REST Resource: organizations.locations.workloads

Resource: Workload

A Workload object for managing highly regulated workloads of cloud customers.

JSON representation 
{
  "name": string,
  "displayName": string,
  "resources": [
    {
      object (ResourceInfo)
    }
  ],
  "complianceRegime": enum (ComplianceRegime),
  "createTime": string,
  "billingAccount": string,
  "etag": string,
  "labels": {
    string: string,
    ...
  },
  "provisionedResourcesParent": string,
  "kmsSettings": {
    object (KMSSettings)
  },
  "resourceSettings": [
    {
      object (ResourceSettings)
    }
  ],
  "kajEnrollmentState": enum (KajEnrollmentState),
  "enableSovereignControls": boolean,
  "saaEnrollmentResponse": {
    object (SaaEnrollmentResponse)
  },
  "complianceStatus": {
    object (ComplianceStatus)
  },
  "compliantButDisallowedServices": [
    string
  ],
  "partner": enum (Partner),
  "partnerPermissions": {
    object (PartnerPermissions)
  },
  "partnerServicesBillingAccount": string,
  "ekmProvisioningResponse": {
    object (EkmProvisioningResponse)
  },
  "resourceMonitoringEnabled": boolean,
  "complianceUpdatesEnabled": boolean,
  "availableUpdates": integer,
  "workloadOptions": {
    object (WorkloadOptions)
  },

  // Union field compliance_regime_settings can be only one of the following:
  "il4Settings": {
    object (IL4Settings)
  },
  "cjisSettings": {
    object (CJISSettings)
  },
  "fedrampHighSettings": {
    object (FedrampHighSettings)
  },
  "fedrampModerateSettings": {
    object (FedrampModerateSettings)
  }
  // End of list of possible types for union field compliance_regime_settings.
  "violationNotificationsEnabled": boolean
}
Fields
name

string

Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload}

Read-only.
displayName

string

Required. The user-assigned display name of the Workload. When present it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces.

Example: My Workload
resources[]

object (ResourceInfo)

Output only. The resources associated with this workload. These resources will be created when creating the workload. If any of the projects already exist, the workload creation will fail. Always read only.
complianceRegime

enum (ComplianceRegime)

Required. Immutable. Compliance Regime associated with this workload.
createTime

string (Timestamp format)

Output only. Immutable. The Workload creation timestamp.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
billingAccount

string

Optional. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form billingAccounts/{billing_account_id}. For example, billingAccounts/012345-567890-ABCDEF.
etag

string

Optional. ETag of the workload, it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations.
labels

map (key: string, value: string)

Optional. Labels applied to the workload.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
provisionedResourcesParent

string

Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folderId}
kmsSettings
(deprecated)

object (KMSSettings)

Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a Keyring, callers should specify, ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
resourceSettings[]

object (ResourceSettings)

Input only. Resource properties that are used to customize workload resources. These properties (such as custom project id) will be used to create workload resources if possible. This field is optional.
kajEnrollmentState

enum (KajEnrollmentState)

Output only. Represents the KAJ enrollment state of the given workload.
enableSovereignControls

boolean

Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers.
saaEnrollmentResponse

object (SaaEnrollmentResponse)

Output only. Represents the SAA enrollment response of the given workload. SAA enrollment response is queried during workloads.get call. In failure cases, user friendly error message is shown in SAA details page.
complianceStatus

object (ComplianceStatus)

Output only. Count of active Violations in the Workload.
compliantButDisallowedServices[]

string

Output only. Urls for services which are compliant for this Assured Workload, but which are currently disallowed by the ResourceUsageRestriction org policy. Invoke workloads.restrictAllowedResources endpoint to allow your project developers to use these services in their environment.
partner

enum (Partner)

Optional. Partner regime associated with this workload.
partnerPermissions

object (PartnerPermissions)

Optional. Permissions granted to the AW Partner SA account for the customer workload
partnerServicesBillingAccount

string

Optional. Billing account necessary for purchasing services from Sovereign Partners. This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this string is billingAccounts/AAAAAA-BBBBBB-CCCCCC
ekmProvisioningResponse

object (EkmProvisioningResponse)

