gcp_dlp_discovery_config
actions
Type: UNORDERED_LIST_STRUCT
Provider name: actions
Description: Actions to execute at the completion of scanning.
export_data
Type: STRUCT
Provider name: exportData
Description: Export data profiles into a provided location.
profile_table
Type: STRUCT
Provider name: profileTable
Description: Store all profiles to BigQuery.
* The system will create a new dataset and table for you if none are provided. The dataset will be named sensitive_data_protection_discovery and the table will be named discovery_profiles. This table will be placed in the same project as the container project running the scan. After the first profile is generated and the dataset and table are created, the discovery scan configuration will be updated with the dataset and table names.
* See Analyze data profiles stored in BigQuery.
* See Sample queries for your BigQuery table.
* Data is inserted using streaming insert and so data may be in the buffer for a period of time after the profile has finished.
* The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification.
* The best practice is to use the same table for an entire organization so that you can take advantage of the provided Looker reports. If you use VPC Service Controls to define security perimeters, then you must use a separate table for each boundary.
dataset_id
Type: STRING
Provider name: datasetId
Description: Dataset ID of the table.
project_id
Type: STRING
Provider name: projectId
Description: The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
table_id
Type: STRING
Provider name: tableId
Description: Name of the table.
sample_findings_table
Type: STRUCT
Provider name: sampleFindingsTable
Description: Store sample data profile findings in an existing table or a new table in an existing dataset. Each regeneration will result in new rows in BigQuery. Data is inserted using streaming insert and so data may be in the buffer for a period of time after the profile has finished.
dataset_id
Type: STRING
Provider name: datasetId
Description: Dataset ID of the table.
project_id
Type: STRING
Provider name: projectId
Description: The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call.
table_id
Type: STRING
Provider name: tableId
Description: Name of the table.
pub_sub_notification
Type: STRUCT
Provider name: pubSubNotification
Description: Publish a message into the Pub/Sub topic.
detail_of_message
Type: STRING
Provider name: detailOfMessage
Description: How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).
Possible values:
DETAIL_LEVEL_UNSPECIFIED
- Unused.
TABLE_PROFILE
- The full table data profile.
RESOURCE_NAME
- The name of the profiled resource.
FILE_STORE_PROFILE
- The full file store data profile.
event
Type: STRING
Provider name: event
Description: The type of event that triggers a Pub/Sub. At most one PubSubNotification per EventType is permitted.
Possible values:
EVENT_TYPE_UNSPECIFIED
- Unused.
NEW_PROFILE
- New profile (not a re-profile).
CHANGED_PROFILE
- One of the following profile metrics changed: Data risk score, Sensitivity score, Resource visibility, Encryption type, Predicted infoTypes, Other infoTypes
SCORE_INCREASED
- Table data risk score or sensitivity score increased.
ERROR_CHANGED
- A user (non-internal) error occurred.
pubsub_condition
Type: STRUCT
Provider name: pubsubCondition
Description: Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub.
expressions
Type: STRUCT
Provider name: expressions
Description: An expression.
conditions
Type: UNORDERED_LIST_STRUCT
Provider name: conditions
Description: Conditions to apply to the expression.
minimum_risk_score
Type: STRING
Provider name: minimumRiskScore
Description: The minimum data risk score that triggers the condition.
Possible values:
PROFILE_SCORE_BUCKET_UNSPECIFIED
- Unused.
HIGH
- High risk/sensitivity detected.
MEDIUM_OR_HIGH
- Medium or high risk/sensitivity detected.
minimum_sensitivity_score
Type: STRING
Provider name: minimumSensitivityScore
Description: The minimum sensitivity level that triggers the condition.
Possible values:
PROFILE_SCORE_BUCKET_UNSPECIFIED
- Unused.
HIGH
- High risk/sensitivity detected.
MEDIUM_OR_HIGH
- Medium or high risk/sensitivity detected.
logical_operator
Type: STRING
Provider name: logicalOperator
Description: The operator to apply to the collection of conditions.
