@@ -4811,6 +4811,18 @@ message InspectJobConfig {
48114811 repeated Action actions = 4 ;
48124812}
48134813
4814+ // Whether a profile being created is the first generation or an update.
4815+ enum ProfileGeneration {
4816+ // Unused.
4817+ PROFILE_GENERATION_UNSPECIFIED = 0 ;
4818+
4819+ // The profile is the first profile for the resource.
4820+ PROFILE_GENERATION_NEW = 1 ;
4821+
4822+ // The profile is an update to a previous profile.
4823+ PROFILE_GENERATION_UPDATE = 2 ;
4824+ }
4825+
48144826// A task to execute when a data profile has been generated.
48154827message DataProfileAction {
48164828 // If set, the detailed data profiles will be persisted to the location
@@ -4885,13 +4897,70 @@ message DataProfileAction {
48854897 ERROR_CHANGED = 4 ;
48864898 }
48874899
4900+ // If set, attaches the [tags]
4901+ // (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
4902+ // provided to profiled resources. Tags support [access
4903+ // control](https://cloud.google.com/iam/docs/tags-access-control). You can
4904+ // conditionally grant or deny access to a resource based on whether the
4905+ // resource has a specific tag.
4906+ message TagResources {
4907+ // The tag to attach to profiles matching the condition. At most one
4908+ // `TagCondition` can be specified per sensitivity level.
4909+ message TagCondition {
4910+ // The tag value to attach to resources.
4911+ TagValue tag = 1 ;
4912+
4913+ // The type of condition on which attaching the tag will be predicated.
4914+ oneof type {
4915+ // Conditions attaching the tag to a resource on its profile having this
4916+ // sensitivity score.
4917+ SensitivityScore sensitivity_score = 2 ;
4918+ }
4919+ }
4920+
4921+ // A value of a tag.
4922+ message TagValue {
4923+ // The format of the tag value.
4924+ oneof format {
4925+ // The namespaced name for the tag value to attach to resources. Must be
4926+ // in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for
4927+ // example, "123456/environment/prod".
4928+ string namespaced_value = 1 ;
4929+ }
4930+ }
4931+
4932+ // The tags to associate with different conditions.
4933+ repeated TagCondition tag_conditions = 1 ;
4934+
4935+ // The profile generations for which the tag should be attached to
4936+ // resources. If you attach a tag to only new profiles, then if the
4937+ // sensitivity score of a profile subsequently changes, its tag doesn't
4938+ // change. By default, this field includes only new profiles. To include
4939+ // both new and updated profiles for tagging, this field should explicitly
4940+ // include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
4941+ repeated ProfileGeneration profile_generations_to_tag = 2 ;
4942+
4943+ // Whether applying a tag to a resource should lower the risk of the profile
4944+ // for that resource. For example, in conjunction with an [IAM deny
4945+ // policy](https://cloud.google.com/iam/docs/deny-overview), you can deny
4946+ // all principals a permission if a tag value is present, mitigating the
4947+ // risk of the resource. This also lowers the data risk of resources at the
4948+ // lower levels of the resource hierarchy. For example, reducing the data
4949+ // risk of a table data profile also reduces the data risk of the
4950+ // constituent column data profiles.
4951+ bool lower_data_risk_to_low = 3 ;
4952+ }
4953+
48884954 // Type of action to execute when a profile is generated.
48894955 oneof action {
48904956 // Export data profiles into a provided location.
48914957 Export export_data = 1 ;
48924958
48934959 // Publish a message into the Pub/Sub topic.
48944960 PubSubNotification pub_sub_notification = 2 ;
4961+
4962+ // Tags the profiled resources with the specified tag values.
4963+ TagResources tag_resources = 8 ;
48954964 }
48964965}
48974966
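Review bot: The comment on `lower_data_risk_to_low` in `TagResources` ties the risk reduction to the tag being applied, but a tag restricts nothing by itself. In the comment's own example the protection comes from an IAM deny policy that is configured separately, and the hunk does not say whether the service checks that such a policy exists. A reader could therefore enable the flag without one and get profiles that report low data risk for resources that are still broadly accessible. I would add a sentence such as `// Setting this field does not restrict access by itself; pair it with an IAM policy conditioned on the tag value.` It would also help to document the interaction with `profile_generations_to_tag`: with the default of new profiles only, the tag is not changed when the sensitivity score changes, and the comment leaves open whether the lowered risk then stays in place on a stale tag.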