_reports = 1;
-
- // The pagination token to retrieve the next page of vulnerabilityReports
- // object.
- string next_page_token = 2;
-}
-
-// Common Vulnerability Scoring System version 3.
-// For details, see https://www.first.org/cvss/specification-document
-message CVSSv3 {
- // This metric reflects the context by which vulnerability exploitation is
- // possible.
- enum AttackVector {
- // Invalid value.
- ATTACK_VECTOR_UNSPECIFIED = 0;
-
- // The vulnerable component is bound to the network stack and the set of
- // possible attackers extends beyond the other options listed below, up to
- // and including the entire Internet.
- ATTACK_VECTOR_NETWORK = 1;
-
- // The vulnerable component is bound to the network stack, but the attack is
- // limited at the protocol level to a logically adjacent topology.
- ATTACK_VECTOR_ADJACENT = 2;
-
- // The vulnerable component is not bound to the network stack and the
- // attacker's path is via read/write/execute capabilities.
- ATTACK_VECTOR_LOCAL = 3;
-
- // The attack requires the attacker to physically touch or manipulate the
- // vulnerable component.
- ATTACK_VECTOR_PHYSICAL = 4;
- }
-
- // This metric describes the conditions beyond the attacker's control that
- // must exist in order to exploit the vulnerability.
- enum AttackComplexity {
- // Invalid value.
- ATTACK_COMPLEXITY_UNSPECIFIED = 0;
-
- // Specialized access conditions or extenuating circumstances do not exist.
- // An attacker can expect repeatable success when attacking the vulnerable
- // component.
- ATTACK_COMPLEXITY_LOW = 1;
-
- // A successful attack depends on conditions beyond the attacker's control.
- // That is, a successful attack cannot be accomplished at will, but requires
- // the attacker to invest in some measurable amount of effort in preparation
- // or execution against the vulnerable component before a successful attack
- // can be expected.
- ATTACK_COMPLEXITY_HIGH = 2;
- }
-
- // This metric describes the level of privileges an attacker must possess
- // before successfully exploiting the vulnerability.
- enum PrivilegesRequired {
- // Invalid value.
- PRIVILEGES_REQUIRED_UNSPECIFIED = 0;
-
- // The attacker is unauthorized prior to attack, and therefore does not
- // require any access to settings or files of the vulnerable system to
- // carry out an attack.
- PRIVILEGES_REQUIRED_NONE = 1;
-
- // The attacker requires privileges that provide basic user capabilities
- // that could normally affect only settings and files owned by a user.
- // Alternatively, an attacker with Low privileges has the ability to access
- // only non-sensitive resources.
- PRIVILEGES_REQUIRED_LOW = 2;
-
- // The attacker requires privileges that provide significant (e.g.,
- // administrative) control over the vulnerable component allowing access to
- // component-wide settings and files.
- PRIVILEGES_REQUIRED_HIGH = 3;
- }
-
- // This metric captures the requirement for a human user, other than the
- // attacker, to participate in the successful compromise of the vulnerable
- // component.
- enum UserInteraction {
- // Invalid value.
- USER_INTERACTION_UNSPECIFIED = 0;
-
- // The vulnerable system can be exploited without interaction from any user.
- USER_INTERACTION_NONE = 1;
-
- // Successful exploitation of this vulnerability requires a user to take
- // some action before the vulnerability can be exploited.
- USER_INTERACTION_REQUIRED = 2;
- }
-
- // The Scope metric captures whether a vulnerability in one vulnerable
- // component impacts resources in components beyond its security scope.
- enum Scope {
- // Invalid value.
- SCOPE_UNSPECIFIED = 0;
-
- // An exploited vulnerability can only affect resources managed by the same
- // security authority.
- SCOPE_UNCHANGED = 1;
-
- // An exploited vulnerability can affect resources beyond the security scope
- // managed by the security authority of the vulnerable component.
- SCOPE_CHANGED = 2;
- }
-
- // The Impact metrics capture the effects of a successfully exploited
- // vulnerability on the component that suffers the worst outcome that is most
- // directly and predictably associated with the attack.
- enum Impact {
- // Invalid value.
- IMPACT_UNSPECIFIED = 0;
-
- // High impact.
- IMPACT_HIGH = 1;
-
- // Low impact.
- IMPACT_LOW = 2;
-
- // No impact.
- IMPACT_NONE = 3;
- }
-
- // The base score is a function of the base metric scores.
- // https://www.first.org/cvss/specification-document#Base-Metrics
- float base_score = 1;
-
- // The Exploitability sub-score equation is derived from the Base
- // Exploitability metrics.
- // https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics
- float exploitability_score = 2;
-
- // The Impact sub-score equation is derived from the Base Impact metrics.
- float impact_score = 3;
-
- // This metric reflects the context by which vulnerability exploitation is
- // possible.
- AttackVector attack_vector = 5;
-
- // This metric describes the conditions beyond the attacker's control that
- // must exist in order to exploit the vulnerability.
- AttackComplexity attack_complexity = 6;
-
- // This metric describes the level of privileges an attacker must possess
- // before successfully exploiting the vulnerability.
- PrivilegesRequired privileges_required = 7;
-
- // This metric captures the requirement for a human user, other than the
- // attacker, to participate in the successful compromise of the vulnerable
- // component.
- UserInteraction user_interaction = 8;
-
- // The Scope metric captures whether a vulnerability in one vulnerable
- // component impacts resources in components beyond its security scope.
- Scope scope = 9;
-
- // This metric measures the impact to the confidentiality of the information
- // resources managed by a software component due to a successfully exploited
- // vulnerability.
- Impact confidentiality_impact = 10;
-
- // This metric measures the impact to integrity of a successfully exploited
- // vulnerability.
- Impact integrity_impact = 11;
-
- // This metric measures the impact to the availability of the impacted
- // component resulting from a successfully exploited vulnerability.