Output only. Represents the Ekm Provisioning State of the given workload.
resourceMonitoringEnabled

boolean

Output only. Indicates whether resource monitoring is enabled for workload or not. It is true when Resource feed is subscribed to AWM topic and AWM Service Agent Role is binded to AW Service Account for resource Assured workload.
complianceUpdatesEnabled

boolean

Output only. Indicates whether the compliance updates feature is enabled for a workload. The compliance updates feature can be enabled via the workloads.enableComplianceUpdates endpoint.
availableUpdates

integer

Output only. The number of updates available for the workload.
workloadOptions

object (WorkloadOptions)

Optional. Options to be set for the given created workload.
Union field compliance_regime_settings. Settings specific to the selected [compliance_regime] compliance_regime_settings can be only one of the following:
il4Settings
(deprecated)

object (IL4Settings)

Input only. Immutable. Settings specific to resources needed for IL4.
cjisSettings
(deprecated)

object (CJISSettings)

Input only. Immutable. Settings specific to resources needed for CJIS.
fedrampHighSettings
(deprecated)

object (FedrampHighSettings)

Input only. Immutable. Settings specific to resources needed for FedRAMP High.
fedrampModerateSettings
(deprecated)

object (FedrampModerateSettings)

Input only. Immutable. Settings specific to resources needed for FedRAMP Moderate.
violationNotificationsEnabled

boolean

Optional. Indicates whether the e-mail notification for a violation is enabled for a workload. This value will be by default True, and if not present will be considered as true. This should only be updated via updateWorkload call. Any Changes to this field during the createWorkload call will not be honored. This will always be true while creating the workload.

IL4Settings

Settings specific to resources needed for IL4.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

KMSSettings

Settings specific to the Key Management Service.

JSON representation 
{
  "nextRotationTime": string,
  "rotationPeriod": string
}
Fields
nextRotationTime

string (Timestamp format)

Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
rotationPeriod

string (Duration format)

Required. Input only. Immutable. [nextRotationTime] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

CJISSettings

Settings specific to resources needed for CJIS.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

FedrampHighSettings

Settings specific to resources needed for FedRAMP High.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

FedrampModerateSettings

Settings specific to resources needed for FedRAMP Moderate.

JSON representation 
{
  "kmsSettings": {
    object (KMSSettings)
  }
}
Fields
kmsSettings

object (KMSSettings)

Input only. Immutable. Settings used to create a CMEK crypto key.

ResourceInfo

Represent the resources that are children of this Workload.

JSON representation 
{
  "resourceId": string,
  "resourceType": enum (ResourceType)
}
Fields
resourceId

string (int64 format)

Resource identifier. For a project this represents project_number.
resourceType

enum (ResourceType)

Indicates the type of resource.

KajEnrollmentState

Key Access Justifications(KAJ) Enrollment State.

Enums
KAJ_ENROLLMENT_STATE_UNSPECIFIED Default State for KAJ Enrollment.
KAJ_ENROLLMENT_STATE_PENDING Pending State for KAJ Enrollment.
KAJ_ENROLLMENT_STATE_COMPLETE Complete State for KAJ Enrollment.

SaaEnrollmentResponse

Signed Access Approvals (SAA) enrollment response.

JSON representation 
{
  "setupErrors": [
    enum (SetupError)
  ],
  "setupStatus": enum (SetupState)
}
Fields
setupErrors[]

enum (SetupError)

Indicates SAA enrollment setup error if any.
setupStatus

enum (SetupState)

Indicates SAA enrollment status of a given workload.

SetupState

Setup state of SAA enrollment.

Enums
SETUP_STATE_UNSPECIFIED Unspecified.
STATUS_PENDING SAA enrollment pending.
STATUS_COMPLETE SAA enrollment comopleted.

SetupError

Setup error of SAA enrollment.

Enums
SETUP_ERROR_UNSPECIFIED Unspecified.
ERROR_INVALID_BASE_SETUP Invalid states for all customers, to be redirected to AA UI for additional details.
ERROR_MISSING_EXTERNAL_SIGNING_KEY Returned when there is not an EKM key configured.
ERROR_NOT_ALL_SERVICES_ENROLLED Returned when there are no enrolled services or the customer is enrolled in CAA only for a subset of services.
ERROR_SETUP_CHECK_FAILED Returned when exception was encountered during evaluation of other criteria.

