REST Resource: organizations.locations.workloads

Resource: Workload

An Workload object for managing highly regulated workloads of cloud customers.

JSON representation 
{
  "name": string,
  "displayName": string,
  "resources": [
    {
      object (ResourceInfo)
    }
  ],
  "complianceRegime": enum (ComplianceRegime),
  "createTime": string,
  "billingAccount": string,
  "etag": string,
  "labels": {
    string: string,
    ...
  },
  "provisionedResourcesParent": string,
  "kmsSettings": {
    object (KMSSettings)
  },
  "resourceSettings": [
    {
      object (ResourceSettings)
    }
  ],
  "kajEnrollmentState": enum (KajEnrollmentState),
  "enableSovereignControls": boolean,
  "saaEnrollmentResponse": {
    object (SaaEnrollmentResponse)
  },

  // Union field compliance_regime_settings can be only one of the following:
  "il4Settings": {
    object (IL4Settings)
  },
  "cjisSettings": {
    object (CJISSettings)
  },
  "fedrampHighSettings": {
    object (FedrampHighSettings)
  },
  "fedrampModerateSettings": {
    object (FedrampModerateSettings)
  }
  // End of list of possible types for union field compliance_regime_settings.
}
Fields
name

string

Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload}

Read-only.
displayName

string

Required. The user-assigned display name of the Workload. When present it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces.

Example: My Workload
resources[]

object (ResourceInfo)

Output only. The resources associated with this workload. These resources will be created when creating the workload. If any of the projects already exist, the workload creation will fail. Always read only.
complianceRegime

enum (ComplianceRegime)

Required. Immutable. Compliance Regime associated with this workload.
createTime

string (Timestamp format)

Output only. Immutable. The Workload creation timestamp.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
billingAccount

string

Input only. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form billingAccounts/{billing_account_id}. For example, billingAccounts/012345-567890-ABCDEF.
etag

string

Optional. ETag of the workload, it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations.
labels

map (key: string, value: string)

Optional. Labels applied to the workload.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
provisionedResourcesParent

string

Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folder_id}
kmsSettings
(deprecated)

object (KMSSettings)

Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a Keyring, callers should specify, ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
resourceSettings[]

object (ResourceSettings)

Input only. Resource properties that are used to customize workload resources. These properties (such as custom project id) will be used to create workload resources if possible. This field is optional.
kajEnrollmentState

enum (KajEnrollmentState)

Output only. Represents the KAJ enrollment state of the given workload.
enableSovereignControls

boolean

Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers.
saaEnrollmentResponse

object (SaaEnrollmentResponse)

Output only. Represents the SAA enrollment response of the given workload. SAA enrollment response is queried during workloads.get call. In failure cases, user friendly error message is shown in SAA details page.
Union field compliance_regime_settings. Settings specific to the selected [compliance_regime] compliance_regime_settings can be only one of the following:
il4Settings
(deprecated)

object (IL4Settings)

Input only. Immutable. Settings specific to resources needed for IL4.
cjisSettings
(deprecated)

object (CJISSettings)

Input only. Immutable. Settings specific to resources needed for CJIS.
fedrampHighSettings
(deprecated)

object (FedrampHighSettings)

Input only. Immutable. Settings specific to resources needed for FedRAMP High.
fedrampModerateSettings
(deprecated)

object (FedrampModerateSettings)

Input only. Immutable. Settings specific to resources needed for FedRAMP Moderate.

ResourceInfo

Represent the resources that are children of this Workload.

JSON representation 
{
  "resourceId": string,
  "resourceType": enum (ResourceType)
}
Fields
resourceId

string (int64 format)

Resource identifier. For a project this represents project_number.
resourceType

enum (ResourceType)

Indicates the type of resource.

ResourceType

The type of resource.

Enums
RESOURCE_TYPE_UNSPECIFIED Unknown resource type.
CONSUMER_PROJECT

Deprecated. Existing workloads will continue to support this, but new CreateWorkloadRequests should not specify this as an input value.
CONSUMER_FOLDER Consumer Folder.
ENCRYPTION_KEYS_PROJECT Consumer project containing encryption keys.
KEYRING Keyring resource that hosts encryption keys.