- Impact availability_impact = 12;
-}
diff --git a/packages/google-cloud-asset/protos/google/iam/v1/policy.proto b/packages/google-cloud-asset/protos/google/iam/v1/policy.proto
deleted file mode 100644
index b5eac03c4427..000000000000
--- a/packages/google-cloud-asset/protos/google/iam/v1/policy.proto
+++ /dev/null
@@ -1,410 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.iam.v1;
-
-import "google/type/expr.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Iam.V1";
-option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
-option java_multiple_files = true;
-option java_outer_classname = "PolicyProto";
-option java_package = "com.google.iam.v1";
-option php_namespace = "Google\\Cloud\\Iam\\V1";
-
-// An Identity and Access Management (IAM) policy, which specifies access
-// controls for Google Cloud resources.
-//
-//
-// A `Policy` is a collection of `bindings`. A `binding` binds one or more
-// `members`, or principals, to a single `role`. Principals can be user
-// accounts, service accounts, Google groups, and domains (such as G Suite). A
-// `role` is a named list of permissions; each `role` can be an IAM predefined
-// role or a user-created custom role.
-//
-// For some types of Google Cloud resources, a `binding` can also specify a
-// `condition`, which is a logical expression that allows access to a resource
-// only if the expression evaluates to `true`. A condition can add constraints
-// based on attributes of the request, the resource, or both. To learn which
-// resources support conditions in their IAM policies, see the
-// [IAM
-// documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
-//
-// **JSON example:**
-//
-// ```
-// {
-// "bindings": [
-// {
-// "role": "roles/resourcemanager.organizationAdmin",
-// "members": [
-// "user:mike@example.com",
-// "group:admins@example.com",
-// "domain:google.com",
-// "serviceAccount:my-project-id@appspot.gserviceaccount.com"
-// ]
-// },
-// {
-// "role": "roles/resourcemanager.organizationViewer",
-// "members": [
-// "user:eve@example.com"
-// ],
-// "condition": {
-// "title": "expirable access",
-// "description": "Does not grant access after Sep 2020",
-// "expression": "request.time <
-// timestamp('2020-10-01T00:00:00.000Z')",
-// }
-// }
-// ],
-// "etag": "BwWWja0YfJA=",
-// "version": 3
-// }
-// ```
-//
-// **YAML example:**
-//
-// ```
-// bindings:
-// - members:
-// - user:mike@example.com
-// - group:admins@example.com
-// - domain:google.com
-// - serviceAccount:my-project-id@appspot.gserviceaccount.com
-// role: roles/resourcemanager.organizationAdmin
-// - members:
-// - user:eve@example.com
-// role: roles/resourcemanager.organizationViewer
-// condition:
-// title: expirable access
-// description: Does not grant access after Sep 2020
-// expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
-// etag: BwWWja0YfJA=
-// version: 3
-// ```
-//
-// For a description of IAM and its features, see the
-// [IAM documentation](https://cloud.google.com/iam/docs/).
-message Policy {
- // Specifies the format of the policy.
- //
- // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
- // are rejected.
- //
- // Any operation that affects conditional role bindings must specify version
- // `3`. This requirement applies to the following operations:
- //
- // * Getting a policy that includes a conditional role binding
- // * Adding a conditional role binding to a policy
- // * Changing a conditional role binding in a policy
- // * Removing any role binding, with or without a condition, from a policy
- // that includes conditions
- //
- // **Important:** If you use IAM Conditions, you must include the `etag` field
- // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- // you to overwrite a version `3` policy with a version `1` policy, and all of
- // the conditions in the version `3` policy are lost.
- //
- // If a policy does not include any conditions, operations on that policy may
- // specify any valid version or leave the field unset.
- //
- // To learn which resources support conditions in their IAM policies, see the
- // [IAM
- // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- int32 version = 1;
-
- // Associates a list of `members`, or principals, with a `role`. Optionally,
- // may specify a `condition` that determines how and when the `bindings` are
- // applied. Each of the `bindings` must contain at least one principal.
- //
- // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
- // of these principals can be Google groups. Each occurrence of a principal
- // counts towards these limits. For example, if the `bindings` grant 50
- // different roles to `user:alice@example.com`, and not to any other
- // principal, then you can add another 1,450 principals to the `bindings` in
- // the `Policy`.
- repeated Binding bindings = 4;
-
- // Specifies cloud audit logging configuration for this policy.
- repeated AuditConfig audit_configs = 6;
-
- // `etag` is used for optimistic concurrency control as a way to help
- // prevent simultaneous updates of a policy from overwriting each other.
- // It is strongly suggested that systems make use of the `etag` in the
- // read-modify-write cycle to perform policy updates in order to avoid race
- // conditions: An `etag` is returned in the response to `getIamPolicy`, and
- // systems are expected to put that etag in the request to `setIamPolicy` to
- // ensure that their change will be applied to the same version of the policy.
- //
- // **Important:** If you use IAM Conditions, you must include the `etag` field
- // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
- // you to overwrite a version `3` policy with a version `1` policy, and all of
- // the conditions in the version `3` policy are lost.
- bytes etag = 3;
-}
-
-// Associates `members`, or principals, with a `role`.
-message Binding {
- // Role that is assigned to the list of `members`, or principals.
- // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- string role = 1;
-
- // Specifies the principals requesting access for a Google Cloud resource.
- // `members` can have the following values:
- //
- // * `allUsers`: A special identifier that represents anyone who is
- // on the internet; with or without a Google account.
- //
- // * `allAuthenticatedUsers`: A special identifier that represents anyone
- // who is authenticated with a Google account or a service account.
- //
- // * `user:{emailid}`: An email address that represents a specific Google
- // account. For example, `alice@example.com` .
- //
- //
- // * `serviceAccount:{emailid}`: An email address that represents a service
- // account. For example, `my-other-app@appspot.gserviceaccount.com`.
- //
- // * `group:{emailid}`: An email address that represents a Google group.
- // For example, `admins@example.com`.
- //
- // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
- // identifier) representing a user that has been recently deleted. For
- // example, `alice@example.com?uid=123456789012345678901`. If the user is
- // recovered, this value reverts to `user:{emailid}` and the recovered user
- // retains the role in the binding.
