Resource
import type { Resource } from "https://googleapis.deno.dev/v1/iap:v1.ts";
§Properties
The proto or JSON formatted expected next state of the resource, wrapped
in a google.protobuf.Any proto, against which the policy rules are
evaluated. Services not integrated with custom org policy can omit this
field. Services integrated with custom org policy must populate this field
for all requests where the API call changes the state of the resource.
Custom org policy backend uses these attributes to enforce custom org
policies. When a proto is wrapped, it is generally the One Platform API
proto. When a JSON string is wrapped, use google.protobuf.StringValue for
the inner value. For create operations, GCP service is expected to pass
resource from customer request as is. For update/patch operations, GCP
service is expected to compute the next state with the patch provided by
the user. See go/custom-constraints-org-policy-integration-guide for
additional details.

The service defined labels of the resource on which the conditions will be
evaluated. The semantics - including the key names - are vague to IAM. If
the effective condition has a reference to a resource.labels[foo]
construct, IAM consults with this map to retrieve the values associated
with foo key for Conditions evaluation. If the provided key is not found
in the labels map, the condition would evaluate to false. This field is in
limited use. If your intended use case is not expected to express
resource.labels attribute in IAM Conditions, leave this field empty. Before
planning on using this attribute please:
* Read go/iam-conditions-labels-comm and ensure your service can meet the data
  availability and management requirements.
* Talk to iam-conditions-eng@ about your use case.

The relative name of the resource, which is the URI path of the
resource without the leading "/". See
https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name
for examples used by other GCP Services. This field is required for
services integrated with resource-attribute-based IAM conditions and/or
CustomOrgPolicy. This field requires special handling for parents-only
permissions such as create and list. See the document linked below for
further details. See go/iam-conditions-sig-g3#populate-resource-attributes
for specific details on populating this field.

The name of the service this resource belongs to. It is configured using
the official_service_name of the Service as defined in service
configurations under //configs/cloud/resourcetypes. For example, the
official_service_name of cloud resource manager service is set as
'cloudresourcemanager.googleapis.com' according to
//configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml. This
field is required for services integrated with resource-attribute-based
IAM conditions and/or CustomOrgPolicy. This field requires special handling
for parents-only permissions such as create and list. See the document
linked below for further details. See
go/iam-conditions-sig-g3#populate-resource-attributes for specific details
on populating this field.

The public resource type name of the resource. It is configured using the
official_name of the ResourceType as defined in service configurations
under //configs/cloud/resourcetypes. For example, the official_name for GCP
projects is set as 'cloudresourcemanager.googleapis.com/Project' according
to //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml.
This field is required for services integrated with
resource-attribute-based IAM conditions and/or CustomOrgPolicy. This field
requires special handling for parents-only permissions such as create and
list. See the document linked below for further details. See
go/iam-conditions-sig-g3#populate-resource-attributes for specific details
on populating this field.