Possible values:
LOGICAL_OPERATOR_UNSPECIFIED
- Unused.
OR
- Conditional OR.
AND
- Conditional AND.
topic
Type: STRING
Provider name: topic
Description: Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}.
publish_to_chronicle
Type: STRUCT
Provider name: publishToChronicle
Description: Publishes generated data profiles to Google Security Operations. For more information, see Use Sensitive Data Protection data in context-aware analytics.
publish_to_dataplex_catalog
Type: STRUCT
Provider name: publishToDataplexCatalog
Description: Publishes a portion of each profile to Dataplex Catalog with the aspect type Sensitive Data Protection Profile.
lower_data_risk_to_low
Type: BOOLEAN
Provider name: lowerDataRiskToLow
Description: Whether creating a Dataplex Catalog aspect for a profiled resource should lower the risk of the profile for that resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
publish_to_scc
Type: STRUCT
Provider name: publishToScc
Description: Publishes findings to Security Command Center for each data profile.
tag_resources
Type: STRUCT
Provider name: tagResources
Description: Tags the profiled resources with the specified tag values.
lower_data_risk_to_low
Type: BOOLEAN
Provider name: lowerDataRiskToLow
Description: Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an IAM deny policy, you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles.
profile_generations_to_tag
Type: UNORDERED_LIST_STRING
Provider name: profileGenerationsToTag
Description: The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn’t change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both PROFILE_GENERATION_NEW and PROFILE_GENERATION_UPDATE.
tag_conditions
Type: UNORDERED_LIST_STRUCT
Provider name: tagConditions
Description: The tags to associate with different conditions.
sensitivity_score
Type: STRUCT
Provider name: sensitivityScore
Description: Conditions attaching the tag to a resource on its profile having this sensitivity score.
score
Type: STRING
Provider name: score
Description: The sensitivity score applied to the resource.
Possible values:
SENSITIVITY_SCORE_UNSPECIFIED
- Unused.
SENSITIVITY_LOW
- No sensitive information detected. The resource isn’t publicly accessible.
SENSITIVITY_UNKNOWN
- Unable to determine sensitivity.
SENSITIVITY_MODERATE
- Medium risk. Contains personally identifiable information (PII), potentially sensitive data, or fields with free-text data that are at a higher risk of having intermittent sensitive data. Consider limiting access.
SENSITIVITY_HIGH
- High risk. Sensitive personally identifiable information (SPII) can be present. Exfiltration of data can lead to user data loss. Re-identification of users might be possible. Consider limiting usage and/or removing SPII.
tag
Type: STRUCT
Provider name: tag
Description: The tag value to attach to resources.
namespaced_value
Type: STRING
Provider name: namespacedValue
Description: The namespaced name for the tag value to attach to resources. Must be in the format {parent_id}/{tag_key_short_name}/{short_name}, for example, “123456/environment/prod”.
ancestors
Type: UNORDERED_LIST_STRING
create_time
Type: TIMESTAMP
Provider name: createTime
Description: Output only. The creation timestamp of a DiscoveryConfig.
errors
Type: UNORDERED_LIST_STRUCT
Provider name: errors
Description: Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Returns the last 100 errors. Whenever the config is modified, this list is cleared.
details
Type: STRUCT
Provider name: details
Description: Detailed error codes and messages.
code
Type: INT32
Provider name: code
Description: The status code, which should be an enum value of google.rpc.Code.
message
Type: STRING
Provider name: message
Description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
extra_info
Type: STRING
Provider name: extraInfo
Description: Additional information about the error.
Possible values:
ERROR_INFO_UNSPECIFIED
- Unused.
IMAGE_SCAN_UNAVAILABLE_IN_REGION
- Image scan is not available in the region.