- //
- // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
- // unique identifier) representing a service account that has been recently
- // deleted. For example,
- // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
- // If the service account is undeleted, this value reverts to
- // `serviceAccount:{emailid}` and the undeleted service account retains the
- // role in the binding.
- //
- // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
- // identifier) representing a Google group that has been recently
- // deleted. For example, `admins@example.com?uid=123456789012345678901`. If
- // the group is recovered, this value reverts to `group:{emailid}` and the
- // recovered group retains the role in the binding.
- //
- //
- // * `domain:{domain}`: The G Suite domain (primary) that represents all the
- // users of that domain. For example, `google.com` or `example.com`.
- //
- //
- repeated string members = 2;
-
- // The condition that is associated with this binding.
- //
- // If the condition evaluates to `true`, then this binding applies to the
- // current request.
- //
- // If the condition evaluates to `false`, then this binding does not apply to
- // the current request. However, a different role binding might grant the same
- // role to one or more of the principals in this binding.
- //
- // To learn which resources support conditions in their IAM policies, see the
- // [IAM
- // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
- google.type.Expr condition = 3;
-}
-
-// Specifies the audit configuration for a service.
-// The configuration determines which permission types are logged, and what
-// identities, if any, are exempted from logging.
-// An AuditConfig must have one or more AuditLogConfigs.
-//
-// If there are AuditConfigs for both `allServices` and a specific service,
-// the union of the two AuditConfigs is used for that service: the log_types
-// specified in each AuditConfig are enabled, and the exempted_members in each
-// AuditLogConfig are exempted.
-//
-// Example Policy with multiple AuditConfigs:
-//
-// {
-// "audit_configs": [
-// {
-// "service": "allServices",
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ",
-// "exempted_members": [
-// "user:jose@example.com"
-// ]
-// },
-// {
-// "log_type": "DATA_WRITE"
-// },
-// {
-// "log_type": "ADMIN_READ"
-// }
-// ]
-// },
-// {
-// "service": "sampleservice.googleapis.com",
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ"
-// },
-// {
-// "log_type": "DATA_WRITE",
-// "exempted_members": [
-// "user:aliya@example.com"
-// ]
-// }
-// ]
-// }
-// ]
-// }
-//
-// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
-// logging. It also exempts `jose@example.com` from DATA_READ logging, and
-// `aliya@example.com` from DATA_WRITE logging.
-message AuditConfig {
- // Specifies a service that will be enabled for audit logging.
- // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- // `allServices` is a special value that covers all services.
- string service = 1;
-
- // The configuration for logging of each type of permission.
- repeated AuditLogConfig audit_log_configs = 3;
-}
-
-// Provides the configuration for logging a type of permissions.
-// Example:
-//
-// {
-// "audit_log_configs": [
-// {
-// "log_type": "DATA_READ",
-// "exempted_members": [
-// "user:jose@example.com"
-// ]
-// },
-// {
-// "log_type": "DATA_WRITE"
-// }
-// ]
-// }
-//
-// This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
-// jose@example.com from DATA_READ logging.
-message AuditLogConfig {
- // The list of valid permission types for which logging can be configured.
- // Admin writes are always logged, and are not configurable.
- enum LogType {
- // Default case. Should never be this.
- LOG_TYPE_UNSPECIFIED = 0;
-
- // Admin reads. Example: CloudIAM getIamPolicy
- ADMIN_READ = 1;
-
- // Data writes. Example: CloudSQL Users create
- DATA_WRITE = 2;
-
- // Data reads. Example: CloudSQL Users list
- DATA_READ = 3;
- }
-
- // The log type that this config enables.
- LogType log_type = 1;
-
- // Specifies the identities that do not cause logging for this type of
- // permission.
- // Follows the same format of
- // [Binding.members][google.iam.v1.Binding.members].
- repeated string exempted_members = 2;
-}
-
-// The difference delta between two policies.
-message PolicyDelta {
- // The delta for Bindings between two policies.
- repeated BindingDelta binding_deltas = 1;
-
- // The delta for AuditConfigs between two policies.
- repeated AuditConfigDelta audit_config_deltas = 2;
-}
-
-// One delta entry for Binding. Each individual change (only one member in each
-// entry) to a binding will be a separate entry.
-message BindingDelta {
- // The type of action performed on a Binding in a policy.
- enum Action {
- // Unspecified.
- ACTION_UNSPECIFIED = 0;
-
- // Addition of a Binding.
- ADD = 1;
-
- // Removal of a Binding.
- REMOVE = 2;
- }
-
- // The action that was performed on a Binding.
- // Required
- Action action = 1;
-
- // Role that is assigned to `members`.
- // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
- // Required
- string role = 2;
-
- // A single identity requesting access for a Google Cloud resource.
- // Follows the same format of Binding.members.
- // Required
- string member = 3;
-
- // The condition that is associated with this binding.
- google.type.Expr condition = 4;
-}
-
-// One delta entry for AuditConfig. Each individual change (only one
-// exempted_member in each entry) to a AuditConfig will be a separate entry.
-message AuditConfigDelta {
- // The type of action performed on an audit configuration in a policy.
- enum Action {
- // Unspecified.
- ACTION_UNSPECIFIED = 0;
-
- // Addition of an audit configuration.
- ADD = 1;
-
- // Removal of an audit configuration.
- REMOVE = 2;
- }
-
- // The action that was performed on an audit configuration in a policy.
- // Required
- Action action = 1;
-
- // Specifies a service that was configured for Cloud Audit Logging.
- // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
- // `allServices` is a special value that covers all services.
- // Required
- string service = 2;
-
- // A single identity that is exempted from "data access" audit
- // logging for the `service` specified above.
- // Follows the same format of Binding.members.
- string exempted_member = 3;
-
- // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
- // enabled, and cannot be configured.
