Close httplib2 connections.
create(parent, body=None, x__xgafv=None)
Creates a config for discovery to scan and profile storage.
Deletes a discovery configuration.
Gets a discovery configuration.
list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Lists discovery configurations.
Retrieves the next page of results.
patch(name, body=None, x__xgafv=None)
Updates a discovery configuration.
close()
Close httplib2 connections.
create(parent, body=None, x__xgafv=None)
Creates a config for discovery to scan and profile storage.
Args:
parent: string, Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization): + Projects scope: `projects/{project_id}/locations/{location_id}` + Organizations scope: `organizations/{org_id}/locations/{location_id}` The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)
body: object, The request body.
The object takes the form of:
{ # Request message for CreateDiscoveryConfig.
"configId": "A String", # The config ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.
"discoveryConfig": { # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention). # Required. The DiscoveryConfig to create.
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention).
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
}
delete(name, x__xgafv=None)
Deletes a discovery configuration.
Args:
name: string, Required. Resource name of the project and the config, for example `projects/dlp-test-project/discoveryConfigs/53234423`. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
}
get(name, x__xgafv=None)
Gets a discovery configuration.
Args:
name: string, Required. Resource name of the project and the configuration, for example `projects/dlp-test-project/discoveryConfigs/53234423`. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention).
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
}
list(parent, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Lists discovery configurations.
Args:
parent: string, Required. Parent resource name. The format of this value is as follows: `projects/{project_id}/locations/{location_id}` The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)
orderBy: string, Comma-separated list of config fields to order by, followed by `asc` or `desc` postfix. This list is case insensitive. The default sorting order is ascending. Redundant space characters are insignificant. Example: `name asc,update_time, create_time desc` Supported fields are: - `last_run_time`: corresponds to the last time the DiscoveryConfig ran. - `name`: corresponds to the DiscoveryConfig's name. - `status`: corresponds to DiscoveryConfig's status.
pageSize: integer, Size of the page. This value can be limited by a server.
pageToken: string, Page token to continue retrieval. Comes from the previous call to ListDiscoveryConfigs. `order_by` field must not change for subsequent calls.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for ListDiscoveryConfigs.
"discoveryConfigs": [ # List of configs, up to page_size in ListDiscoveryConfigsRequest.
{ # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention).
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
},
],
"nextPageToken": "A String", # If the next page is available then this value is the next page token to be used in the following ListDiscoveryConfigs request.
}
list_next()
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
patch(name, body=None, x__xgafv=None)
Updates a discovery configuration.
Args:
name: string, Required. Resource name of the project and the configuration, for example `projects/dlp-test-project/discoveryConfigs/53234423`. (required)
body: object, The request body.
The object takes the form of:
{ # Request message for UpdateDiscoveryConfig.
"discoveryConfig": { # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention). # Required. New DiscoveryConfig value.
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
},
"updateMask": "A String", # Mask to control which fields get updated.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Configuration for discovery to scan resources for profile generation. Only one discovery configuration may exist per organization, folder, or project. The generated data profiles are retained according to the [data retention policy] (https://cloud.google.com/sensitive-data-protection/docs/data-profiles#retention).
"actions": [ # Actions to execute at the completion of scanning.
{ # A task to execute when a data profile has been generated.
"exportData": { # If set, the detailed data profiles will be persisted to the location of your choice whenever updated. # Export data profiles into a provided location.
"profileTable": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Store all table and column profiles in an existing table or a new table in an existing dataset. Each re-generation will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
"datasetId": "A String", # Dataset ID of the table.
"projectId": "A String", # The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
},
},
"pubSubNotification": { # Send a Pub/Sub message into the given Pub/Sub topic to connect other systems to data profile generation. The message payload data will be the byte serialization of `DataProfilePubSubMessage`. # Publish a message into the Pub/Sub topic.
"detailOfMessage": "A String", # How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
"event": "A String", # The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.
"pubsubCondition": { # A condition for determining whether a Pub/Sub should be triggered. # Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
"expressions": { # An expression, consisting of an operator and conditions. # An expression.