FILE_STORE_CLUSTER_UNSUPPORTED
- File store cluster is not supported for profile generation.
timestamps
Type: UNORDERED_LIST_TIMESTAMP
Provider name: timestamps
Description: The times the error occurred. List includes the oldest timestamp and the last 9 timestamps.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Display name (max 100 chars)
gcp_status
Type: STRING
Provider name: status
Description: Required. A status for this configuration.
Possible values:
STATUS_UNSPECIFIED
- Unused
RUNNING
- The discovery config is currently active.
PAUSED
- The discovery config is paused temporarily.
inspect_templates
Type: UNORDERED_LIST_STRING
Provider name: inspectTemplates
Description: Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including “global”). Each region is scanned using the applicable template. If no region-specific template is specified, but a “global” template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region’s data will not be scanned. For more information, see https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency.
labels
Type: UNORDERED_LIST_STRING
last_run_time
Type: TIMESTAMP
Provider name: lastRunTime
Description: Output only. The timestamp of the last time this config was executed.
name
Type: STRING
Provider name: name
Description: Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example projects/dlp-test-project/locations/global/discoveryConfigs/53234423.
org_config
Type: STRUCT
Provider name: orgConfig
Description: Only set when the parent is an org.
location
Type: STRUCT
Provider name: location
Description: The data to scan: folder, org, or project
folder_id
Type: INT64
Provider name: folderId
Description: The ID of the folder within an organization to be scanned.
organization_id
Type: INT64
Provider name: organizationId
Description: The ID of an organization to scan.
project_id
Type: STRING
Provider name: projectId
Description: The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled.
organization_id
Type: STRING
other_cloud_starting_location
Type: STRUCT
Provider name: otherCloudStartingLocation
Description: Must be set only when scanning other clouds.
aws_location
Type: STRUCT
Provider name: awsLocation
Description: The AWS starting location for discovery.
account_id
Type: STRING
Provider name: accountId
Description: The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
all_asset_inventory_assets
Type: BOOLEAN
Provider name: allAssetInventoryAssets
Description: All AWS assets stored in Asset Inventory that didn’t match other AWS discovery configs.
parent
Type: STRING
processing_location
Type: STRUCT
Provider name: processingLocation
Description: Optional. Processing location configuration. Vertex AI dataset scanning will set processing_location.image_fallback_type to MultiRegionProcessing by default.
document_fallback_location
Type: STRUCT
Provider name: documentFallbackLocation
Description: Document processing falls back using this configuration.
global_processing
Type: STRUCT
Provider name: globalProcessing
Description: Processing occurs in the global region.
multi_region_processing
Type: STRUCT
Provider name: multiRegionProcessing
Description: Processing occurs in a multi-region that contains the current region if available.
image_fallback_location
Type: STRUCT
Provider name: imageFallbackLocation
Description: Image processing falls back using this configuration.
global_processing
Type: STRUCT
Provider name: globalProcessing
Description: Processing occurs in the global region.
multi_region_processing
Type: STRUCT
Provider name: multiRegionProcessing
Description: Processing occurs in a multi-region that contains the current region if available.
project_id
Type: STRING
project_number
Type: STRING
resource_name
Type: STRING
Type: UNORDERED_LIST_STRING
targets
Type: UNORDERED_LIST_STRUCT
Provider name: targets
Description: Target to match against for determining what to scan and how frequently.
big_query_target
Type: STRUCT
Provider name: bigQueryTarget
Description: BigQuery target for Discovery. The first target to match a table will be the one applied.
cadence
Type: STRUCT
Provider name: cadence
Description: How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
inspect_template_modified_cadence
Type: STRUCT
Provider name: inspectTemplateModifiedCadence
Description: Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
refresh_frequency
Type: STRING
Provider name: refreshFrequency
Description: Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
schema_modified_cadence
Type: STRUCT
Provider name: schemaModifiedCadence
Description: Governs when to update data profiles when a schema is modified.
frequency
Type: STRING
Provider name: frequency
Description: How frequently profiles may be updated when schemas are modified. Defaults to monthly.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
types
Type: UNORDERED_LIST_STRING
Provider name: types
Description: The type of events to consider when deciding if the table’s schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS.
