--- title: Getting Started with Datadog description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog --- # gcp_dlp_discovery_config{% #gcp_dlp_discovery_config %} ## `actions`{% #actions %} **Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `actions`**Description**: Actions to execute at the completion of scanning. - `export_data`**Type**: `STRUCT`**Provider name**: `exportData`**Description**: Export data profiles into a provided location. - `profile_table`**Type**: `STRUCT`**Provider name**: `profileTable`**Description**: Store all profiles to BigQuery. * The system will create a new dataset and table for you if none are are provided. The dataset will be named `sensitive_data_protection_discovery` and table will be named `discovery_profiles`. This table will be placed in the same project as the container project running the scan. After the first profile is generated and the dataset and table are created, the discovery scan configuration will be updated with the dataset and table names. * See [Analyze data profiles stored in BigQuery](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles). * See [Sample queries for your BigQuery table](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#sample_sql_queries). * Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. * The Pub/Sub notification is sent before the streaming buffer is guaranteed to be written, so data may not be instantly visible to queries by the time your topic receives the Pub/Sub notification. * The best practice is to use the same table for an entire organization so that you can take advantage of the [provided Looker reports](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#use_a_premade_report). If you use VPC Service Controls to define security perimeters, then you must use a separate table for each boundary. - `dataset_id`**Type**: `STRING`**Provider name**: `datasetId`**Description**: Dataset ID of the table. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call. - `table_id`**Type**: `STRING`**Provider name**: `tableId`**Description**: Name of the table. - `sample_findings_table`**Type**: `STRUCT`**Provider name**: `sampleFindingsTable`**Description**: Store sample data profile findings in an existing table or a new table in an existing dataset. Each regeneration will result in new rows in BigQuery. Data is inserted using [streaming insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert) and so data may be in the buffer for a period of time after the profile has finished. - `dataset_id`**Type**: `STRING`**Provider name**: `datasetId`**Description**: Dataset ID of the table. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: The Google Cloud project ID of the project containing the table. If omitted, project ID is inferred from the API call. - `table_id`**Type**: `STRING`**Provider name**: `tableId`**Description**: Name of the table. - `pub_sub_notification`**Type**: `STRUCT`**Provider name**: `pubSubNotification`**Description**: Publish a message into the Pub/Sub topic. - `detail_of_message`**Type**: `STRING`**Provider name**: `detailOfMessage`**Description**: How much data to include in the Pub/Sub message. If the user wishes to limit the size of the message, they can use resource_name and fetch the profile fields they wish to. Per table profile (not per column).**Possible values**: - `DETAIL_LEVEL_UNSPECIFIED` - Unused. - `TABLE_PROFILE` - The full table data profile. - `RESOURCE_NAME` - The name of the profiled resource. - `FILE_STORE_PROFILE` - The full file store data profile. - `event`**Type**: `STRING`**Provider name**: `event`**Description**: The type of event that triggers a Pub/Sub. At most one `PubSubNotification` per EventType is permitted.**Possible values**: - `EVENT_TYPE_UNSPECIFIED` - Unused. - `NEW_PROFILE` - New profile (not a re-profile). - `CHANGED_PROFILE` - One of the following profile metrics changed: Data risk score, Sensitivity score, Resource visibility, Encryption type, Predicted infoTypes, Other infoTypes - `SCORE_INCREASED` - Table data risk score or sensitivity score increased. - `ERROR_CHANGED` - A user (non-internal) error occurred. - `pubsub_condition`**Type**: `STRUCT`**Provider name**: `pubsubCondition`**Description**: Conditions (e.g., data risk or sensitivity level) for triggering a Pub/Sub. - `expressions`**Type**: `STRUCT`**Provider name**: `expressions`**Description**: An expression. - `conditions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `conditions`**Description**: Conditions to apply to the expression. - `minimum_risk_score`**Type**: `STRING`**Provider name**: `minimumRiskScore`**Description**: The minimum data risk score that triggers the condition.**Possible values**: - `PROFILE_SCORE_BUCKET_UNSPECIFIED` - Unused. - `HIGH` - High risk/sensitivity detected. - `MEDIUM_OR_HIGH` - Medium or high risk/sensitivity detected. - `minimum_sensitivity_score`**Type**: `STRING`**Provider name**: `minimumSensitivityScore`**Description**: The minimum sensitivity level that triggers the condition.**Possible values**: - `PROFILE_SCORE_BUCKET_UNSPECIFIED` - Unused. - `HIGH` - High risk/sensitivity detected. - `MEDIUM_OR_HIGH` - Medium or high risk/sensitivity detected. - `logical_operator`**Type**: `STRING`**Provider name**: `logicalOperator`**Description**: The operator to apply to the collection of conditions.