"conditions": [ # Conditions to apply to the expression.
{ # A condition consisting of a value.
"minimumRiskScore": "A String", # The minimum data risk score that triggers the condition.
"minimumSensitivityScore": "A String", # The minimum sensitivity level that triggers the condition.
},
],
"logicalOperator": "A String", # The operator to apply to the collection of conditions.
},
},
"topic": "A String", # Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
},
"publishToChronicle": { # Message expressing intention to publish to Google Security Operations. # Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
},
"publishToScc": { # If set, a summary finding will be created or updated in Security Command Center for each profile. # Publishes findings to Security Command Center for each data profile.
},
"tagResources": { # If set, attaches the [tags] (https://cloud.google.com/resource-manager/docs/tags/tags-overview) provided to profiled resources. Tags support [access control](https://cloud.google.com/iam/docs/tags-access-control). You can conditionally grant or deny access to a resource based on whether the resource has a specific tag. # Tags the profiled resources with the specified tag values.
"lowerDataRiskToLow": True or False, # Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
"profileGenerationsToTag": [ # The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
"A String",
],
"tagConditions": [ # The tags to associate with different conditions.
{ # The tag to attach to profiles matching the condition. At most one `TagCondition` can be specified per sensitivity level.
"sensitivityScore": { # Score is calculated from of all elements in the data profile. A higher level means the data is more sensitive. # Conditions attaching the tag to a resource on its profile having this sensitivity score.
"score": "A String", # The sensitivity score applied to the resource.
},
"tag": { # A value of a tag. # The tag value to attach to resources.
"namespacedValue": "A String", # The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod".
},
},
],
},
},
],
"createTime": "A String", # Output only. The creation timestamp of a DiscoveryConfig.
"displayName": "A String", # Display name (max 100 chars)
"errors": [ # Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared.
{ # Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger.
"details": { # The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). # Detailed error codes and messages.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
"message": "A String", # A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
},
"extraInfo": "A String", # Additional information about the error.
"timestamps": [ # The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
"A String",
],
},
],
"inspectTemplates": [ # Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
"A String",
],
"lastRunTime": "A String", # Output only. The timestamp of the last time this config was executed.
"name": "A String", # Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`.
"orgConfig": { # Project and scan location information. Only set when the parent is an org. # Only set when the parent is an org.
"location": { # The location to begin a discovery scan. Denotes an organization ID or folder ID within an organization. # The data to scan: folder, org, or project
"folderId": "A String", # The ID of the folder within an organization to be scanned.
"organizationId": "A String", # The ID of an organization to scan.
},
"projectId": "A String", # The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
},
"otherCloudStartingLocation": { # The other cloud starting location for discovery. # Must be set only when scanning other clouds.
"awsLocation": { # The AWS starting location for discovery. # The AWS starting location for discovery.
"accountId": "A String", # The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
"allAssetInventoryAssets": True or False, # All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs.
},
},
"status": "A String", # Required. A status for this configuration.
"targets": [ # Target to match against for determining what to scan and how frequently.
{ # Target used to match against for Discovery.
"bigQueryTarget": { # Target used to match against for discovery with BigQuery tables # BigQuery target for Discovery. The first target to match a table will be the one applied.
"cadence": { # What must take place for a profile to be updated and how frequently it should occur. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
"schemaModifiedCadence": { # The cadence at which to update data profiles when a schema is modified. # Governs when to update data profiles when a schema is modified.
"frequency": "A String", # How frequently profiles may be updated when schemas are modified. Defaults to monthly.
"types": [ # The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
"A String",
],
},
"tableModifiedCadence": { # The cadence at which to update data profiles when a table is modified. # Governs when to update data profiles when a table is modified.
"frequency": "A String", # How frequently data profiles can be updated when tables are modified. Defaults to never.
"types": [ # The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
"A String",
],
},
},
"conditions": { # Requirements that must be true before a table is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. Additionally, minimum conditions with an OR relationship that must be met before Cloud DLP scans a table can be set (like a minimum row count or a minimum table age). # In addition to matching the filter, these conditions must be true before a profile is generated.