table_modified_cadence
Type: STRUCT
Provider name: tableModifiedCadence
Description: Governs when to update data profiles when a table is modified.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when tables are modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
types
Type: UNORDERED_LIST_STRING
Provider name: types
Description: The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP.
conditions
Type: STRUCT
Provider name: conditions
Description: In addition to matching the filter, these conditions must be true before a profile is generated.
created_after
Type: TIMESTAMP
Provider name: createdAfter
Description: BigQuery table must have been created after this date. Used to avoid backfilling.
or_conditions
Type: STRUCT
Provider name: orConditions
Description: At least one of the conditions must be true for a table to be scanned.
min_age
Type: STRING
Provider name: minAge
Description: Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater.
min_row_count
Type: INT32
Provider name: minRowCount
Description: Minimum number of rows that should be present before Cloud DLP profiles a table
type_collection
Type: STRING
Provider name: typeCollection
Description: Restrict discovery to categories of table types.
Possible values:
BIG_QUERY_COLLECTION_UNSPECIFIED
- Unused.
BIG_QUERY_COLLECTION_ALL_TYPES
- Automatically generate profiles for all tables, even if the table type is not yet fully supported for analysis. Profiles for unsupported tables will be generated with errors to indicate their partial support. When full support is added, the tables will automatically be profiled during the next scheduled run.
BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES
- Only those types fully supported will be profiled. Will expand automatically as Cloud DLP adds support for new table types. Unsupported table types will not have partial profiles generated.
types
Type: STRUCT
Provider name: types
Description: Restrict discovery to specific table types.
types
Type: UNORDERED_LIST_STRING
Provider name: types
Description: A set of BigQuery table types.
disabled
Type: STRUCT
Provider name: disabled
Description: Tables that match this filter will not have profiles created.
filter
Type: STRUCT
Provider name: filter
Description: Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
other_tables
Type: STRUCT
Provider name: otherTables
Description: Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
table_reference
Type: STRUCT
Provider name: tableReference
Description: The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference).
dataset_id
Type: STRING
Provider name: datasetId
Description: Dataset ID of the table.
project_id
Type: STRING
Provider name: projectId
Description: The Google Cloud project ID of the project containing the table. If omitted, the project ID is inferred from the parent project. This field is required if the parent resource is an organization.
table_id
Type: STRING
Provider name: tableId
Description: Name of the table.
tables
Type: STRUCT
Provider name: tables
Description: A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID.
include_regexes
Type: STRUCT
Provider name: includeRegexes
Description: A collection of regular expressions to match a BigQuery table against.
patterns
Type: UNORDERED_LIST_STRUCT
Provider name: patterns
Description: A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables.
dataset_id_regex
Type: STRING
Provider name: datasetIdRegex
Description: If unset, this property matches all datasets.
project_id_regex
Type: STRING
Provider name: projectIdRegex
Description: For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project.
table_id_regex
Type: STRING
Provider name: tableIdRegex
Description: If unset, this property matches all tables.
cloud_sql_target
Type: STRUCT
Provider name: cloudSqlTarget
Description: Cloud SQL target for Discovery. The first target to match a table will be the one applied.
conditions
Type: STRUCT
Provider name: conditions
Description: In addition to matching the filter, these conditions must be true before a profile is generated.
database_engines
Type: UNORDERED_LIST_STRING
Provider name: databaseEngines
Description: Optional. Database engines that should be profiled. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified.
types
Type: UNORDERED_LIST_STRING
Provider name: types
Description: Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES].
disabled
Type: STRUCT
Provider name: disabled
Description: Disable profiling for database resources that match this filter.
filter
Type: STRUCT
Provider name: filter
Description: Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table.
collection
Type: STRUCT
Provider name: collection
Description: A specific set of database resources for this filter to apply to.
include_regexes
Type: STRUCT
Provider name: includeRegexes
Description: A collection of regular expressions to match a database resource against.