- // Required
- string log_type = 4;
-}
diff --git a/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/access_context_manager.proto b/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/access_context_manager.proto
deleted file mode 100644
index 25b20d671c9d..000000000000
--- a/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/access_context_manager.proto
+++ /dev/null
@@ -1,986 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.identity.accesscontextmanager.v1;
-
-import "google/api/annotations.proto";
-import "google/api/client.proto";
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/iam/v1/iam_policy.proto";
-import "google/iam/v1/policy.proto";
-import "google/identity/accesscontextmanager/v1/access_level.proto";
-import "google/identity/accesscontextmanager/v1/access_policy.proto";
-import "google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto";
-import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
-import "google/longrunning/operations.proto";
-import "google/protobuf/field_mask.proto";
-
-option csharp_namespace = "Google.Identity.AccessContextManager.V1";
-option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
-option java_multiple_files = true;
-option java_outer_classname = "AccessContextManagerProto";
-option java_package = "com.google.identity.accesscontextmanager.v1";
-option objc_class_prefix = "GACM";
-option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
-option ruby_package = "Google::Identity::AccessContextManager::V1";
-
-// API for setting [access levels]
-// [google.identity.accesscontextmanager.v1.AccessLevel] and [service
-// perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
-// for Google Cloud projects. Each organization has one [access policy]
-// [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
-// [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
-// and [service perimeters]
-// [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
-// [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
-// applicable to all resources in the organization.
-// AccessPolicies
-service AccessContextManager {
- option (google.api.default_host) = "accesscontextmanager.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
-
- // Lists all [access policies]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] in an
- // organization.
- rpc ListAccessPolicies(ListAccessPoliciesRequest) returns (ListAccessPoliciesResponse) {
- option (google.api.http) = {
- get: "/v1/accessPolicies"
- };
- }
-
- // Returns an [access policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
- rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) {
- option (google.api.http) = {
- get: "/v1/{name=accessPolicies/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Creates an access policy. This method fails if the organization already has
- // an access policy. The long-running operation has a successful status
- // after the access policy propagates to long-lasting storage.
- // Syntactic and basic semantic errors are returned in `metadata` as a
- // BadRequest proto.
- rpc CreateAccessPolicy(AccessPolicy) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/accessPolicies"
- body: "*"
- };
- option (google.longrunning.operation_info) = {
- response_type: "AccessPolicy"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Updates an [access policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy]. The
- // long-running operation from this RPC has a successful status after the
- // changes to the [access policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
- // to long-lasting storage.
- rpc UpdateAccessPolicy(UpdateAccessPolicyRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- patch: "/v1/{policy.name=accessPolicies/*}"
- body: "policy"
- };
- option (google.api.method_signature) = "policy,update_mask";
- option (google.longrunning.operation_info) = {
- response_type: "AccessPolicy"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Deletes an [access policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
- // resource name. The long-running operation has a successful status after the
- // [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
- // is removed from long-lasting storage.
- rpc DeleteAccessPolicy(DeleteAccessPolicyRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- delete: "/v1/{name=accessPolicies/*}"
- };
- option (google.api.method_signature) = "name";
- option (google.longrunning.operation_info) = {
- response_type: "google.protobuf.Empty"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Lists all [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] for an access
- // policy.
- rpc ListAccessLevels(ListAccessLevelsRequest) returns (ListAccessLevelsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=accessPolicies/*}/accessLevels"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Gets an [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
- // name.
- rpc GetAccessLevel(GetAccessLevelRequest) returns (AccessLevel) {
- option (google.api.http) = {
- get: "/v1/{name=accessPolicies/*/accessLevels/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Creates an [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
- // operation from this RPC has a successful status after the [access
- // level] [google.identity.accesscontextmanager.v1.AccessLevel]
- // propagates to long-lasting storage. If [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] contain
- // errors, an error response is returned for the first error encountered.
- rpc CreateAccessLevel(CreateAccessLevelRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=accessPolicies/*}/accessLevels"
- body: "access_level"
- };
- option (google.api.method_signature) = "parent,access_level";
- option (google.longrunning.operation_info) = {
- response_type: "AccessLevel"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Updates an [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
- // operation from this RPC has a successful status after the changes to
- // the [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] propagate
- // to long-lasting storage. If [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] contain
- // errors, an error response is returned for the first error encountered.
- rpc UpdateAccessLevel(UpdateAccessLevelRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- patch: "/v1/{access_level.name=accessPolicies/*/accessLevels/*}"
- body: "access_level"
- };
- option (google.api.method_signature) = "access_level,update_mask";
- option (google.longrunning.operation_info) = {
- response_type: "AccessLevel"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Deletes an [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
- // name. The long-running operation from this RPC has a successful status
- // after the [access level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
- // from long-lasting storage.
- rpc DeleteAccessLevel(DeleteAccessLevelRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- delete: "/v1/{name=accessPolicies/*/accessLevels/*}"
- };
- option (google.api.method_signature) = "name";
- option (google.longrunning.operation_info) = {
- response_type: "google.protobuf.Empty"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Replaces all existing [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
- // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
- // the [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
- // is done atomically. The long-running operation from this RPC has a
- // successful status after all replacements propagate to long-lasting
- // storage. If the replacement contains errors, an error response is returned
- // for the first error encountered. Upon error, the replacement is cancelled,
- // and existing [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] are not
- // affected. The Operation.response field contains
- // ReplaceAccessLevelsResponse. Removing [access levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
- // [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
- // error.
- rpc ReplaceAccessLevels(ReplaceAccessLevelsRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=accessPolicies/*}/accessLevels:replaceAll"
- body: "*"
- };
- option (google.longrunning.operation_info) = {
- response_type: "ReplaceAccessLevelsResponse"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Lists all [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
- // access policy.
- rpc ListServicePerimeters(ListServicePerimetersRequest) returns (ListServicePerimetersResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=accessPolicies/*}/servicePerimeters"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Gets a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
- // resource name.
- rpc GetServicePerimeter(GetServicePerimeterRequest) returns (ServicePerimeter) {
- option (google.api.http) = {
- get: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Creates a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
- // long-running operation from this RPC has a successful status after the
- // [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter]
- // propagates to long-lasting storage. If a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
- // errors, an error response is returned for the first error encountered.