ComplianceStatus

Represents the Compliance Status of this workload

JSON representation 
{
  "activeViolationCount": integer,
  "acknowledgedViolationCount": integer,
  "activeResourceViolationCount": integer,
  "acknowledgedResourceViolationCount": integer
}
Fields
activeViolationCount

integer

Number of current orgPolicy violations which are not acknowledged.
acknowledgedViolationCount

integer

Number of current orgPolicy violations which are acknowledged.
activeResourceViolationCount

integer

Number of current resource violations which are acknowledged.
acknowledgedResourceViolationCount

integer

Number of current resource violations which are not acknowledged.

Partner

Supported Assured Workloads Partners.

Enums
PARTNER_UNSPECIFIED
LOCAL_CONTROLS_BY_S3NS Enum representing S3NS (Thales) partner.
SOVEREIGN_CONTROLS_BY_T_SYSTEMS Enum representing T_SYSTEM (TSI) partner.
SOVEREIGN_CONTROLS_BY_SIA_MINSAIT Enum representing SIA_MINSAIT (Indra) partner.
SOVEREIGN_CONTROLS_BY_PSN Enum representing PSN (TIM) partner.
SOVEREIGN_CONTROLS_BY_CNTXT Enum representing CNTXT (Kingdom of Saudi Arabia) partner.
SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM Enum representing CNTXT (Kingdom of Saudi Arabia) partner offering without EKM.

EkmProvisioningResponse

External key management systems(EKM) Provisioning response

JSON representation 
{
  "ekmProvisioningState": enum (EkmProvisioningState),
  "ekmProvisioningErrorDomain": enum (EkmProvisioningErrorDomain),
  "ekmProvisioningErrorMapping": enum (EkmProvisioningErrorMapping)
}
Fields
ekmProvisioningState

enum (EkmProvisioningState)

Indicates Ekm enrollment Provisioning of a given workload.
ekmProvisioningErrorDomain

enum (EkmProvisioningErrorDomain)

Indicates Ekm provisioning error if any.
ekmProvisioningErrorMapping

enum (EkmProvisioningErrorMapping)

Detailed error message if Ekm provisioning fails

EkmProvisioningState

External key management systems(EKM) Provisioning State

Enums
EKM_PROVISIONING_STATE_UNSPECIFIED Default State for Ekm Provisioning
EKM_PROVISIONING_STATE_PENDING Pending State for Ekm Provisioning
EKM_PROVISIONING_STATE_FAILED Failed State for Ekm Provisioning
EKM_PROVISIONING_STATE_COMPLETED Completed State for Ekm Provisioning

EkmProvisioningErrorDomain

Provisioning error of EKM resources

Enums
EKM_PROVISIONING_ERROR_DOMAIN_UNSPECIFIED No error domain
UNSPECIFIED_ERROR Error but domain is unspecified.
GOOGLE_SERVER_ERROR Internal logic breaks within provisioning code.
EXTERNAL_USER_ERROR Error occurred with the customer not granting permission/creating resource.
EXTERNAL_PARTNER_ERROR Error occurred within the partner's provisioning cluster.
TIMEOUT_ERROR Resource wasn't provisioned in the required 7 day time period

EkmProvisioningErrorMapping

Error Mapping if Ekm provisioning fails

Enums
EKM_PROVISIONING_ERROR_MAPPING_UNSPECIFIED Error is unspecified.
INVALID_SERVICE_ACCOUNT Service account is used is invalid.
MISSING_METRICS_SCOPE_ADMIN_PERMISSION Iam permission monitoring.MetricsScopeAdmin wasn't applied.
MISSING_EKM_CONNECTION_ADMIN_PERMISSION Iam permission cloudkms.ekmConnectionsAdmin wasn't applied.

Methods

analyzeWorkloadMove

 Analyzes a hypothetical move of a source resource to a target workload to surface compliance risks.

create

 Creates Assured Workload.

delete

 Deletes the workload.

enableComplianceUpdates

 This endpoint enables Assured Workloads service to offer compliance updates for the folder based assured workload.

enableResourceMonitoring

 Enable resource violation monitoring for a workload.

get

 Gets Assured Workload associated with a CRM Node

list

 Lists Assured Workloads under a CRM Node.

patch

 Updates an existing workload.

restrictAllowedResources

 Restrict the list of resources allowed in the Workload environment.