patterns
Type: UNORDERED_LIST_STRUCT
Provider name: patterns
Description: A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression’s length can’t exceed 10 KiB.
database_regex
Type: STRING
Provider name: databaseRegex
Description: Regex to test the database name against. If empty, all databases match.
database_resource_name_regex
Type: STRING
Provider name: databaseResourceNameRegex
Description: Regex to test the database resource’s name against. An example of a database resource name is a table’s name. Other database resource names like view names could be included in the future. If empty, all database resources match.
instance_regex
Type: STRING
Provider name: instanceRegex
Description: Regex to test the instance name against. If empty, all instances match.
project_id_regex
Type: STRING
Provider name: projectIdRegex
Description: For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
database_resource_reference
Type: STRUCT
Provider name: databaseResourceReference
Description: The database resource to scan. Targets including this can only include one target (the target with this database resource reference).
database
Type: STRING
Provider name: database
Description: Required. Name of a database within the instance.
database_resource
Type: STRING
Provider name: databaseResource
Description: Required. Name of a database resource, for example, a table within the database.
instance
Type: STRING
Provider name: instance
Description: Required. The instance where this resource is located. For example: Cloud SQL instance ID.
project_id
Type: STRING
Provider name: projectId
Description: Required. If within a project-level config, then this must match the config’s project ID.
others
Type: STRUCT
Provider name: others
Description: Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
generation_cadence
Type: STRUCT
Provider name: generationCadence
Description: How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
inspect_template_modified_cadence
Type: STRUCT
Provider name: inspectTemplateModifiedCadence
Description: Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
refresh_frequency
Type: STRING
Provider name: refreshFrequency
Description: Data changes (non-schema changes) in Cloud SQL tables can’t trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
schema_modified_cadence
Type: STRUCT
Provider name: schemaModifiedCadence
Description: When to reprofile if the schema has changed.
frequency
Type: STRING
Provider name: frequency
Description: Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED
- Unspecified.
UPDATE_FREQUENCY_NEVER
- After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY
- The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY
- The data profile can be updated up to once every 30 days. Default.
types
Type: UNORDERED_LIST_STRING
Provider name: types
Description: The types of schema modifications to consider. Defaults to NEW_COLUMNS.
cloud_storage_target
Type: STRUCT
Provider name: cloudStorageTarget
Description: Cloud Storage target for Discovery. The first target to match a table will be the one applied.
conditions
Type: STRUCT
Provider name: conditions
Description: Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
cloud_storage_conditions
Type: STRUCT
Provider name: cloudStorageConditions
Description: Optional. Cloud Storage conditions.
included_bucket_attributes
Type: UNORDERED_LIST_STRING
Provider name: includedBucketAttributes
Description: Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset.
included_object_attributes
Type: UNORDERED_LIST_STRING
Provider name: includedObjectAttributes
Description: Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes.
created_after
Type: TIMESTAMP
Provider name: createdAfter
Description: Optional. File store must have been created after this date. Used to avoid backfilling.
min_age
Type: STRING
Provider name: minAge
Description: Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater.
disabled
Type: STRUCT
Provider name: disabled
Description: Optional. Disable profiling for buckets that match this filter.
filter
Type: STRUCT
Provider name: filter
Description: Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket.
cloud_storage_resource_reference
Type: STRUCT
Provider name: cloudStorageResourceReference
Description: Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many buckets within a project or an organization.
bucket_name
Type: STRING
Provider name: bucketName
Description: Required. The bucket to scan.
project_id
Type: STRING
Provider name: projectId
Description: Required. If within a project-level config, then this must match the config’s project id.
collection
Type: STRUCT
Provider name: collection
Description: Optional. A specific set of buckets for this filter to apply to.
include_regexes
Type: STRUCT
Provider name: includeRegexes
Description: Optional. A collection of regular expressions to match a file store against.
patterns
Type: UNORDERED_LIST_STRUCT
Provider name: patterns
Description: Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression’s length can’t exceed 10 KiB.