- rpc CreateServicePerimeter(CreateServicePerimeterRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=accessPolicies/*}/servicePerimeters"
- body: "service_perimeter"
- };
- option (google.api.method_signature) = "parent,service_perimeter";
- option (google.longrunning.operation_info) = {
- response_type: "ServicePerimeter"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Updates a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
- // long-running operation from this RPC has a successful status after the
- // [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter]
- // propagates to long-lasting storage. If a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
- // errors, an error response is returned for the first error encountered.
- rpc UpdateServicePerimeter(UpdateServicePerimeterRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- patch: "/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}"
- body: "service_perimeter"
- };
- option (google.api.method_signature) = "service_perimeter,update_mask";
- option (google.longrunning.operation_info) = {
- response_type: "ServicePerimeter"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Deletes a [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
- // resource name. The long-running operation from this RPC has a successful
- // status after the [service perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
- // long-lasting storage.
- rpc DeleteServicePerimeter(DeleteServicePerimeterRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- delete: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
- };
- option (google.api.method_signature) = "name";
- option (google.longrunning.operation_info) = {
- response_type: "google.protobuf.Empty"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Replace all existing [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
- // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
- // [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
- // is done atomically. The long-running operation from this RPC has a
- // successful status after all replacements propagate to long-lasting storage.
- // Replacements containing errors result in an error response for the first
- // error encountered. Upon an error, replacement are cancelled and existing
- // [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
- // affected. The Operation.response field contains
- // ReplaceServicePerimetersResponse.
- rpc ReplaceServicePerimeters(ReplaceServicePerimetersRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll"
- body: "*"
- };
- option (google.longrunning.operation_info) = {
- response_type: "ReplaceServicePerimetersResponse"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Commits the dry-run specification for all the [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
- // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
- // A commit operation on a service perimeter involves copying its `spec` field
- // to the `status` field of the service perimeter. Only [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] with
- // `use_explicit_dry_run_spec` field set to true are affected by a commit
- // operation. The long-running operation from this RPC has a successful
- // status after the dry-run specifications for all the [service perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
- // committed. If a commit fails, it causes the long-running operation to
- // return an error response and the entire commit operation is cancelled.
- // When successful, the Operation.response field contains
- // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
- // cleared after a successful commit operation.
- rpc CommitServicePerimeters(CommitServicePerimetersRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=accessPolicies/*}/servicePerimeters:commit"
- body: "*"
- };
- option (google.longrunning.operation_info) = {
- response_type: "CommitServicePerimetersResponse"
- metadata_type: "AccessContextManagerOperationMetadata"
- };
- }
-
- // Lists all [GcpUserAccessBindings]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] for a
- // Google Cloud organization.
- rpc ListGcpUserAccessBindings(ListGcpUserAccessBindingsRequest) returns (ListGcpUserAccessBindingsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Gets the [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] with
- // the given name.
- rpc GetGcpUserAccessBinding(GetGcpUserAccessBindingRequest) returns (GcpUserAccessBinding) {
- option (google.api.http) = {
- get: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Creates a [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the
- // client specifies a [name]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name],
- // the server ignores it. Fails if a resource already exists with the same
- // [group_key]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key].
- // Completion of this long-running operation does not necessarily signify that
- // the new binding is deployed onto all affected users, which may take more
- // time.
- rpc CreateGcpUserAccessBinding(CreateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- post: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
- body: "gcp_user_access_binding"
- };
- option (google.api.method_signature) = "parent,gcp_user_access_binding";
- option (google.longrunning.operation_info) = {
- response_type: "GcpUserAccessBinding"
- metadata_type: "GcpUserAccessBindingOperationMetadata"
- };
- }
-
- // Updates a [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
- // Completion of this long-running operation does not necessarily signify that
- // the changed binding is deployed onto all affected users, which may take
- // more time.
- rpc UpdateGcpUserAccessBinding(UpdateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- patch: "/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}"
- body: "gcp_user_access_binding"
- };
- option (google.api.method_signature) = "gcp_user_access_binding,update_mask";
- option (google.longrunning.operation_info) = {
- response_type: "GcpUserAccessBinding"
- metadata_type: "GcpUserAccessBindingOperationMetadata"
- };
- }
-
- // Deletes a [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
- // Completion of this long-running operation does not necessarily signify that
- // the binding deletion is deployed onto all affected users, which may take
- // more time.
- rpc DeleteGcpUserAccessBinding(DeleteGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
- option (google.api.http) = {
- delete: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
- };
- option (google.api.method_signature) = "name";
- option (google.longrunning.operation_info) = {
- response_type: "google.protobuf.Empty"
- metadata_type: "GcpUserAccessBindingOperationMetadata"
- };
- }
-
- // Sets the IAM policy for the specified Access Context Manager
- // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
- // This method replaces the existing IAM policy on the access policy. The IAM
- // policy controls the set of users who can perform specific operations on the
- // Access Context Manager [access
- // policy][google.identity.accesscontextmanager.v1.AccessPolicy].
- rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=accessPolicies/*}:setIamPolicy"
- body: "*"
- };
- }
-
- // Gets the IAM policy for the specified Access Context Manager
- // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
- rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=accessPolicies/*}:getIamPolicy"
- body: "*"
- };
- }
-
- // Returns the IAM permissions that the caller has on the specified Access
- // Context Manager resource. The resource can be an
- // [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
- // [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
- // [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter
- // ]. This method does not support other resources.
- rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
- option (google.api.http) = {
- post: "/v1/{resource=accessPolicies/*}:testIamPermissions"
- body: "*"
- additional_bindings {
- post: "/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions"
- body: "*"
- }
- additional_bindings {
- post: "/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions"
- body: "*"
- }
- };
- }
-}
-
-// A request to list all `AccessPolicies` for a container.
-message ListAccessPoliciesRequest {
- // Required. Resource name for the container to list AccessPolicy instances
- // from.
