REST Resource: organizations.locations.discoveryConfigs

Resource: DiscoveryConfig

Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project.

The generated data profiles are retained according to the data retention policy.

JSON representation
{
  "name": string,
  "displayName": string,
  "orgConfig": {
    object (OrgConfig)
  },
  "otherCloudStartingLocation": {
    object (OtherCloudDiscoveryStartingLocation)
  },
  "inspectTemplates": [
    string
  ],
  "actions": [
    {
      object (DataProfileAction)
    }
  ],
  "targets": [
    {
      object (DiscoveryTarget)
    }
  ],
  "errors": [
    {
      object (Error)
    }
  ],
  "createTime": string,
  "updateTime": string,
  "lastRunTime": string,
  "status": enum (Status)
}
Fields
name

string

Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example projects/dlp-test-project/locations/global/discoveryConfigs/53234423.

displayName

string

Display name (max 100 chars).

orgConfig

object (OrgConfig)

Only set when the parent is an org.

otherCloudStartingLocation

object (OtherCloudDiscoveryStartingLocation)

Must be set only when scanning other clouds.

inspectTemplates[]

string

Detection logic for profile generation.

Not all template features are used by Discovery. FindingLimits, includeQuote and excludeInfoTypes have no impact on Discovery.

Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned.

For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
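The per-region rule above (at most one template per region, a "global" template copied into regions that have no template of their own, and regions with neither left unscanned) is easy to get wrong when a config is assembled by hand. The following script is an added illustration, not code from the Sensitive Data Protection API or its client libraries; it reads the region out of the locations/<region> segment of each template's resource name, which is an assumption made for this example, and the template names it uses are constructed.

```python
"""Resolve which inspect template covers each data region.

This is an added illustration, not code from the Sensitive Data Protection
API or its client libraries. It models the rule for inspectTemplates[]:
at most one template per region (including "global"), a region without its
own template falls back to the "global" template, and a region with neither
is not scanned. Reading the region out of the "locations/<region>" segment
of the template's resource name is an assumption made for this example.
"""
import re
from typing import Dict, List, Optional

# Assumed resource-name shape:
#   projects/<project>/locations/<region>/inspectTemplates/<id>
_TEMPLATE_NAME = re.compile(
    r"^(?:projects|organizations)/[^/]+/locations/(?P<region>[^/]+)"
    r"/inspectTemplates/[^/]+$"
)


def region_of(template_name: str) -> str:
    """Region segment of an inspect template resource name."""
    m = _TEMPLATE_NAME.match(template_name)
    if m is None:
        raise ValueError(f"not an inspect template name: {template_name}")
    return m.group("region")


def index_by_region(templates: List[str]) -> Dict[str, str]:
    """Map region -> template, rejecting a second template for one region."""
    by_region: Dict[str, str] = {}
    for name in templates:
        region = region_of(name)
        if region in by_region:
            raise ValueError(f"more than one inspect template for region {region!r}")
        by_region[region] = name
    return by_region


def resolve_template(templates: List[str], data_region: str) -> Optional[str]:
    """Template used for data in data_region, or None if that region is skipped."""
    by_region = index_by_region(templates)
    if data_region in by_region:
        return by_region[data_region]
    # No region-specific template: the global one is copied to the region.
    # If there is no global template either, the region's data is not scanned.
    return by_region.get("global")


def scan_plan(templates: List[str], data_regions: List[str]) -> Dict[str, Optional[str]]:
    """Per-region template choice for every region that holds data."""
    return {region: resolve_template(templates, region) for region in data_regions}


# Constructed sample: a global baseline plus a stricter template for europe-west1.
SAMPLE_TEMPLATES = [
    "projects/example-project/locations/global/inspectTemplates/pii-baseline",
    "projects/example-project/locations/europe-west1/inspectTemplates/eu-pii",
]

if __name__ == "__main__":
    for region, template in scan_plan(SAMPLE_TEMPLATES, ["europe-west1", "us-central1"]).items():
        print(f"{region}: {template or 'NOT SCANNED (no regional or global template)'}")
```

Running scan_plan over the regions that actually hold data before activating a config shows at a glance which regions would silently go unscanned for lack of a template.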

actions[]

object (DataProfileAction)

Actions to execute at the completion of scanning.

targets[]

object (DiscoveryTarget)

Target to match against for determining what to scan and how frequently.

errors[]

object (Error)

Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Returns the last 100 errors. Whenever the config is modified, this list is cleared.

createTime

string (Timestamp format)

Output only. The creation timestamp of a DiscoveryConfig.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The last update timestamp of a DiscoveryConfig.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

lastRunTime

string (Timestamp format)

Output only. The timestamp of the last time this config was executed.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

status

enum (Status)

Required. A status for this configuration.

OrgConfig

Project and scan location information. Only set when the parent is an org.

JSON representation
{
  "location": {
    object (DiscoveryStartingLocation)
  },
  "projectId": string
}
Fields
location

object (DiscoveryStartingLocation)

The data to scan: folder, org, or project.

projectId

string

The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.

DiscoveryStartingLocation

The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization.

JSON representation
{

  // Union field location can be only one of the following:
  "organizationId": string,
  "folderId": string
  // End of list of possible types for union field location.
}
Fields
Union field location. The location to be scanned. location can be only one of the following:
organizationId

string (int64 format)

The ID of an organization to scan.

folderId

string (int64 format)

The ID of the folder within an organization to be scanned.

DiscoveryTarget

Target used to match against for Discovery.

JSON representation
{

  // Union field target can be only one of the following:
  "bigQueryTarget": {
    object (BigQueryDiscoveryTarget)
  },
  "cloudSqlTarget": {
    object (CloudSqlDiscoveryTarget)
  },
  "secretsTarget": {
    object (SecretsDiscoveryTarget)
  },
  "cloudStorageTarget": {
    object (CloudStorageDiscoveryTarget)
  },
  "otherCloudTarget": {
    object (OtherCloudDiscoveryTarget)
  }
  // End of list of possible types for union field target.
}
Fields
Union field target. A target to match against for Discovery. target can be only one of the following:
bigQueryTarget

object (BigQueryDiscoveryTarget)

BigQuery target for Discovery. The first target to match a table will be the one applied.

cloudSqlTarget

object (CloudSqlDiscoveryTarget)

Cloud SQL target for Discovery. The first target to match a table will be the one applied.

secretsTarget

object (SecretsDiscoveryTarget)

Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.

cloudStorageTarget

object (CloudStorageDiscoveryTarget)

Cloud Storage target for Discovery. The first target to match a table will be the one applied.

otherCloudTarget

object (OtherCloudDiscoveryTarget)

Other clouds target for discovery. The first target to match a resource will be the one applied.

BigQueryDiscoveryTarget

Target used to match against for discovery with BigQuery tables

JSON representation
{
  "filter": {
    object (DiscoveryBigQueryFilter)
  },
  "conditions": {
    object (DiscoveryBigQueryConditions)
  },

  // Union field frequency can be only one of the following:
  "cadence": {
    object (DiscoveryGenerationCadence)
  },
  "disabled": {
    object (Disabled)
  }
  // End of list of possible types for union field frequency.
}
Fields
filter

object (DiscoveryBigQueryFilter)

Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.

conditions

object (DiscoveryBigQueryConditions)

In addition to matching the filter, these conditions must be true before a profile is generated.

Union field frequency. The generation rule includes the logic on how frequently to update the data profiles. If not specified, discovery will re-run and update no more than once a month if new columns appear in the table. frequency can be only one of the following:
cadence

object (DiscoveryGenerationCadence)

How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.

disabled

object (Disabled)

Tables that match this filter will not have profiles created.

DiscoveryBigQueryFilter

Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID.

JSON representation
{

  // Union field filter can be only one of the following:
  "tables": {
    object (BigQueryTableCollection)
  },
  "otherTables": {
    object (AllOtherBigQueryTables)
  },
  "tableReference": {
    object (TableReference)
  }
  // End of list of possible types for union field filter.
}
Fields
Union field filter. Whether the filter applies to a specific set of tables or all other tables within the location being profiled. The first filter to match will be applied, regardless of the condition. If none is set, will default to other_tables. filter can be only one of the following:
tables

object (BigQueryTableCollection)

A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.

otherTables

object (AllOtherBigQueryTables)

Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.

tableReference

object (TableReference)

The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).

BigQueryTableCollection

Specifies a collection of BigQuery tables. Used for Discovery.

JSON representation
{

  // Union field pattern can be only one of the following:
  "includeRegexes": {
    object (BigQueryRegexes)
  }
  // End of list of possible types for union field pattern.
}
Fields
Union field pattern. Maximum of 100 entries. The first filter containing a pattern that matches a table will be used. pattern can be only one of the following:
includeRegexes

object (BigQueryRegexes)

A collection of regular expressions to match a BigQuery table against.

BigQueryRegexes

A collection of regular expressions to determine what tables to match against.

JSON representation
{
  "patterns": [
    {
      object (BigQueryRegex)
    }
  ]
}
Fields
patterns[]

object (BigQueryRegex)

A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.

BigQueryRegex

A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

JSON representation
{
  "projectIdRegex": string,
  "datasetIdRegex": string,
  "tableIdRegex": string
}
Fields
projectIdRegex

string

For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.

datasetIdRegex

string

If unset, this property matches all datasets.

tableIdRegex

string

If unset, this property matches all tables.

AllOtherBigQueryTables

This type has no fields.

Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target.
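The first-match rule that runs through DiscoveryTarget, DiscoveryBigQueryFilter, BigQueryTableCollection and AllOtherBigQueryTables determines which target, and therefore which cadence or disabled setting, a table ends up with; a catch-all placed too early silently shadows everything after it. The script below is an added illustration, not code from the Sensitive Data Protection API or its client libraries. It evaluates the target list in order as the page describes, and flags the ordering mistakes the page warns about. The same first-match rule is stated for the Cloud SQL and Cloud Storage filters, so the approach carries over. Python's re module with full-match semantics stands in for the service's RE2 matching; treating the two as equivalent for these patterns is an assumption, and the target list is constructed.

```python
"""Work out which BigQuery DiscoveryTarget applies to a given table.

This is an added illustration, not code from the Sensitive Data Protection
API or its client libraries. It models the documented ordering rule: targets
are tried in list order, the first target whose filter matches a table wins,
an unset regex field matches every value, and otherTables is the catch-all
that the service appends by default. Python's re module with full-match
semantics stands in for the service's RE2 matching (an assumption).
"""
import re
from typing import Any, Dict, List, Optional, Tuple

Target = Dict[str, Any]


def _field_matches(pattern: Optional[str], value: str) -> bool:
    """An unset or empty regex field matches all values of that field."""
    return not pattern or re.fullmatch(pattern, value) is not None


def regex_matches(rx: Dict[str, str], project: str, dataset: str, table: str) -> bool:
    """One BigQueryRegex pattern: all three fields must match (unset = any)."""
    return (
        _field_matches(rx.get("projectIdRegex"), project)
        and _field_matches(rx.get("datasetIdRegex"), dataset)
        and _field_matches(rx.get("tableIdRegex"), table)
    )


def filter_matches(flt: Dict[str, Any], project: str, dataset: str, table: str) -> bool:
    """Evaluate the DiscoveryBigQueryFilter union for one table."""
    if "tables" in flt:
        patterns = flt["tables"].get("includeRegexes", {}).get("patterns", [])
        return any(regex_matches(p, project, dataset, table) for p in patterns)
    if "tableReference" in flt:
        ref = flt["tableReference"]  # projectId is inferred from the parent project
        return ref.get("datasetId") == dataset and ref.get("tableId") == table
    return True  # otherTables, or an unset filter (which defaults to otherTables)


def applicable_target(targets: List[Target], project: str, dataset: str, table: str) -> Tuple[Optional[int], str]:
    """(index of the first matching target, 'profile' | 'disabled' | 'default')."""
    for i, t in enumerate(targets):
        bq = t["bigQueryTarget"]
        if filter_matches(bq.get("filter", {}), project, dataset, table):
            return i, "disabled" if "disabled" in bq else "profile"
    return None, "default"  # the service's implicit otherTables target applies


def lint_targets(targets: List[Target]) -> List[str]:
    """Ordering mistakes the page warns about; an empty list means none found."""
    filters = [t["bigQueryTarget"].get("filter", {}) for t in targets]
    problems: List[str] = []
    catch_all = [i for i, f in enumerate(filters) if "otherTables" in f or not f]
    if len(catch_all) > 1:
        problems.append("otherTables should appear only once")
    if catch_all and catch_all[0] != len(targets) - 1:
        problems.append(f"otherTables at index {catch_all[0]} is not last; later targets can never match")
    if any("tableReference" in f for f in filters) and len(targets) > 1:
        problems.append("a tableReference filter must be the only target in the config")
    return problems


# Constructed sample targets: never profile scratch datasets, profile
# production projects on a monthly refresh, then the catch-all.
SAMPLE_TARGETS: List[Target] = [
    {"bigQueryTarget": {
        "filter": {"tables": {"includeRegexes": {"patterns": [{"datasetIdRegex": r"scratch_.*"}]}}},
        "disabled": {},
    }},
    {"bigQueryTarget": {
        "filter": {"tables": {"includeRegexes": {"patterns": [{"projectIdRegex": r"prod-.*"}]}}},
        "cadence": {"refreshFrequency": "UPDATE_FREQUENCY_MONTHLY"},
    }},
    {"bigQueryTarget": {"filter": {"otherTables": {}}, "cadence": {}}},
]

if __name__ == "__main__":
    for problem in lint_targets(SAMPLE_TARGETS):
        print("config problem:", problem)
    for tbl in [("prod-app", "scratch_tmp", "t1"), ("prod-app", "customers", "orders"), ("dev-app", "customers", "orders")]:
        print(tbl, "->", applicable_target(SAMPLE_TARGETS, *tbl))
```

Because lint_targets reads only the filter union, it can be run against the JSON of an existing config (for example one fetched from the API) before and after an edit to confirm the catch-all still sits last.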

TableReference

Message defining the location of a BigQuery table with the projectId inferred from the parent project.

JSON representation
{
  "datasetId": string,
  "tableId": string
}
Fields
datasetId

string

Dataset ID of the table.

tableId

string

Name of the table.

DiscoveryBigQueryConditions

Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age).

JSON representation
{
  "createdAfter": string,
  "orConditions": {
    object (OrConditions)
  },

  // Union field included_types can be only one of the following:
  "types": {
    object (BigQueryTableTypes)
  },
  "typeCollection": enum (BigQueryTableTypeCollection)
  // End of list of possible types for union field included_types.
}
Fields
createdAfter

string (Timestamp format)

BigQuery table must have been created after this date. Used to avoid backfilling.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

orConditions

object (OrConditions)

At least one of the conditions must be true for a table to be scanned.

Union field included_types. The type of BigQuery tables to scan. If nothing is set the default behavior is to scan only tables of type TABLE and to give errors for all unsupported tables. included_types can be only one of the following:
types

object (BigQueryTableTypes)

Restrict discovery to specific table types.

typeCollection

enum (BigQueryTableTypeCollection)

Restrict discovery to categories of table types.

BigQueryTableTypes

The types of BigQuery tables supported by Cloud DLP.

JSON representation
{
  "types": [
    enum (BigQueryTableType)
  ]
}
Fields
types[]

enum (BigQueryTableType)

A set of BigQuery table types.

BigQueryTableType

Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW, and non-BigLake external tables are not supported.

Enums
BIG_QUERY_TABLE_TYPE_UNSPECIFIED Unused.
BIG_QUERY_TABLE_TYPE_TABLE A normal BigQuery table.
BIG_QUERY_TABLE_TYPE_EXTERNAL_BIG_LAKE A table that references data stored in Cloud Storage.
BIG_QUERY_TABLE_TYPE_SNAPSHOT A snapshot of a BigQuery table.

BigQueryTableTypeCollection

Over time new types may be added. Currently VIEW, MATERIALIZED_VIEW, and non-BigLake external tables are not supported.

Enums
BIG_QUERY_COLLECTION_UNSPECIFIED Unused.
BIG_QUERY_COLLECTION_ALL_TYPES Automatically generate profiles for all tables, even if the table type is not yet fully supported for analysis. Profiles for unsupported tables will be generated with errors to indicate their partial support. When full support is added, the tables will automatically be profiled during the next scheduled run.
BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES Only those types fully supported will be profiled. Will expand automatically as Cloud DLP adds support for new table types. Unsupported table types will not have partial profiles generated.

OrConditions

There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery.

JSON representation
{
  "minRowCount": integer,
  "minAge": string
}
Fields
minRowCount

integer

Minimum number of rows that should be present before Cloud DLP profiles a table.

minAge

string (Duration format)

Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
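DiscoveryBigQueryConditions combines an AND across createdAfter, included_types and orConditions with an OR inside orConditions, and the page fixes a floor of one hour for minAge. The script below is an added illustration, not code from the Sensitive Data Protection API or its client libraries; it applies those rules to a few constructed table records (a shape invented for this example, not a BigQuery API object) and parses the timestamp and duration formats exactly as the page quotes them.

```python
"""Decide whether a BigQuery table meets DiscoveryBigQueryConditions.

This is an added illustration, not code from the Sensitive Data Protection
API or its client libraries. Top-level attributes are ANDed; inside
orConditions at least one of minRowCount / minAge must hold; included_types
falls back to scanning only TABLE when neither types nor typeCollection is
set. Timestamp and duration parsing follow the formats quoted on the page
("2014-10-02T15:01:23.045123456Z", "3.5s"). The table metadata records are
a constructed shape for this example, not BigQuery API objects.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

Conditions = Dict[str, Any]
TableMeta = Dict[str, Any]

# Table types the page lists as supported (VIEW, MATERIALIZED_VIEW and
# non-BigLake external tables are not).
SUPPORTED_TYPES = {
    "BIG_QUERY_TABLE_TYPE_TABLE",
    "BIG_QUERY_TABLE_TYPE_EXTERNAL_BIG_LAKE",
    "BIG_QUERY_TABLE_TYPE_SNAPSHOT",
}


def parse_timestamp(value: str) -> datetime:
    """RFC 3339 UTC 'Zulu' timestamp with up to nine fractional digits."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a Zulu timestamp: {value}")
    body, _, frac = value[:-1].partition(".")
    if frac and (not frac.isdigit() or len(frac) > 9):
        raise ValueError(f"bad fractional seconds: {value}")
    dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # datetime holds microseconds, so nanosecond digits beyond six are dropped.
    return dt.replace(microsecond=int((frac + "000000")[:6]) if frac else 0)


def parse_duration(value: str) -> timedelta:
    """Duration in seconds ending with 's', e.g. '3.5s' or '86400s'."""
    if not value.endswith("s"):
        raise ValueError(f"expected a duration ending in 's': {value}")
    return timedelta(seconds=float(value[:-1]))


def validate_conditions(cond: Conditions) -> None:
    """Reject values the page says the service will not accept."""
    min_age = cond.get("orConditions", {}).get("minAge")
    if min_age is not None and parse_duration(min_age) < timedelta(hours=1):
        raise ValueError("orConditions.minAge must be 1 hour or greater")


def type_allowed(cond: Conditions, table_type: str) -> bool:
    """Apply the included_types union (types, typeCollection, or the default)."""
    if "types" in cond:
        return table_type in cond["types"].get("types", [])
    collection = cond.get("typeCollection")
    if collection == "BIG_QUERY_COLLECTION_ALL_TYPES":
        return True  # unsupported types still get a (partial) profile
    if collection == "BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES":
        return table_type in SUPPORTED_TYPES
    return table_type == "BIG_QUERY_TABLE_TYPE_TABLE"  # default behaviour


def should_scan(cond: Conditions, table: TableMeta, now: datetime) -> bool:
    """True when every top-level condition holds for `table` at time `now`."""
    validate_conditions(cond)
    created = parse_timestamp(table["createTime"])
    if "createdAfter" in cond and created <= parse_timestamp(cond["createdAfter"]):
        return False  # older than the backfill cut-off
    if not type_allowed(cond, table["type"]):
        return False
    or_cond = cond.get("orConditions")
    if or_cond:
        enough_rows = "minRowCount" in or_cond and table["rowCount"] >= or_cond["minRowCount"]
        old_enough = "minAge" in or_cond and now - created >= parse_duration(or_cond["minAge"])
        if not (enough_rows or old_enough):
            return False
    return True


# Constructed sample: skip tables created before 2024, and wait until a table
# either holds 1000 rows or is a day old.
SAMPLE_CONDITIONS: Conditions = {
    "createdAfter": "2024-01-01T00:00:00Z",
    "orConditions": {"minRowCount": 1000, "minAge": "86400s"},
    "typeCollection": "BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES",
}
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TABLES: Dict[str, TableMeta] = {
    "big_new": {"createTime": "2024-05-31T00:00:00Z", "rowCount": 5000, "type": "BIG_QUERY_TABLE_TYPE_TABLE"},
    "small_settled": {"createTime": "2024-05-20T00:00:00Z", "rowCount": 10, "type": "BIG_QUERY_TABLE_TYPE_TABLE"},
    "small_fresh": {"createTime": "2024-06-01T11:30:00Z", "rowCount": 10, "type": "BIG_QUERY_TABLE_TYPE_TABLE"},
    "backfill": {"createTime": "2023-12-31T23:59:59Z", "rowCount": 5000, "type": "BIG_QUERY_TABLE_TYPE_TABLE"},
}

if __name__ == "__main__":
    for name, meta in SAMPLE_TABLES.items():
        print(f"{name}: {'scan' if should_scan(SAMPLE_CONDITIONS, meta, NOW) else 'skip'}")
```

The validate_conditions step runs before any table is evaluated, so a minAge below the one-hour floor is caught when the config is assembled rather than surfacing as an error from the service.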

DiscoveryGenerationCadence

What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity.

JSON representation
{
  "schemaModifiedCadence": {
    object (DiscoverySchemaModifiedCadence)
  },
  "tableModifiedCadence": {
    object (DiscoveryTableModifiedCadence)
  },
  "inspectTemplateModifiedCadence": {
    object (DiscoveryInspectTemplateModifiedCadence)
  },
  "refreshFrequency": enum (DataProfileUpdateFrequency)
}
Fields
schemaModifiedCadence

object (DiscoverySchemaModifiedCadence)

Governs when to update data profiles when a schema is modified.

tableModifiedCadence

object (DiscoveryTableModifiedCadence)

Governs when to update data profiles when a table is modified.

inspectTemplateModifiedCadence

object (DiscoveryInspectTemplateModifiedCadence)

Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.

refreshFrequency

enum (DataProfileUpdateFrequency)

Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.

DiscoverySchemaModifiedCadence

The cadence at which to update data profiles when a schema is modified.

JSON representation
{
  "types": [
    enum (BigQuerySchemaModification)
  ],
  "frequency": enum (DataProfileUpdateFrequency)
}
Fields
types[]

enum (BigQuerySchemaModification)

The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.

frequency

enum (DataProfileUpdateFrequency)

How frequently profiles may be updated when schemas are modified. Defaults to monthly.

BigQuerySchemaModification

Attributes evaluated to determine if a schema has been modified. New values may be added at a later time.

Enums
SCHEMA_MODIFICATION_UNSPECIFIED Unused
SCHEMA_NEW_COLUMNS Profiles should be regenerated when new columns are added to the table. Default.
SCHEMA_REMOVED_COLUMNS Profiles should be regenerated when columns are removed from the table.

DataProfileUpdateFrequency

How frequently data profiles can be updated. New options can be added at a later time.

Enums
UPDATE_FREQUENCY_UNSPECIFIED Unspecified.
UPDATE_FREQUENCY_NEVER After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY The data profile can be updated up to once every 30 days. Default.

DiscoveryTableModifiedCadence

The cadence at which to update data profiles when a table is modified.

JSON representation
{
  "types": [
    enum (BigQueryTableModification)
  ],
  "frequency": enum (DataProfileUpdateFrequency)
}
Fields
types[]

enum (BigQueryTableModification)

The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.

frequency

enum (DataProfileUpdateFrequency)

How frequently data profiles can be updated when tables are modified. Defaults to never.

BigQueryTableModification

Attributes evaluated to determine if a table has been modified. New values may be added at a later time.

Enums
TABLE_MODIFICATION_UNSPECIFIED Unused.
TABLE_MODIFIED_TIMESTAMP A table will be considered modified when the lastModifiedTime from BigQuery has been updated.

DiscoveryInspectTemplateModifiedCadence

The cadence at which to update data profiles when the inspection rules defined by the InspectTemplate change.

JSON representation
{
  "frequency": enum (DataProfileUpdateFrequency)
}
Fields
frequency

enum (DataProfileUpdateFrequency)

How frequently data profiles can be updated when the template is modified. Defaults to never.
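DiscoveryGenerationCadence and its three sub-messages each carry their own default trigger set and frequency, and refreshFrequency applies on top of them regardless of change. The script below is an added illustration, not code from the Sensitive Data Protection API or its client libraries; it applies the defaults the page states (NEW_COLUMNS at MONTHLY for schema changes, MODIFIED_TIMESTAMP at NEVER for table changes, NEVER for template changes and for refreshFrequency) to decide which triggers would permit a profile update. The event strings describing what changed are constructed for this example; in particular "INSPECT_TEMPLATE_MODIFIED" is not an API enum value. Treating an absent sub-message the same as one with unset fields is an assumption.

```python
"""Decide whether an existing BigQuery data profile is due for an update.

This is an added illustration, not code from the Sensitive Data Protection
API or its client libraries. It applies the defaults stated for
DiscoveryGenerationCadence and its sub-messages: schema changes default to
SCHEMA_NEW_COLUMNS at MONTHLY, table changes to TABLE_MODIFIED_TIMESTAMP at
NEVER, and inspectTemplateModifiedCadence and refreshFrequency to NEVER.
DAILY permits one update per 24 hours, MONTHLY one per 30 days. The event
strings for observed changes are constructed for this example; the
"INSPECT_TEMPLATE_MODIFIED" event in particular is not an API enum value.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

Cadence = Dict[str, Any]

# Minimum gap between two updates for each DataProfileUpdateFrequency value;
# NEVER and UNSPECIFIED have no entry and therefore never permit an update.
MIN_INTERVAL = {
    "UPDATE_FREQUENCY_DAILY": timedelta(hours=24),
    "UPDATE_FREQUENCY_MONTHLY": timedelta(days=30),
}


def frequency_allows(frequency: Optional[str], last_update: datetime, now: datetime) -> bool:
    """True when `frequency` permits another update at `now`."""
    interval = MIN_INTERVAL.get(frequency or "UPDATE_FREQUENCY_NEVER")
    return interval is not None and now - last_update >= interval


def update_reasons(cadence: Cadence, events: List[str], last_update: datetime, now: datetime) -> List[str]:
    """Every trigger in `cadence` that fired (an event in `events`) and whose
    frequency cap has elapsed since `last_update`."""
    reasons: List[str] = []
    fired = set(events)

    schema = cadence.get("schemaModifiedCadence", {})
    schema_types = set(schema.get("types") or ["SCHEMA_NEW_COLUMNS"])
    if schema_types & fired and frequency_allows(
        schema.get("frequency", "UPDATE_FREQUENCY_MONTHLY"), last_update, now
    ):
        reasons.append("schema modified")

    table = cadence.get("tableModifiedCadence", {})
    table_types = set(table.get("types") or ["TABLE_MODIFIED_TIMESTAMP"])
    if table_types & fired and frequency_allows(table.get("frequency"), last_update, now):
        reasons.append("table modified")

    template = cadence.get("inspectTemplateModifiedCadence", {})
    if "INSPECT_TEMPLATE_MODIFIED" in fired and frequency_allows(
        template.get("frequency"), last_update, now
    ):
        reasons.append("inspect template modified")

    # refreshFrequency applies regardless of whether anything changed.
    if frequency_allows(cadence.get("refreshFrequency"), last_update, now):
        reasons.append("scheduled refresh")
    return reasons


# Constructed sample cadence: react to added or removed columns daily, to
# data changes monthly, and never refresh unprompted.
SAMPLE_CADENCE: Cadence = {
    "schemaModifiedCadence": {
        "types": ["SCHEMA_NEW_COLUMNS", "SCHEMA_REMOVED_COLUMNS"],
        "frequency": "UPDATE_FREQUENCY_DAILY",
    },
    "tableModifiedCadence": {"frequency": "UPDATE_FREQUENCY_MONTHLY"},
    "refreshFrequency": "UPDATE_FREQUENCY_NEVER",
}
LAST_UPDATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_after(days: int) -> datetime:
    """Point in time `days` after the sample's last profile update."""
    return LAST_UPDATE + timedelta(days=days)


if __name__ == "__main__":
    print(update_reasons(SAMPLE_CADENCE, ["SCHEMA_REMOVED_COLUMNS"], LAST_UPDATE, days_after(2)))
    print(update_reasons(SAMPLE_CADENCE, ["TABLE_MODIFIED_TIMESTAMP"], LAST_UPDATE, days_after(2)))
    print(update_reasons(SAMPLE_CADENCE, ["TABLE_MODIFIED_TIMESTAMP"], LAST_UPDATE, days_after(31)))
```

Feeding an empty cadence to update_reasons shows the page's stated default in action: a new column is the only event that triggers anything, and no more than once every 30 days.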

Disabled

This type has no fields.

Do not profile the tables.

CloudSqlDiscoveryTarget

Target used to match against for discovery with Cloud SQL tables.

JSON representation
{
  "filter": {
    object (DiscoveryCloudSqlFilter)
  },
  "conditions": {
    object (DiscoveryCloudSqlConditions)
  },

  // Union field cadence can be only one of the following:
  "generationCadence": {
    object (DiscoveryCloudSqlGenerationCadence)
  },
  "disabled": {
    object (Disabled)
  }
  // End of list of possible types for union field cadence.
}
Fields
filter

object (DiscoveryCloudSqlFilter)

Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.

conditions

object (DiscoveryCloudSqlConditions)

In addition to matching the filter, these conditions must be true before a profile is generated.

Union field cadence. Type of schedule. cadence can be only one of the following:
generationCadence

object (DiscoveryCloudSqlGenerationCadence)

How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.

disabled

object (Disabled)

Disable profiling for database resources that match this filter.

DiscoveryCloudSqlFilter

Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name.

JSON representation
{

  // Union field filter can be only one of the following:
  "collection": {
    object (DatabaseResourceCollection)
  },
  "others": {
    object (AllOtherDatabaseResources)
  },
  "databaseResourceReference": {
    object (DatabaseResourceReference)
  }
  // End of list of possible types for union field filter.
}
Fields
Union field filter. Whether the filter applies to a specific set of database resources or all other database resources within the location being profiled. The first filter to match will be applied, regardless of the condition. If none is set, will default to others. filter can be only one of the following:
collection

object (DatabaseResourceCollection)

A specific set of database resources for this filter to apply to.

others

object (AllOtherDatabaseResources)

Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.

databaseResourceReference

object (DatabaseResourceReference)

The database resource to scan. Targets including this can only include one target (the target with this database resource reference).

DatabaseResourceCollection

Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures.

JSON representation
{

  // Union field pattern can be only one of the following:
  "includeRegexes": {
    object (DatabaseResourceRegexes)
  }
  // End of list of possible types for union field pattern.
}
Fields
Union field pattern. The first filter containing a pattern that matches a database resource will be used. pattern can be only one of the following:
includeRegexes

object (DatabaseResourceRegexes)

A collection of regular expressions to match a database resource against.

DatabaseResourceRegexes

A collection of regular expressions to determine what database resources to match against.

JSON representation
{
  "patterns": [
    {
      object (DatabaseResourceRegex)
    }
  ]
}
Fields
patterns[]

object (DatabaseResourceRegex)

A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expressions' lengths can't exceed 10 KiB.

DatabaseResourceRegex

A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

JSON representation
{
  "projectIdRegex": string,
  "instanceRegex": string,
  "databaseRegex": string,
  "databaseResourceNameRegex": string
}
Fields
projectIdRegex

string

For organizations, if unset, will match all projects. Has no effect for configurations created within a project.

instanceRegex

string

Regex to test the instance name against. If empty, all instances match.

databaseRegex

string

Regex to test the database name against. If empty, all databases match.

databaseResourceNameRegex

string

Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.

AllOtherDatabaseResources

This type has no fields.

Match database resources not covered by any other filter.

DatabaseResourceReference

Identifies a single database resource, like a table within a database.

JSON representation
{
  "projectId": string,
  "instance": string,
  "database": string,
  "databaseResource": string
}
Fields
projectId

string

Required. If within a project-level config, then this must match the config's project ID.

instance

string

Required. The instance where this resource is located. For example: Cloud SQL instance ID.

database

string

Required. Name of a database within the instance.

databaseResource

string

Required. Name of a database resource, for example, a table within the database.

DiscoveryCloudSqlConditions

Requirements that must be true before a table is profiled for the first time.

JSON representation
{
  "databaseEngines": [
    enum (DatabaseEngine)
  ],
  "types": [
    enum (DatabaseResourceType)
  ]
}
Fields
databaseEngines[]

enum (DatabaseEngine)

Optional. Database engines that should be profiled. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.

types[]

enum (DatabaseResourceType)

Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].

DatabaseEngine

The database engines that should be profiled.

Enums
DATABASE_ENGINE_UNSPECIFIED Unused.
ALL_SUPPORTED_DATABASE_ENGINES Include all supported database engines.
MYSQL MySQL database.
POSTGRES PostgreSQL database.

DatabaseResourceType

Cloud SQL database resource types. New values can be added at a later time.

Enums
DATABASE_RESOURCE_TYPE_UNSPECIFIED Unused.
DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES Includes database resource types that become supported at a later time.
DATABASE_RESOURCE_TYPE_TABLE Tables.

DiscoveryCloudSqlGenerationCadence

How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity.

JSON representation
{
  "schemaModifiedCadence": {
    object (SchemaModifiedCadence)
  },
  "refreshFrequency": enum (DataProfileUpdateFrequency),
  "inspectTemplateModifiedCadence": {
    object (DiscoveryInspectTemplateModifiedCadence)
  }
}
Fields
schemaModifiedCadence

object (SchemaModifiedCadence)

When to reprofile if the schema has changed.

refreshFrequency

enum (DataProfileUpdateFrequency)

Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.

inspectTemplateModifiedCadence

object (DiscoveryInspectTemplateModifiedCadence)

Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.

SchemaModifiedCadence

How frequently to modify the profile when the table's schema is modified.

JSON representation
{
  "types": [
    enum (CloudSqlSchemaModification)
  ],
  "frequency": enum (DataProfileUpdateFrequency)
}
Fields
types[]

enum (CloudSqlSchemaModification)

The types of schema modifications to consider. Defaults to NEW_COLUMNS.

frequency

enum (DataProfileUpdateFrequency)

Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.

CloudSqlSchemaModification

The type of modification that causes a profile update.

Enums
SQL_SCHEMA_MODIFICATION_UNSPECIFIED Unused.
NEW_COLUMNS New columns have appeared.
REMOVED_COLUMNS Columns have been removed from the table.

SecretsDiscoveryTarget

This type has no fields.

Discovery target for credentials and secrets in cloud resource metadata.

This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily.

No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets).

Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center.

CloudStorageDiscoveryTarget

Target used to match against for discovery with Cloud Storage buckets.

JSON representation
{
  "filter": {
    object (DiscoveryCloudStorageFilter)
  },
  "conditions": {
    object (DiscoveryFileStoreConditions)
  },

  // Union field cadence can be only one of the following:
  "generationCadence": {
    object (DiscoveryCloudStorageGenerationCadence)
  },
  "disabled": {
    object (Disabled)
  }
  // End of list of possible types for union field cadence.
}
Fields
filter

object (DiscoveryCloudStorageFilter)

Required. The buckets the generationCadence applies to. The first target with a matching filter will be the one to apply to a bucket.

conditions

object (DiscoveryFileStoreConditions)

Optional. In addition to matching the filter, these conditions must be true before a profile is generated.

Union field cadence. How often and when to update profiles. cadence can be only one of the following:
generationCadence

object (DiscoveryCloudStorageGenerationCadence)

Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.

disabled

object (Disabled)

Optional. Disable profiling for buckets that match this filter.

DiscoveryCloudStorageFilter

Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name.

JSON representation
{

  // Union field filter can be only one of the following:
  "collection": {
    object (FileStoreCollection)
  },
  "cloudStorageResourceReference": {
    object (CloudStorageResourceReference)
  },
  "others": {
    object (AllOtherResources)
  }
  // End of list of possible types for union field filter.
}
Fields
Union field filter. Whether the filter applies to a specific set of buckets or all other buckets within the location being profiled. The first filter to match will be applied, regardless of the condition. If none is set, will default to others. filter can be only one of the following:
collection

object (FileStoreCollection)

Optional. A specific set of buckets for this filter to apply to.

cloudStorageResourceReference

object (CloudStorageResourceReference)

Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many buckets within a project or an organization.

others

object (AllOtherResources)

Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.

FileStoreCollection

Match file stores (e.g. buckets) using regex filters.

JSON representation
{

  // Union field pattern can be only one of the following:
  "includeRegexes": {
    object (FileStoreRegexes)
  }
  // End of list of possible types for union field pattern.
}
Fields
Union field pattern. The first filter containing a pattern that matches a file store will be used. pattern can be only one of the following:
includeRegexes

object (FileStoreRegexes)

Optional. A collection of regular expressions to match a file store against.

FileStoreRegexes

A collection of regular expressions to determine what file store to match against.

JSON representation
{
  "patterns": [
    {
      object (FileStoreRegex)
    }
  ]
}
Fields
patterns[]

object (FileStoreRegex)

Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expressions' lengths can't exceed 10 KiB.

FileStoreRegex

A pattern to match against one or more file stores.

JSON representation
{

  // Union field resource_regex can be only one of the following:
  "cloudStorageRegex": {
    object (CloudStorageRegex)
  }
  // End of list of possible types for union field resource_regex.
}
Fields
Union field resource_regex. The type of resource regex to use. resource_regex can be only one of the following:
cloudStorageRegex

object (CloudStorageRegex)

Optional. Regex for Cloud Storage.

CloudStorageRegex

A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

JSON representation
{
  "projectIdRegex": string,
  "bucketNameRegex": string
}
Fields
projectIdRegex

string

Optional. For organizations, if unset, will match all projects.

bucketNameRegex

string

Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021.

CloudStorageResourceReference

Identifies a single Cloud Storage bucket.

JSON representation
{
  "bucketName": string,
  "projectId": string
}
Fields
bucketName

string

Required. The bucket to scan.

projectId

string

Required. If within a project-level config, then this must match the config's project id.

AllOtherResources

This type has no fields.

Match discovery resources not covered by any other filter.

DiscoveryFileStoreConditions

Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes.

JSON representation
{
  "createdAfter": string,
  "minAge": string,

  // Union field conditions can be only one of the following:
  "cloudStorageConditions": {
    object (DiscoveryCloudStorageConditions)
  }
  // End of list of possible types for union field conditions.
}
Fields
createdAfter

string (Timestamp format)

Optional. File store must have been created after this date. Used to avoid backfilling.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

minAge

string (Duration format)

Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Union field conditions. File store specific conditions. conditions can be only one of the following:
cloudStorageConditions

object (DiscoveryCloudStorageConditions)

Optional. Cloud Storage conditions.

DiscoveryCloudStorageConditions

Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes.

JSON representation
{
  "includedObjectAttributes": [
    enum (CloudStorageObjectAttribute)
  ],
  "includedBucketAttributes": [
    enum (CloudStorageBucketAttribute)
  ]
}
Fields
includedObjectAttributes[]

enum (CloudStorageObjectAttribute)

Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the includedObjectAttributes.

includedBucketAttributes[]

enum (CloudStorageBucketAttribute)

Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.

CloudStorageObjectAttribute

The attribute of an object. See https://cloud.google.com/storage/docs/storage-classes for more information on storage classes.

Enums
CLOUD_STORAGE_OBJECT_ATTRIBUTE_UNSPECIFIED Unused.
ALL_SUPPORTED_OBJECTS Scan objects regardless of the attribute.
STANDARD Scan objects with the standard storage class.
NEARLINE Scan objects with the nearline storage class. This will incur retrieval fees.
COLDLINE Scan objects with the coldline storage class. This will incur retrieval fees.
ARCHIVE Scan objects with the archive storage class. This will incur retrieval fees.
REGIONAL Scan objects with the regional storage class.
MULTI_REGIONAL Scan objects with the multi-regional storage class.
DURABLE_REDUCED_AVAILABILITY Scan objects with the dual-regional storage class. This will incur retrieval fees.

CloudStorageBucketAttribute

The attribute of a bucket.

Enums
CLOUD_STORAGE_BUCKET_ATTRIBUTE_UNSPECIFIED Unused.
ALL_SUPPORTED_BUCKETS Scan buckets regardless of the attribute.
AUTOCLASS_DISABLED Buckets with autoclass disabled (https://cloud.google.com/storage/docs/autoclass). Only one of AUTOCLASS_DISABLED or AUTOCLASS_ENABLED should be set.
AUTOCLASS_ENABLED Buckets with autoclass enabled (https://cloud.google.com/storage/docs/autoclass). Only one of AUTOCLASS_DISABLED or AUTOCLASS_ENABLED should be set. Scanning Autoclass-enabled buckets can affect object storage classes.

DiscoveryCloudStorageGenerationCadence

How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity.

JSON representation
{
  "refreshFrequency": enum (DataProfileUpdateFrequency),
  "inspectTemplateModifiedCadence": {
    object (DiscoveryInspectTemplateModifiedCadence)
  }
}
Fields
refreshFrequency

enum (DataProfileUpdateFrequency)

Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.

inspectTemplateModifiedCadence

object (DiscoveryInspectTemplateModifiedCadence)

Optional. Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.

OtherCloudDiscoveryTarget

Target used to match against for discovery of resources from other clouds. An AWS connector in Security Command Center (Enterprise) is required to use this feature.

JSON representation
{
  "dataSourceType": {
    object (DataSourceType)
  },
  "filter": {
    object (DiscoveryOtherCloudFilter)
  },
  "conditions": {
    object (DiscoveryOtherCloudConditions)
  },

  // Union field cadence can be only one of the following:
  "generationCadence": {
    object (DiscoveryOtherCloudGenerationCadence)
  },
  "disabled": {
    object (Disabled)
  }
  // End of list of possible types for union field cadence.
}
Fields
dataSourceType

object (DataSourceType)

Required. The type of data profiles generated by this discovery target. Supported values are:
* aws/s3/bucket

filter

object (DiscoveryOtherCloudFilter)

Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.

conditions

object (DiscoveryOtherCloudConditions)

Optional. In addition to matching the filter, these conditions must be true before a profile is generated.

Union field cadence. Type of cadence. cadence can be only one of the following:
generationCadence

object (DiscoveryOtherCloudGenerationCadence)

How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.

disabled

object (Disabled)

Disable profiling for resources that match this filter.

DiscoveryOtherCloudFilter

Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names.

JSON representation
{

  // Union field filter can be only one of the following:
  "collection": {
    object (OtherCloudResourceCollection)
  },
  "singleResource": {
    object (OtherCloudSingleResourceReference)
  },
  "others": {
    object (AllOtherResources)
  }
  // End of list of possible types for union field filter.
}
Fields
Union field filter. Whether the filter applies to a specific set of resources or all other resources. The first filter to match will be applied, regardless of the condition. Defaults to others if none is set. filter can be only one of the following:
collection

object (OtherCloudResourceCollection)

A collection of resources for this filter to apply to.

singleResource

object (OtherCloudSingleResourceReference)

The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).

others

object (AllOtherResources)

Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.

OtherCloudResourceCollection

Match resources using regex filters.

JSON representation
{

  // Union field pattern can be only one of the following:
  "includeRegexes": {
    object (OtherCloudResourceRegexes)
  }
  // End of list of possible types for union field pattern.
}
Fields
Union field pattern. The first filter containing a pattern that matches a resource will be used. pattern can be only one of the following:
includeRegexes

object (OtherCloudResourceRegexes)

A collection of regular expressions to match a resource against.

OtherCloudResourceRegexes

A collection of regular expressions to determine what resources to match against.

JSON representation
{
  "patterns": [
    {
      object (OtherCloudResourceRegex)
    }
  ]
}
Fields
patterns[]

object (OtherCloudResourceRegex)

A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expressions' lengths can't exceed 10 KiB.

OtherCloudResourceRegex

A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

JSON representation
{

  // Union field resource_regex can be only one of the following:
  "amazonS3BucketRegex": {
    object (AmazonS3BucketRegex)
  }
  // End of list of possible types for union field resource_regex.
}
Fields
Union field resource_regex. The type of resource regex to use. resource_regex can be only one of the following:
amazonS3BucketRegex

object (AmazonS3BucketRegex)

Regex for Amazon S3 buckets.

AmazonS3BucketRegex

Amazon S3 bucket regex.

JSON representation
{
  "awsAccountRegex": {
    object (AwsAccountRegex)
  },
  "bucketNameRegex": string
}
Fields
awsAccountRegex

object (AwsAccountRegex)

The AWS account regex.

bucketNameRegex

string

Optional. Regex to test the bucket name against. If empty, all buckets match.

AwsAccountRegex

AWS account regex.

JSON representation
{
  "accountIdRegex": string
}
Fields
accountIdRegex

string

Optional. Regex to test the AWS account ID against. If empty, all accounts match.
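The first-match target selection documented for FileStoreCollection / CloudStorageRegex above and for OtherCloudResourceCollection / AmazonS3BucketRegex here follows the same rules: an empty regex matches everything, the first target whose filter matches wins, and the AllOtherResources catch-all must be last and appear once. The following added example (not part of this API reference or of any Google client library) models that selection and lints the ordering rules. It assumes Python's re module as a stand-in for RE2 and assumes unanchored matching, which is why the page's "(marketing)\d{4}" example is anchored with ^...$ below; RegexTarget and its labels are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass
class RegexTarget:
    """Hypothetical model of one discovery target: its regex filter (cadence omitted)."""
    label: str
    scope_regex: str = ""        # projectIdRegex (Cloud Storage) or accountIdRegex (AWS); "" matches all
    bucket_name_regex: str = ""  # bucketNameRegex; "" matches all buckets
    catch_all: bool = False      # the AllOtherResources ("others") filter

def regex_matches(pattern: str, value: str) -> bool:
    # Empty pattern means "match everything", as the reference states for both fields.
    # Assumption: unanchored search (RE2 PartialMatch-style), so anchor with ^...$
    # when an exact project, account or bucket name is intended.
    return pattern == "" or re.search(pattern, value) is not None

def select_target(targets: Sequence[RegexTarget], scope_id: str, bucket_name: str) -> Optional[RegexTarget]:
    """First target whose filter matches wins; a catch-all matches unconditionally."""
    for t in targets:
        if t.catch_all or (regex_matches(t.scope_regex, scope_id)
                           and regex_matches(t.bucket_name_regex, bucket_name)):
            return t
    return None  # the service would add a default catch-all; here the gap is surfaced instead

def validate_targets(targets: Sequence[RegexTarget]) -> List[str]:
    """Lint the catch-all ordering rules the reference spells out, plus regex syntax."""
    problems: List[str] = []
    catch_alls = [i for i, t in enumerate(targets) if t.catch_all]
    if len(catch_alls) > 1:
        problems.append("catch-all target appears more than once")
    if catch_alls and catch_alls[0] != len(targets) - 1:
        problems.append(f"catch-all at position {catch_alls[0]} shadows every target after it")
    for t in targets:
        for pat in (t.scope_regex, t.bucket_name_regex):
            try:
                re.compile(pat)
            except re.error as exc:
                problems.append(f"target {t.label!r}: invalid regex {pat!r}: {exc}")
    return problems

# Constructed sample: one project-scoped target for marketing buckets, then the catch-all.
SAMPLE_TARGETS = [
    RegexTarget("marketing", scope_regex="^mktg-prod$", bucket_name_regex=r"^(marketing)\d{4}$"),
    RegexTarget("everything-else", catch_all=True),
]

if __name__ == "__main__":
    print(select_target(SAMPLE_TARGETS, "mktg-prod", "marketing2021").label)  # marketing
    print(validate_targets(list(reversed(SAMPLE_TARGETS))))                    # shadowing warning
```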

OtherCloudSingleResourceReference

Identifies a single resource, like a single Amazon S3 bucket.

JSON representation
{

  // Union field resource can be only one of the following:
  "amazonS3Bucket": {
    object (AmazonS3Bucket)
  }
  // End of list of possible types for union field resource.
}
Fields
Union field resource. The resource to scan. resource can be only one of the following:
amazonS3Bucket

object (AmazonS3Bucket)

Amazon S3 bucket.

AmazonS3Bucket

Amazon S3 bucket.

JSON representation
{
  "awsAccount": {
    object (AwsAccount)
  },
  "bucketName": string
}
Fields
awsAccount

object (AwsAccount)

The AWS account.

bucketName

string

Required. The bucket name.

AwsAccount

AWS account.

JSON representation
{
  "accountId": string
}
Fields
accountId

string

Required. AWS account ID.

DiscoveryOtherCloudConditions

Requirements that must be true before a resource is profiled for the first time.

JSON representation
{
  "minAge": string,

  // Union field conditions can be only one of the following:
  "amazonS3BucketConditions": {
    object (AmazonS3BucketConditions)
  }
  // End of list of possible types for union field conditions.
}
Fields
minAge

string (Duration format)

Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Union field conditions. The conditions to apply. conditions can be only one of the following:
amazonS3BucketConditions

object (AmazonS3BucketConditions)

Amazon S3 bucket conditions.

AmazonS3BucketConditions

Amazon S3 bucket conditions.

JSON representation
{
  "bucketTypes": [
    enum (BucketType)
  ],
  "objectStorageClasses": [
    enum (ObjectStorageClass)
  ]
}
Fields
bucketTypes[]

enum (BucketType)

Optional. Bucket types that should be profiled. Defaults to TYPE_ALL_SUPPORTED if unspecified.

objectStorageClasses[]

enum (ObjectStorageClass)

Optional. Object classes that should be profiled. Defaults to ALL_SUPPORTED_CLASSES if unspecified.

BucketType

Supported Amazon S3 bucket types. Defaults to TYPE_ALL_SUPPORTED.

Enums
TYPE_UNSPECIFIED Unused.
TYPE_ALL_SUPPORTED All supported classes.
TYPE_GENERAL_PURPOSE A general purpose Amazon S3 bucket.

ObjectStorageClass

Supported Amazon S3 object storage classes. Defaults to ALL_SUPPORTED_CLASSES.

Enums
UNSPECIFIED Unused.
ALL_SUPPORTED_CLASSES All supported classes.
STANDARD Standard object class.
STANDARD_INFREQUENT_ACCESS Standard - infrequent access object class.
GLACIER_INSTANT_RETRIEVAL Glacier - instant retrieval object class.
INTELLIGENT_TIERING Objects in the S3 Intelligent-Tiering access tiers.

DiscoveryOtherCloudGenerationCadence

How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity.

JSON representation
{
  "refreshFrequency": enum (DataProfileUpdateFrequency),
  "inspectTemplateModifiedCadence": {
    object (DiscoveryInspectTemplateModifiedCadence)
  }
}
Fields
refreshFrequency

enum (DataProfileUpdateFrequency)

Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.

inspectTemplateModifiedCadence

object (DiscoveryInspectTemplateModifiedCadence)

Optional. Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.

Status

Whether the discovery config is currently active. New options may be added at a later time.

Enums
STATUS_UNSPECIFIED Unused.
RUNNING The discovery config is currently active.
PAUSED The discovery config is paused temporarily.

Methods

create

Creates a config for discovery to scan and profile storage.

delete

Deletes a discovery configuration.

get

Gets a discovery configuration.

list

Lists discovery configurations.

patch

Updates a discovery configuration.