cloud_storage_regex
Type: STRUCT
Provider name: cloudStorageRegex
Description: Optional. Regex for Cloud Storage.
bucket_name_regex
Type: STRING
Provider name: bucketNameRegex
Description: Optional. Regex to test the bucket name against. If empty, all buckets match. Example: “marketing2021” or “(marketing)\d{4}” will both match the bucket gs://marketing2021
project_id_regex
Type: STRING
Provider name: projectIdRegex
Description: Optional. For organizations, if unset, will match all projects.
others
Type: STRUCT
Provider name: others
Description: Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
generation_cadence
Type: STRUCT
Provider name: generationCadence
Description: Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
inspect_template_modified_cadence
Type: STRUCT
Provider name: inspectTemplateModifiedCadence
Description: Optional. Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
refresh_frequency
Type: STRING
Provider name: refreshFrequency
Description: Optional. Data changes in Cloud Storage can’t trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
other_cloud_target
Type: STRUCT
Provider name: otherCloudTarget
Description: Other clouds target for discovery. The first target to match a resource will be the one applied.
conditions
Type: STRUCT
Provider name: conditions
Description: Optional. In addition to matching the filter, these conditions must be true before a profile is generated.
amazon_s3_bucket_conditions
Type: STRUCT
Provider name: amazonS3BucketConditions
Description: Amazon S3 bucket conditions.
bucket_types
Type: UNORDERED_LIST_STRING
Provider name: bucketTypes
Description: Optional. Bucket types that should be profiled. Defaults to TYPE_ALL_SUPPORTED if unspecified.
object_storage_classes
Type: UNORDERED_LIST_STRING
Provider name: objectStorageClasses
Description: Optional. Object classes that should be profiled. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
min_age
Type: STRING
Provider name: minAge
Description: Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater.
data_source_type
Type: STRUCT
Provider name: dataSourceType
Description: Required. The type of data profiles generated by this discovery target. Supported values are: aws/s3/bucket.
data_source
Type: STRING
Provider name: dataSource
Description: Output only. An identifying string to the type of resource being profiled. Current values: google/bigquery/table, google/project, google/sql/table, google/gcs/bucket.
disabled
Type: STRUCT
Provider name: disabled
Description: Disable profiling for resources that match this filter.
filter
Type: STRUCT
Provider name: filter
Description: Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource.
collection
Type: STRUCT
Provider name: collection
Description: A collection of resources for this filter to apply to.
include_regexes
Type: STRUCT
Provider name: includeRegexes
Description: A collection of regular expressions to match a resource against.
patterns
Type: UNORDERED_LIST_STRUCT
Provider name: patterns
Description: A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of the lengths of all regular expressions can’t exceed 10 KiB.
amazon_s3_bucket_regex
Type: STRUCT
Provider name: amazonS3BucketRegex
Description: Regex for Amazon S3 buckets.
aws_account_regex
Type: STRUCT
Provider name: awsAccountRegex
Description: The AWS account regex.
account_id_regex
Type: STRING
Provider name: accountIdRegex
Description: Optional. Regex to test the AWS account ID against. If empty, all accounts match.
bucket_name_regex
Type: STRING
Provider name: bucketNameRegex
Description: Optional. Regex to test the bucket name against. If empty, all buckets match.
others
Type: STRUCT
Provider name: others
Description: Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
single_resource
Type: STRUCT
Provider name: singleResource
Description: The resource to scan. Configs using this filter can only have one target (the target with this single resource reference).
amazon_s3_bucket
Type: STRUCT
Provider name: amazonS3Bucket
Description: Amazon S3 bucket.
aws_account
Type: STRUCT
Provider name: awsAccount
Description: The AWS account.
account_id
Type: STRING
Provider name: accountId
Description: Required. AWS account ID.
bucket_name
Type: STRING
Provider name: bucketName
Description: Required. The bucket name.