- //
- // Format:
- // `organizations/{org_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Organization"
- }
- ];
-
- // Number of AccessPolicy instances to include in the list. Default 100.
- int32 page_size = 2;
-
- // Next page token for the next batch of AccessPolicy instances. Defaults to
- // the first page of results.
- string page_token = 3;
-}
-
-// A response to `ListAccessPoliciesRequest`.
-message ListAccessPoliciesResponse {
- // List of the AccessPolicy instances.
- repeated AccessPolicy access_policies = 1;
-
- // The pagination token to retrieve the next page of results. If the value is
- // empty, no further results remain.
- string next_page_token = 2;
-}
-
-// A request to get a particular `AccessPolicy`.
-message GetAccessPolicyRequest {
- // Required. Resource name for the access policy to get.
- //
- // Format `accessPolicies/{policy_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/AccessPolicy"
- }
- ];
-}
-
-// A request to update an `AccessPolicy`.
-message UpdateAccessPolicyRequest {
- // Required. The updated AccessPolicy.
- AccessPolicy policy = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Mask to control which fields get updated. Must be non-empty.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request to delete an `AccessPolicy`.
-message DeleteAccessPolicyRequest {
- // Required. Resource name for the access policy to delete.
- //
- // Format `accessPolicies/{policy_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/AccessPolicy"
- }
- ];
-}
-
-// A request to list all `AccessLevels` in an `AccessPolicy`.
-message ListAccessLevelsRequest {
- // Required. Resource name for the access policy to list [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] from.
- //
- // Format:
- // `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-
- // Number of [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] to include in
- // the list. Default 100.
- int32 page_size = 2;
-
- // Next page token for the next batch of [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
- // Defaults to the first page of results.
- string page_token = 3;
-
- // Whether to return `BasicLevels` in the Cloud Common Expression language, as
- // `CustomLevels`, rather than as `BasicLevels`. Defaults to returning
- // `AccessLevels` in the format they were defined.
- LevelFormat access_level_format = 4;
-}
-
-// A response to `ListAccessLevelsRequest`.
-message ListAccessLevelsResponse {
- // List of the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
- repeated AccessLevel access_levels = 1;
-
- // The pagination token to retrieve the next page of results. If the value is
- // empty, no further results remain.
- string next_page_token = 2;
-}
-
-// A request to get a particular `AccessLevel`.
-message GetAccessLevelRequest {
- // Required. Resource name for the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel].
- //
- // Format:
- // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-
- // Whether to return `BasicLevels` in the Cloud Common Expression
- // Language rather than as `BasicLevels`. Defaults to AS_DEFINED, where
- // [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
- // are returned as `BasicLevels` or `CustomLevels` based on how they were
- // created. If set to CEL, all [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] are returned as
- // `CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent
- // `CustomLevels`.
- LevelFormat access_level_format = 2;
-}
-
-// A request to create an `AccessLevel`.
-message CreateAccessLevelRequest {
- // Required. Resource name for the access policy which owns this [Access
- // Level] [google.identity.accesscontextmanager.v1.AccessLevel].
- //
- // Format: `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-
- // Required. The [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] to create.
- // Syntactic correctness of the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] is a
- // precondition for creation.
- AccessLevel access_level = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request to update an `AccessLevel`.
-message UpdateAccessLevelRequest {
- // Required. The updated [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel]. Syntactic
- // correctness of the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] is a
- // precondition for creation.
- AccessLevel access_level = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Mask to control which fields get updated. Must be non-empty.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request to delete an `AccessLevel`.
-message DeleteAccessLevelRequest {
- // Required. Resource name for the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel].
- //
- // Format:
- // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-}
-
-// A request to replace all existing Access Levels in an Access Policy with
-// the Access Levels provided. This is done atomically.
-message ReplaceAccessLevelsRequest {
- // Required. Resource name for the access policy which owns these
- // [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel].
- //
- // Format: `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-
- // Required. The desired [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] that should
- // replace all existing [Access Levels]
- // [google.identity.accesscontextmanager.v1.AccessLevel] in the
- // [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy].
- repeated AccessLevel access_levels = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. The etag for the version of the [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
- // replace operation is to be performed on. If, at the time of replace, the
- // etag for the Access Policy stored in Access Context Manager is different
- // from the specified etag, then the replace operation will not be performed
- // and the call will fail. This field is not required. If etag is not
- // provided, the operation will be performed as if a valid etag is provided.
- string etag = 4;
-}
-
-// A response to ReplaceAccessLevelsRequest. This will be put inside of
-// Operation.response field.
-message ReplaceAccessLevelsResponse {
- // List of the [Access Level]
- // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
- repeated AccessLevel access_levels = 1;
-}
-
-// A request to list all `ServicePerimeters` in an `AccessPolicy`.
-message ListServicePerimetersRequest {
- // Required. Resource name for the access policy to list [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] from.
- //
- // Format:
- // `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-
- // Number of [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] to include
- // in the list. Default 100.
- int32 page_size = 2;
-
- // Next page token for the next batch of [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
- // Defaults to the first page of results.
- string page_token = 3;
-}
-
-// A response to `ListServicePerimetersRequest`.
-message ListServicePerimetersResponse {
- // List of the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
- repeated ServicePerimeter service_perimeters = 1;
-
- // The pagination token to retrieve the next page of results. If the value is
- // empty, no further results remain.
- string next_page_token = 2;
-}
-
-// A request to get a particular `ServicePerimeter`.
-message GetServicePerimeterRequest {
- // Required. Resource name for the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter].
- //
- // Format:
- // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeters_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-}
-
-// A request to create a `ServicePerimeter`.
-message CreateServicePerimeterRequest {
- // Required. Resource name for the access policy which owns this [Service
- // Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].
- //
- // Format: `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-
- // Required. The [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] to create.
- // Syntactic correctness of the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] is a
- // precondition for creation.
- ServicePerimeter service_perimeter = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request to update a `ServicePerimeter`.
-message UpdateServicePerimeterRequest {
- // Required. The updated `ServicePerimeter`. Syntactic correctness of the
- // `ServicePerimeter` is a precondition for creation.