**Possible values**: - `LOGICAL_OPERATOR_UNSPECIFIED` - Unused. - `OR` - Conditional OR. - `AND` - Conditional AND. - `topic`**Type**: `STRING`**Provider name**: `topic`**Description**: Cloud Pub/Sub topic to send notifications to. Format is projects/{project}/topics/{topic}. - `publish_to_chronicle`**Type**: `STRUCT`**Provider name**: `publishToChronicle`**Description**: Publishes generated data profiles to Google Security Operations. For more information, see [Use Sensitive Data Protection data in context-aware analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download). - `publish_to_dataplex_catalog`**Type**: `STRUCT`**Provider name**: `publishToDataplexCatalog`**Description**: Publishes a portion of each profile to Dataplex Catalog with the aspect type Sensitive Data Protection Profile. - `lower_data_risk_to_low`**Type**: `BOOLEAN`**Provider name**: `lowerDataRiskToLow`**Description**: Whether creating a Dataplex Catalog aspect for a profiled resource should lower the risk of the profile for that resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles. - `publish_to_scc`**Type**: `STRUCT`**Provider name**: `publishToScc`**Description**: Publishes findings to Security Command Center for each data profile. - `tag_resources`**Type**: `STRUCT`**Provider name**: `tagResources`**Description**: Tags the profiled resources with the specified tag values. - `lower_data_risk_to_low`**Type**: `BOOLEAN`**Provider name**: `lowerDataRiskToLow`**Description**: Whether applying a tag to a resource should lower the risk of the profile for that resource. For example, in conjunction with an [IAM deny policy](https://cloud.google.com/iam/docs/deny-overview), you can deny all principals a permission if a tag value is present, mitigating the risk of the resource. This also lowers the data risk of resources at the lower levels of the resource hierarchy. For example, reducing the data risk of a table data profile also reduces the data risk of the constituent column data profiles. - `profile_generations_to_tag`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `profileGenerationsToTag`**Description**: The profile generations for which the tag should be attached to resources. If you attach a tag to only new profiles, then if the sensitivity score of a profile subsequently changes, its tag doesn't change. By default, this field includes only new profiles. To include both new and updated profiles for tagging, this field should explicitly include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`. - `tag_conditions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `tagConditions`**Description**: The tags to associate with different conditions. - `sensitivity_score`**Type**: `STRUCT`**Provider name**: `sensitivityScore`**Description**: Conditions attaching the tag to a resource on its profile having this sensitivity score. - `score`**Type**: `STRING`**Provider name**: `score`**Description**: The sensitivity score applied to the resource.**Possible values**: - `SENSITIVITY_SCORE_UNSPECIFIED` - Unused. - `SENSITIVITY_LOW` - No sensitive information detected. The resource isn't publicly accessible. - `SENSITIVITY_UNKNOWN` - Unable to determine sensitivity. - `SENSITIVITY_MODERATE` - Medium risk. Contains personally identifiable information (PII), potentially sensitive data, or fields with free-text data that are at a higher risk of having intermittent sensitive data. Consider limiting access. - `SENSITIVITY_HIGH` - High risk. Sensitive personally identifiable information (SPII) can be present. Exfiltration of data can lead to user data loss. Re-identification of users might be possible. Consider limiting usage and or removing SPII. - `tag`**Type**: `STRUCT`**Provider name**: `tag`**Description**: The tag value to attach to resources. - `namespaced_value`**Type**: `STRING`**Provider name**: `namespacedValue`**Description**: The namespaced name for the tag value to attach to resources. Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for example, "123456/environment/prod". ## `ancestors`{% #ancestors %} **Type**: `UNORDERED_LIST_STRING` ## `create_time`{% #create_time %} **Type**: `TIMESTAMP`**Provider name**: `createTime`**Description**: Output only. The creation timestamp of a DiscoveryConfig. ## `errors`{% #errors %} **Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `errors`**Description**: Output only. A stream of errors encountered when the config was activated. Repeated errors may result in the config automatically being paused. Output only field. Will return the last 100 errors. Whenever the config is modified this list will be cleared. - `details`**Type**: `STRUCT`**Provider name**: `details`**Description**: Detailed error codes and messages. - `code`**Type**: `INT32`**Provider name**: `code`**Description**: The status code, which should be an enum value of google.rpc.Code. - `message`**Type**: `STRING`**Provider name**: `message`**Description**: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - `extra_info`**Type**: `STRING`**Provider name**: `extraInfo`**Description**: Additional information about the error.**Possible values**: - `ERROR_INFO_UNSPECIFIED` - Unused. - `IMAGE_SCAN_UNAVAILABLE_IN_REGION` - Image scan is not available in the region. - `FILE_STORE_CLUSTER_UNSUPPORTED` - File store cluster is not supported for profile generation. - `timestamps`**Type**: `UNORDERED_LIST_TIMESTAMP`**Provider name**: `timestamps`**Description**: The times the error occurred. List includes the oldest timestamp and the last 9 timestamps. ## `gcp_display_name`{% #gcp_display_name %} **Type**: `STRING`**Provider name**: `displayName`**Description**: Display name (max 100 chars) ## `gcp_status`{% #gcp_status %} **Type**: `STRING`**Provider name**: `status`**Description**: Required. A status for this configuration.