generation_cadence
Type: STRUCT
Provider name: generationCadence
Description: How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
inspect_template_modified_cadence
Type: STRUCT
Provider name: inspectTemplateModifiedCadence
Description: Optional. Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to update.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
refresh_frequency
Type: STRING
Provider name: refreshFrequency
Description: Optional. Frequency to update profiles regardless of whether the underlying resource has changed. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
secrets_target
Type: STRUCT
Provider name: secretsTarget
Description: Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed.
vertex_dataset_target
Type: STRUCT
Provider name: vertexDatasetTarget
Description: Vertex AI dataset target for Discovery. The first target to match a dataset will be the one applied. Note that discovery for Vertex AI can incur Cloud Storage Class B operation charges for storage.objects.get operations and retrieval fees. For more information, see Cloud Storage pricing. Note that discovery for Vertex AI dataset will not be able to scan images unless DiscoveryConfig.processing_location.image_fallback_location has multi_region_processing or global_processing configured.
conditions
Type: STRUCT
Provider name: conditions
Description: In addition to matching the filter, these conditions must be true before a profile is generated.
created_after
Type: TIMESTAMP
Provider name: createdAfter
Description: Vertex AI dataset must have been created after this date. Used to avoid backfilling.
min_age
Type: STRING
Provider name: minAge
Description: Minimum age a Vertex AI dataset must have. If set, the value must be 1 hour or greater.
disabled
Type: STRUCT
Provider name: disabled
Description: Disable profiling for datasets that match this filter.
filter
Type: STRUCT
Provider name: filter
Description: Required. The datasets the discovery cadence applies to. The first target with a matching filter will be the one to apply to a dataset.
collection
Type: STRUCT
Provider name: collection
Description: A specific set of Vertex AI datasets for this filter to apply to.
vertex_dataset_regexes
Type: STRUCT
Provider name: vertexDatasetRegexes
Description: The regex used to filter dataset resources.
patterns
Type: UNORDERED_LIST_STRUCT
Provider name: patterns
Description: Required. The group of regular expression patterns to match against one or more datasets. Maximum of 100 entries. The sum of the lengths of all regular expressions can’t exceed 10 KiB.
project_id_regex
Type: STRING
Provider name: projectIdRegex
Description: For organizations, if unset, will match all projects. Has no effect for configurations created within a project.
others
Type: STRUCT
Provider name: others
Description: Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically.
vertex_dataset_resource_reference
Type: STRUCT
Provider name: vertexDatasetResourceReference
Description: The dataset resource to scan. Targets including this can only include one target (the target with this dataset resource reference).
dataset_resource_name
Type: STRING
Provider name: datasetResourceName
Description: Required. The name of the dataset resource. If set within a project-level configuration, the specified resource must be within the project.
generation_cadence
Type: STRUCT
Provider name: generationCadence
Description: How often and when to update profiles. New datasets that match both the filter and conditions are scanned as quickly as possible depending on system capacity.
inspect_template_modified_cadence
Type: STRUCT
Provider name: inspectTemplateModifiedCadence
Description: Governs when to update data profiles when the inspection rules defined by the InspectTemplate change. If not set, changing the template will not cause a data profile to be updated.
frequency
Type: STRING
Provider name: frequency
Description: How frequently data profiles can be updated when the template is modified. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
refresh_frequency
Type: STRING
Provider name: refreshFrequency
Description: If you set this field, profiles are refreshed at this frequency regardless of whether the underlying datasets have changed. Defaults to never.
Possible values:
UPDATE_FREQUENCY_UNSPECIFIED - Unspecified.
UPDATE_FREQUENCY_NEVER - After the data profile is created, it will never be updated.
UPDATE_FREQUENCY_DAILY - The data profile can be updated up to once every 24 hours.
UPDATE_FREQUENCY_MONTHLY - The data profile can be updated up to once every 30 days. Default.
update_time
Type: TIMESTAMP
Provider name: updateTime
Description: Output only. The last update timestamp of a DiscoveryConfig.