- ServicePerimeter service_perimeter = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Mask to control which fields get updated. Must be non-empty.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// A request to delete a `ServicePerimeter`.
-message DeleteServicePerimeterRequest {
- // Required. Resource name for the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter].
- //
- // Format:
- // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-}
-
-// A request to replace all existing Service Perimeters in an Access Policy
-// with the Service Perimeters provided. This is done atomically.
-message ReplaceServicePerimetersRequest {
- // Required. Resource name for the access policy which owns these
- // [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter].
- //
- // Format: `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-
- // Required. The desired [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] that should
- // replace all existing [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] in the
- // [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy].
- repeated ServicePerimeter service_perimeters = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. The etag for the version of the [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
- // replace operation is to be performed on. If, at the time of replace, the
- // etag for the Access Policy stored in Access Context Manager is different
- // from the specified etag, then the replace operation will not be performed
- // and the call will fail. This field is not required. If etag is not
- // provided, the operation will be performed as if a valid etag is provided.
- string etag = 3;
-}
-
-// A response to ReplaceServicePerimetersRequest. This will be put inside of
-// Operation.response field.
-message ReplaceServicePerimetersResponse {
- // List of the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
- repeated ServicePerimeter service_perimeters = 1;
-}
-
-// A request to commit dry-run specs in all [Service Perimeters]
-// [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to
-// an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
-message CommitServicePerimetersRequest {
- // Required. Resource name for the parent [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] which owns all
- // [Service Perimeters]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] in scope for
- // the commit operation.
- //
- // Format: `accessPolicies/{policy_id}`
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
- }
- ];
-
- // Optional. The etag for the version of the [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
- // commit operation is to be performed on. If, at the time of commit, the
- // etag for the Access Policy stored in Access Context Manager is different
- // from the specified etag, then the commit operation will not be performed
- // and the call will fail. This field is not required. If etag is not
- // provided, the operation will be performed as if a valid etag is provided.
- string etag = 2;
-}
-
-// A response to CommitServicePerimetersRequest. This will be put inside of
-// Operation.response field.
-message CommitServicePerimetersResponse {
- // List of all the [Service Perimeter]
- // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances in
- // the [Access Policy]
- // [google.identity.accesscontextmanager.v1.AccessPolicy].
- repeated ServicePerimeter service_perimeters = 1;
-}
-
-// The format used in an `AccessLevel`.
-enum LevelFormat {
- // The format was not specified.
- LEVEL_FORMAT_UNSPECIFIED = 0;
-
- // Uses the format the resource was defined in. BasicLevels are returned as
- // BasicLevels, CustomLevels are returned as CustomLevels.
- AS_DEFINED = 1;
-
- // Use Cloud Common Expression Language when returning the resource. Both
- // BasicLevels and CustomLevels are returned as CustomLevels.
- CEL = 2;
-}
-
-// Request of [ListGcpUserAccessBindings]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
-message ListGcpUserAccessBindingsRequest {
- // Required. Example: "organizations/256"
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Organization"
- }
- ];
-
- // Optional. Maximum number of items to return. The server may return fewer items.
- // If left blank, the server may return any number of items.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. If left blank, returns the first page. To enumerate all items, use the
- // [next_page_token]
- // [google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsResponse.next_page_token]
- // from your previous list operation.
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Response of [ListGcpUserAccessBindings]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
-message ListGcpUserAccessBindingsResponse {
- // [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
- repeated GcpUserAccessBinding gcp_user_access_bindings = 1;
-
- // Token to get the next page of items. If blank, there are no more items.
- string next_page_token = 2;
-}
-
-// Request of [GetGcpUserAccessBinding]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding].
-message GetGcpUserAccessBindingRequest {
- // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
- }
- ];
-}
-
-// Request of [CreateGcpUserAccessBinding]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding].
-message CreateGcpUserAccessBindingRequest {
- // Required. Example: "organizations/256"
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Organization"
- }
- ];
-
- // Required. [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
- GcpUserAccessBinding gcp_user_access_binding = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request of [UpdateGcpUserAccessBinding]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding].
-message UpdateGcpUserAccessBindingRequest {
- // Required. [GcpUserAccessBinding]
- // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
- GcpUserAccessBinding gcp_user_access_binding = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. Only the fields specified in this mask are updated. Because name and
- // group_key cannot be changed, update_mask is required and must always be:
- //
- // update_mask {
- // paths: "access_levels"
- // }
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request of [DeleteGcpUserAccessBinding]
-// [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding].
-message DeleteGcpUserAccessBindingRequest {
- // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
- }
- ];
-}
-
-// Currently, a completed operation means nothing. In the future, this metadata
-// and a completed operation may indicate that the binding has taken effect and
-// is affecting access decisions for all users.
-message GcpUserAccessBindingOperationMetadata {
-
-}
-
-// Metadata of Access Context Manager's Long Running Operations.
-message AccessContextManagerOperationMetadata {
-
-}
diff --git a/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto b/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto
deleted file mode 100644
index be879bbbd92c..000000000000
--- a/packages/google-cloud-asset/protos/google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright 2025 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.identity.accesscontextmanager.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-
-option csharp_namespace = "Google.Identity.AccessContextManager.V1";
-option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
-option java_multiple_files = true;
-option java_outer_classname = "GcpUserAccessBindingProto";
-option java_package = "com.google.identity.accesscontextmanager.v1";
-option objc_class_prefix = "GACM";
-option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
-option ruby_package = "Google::Identity::AccessContextManager::V1";
-
-// Restricts access to Cloud Console and Google Cloud APIs for a set of users
-// using Context-Aware Access.
-message GcpUserAccessBinding {
- option (google.api.resource) = {
- type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
- pattern: "organizations/{organization}/gcpUserAccessBindings/{gcp_user_access_binding}"
- };
-
- // Immutable. Assigned by the server during creation. The last segment has an arbitrary
- // length and has only URI unreserved characters (as defined by
- // [RFC 3986 Section 2.3](https://tools.ietf.org/html/rfc3986#section-2.3)).