"createdAfter": "A String", # BigQuery table must have been created after this date. Used to avoid backfilling.
"orConditions": { # There is an OR relationship between these attributes. They are used to determine if a table should be scanned or not in Discovery. # At least one of the conditions must be true for a table to be scanned.
"minAge": "A String", # Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
"minRowCount": 42, # Minimum number of rows that should be present before Cloud DLP profiles a table
},
"typeCollection": "A String", # Restrict discovery to categories of table types.
"types": { # The types of BigQuery tables supported by Cloud DLP. # Restrict discovery to specific table types.
"types": [ # A set of BigQuery table types.
"A String",
],
},
},
"disabled": { # Do not profile the tables. # Tables that match this filter will not have profiles created.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, dataset ID, and table ID. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"otherTables": { # Catch-all for all other tables not specified by other filters. Should always be last, except for single-table configurations, which will only have a TableReference target. # Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"tableReference": { # Message defining the location of a BigQuery table with the projectId inferred from the parent project. # The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
"datasetId": "A String", # Dataset ID of the table.
"tableId": "A String", # Name of the table.
},
"tables": { # Specifies a collection of BigQuery tables. Used for Discovery. # A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
"includeRegexes": { # A collection of regular expressions to determine what tables to match against. # A collection of regular expressions to match a BigQuery table against.
"patterns": [ # A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
{ # A pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"datasetIdRegex": "A String", # If unset, this property matches all datasets.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
"tableIdRegex": "A String", # If unset, this property matches all tables.
},
],
},
},
},
},
"cloudSqlTarget": { # Target used to match against for discovery with Cloud SQL tables. # Cloud SQL target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a table is profiled for the first time. # In addition to matching the filter, these conditions must be true before a profile is generated.
"databaseEngines": [ # Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
"A String",
],
"types": [ # Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
"A String",
],
},
"disabled": { # Do not profile the tables. # Disable profiling for database resources that match this filter.
},
"filter": { # Determines what tables will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID, location, instance, database, and database resource name. # Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
"collection": { # Match database resources using regex filters. Examples of database resources are tables, views, and stored procedures. # A specific set of database resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what database resources to match against. # A collection of regular expressions to match a database resource against.
"patterns": [ # A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more database resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"databaseRegex": "A String", # Regex to test the database name against. If empty, all databases match.
"databaseResourceNameRegex": "A String", # Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match.
"instanceRegex": "A String", # Regex to test the instance name against. If empty, all instances match.
"projectIdRegex": "A String", # For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
},
],
},
},
"databaseResourceReference": { # Identifies a single database resource, like a table within a database. # The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
"database": "A String", # Required. Name of a database within the instance.
"databaseResource": "A String", # Required. Name of a database resource, for example, a table within the database.
"instance": "A String", # Required. The instance where this resource is located. For example: Cloud SQL instance ID.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project ID.
},
"others": { # Match database resources not covered by any other filter. # Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing tables should have their profiles refreshed. New tables are scanned as quickly as possible depending on system capacity. # How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
"schemaModifiedCadence": { # How frequently to modify the profile when the table's schema is modified. # When to reprofile if the schema has changed.
"frequency": "A String", # Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
"types": [ # The types of schema modifications to consider. Defaults to NEW_COLUMNS.
"A String",
],
},
},
},
"cloudStorageTarget": { # Target used to match against for discovery with Cloud Storage buckets. # Cloud Storage target for Discovery. The first target to match a table will be the one applied.
"conditions": { # Requirements that must be true before a file store is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"cloudStorageConditions": { # Requirements that must be true before a Cloud Storage bucket or object is scanned in discovery for the first time. There is an AND relationship between the top-level attributes. # Optional. Cloud Storage conditions.
"includedBucketAttributes": [ # Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
"A String",
],
"includedObjectAttributes": [ # Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
"A String",
],
},
"createdAfter": "A String", # Optional. File store must have been created after this date. Used to avoid backfilling.
