- Resource: Workload
- ResourceInfo
- ResourceType
- KMSSettings
- ResourceSettings
- KajEnrollmentState
- SaaEnrollmentResponse
- SetupState
- SetupError
- ComplianceStatus
- Partner
- PartnerPermissions
- EkmProvisioningResponse
- EkmProvisioningState
- EkmProvisioningErrorDomain
- EkmProvisioningErrorMapping
- WorkloadOptions
- Methods
Resource: Workload
A Workload object for managing highly regulated workloads of cloud customers.
JSON representation |
---|
{ "name": string, "displayName": string, "resources": [ { object ( |
Fields | |
---|---|
name |
Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload} Read-only. |
displayName |
Required. The user-assigned display name of the Workload. When present it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces. Example: My Workload |
resources[] |
Output only. The resources associated with this workload. These resources will be created when creating the workload. If any of the projects already exist, the workload creation will fail. Always read only. |
complianceRegime |
Required. Immutable. Compliance Regime associated with this workload. |
createTime |
Output only. Immutable. The Workload creation timestamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
billingAccount |
Optional. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form |
etag |
Optional. ETag of the workload, it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations. |
labels |
Optional. Labels applied to the workload. An object containing a list of |
provisionedResourcesParent |
Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folderId} |
kmsSettings |
Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a Keyring, callers should specify, ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field. |
resourceSettings[] |
Input only. Resource properties that are used to customize workload resources. These properties (such as custom project id) will be used to create workload resources if possible. This field is optional. |
kajEnrollmentState |
Output only. Represents the KAJ enrollment state of the given workload. |
enableSovereignControls |
Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers. |
saaEnrollmentResponse |
Output only. Represents the SAA enrollment response of the given workload. SAA enrollment response is queried during workloads.get call. In failure cases, user friendly error message is shown in SAA details page. |
complianceStatus |
Output only. Count of active Violations in the Workload. |
compliantButDisallowedServices[] |
Output only. Urls for services which are compliant for this Assured Workload, but which are currently disallowed by the ResourceUsageRestriction org policy. Invoke workloads.restrictAllowedResources endpoint to allow your project developers to use these services in their environment. |
partner |
Optional. Partner regime associated with this workload. |
partnerPermissions |
Optional. Permissions granted to the AW Partner SA account for the customer workload |
partnerServicesBillingAccount |
Optional. Billing account necessary for purchasing services from Sovereign Partners. This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this string is billingAccounts/AAAAAA-BBBBBB-CCCCCC |
ekmProvisioningResponse |
Output only. Represents the Ekm Provisioning State of the given workload. |
resourceMonitoringEnabled |
Output only. Indicates whether resource monitoring is enabled for workload or not. It is true when Resource feed is subscribed to AWM topic and AWM Service Agent Role is binded to AW Service Account for resource Assured workload. |
workloadOptions |
Optional. Options to be set for the given created workload. |
violationNotificationsEnabled |
Optional. Indicates whether the e-mail notification for a violation is enabled for a workload. This value will be by default True, and if not present will be considered as true. This should only be updated via updateWorkload call. Any Changes to this field during the createWorkload call will not be honored. This will always be true while creating the workload. |
ResourceInfo
Represent the resources that are children of this Workload.
JSON representation |
---|
{
"resourceId": string,
"resourceType": enum ( |
Fields | |
---|---|
resourceId |
Resource identifier. For a project this represents project_number. |
resourceType |
Indicates the type of resource. |
ResourceType
The type of resource.
Enums | |
---|---|
RESOURCE_TYPE_UNSPECIFIED |
Unknown resource type. |
CONSUMER_PROJECT |
Deprecated. Existing workloads will continue to support this, but new CreateWorkloadRequests should not specify this as an input value. |
CONSUMER_FOLDER |
Consumer Folder. |
ENCRYPTION_KEYS_PROJECT |
Consumer project containing encryption keys. |
KEYRING |
Keyring resource that hosts encryption keys. |
KMSSettings
Settings specific to the Key Management Service.
JSON representation |
---|
{ "nextRotationTime": string, "rotationPeriod": string } |
Fields | |
---|---|
nextRotationTime |
Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
rotationPeriod |
Required. Input only. Immutable. [nextRotationTime] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. A duration in seconds with up to nine fractional digits, ending with ' |
ResourceSettings
Represent the custom settings for the resources to be created.
JSON representation |
---|
{
"resourceId": string,
"resourceType": enum ( |
Fields | |
---|---|
resourceId |
Resource identifier. For a project this represents projectId. If the project is already taken, the workload creation will fail. For KeyRing, this represents the keyring_id. For a folder, don't set this value as folderId is assigned by Google. |
resourceType |
Indicates the type of resource. This field should be specified to correspond the id to the right project type (CONSUMER_PROJECT or ENCRYPTION_KEYS_PROJECT) |
displayName |
User-assigned resource display name. If not empty it will be used to create a resource with the specified name. |
KajEnrollmentState
Key Access Justifications(KAJ) Enrollment State.
Enums | |
---|---|
KAJ_ENROLLMENT_STATE_UNSPECIFIED |
Default State for KAJ Enrollment. |
KAJ_ENROLLMENT_STATE_PENDING |
Pending State for KAJ Enrollment. |
KAJ_ENROLLMENT_STATE_COMPLETE |
Complete State for KAJ Enrollment. |
SaaEnrollmentResponse
Signed Access Approvals (SAA) enrollment response.
JSON representation |
---|
{ "setupErrors": [ enum ( |
Fields | |
---|---|
setupErrors[] |
Indicates SAA enrollment setup error if any. |
setupStatus |
Indicates SAA enrollment status of a given workload. |
SetupState
Setup state of SAA enrollment.