- // Should not be specified by the client during creation.
- // Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
- string name = 1 [(google.api.field_behavior) = IMMUTABLE];
-
- // Required. Immutable. Google Group id whose members are subject to this binding's restrictions.
- // See "id" in the [G Suite Directory API's Groups resource]
- // (https://developers.google.com/admin-sdk/directory/v1/reference/groups#resource).
- // If a group's email address/alias is changed, this resource will continue
- // to point at the changed group. This field does not accept group email
- // addresses or aliases.
- // Example: "01d520gv4vjcrht"
- string group_key = 2 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.field_behavior) = IMMUTABLE
- ];
-
- // Required. Access level that a user must have to be granted access. Only one access
- // level is supported, not multiple. This repeated field must have exactly
- // one element.
- // Example: "accessPolicies/9522/accessLevels/device_trusted"
- repeated string access_levels = 3 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "accesscontextmanager.googleapis.com/AccessLevel"
- }
- ];
-}
diff --git a/packages/google-cloud-asset/samples/generated/v1p4beta1/asset_service.analyze_iam_policy.js b/packages/google-cloud-asset/samples/generated/v1p4beta1/asset_service.analyze_iam_policy.js
deleted file mode 100644
index 8a990b2f63ca..000000000000
--- a/packages/google-cloud-asset/samples/generated/v1p4beta1/asset_service.analyze_iam_policy.js
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2026 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// ** This file is automatically generated by gapic-generator-typescript. **
-// ** https://github.com/googleapis/gapic-generator-typescript **
-// ** All changes to this file may be overwritten. **
-
-
-
-'use strict';
-
-function main(analysisQuery) {
- // [START cloudasset_v1p4beta1_generated_AssetService_AnalyzeIamPolicy_async]
- /**
- * TODO(developer): Uncomment these variables before running the sample.
- */
- /**
- * Required. The request query.
- */
- // const analysisQuery = {}
- /**
- * Optional. The request options.
- */
- // const options = {}
-
- // Imports the Asset library
- const {AssetServiceClient} = require('@google-cloud/asset').v1p4beta1;
-
- // Instantiates a client
- const assetClient = new AssetServiceClient();
-
- async function callAnalyzeIamPolicy() {
- // Construct request
- const request = {
- analysisQuery,
- };
-
- // Run request
- const response = await assetClient.analyzeIamPolicy(request);
- console.log(response);
- }
-
- callAnalyzeIamPolicy();
- // [END cloudasset_v1p4beta1_generated_AssetService_AnalyzeIamPolicy_async]
-}
-
-process.on('unhandledRejection', err => {
- console.error(err.message);
- process.exitCode = 1;
-});
-main(...process.argv.slice(2));
diff --git a/packages/google-cloud-asset/samples/generated/v1p5beta1/asset_service.list_assets.js b/packages/google-cloud-asset/samples/generated/v1p5beta1/asset_service.list_assets.js
index 81f115c35b94..965c011bd5a5 100644
--- a/packages/google-cloud-asset/samples/generated/v1p5beta1/asset_service.list_assets.js
+++ b/packages/google-cloud-asset/samples/generated/v1p5beta1/asset_service.list_assets.js
@@ -78,7 +78,7 @@ function main(parent) {
// const pageToken = 'abc123'
// Imports the Asset library
- const {AssetServiceClient} = require('asset').v1p5beta1;
+ const {AssetServiceClient} = require('@google-cloud/asset').v1p5beta1;
// Instantiates a client
const assetClient = new AssetServiceClient();
diff --git a/packages/google-cloud-asset/samples/test/sample.test.js b/packages/google-cloud-asset/samples/test/sample.test.js
deleted file mode 100644
index b8a5f81ecc08..000000000000
--- a/packages/google-cloud-asset/samples/test/sample.test.js
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2026 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-'use strict';
-
-const {assert} = require('chai');
-const {before, describe, it} = require('mocha');
-const cp = require('child_process');
-
-const execSync = cmd => cp.execSync(cmd, {encoding: 'utf-8'});
-
-const compute = require('@google-cloud/compute');
-const instancesClient = new compute.InstancesClient();
-
-describe('quickstart sample tests', () => {
- let projectId;
- before(async () => {
- projectId = await instancesClient.getProjectId();
- });
-
- it('should list assets successfully', async () => {
- const assetType = 'storage.googleapis.com/Bucket';
- const stdout = execSync(
- `node quickstart ${assetType} 'RESOURCE' ${projectId}`
- );
- assert.include(stdout, assetType);
- });
-});
diff --git a/packages/google-cloud-asset/src/v1p5beta1/asset_service_client_config.json b/packages/google-cloud-asset/src/v1p5beta1/asset_service_client_config.json
index 1ac24652bc23..9fba9e9f4670 100644
--- a/packages/google-cloud-asset/src/v1p5beta1/asset_service_client_config.json
+++ b/packages/google-cloud-asset/src/v1p5beta1/asset_service_client_config.json
@@ -21,7 +21,8 @@
},
"methods": {
"ListAssets": {
- "retry_codes_name": "non_idempotent",
+ "timeout_millis": 60000,
+ "retry_codes_name": "idempotent",
"retry_params_name": "default"
}
}
diff --git a/packages/google-cloud-asset/src/v1p5beta1/gapic_metadata.json b/packages/google-cloud-asset/src/v1p5beta1/gapic_metadata.json
index cd06433c8d08..56f1db2887fc 100644
--- a/packages/google-cloud-asset/src/v1p5beta1/gapic_metadata.json
+++ b/packages/google-cloud-asset/src/v1p5beta1/gapic_metadata.json
@@ -3,7 +3,7 @@
"comment": "This file maps proto services/RPCs to the corresponding library clients/methods",
"language": "typescript",
"protoPackage": "google.cloud.asset.v1p5beta1",
- "libraryPackage": "asset",
+ "libraryPackage": "@google-cloud/asset",
"services": {
"AssetService": {
"clients": {