"minAge": "A String", # Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
},
"disabled": { # Do not profile the tables. # Optional. Disable profiling for buckets that match this filter.
},
"filter": { # Determines which buckets will have profiles generated within an organization or project. Includes the ability to filter by regular expression patterns on project ID and bucket name. # Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
"cloudStorageResourceReference": { # Identifies a single Cloud Storage bucket. # Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization.
"bucketName": "A String", # Required. The bucket to scan.
"projectId": "A String", # Required. If within a project-level config, then this must match the config's project id.
},
"collection": { # Match file stores (e.g. buckets) using regex filters. # Optional. A specific set of buckets for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what file store to match against. # Optional. A collection of regular expressions to match a file store against.
"patterns": [ # Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more file stores.
"cloudStorageRegex": { # A pattern to match against one or more file stores. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. # Optional. Regex for Cloud Storage.
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021
"projectIdRegex": "A String", # Optional. For organizations, if unset, will match all projects.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
},
"generationCadence": { # How often existing buckets should have their profiles refreshed. New buckets are scanned as quickly as possible depending on system capacity. # Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
},
},
"otherCloudTarget": { # Target used to match against for discovery of resources from other clouds. An [AWS connector in Security Command Center (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws) is required to use this feature. # Other clouds target for discovery. The first target to match a resource will be the one applied.
"conditions": { # Requirements that must be true before a resource is profiled for the first time. # Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
"amazonS3BucketConditions": { # Amazon S3 bucket conditions. # Amazon S3 bucket conditions.
"bucketTypes": [ # Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
"A String",
],
"objectStorageClasses": [ # Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
"A String",
],
},
"minAge": "A String", # Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
},
"dataSourceType": { # Message used to identify the type of resource being profiled. # Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket
"dataSource": "A String", # Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket
},
"disabled": { # Do not profile the tables. # Disable profiling for resources that match this filter.
},
"filter": { # Determines which resources from the other cloud will have profiles generated. Includes the ability to filter by resource names. # Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
"collection": { # Match resources using regex filters. # A collection of resources for this filter to apply to.
"includeRegexes": { # A collection of regular expressions to determine what resources to match against. # A collection of regular expressions to match a resource against.
"patterns": [ # A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB.
{ # A pattern to match against one or more resources. At least one pattern must be specified. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.
"amazonS3BucketRegex": { # Amazon S3 bucket regex. # Regex for Amazon S3 buckets.
"awsAccountRegex": { # AWS account regex. # The AWS account regex.
"accountIdRegex": "A String", # Optional. Regex to test the AWS account ID against. If empty, all accounts match.
},
"bucketNameRegex": "A String", # Optional. Regex to test the bucket name against. If empty, all buckets match.
},
},
],
},
},
"others": { # Match discovery resources not covered by any other filter. # Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
},
"singleResource": { # Identifies a single resource, like a single Amazon S3 bucket. # The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
"amazonS3Bucket": { # Amazon S3 bucket. # Amazon S3 bucket.
"awsAccount": { # AWS account. # The AWS account.
"accountId": "A String", # Required. AWS account ID.
},
"bucketName": "A String", # Required. The bucket name.
},
},
},
"generationCadence": { # How often existing resources should have their profiles refreshed. New resources are scanned as quickly as possible depending on system capacity. # How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
"inspectTemplateModifiedCadence": { # The cadence at which to update data profiles when the inspection rules defined by the `InspectTemplate` change. # Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update.
"frequency": "A String", # How frequently data profiles can be updated when the template is modified. Defaults to never.
},
"refreshFrequency": "A String", # Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.
},
},
"secretsTarget": { # Discovery target for credentials and secrets in cloud resource metadata. This target does not include any filtering or frequency controls. Cloud DLP will scan cloud resource metadata for secrets daily. No inspect template should be included in the discovery config for a security benchmarks scan. Instead, the built-in list of secrets and credentials infoTypes will be used (see https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets). Credentials and secrets discovered will be reported as vulnerabilities to Security Command Center. # Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
},
},
],
"updateTime": "A String", # Output only. The last update timestamp of a DiscoveryConfig.
}