Enums | |
---|---|
SETUP_STATE_UNSPECIFIED |
Unspecified. |
STATUS_PENDING |
SAA enrollment pending. |
STATUS_COMPLETE |
SAA enrollment comopleted. |
SetupError
Setup error of SAA enrollment.
Enums | |
---|---|
SETUP_ERROR_UNSPECIFIED |
Unspecified. |
ERROR_INVALID_BASE_SETUP |
Invalid states for all customers, to be redirected to AA UI for additional details. |
ERROR_MISSING_EXTERNAL_SIGNING_KEY |
Returned when there is not an EKM key configured. |
ERROR_NOT_ALL_SERVICES_ENROLLED |
Returned when there are no enrolled services or the customer is enrolled in CAA only for a subset of services. |
ERROR_SETUP_CHECK_FAILED |
Returned when exception was encountered during evaluation of other criteria. |
ComplianceStatus
Represents the Compliance Status of this workload
JSON representation |
---|
{ "activeViolationCount": integer, "acknowledgedViolationCount": integer, "activeResourceViolationCount": integer, "acknowledgedResourceViolationCount": integer } |
Fields | |
---|---|
activeViolationCount |
Number of current orgPolicy violations which are not acknowledged. |
acknowledgedViolationCount |
Number of current orgPolicy violations which are acknowledged. |
activeResourceViolationCount |
Number of current resource violations which are acknowledged. |
acknowledgedResourceViolationCount |
Number of current resource violations which are not acknowledged. |
Partner
Supported Assured Workloads Partners.
Enums | |
---|---|
PARTNER_UNSPECIFIED |
|
LOCAL_CONTROLS_BY_S3NS |
Enum representing S3NS (Thales) partner. |
SOVEREIGN_CONTROLS_BY_T_SYSTEMS |
Enum representing T_SYSTEM (TSI) partner. |
SOVEREIGN_CONTROLS_BY_SIA_MINSAIT |
Enum representing SIA_MINSAIT (Indra) partner. |
SOVEREIGN_CONTROLS_BY_PSN |
Enum representing PSN (TIM) partner. |
SOVEREIGN_CONTROLS_BY_CNTXT |
Enum representing CNTXT (Kingdom of Saudi Arabia) partner. |
SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM |
Enum representing CNTXT (Kingdom of Saudi Arabia) partner offering without EKM. |
PartnerPermissions
Permissions granted to the AW Partner SA account for the customer workload
JSON representation |
---|
{ "dataLogsViewer": boolean, "serviceAccessApprover": boolean, "assuredWorkloadsMonitoring": boolean, "accessTransparencyLogsSupportCaseViewer": boolean } |
Fields | |
---|---|
dataLogsViewer |
Allow the partner to view inspectability logs and monitoring violations. |
serviceAccessApprover |
Optional. Allow partner to view access approval logs. |
assuredWorkloadsMonitoring |
Optional. Allow partner to view violation alerts. |
accessTransparencyLogsSupportCaseViewer |
Optional. Allow partner to view support case details for an AXT log |
EkmProvisioningResponse
External key management systems(EKM) Provisioning response
JSON representation |
---|
{ "ekmProvisioningState": enum ( |
Fields | |
---|---|
ekmProvisioningState |
Indicates Ekm enrollment Provisioning of a given workload. |
ekmProvisioningErrorDomain |
Indicates Ekm provisioning error if any. |
ekmProvisioningErrorMapping |
Detailed error message if Ekm provisioning fails |
EkmProvisioningState
External key management systems(EKM) Provisioning State
Enums | |
---|---|
EKM_PROVISIONING_STATE_UNSPECIFIED |
Default State for Ekm Provisioning |
EKM_PROVISIONING_STATE_PENDING |
Pending State for Ekm Provisioning |
EKM_PROVISIONING_STATE_FAILED |
Failed State for Ekm Provisioning |
EKM_PROVISIONING_STATE_COMPLETED |
Completed State for Ekm Provisioning |
EkmProvisioningErrorDomain
Provisioning error of EKM resources
Enums | |
---|---|
EKM_PROVISIONING_ERROR_DOMAIN_UNSPECIFIED |
No error domain |
UNSPECIFIED_ERROR |
Error but domain is unspecified. |
GOOGLE_SERVER_ERROR |
Internal logic breaks within provisioning code. |
EXTERNAL_USER_ERROR |
Error occurred with the customer not granting permission/creating resource. |
EXTERNAL_PARTNER_ERROR |
Error occurred within the partner's provisioning cluster. |
TIMEOUT_ERROR |
Resource wasn't provisioned in the required 7 day time period |
EkmProvisioningErrorMapping
Error Mapping if Ekm provisioning fails
Enums | |
---|---|
EKM_PROVISIONING_ERROR_MAPPING_UNSPECIFIED |
Error is unspecified. |
INVALID_SERVICE_ACCOUNT |
Service account is used is invalid. |
MISSING_METRICS_SCOPE_ADMIN_PERMISSION |
Iam permission monitoring.MetricsScopeAdmin wasn't applied. |
MISSING_EKM_CONNECTION_ADMIN_PERMISSION |
Iam permission cloudkms.ekmConnectionsAdmin wasn't applied. |
Methods |
|
---|---|
|
Analyzes a hypothetical move of a source resource to a target workload to surface compliance risks. |
|
Creates Assured Workload. |
|
Deletes the workload. |
|
Enable resource violation monitoring for a workload. |
|
Gets Assured Workload associated with a CRM Node |
|
Lists Assured Workloads under a CRM Node. |
|
Update the permissions settings for an existing partner workload. |
|
Updates an existing workload. |
|
Restrict the list of resources allowed in the Workload environment. |