ComplianceRegime

Supported Compliance Regimes.

Enums
COMPLIANCE_REGIME_UNSPECIFIED Unknown compliance regime.
IL4 Information protection as per DoD IL4 requirements.
CJIS Criminal Justice Information Services (CJIS) Security policies.
FEDRAMP_HIGH FedRAMP High data protection controls
FEDRAMP_MODERATE FedRAMP Moderate data protection controls
US_REGIONAL_ACCESS Assured Workloads For US Regions data protection controls
HIPAA Health Insurance Portability and Accountability Act controls
HITRUST Health Information Trust Alliance controls
EU_REGIONS_AND_SUPPORT Assured Workloads For EU Regions and Support controls
CA_REGIONS_AND_SUPPORT Assured Workloads For Canada Regions and Support controls

IL4Settings

Settings specific to resources needed for IL4.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

KMSSettings

Settings specific to the Key Management Service.

JSON representation 
{
  "nextRotationTime": string,
  "rotationPeriod": string
}
Fields
nextRotationTime

string (Timestamp format)

Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
rotationPeriod

string (Duration format)

Required. Input only. Immutable. [nextRotationTime] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

CJISSettings

Settings specific to resources needed for CJIS.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

FedrampHighSettings

Settings specific to resources needed for FedRAMP High.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

FedrampModerateSettings

Settings specific to resources needed for FedRAMP Moderate.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

ResourceSettings

Represent the custom settings for the resources to be created.

JSON representation 
{
  "resourceId": string,
  "resourceType": enum (ResourceType),
  "displayName": string
}
Fields
resourceId

string

Resource identifier. For a project this represents project_id. If the project is already taken, the workload creation will fail. For KeyRing, this represents the keyring_id. For a folder, don't set this value as folder_id is assigned by Google.
resourceType

enum (ResourceType)

Indicates the type of resource. This field should be specified to correspond the id to the right project type (CONSUMER_PROJECT or ENCRYPTION_KEYS_PROJECT)
displayName

string

User-assigned resource display name. If not empty it will be used to create a resource with the specified name.

KajEnrollmentState

Key Access Justifications(KAJ) Enrollment State.

Enums
KAJ_ENROLLMENT_STATE_UNSPECIFIED Default State for KAJ Enrollment.
KAJ_ENROLLMENT_STATE_PENDING Pending State for KAJ Enrollment.
KAJ_ENROLLMENT_STATE_COMPLETE Complete State for KAJ Enrollment.

SaaEnrollmentResponse

Signed Access Approvals (SAA) enrollment response.

JSON representation 
{
  "setupErrors": [
    enum (SetupError)
  ],
  "setupStatus": enum (SetupState)
}
Fields
setupErrors[]

enum (SetupError)

Indicates SAA enrollment setup error if any.
setupStatus

enum (SetupState)

Indicates SAA enrollment status of a given workload.

SetupState

Setup state of SAA enrollment.

Enums
SETUP_STATE_UNSPECIFIED Unspecified.
STATUS_PENDING SAA enrollment pending.
STATUS_COMPLETE SAA enrollment comopleted.

SetupError

Setup error of SAA enrollment.

Enums
SETUP_ERROR_UNSPECIFIED Unspecified.
ERROR_INVALID_BASE_SETUP Invalid states for all customers, to be redirected to AA UI for additional details.
ERROR_MISSING_EXTERNAL_SIGNING_KEY Returned when there is not an EKM key configured.
ERROR_NOT_ALL_SERVICES_ENROLLED Returned when there are no enrolled services or the customer is enrolled in CAA only for a subset of services.
ERROR_SETUP_CHECK_FAILED Returned when exception was encountered during evaluation of other criteria.

Methods

create

 Creates Assured Workload.

delete

 Deletes the workload.

get

 Gets Assured Workload associated with a CRM Node

list

 Lists Assured Workloads under a CRM Node.

patch

 Updates an existing workload.

restrictAllowedServices

 Restrict the list of services allowed in the Workload environment.