**Possible values**: - `STATUS_UNSPECIFIED` - Unused - `RUNNING` - The discovery config is currently active. - `PAUSED` - The discovery config is paused temporarily. ## `inspect_templates`{% #inspect_templates %} **Type**: `UNORDERED_LIST_STRING`**Provider name**: `inspectTemplates`**Description**: Detection logic for profile generation. Not all template features are used by Discovery. FindingLimits, include_quote and exclude_info_types have no impact on Discovery. Multiple templates may be provided if there is data in multiple regions. At most one template must be specified per-region (including "global"). Each region is scanned using the applicable template. If no region-specific template is specified, but a "global" template is specified, it will be copied to that region and used instead. If no global or region-specific template is provided for a region with data, that region's data will not be scanned. For more information, see [https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency](https://cloud.google.com/sensitive-data-protection/docs/data-profiles#data-residency). ## `labels`{% #labels %} **Type**: `UNORDERED_LIST_STRING` ## `last_run_time`{% #last_run_time %} **Type**: `TIMESTAMP`**Provider name**: `lastRunTime`**Description**: Output only. The timestamp of the last time this config was executed. ## `name`{% #name %} **Type**: `STRING`**Provider name**: `name`**Description**: Unique resource name for the DiscoveryConfig, assigned by the service when the DiscoveryConfig is created, for example `projects/dlp-test-project/locations/global/discoveryConfigs/53234423`. ## `org_config`{% #org_config %} **Type**: `STRUCT`**Provider name**: `orgConfig`**Description**: Only set when the parent is an org. - `location`**Type**: `STRUCT`**Provider name**: `location`**Description**: The data to scan: folder, org, or project - `folder_id`**Type**: `INT64`**Provider name**: `folderId`**Description**: The ID of the folder within an organization to be scanned. - `organization_id`**Type**: `INT64`**Provider name**: `organizationId`**Description**: The ID of an organization to scan. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: The project that will run the scan. The DLP service account that exists within this project must have access to all resources that are profiled, and the DLP API must be enabled. ## `organization_id`{% #organization_id %} **Type**: `STRING` ## `other_cloud_starting_location`{% #other_cloud_starting_location %} **Type**: `STRUCT`**Provider name**: `otherCloudStartingLocation`**Description**: Must be set only when scanning other clouds. - `aws_location`**Type**: `STRUCT`**Provider name**: `awsLocation`**Description**: The AWS starting location for discovery. - `account_id`**Type**: `STRING`**Provider name**: `accountId`**Description**: The AWS account ID that this discovery config applies to. Within an AWS organization, you can find the AWS account ID inside an AWS account ARN. Example: arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id} - `all_asset_inventory_assets`**Type**: `BOOLEAN`**Provider name**: `allAssetInventoryAssets`**Description**: All AWS assets stored in Asset Inventory that didn't match other AWS discovery configs. ## `parent`{% #parent %} **Type**: `STRING` ## `processing_location`{% #processing_location %} **Type**: `STRUCT`**Provider name**: `processingLocation`**Description**: Optional. Processing location configuration. Vertex AI dataset scanning will set processing_location.image_fallback_type to MultiRegionProcessing by default. - `document_fallback_location`**Type**: `STRUCT`**Provider name**: `documentFallbackLocation`**Description**: Document processing falls back using this configuration. - `global_processing`**Type**: `STRUCT`**Provider name**: `globalProcessing`**Description**: Processing occurs in the global region. - `multi_region_processing`**Type**: `STRUCT`**Provider name**: `multiRegionProcessing`**Description**: Processing occurs in a multi-region that contains the current region if available. - `image_fallback_location`**Type**: `STRUCT`**Provider name**: `imageFallbackLocation`**Description**: Image processing falls back using this configuration. - `global_processing`**Type**: `STRUCT`**Provider name**: `globalProcessing`**Description**: Processing occurs in the global region. - `multi_region_processing`**Type**: `STRUCT`**Provider name**: `multiRegionProcessing`**Description**: Processing occurs in a multi-region that contains the current region if available. ## `project_id`{% #project_id %} **Type**: `STRING` ## `project_number`{% #project_number %} **Type**: `STRING` ## `region_id`{% #region_id %} **Type**: `STRING` ## `resource_name`{% #resource_name %} **Type**: `STRING` ## `tags`{% #tags %} **Type**: `UNORDERED_LIST_STRING` ## `targets`{% #targets %} **Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `targets`**Description**: Target to match against for determining what to scan and how frequently. - `big_query_target`**Type**: `STRUCT`**Provider name**: `bigQueryTarget`**Description**: BigQuery target for Discovery. The first target to match a table will be the one applied. - `cadence`**Type**: `STRUCT`**Provider name**: `cadence`**Description**: How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity. - `inspect_template_modified_cadence`**Type**: `STRUCT`**Provider name**: `inspectTemplateModifiedCadence`**Description**: Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when the template is modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `refresh_frequency`**Type**: `STRING`**Provider name**: `refreshFrequency`**Description**: Frequency at which profiles should be updated, regardless of whether the underlying resource has changed. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `schema_modified_cadence`**Type**: `STRUCT`**Provider name**: `schemaModifiedCadence`**Description**: Governs when to update data profiles when a schema is modified. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently profiles may be updated when schemas are modified. Defaults to monthly.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `types`**Description**: The type of events to consider when deciding if the table's schema has been modified and should have the profile updated. Defaults to NEW_COLUMNS. - `table_modified_cadence`**Type**: `STRUCT`**Provider name**: `tableModifiedCadence`**Description**: Governs when to update data profiles when a table is modified. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when tables are modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `types`**Description**: The type of events to consider when deciding if the table has been modified and should have the profile updated. Defaults to MODIFIED_TIMESTAMP. - `conditions`**Type**: `STRUCT`**Provider name**: `conditions`**Description**: In addition to matching the filter, these conditions must be true before a profile is generated. - `created_after`**Type**: `TIMESTAMP`**Provider name**: `createdAfter`**Description**: BigQuery table must have been created after this date. Used to avoid backfilling. - `or_conditions`**Type**: `STRUCT`**Provider name**: `orConditions`**Description**: At least one of the conditions must be true for a table to be scanned. - `min_age`**Type**: `STRING`**Provider name**: `minAge`**Description**: Minimum age a table must have before Cloud DLP can profile it. Value must be 1 hour or greater. - `min_row_count`**Type**: `INT32`**Provider name**: `minRowCount`**Description**: Minimum number of rows that should be present before Cloud DLP profiles a table - `type_collection`**Type**: `STRING`**Provider name**: `typeCollection`**Description**: Restrict discovery to categories of table types.**Possible values**: - `BIG_QUERY_COLLECTION_UNSPECIFIED` - Unused. - `BIG_QUERY_COLLECTION_ALL_TYPES` - Automatically generate profiles for all tables, even if the table type is not yet fully supported for analysis. Profiles for unsupported tables will be generated with errors to indicate their partial support. When full support is added, the tables will automatically be profiled during the next scheduled run. - `BIG_QUERY_COLLECTION_ONLY_SUPPORTED_TYPES` - Only those types fully supported will be profiled. Will expand automatically as Cloud DLP adds support for new table types. Unsupported table types will not have partial profiles generated. - `types`**Type**: `STRUCT`**Provider name**: `types`**Description**: Restrict discovery to specific table types. - `types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `types`**Description**: A set of BigQuery table types. - `disabled`**Type**: `STRUCT`**Provider name**: `disabled`**Description**: Tables that match this filter will not have profiles created. - `filter`**Type**: `STRUCT`**Provider name**: `filter`**Description**: Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table. - `other_tables`**Type**: `STRUCT`**Provider name**: `otherTables`**Description**: Catch-all. This should always be the last filter in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically. - `table_reference`**Type**: `STRUCT`**Provider name**: `tableReference`**Description**: The table to scan. Discovery configurations including this can only include one DiscoveryTarget (the DiscoveryTarget with this TableReference). - `dataset_id`**Type**: `STRING`**Provider name**: `datasetId`**Description**: Dataset ID of the table. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: The Google Cloud project ID of the project containing the table. If omitted, the project ID is inferred from the parent project. This field is required if the parent resource is an organization. - `table_id`**Type**: `STRING`**Provider name**: `tableId`**Description**: Name of the table. - `tables`**Type**: `STRUCT`**Provider name**: `tables`**Description**: A specific set of tables for this filter to apply to. A table collection must be specified in only one filter per config. If a table id or dataset is empty, Cloud DLP assumes all tables in that collection must be profiled. Must specify a project ID. - `include_regexes`**Type**: `STRUCT`**Provider name**: `includeRegexes`**Description**: A collection of regular expressions to match a BigQuery table against. - `patterns`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `patterns`**Description**: A single BigQuery regular expression pattern to match against one or more tables, datasets, or projects that contain BigQuery tables. - `dataset_id_regex`**Type**: `STRING`**Provider name**: `datasetIdRegex`**Description**: If unset, this property matches all datasets. - `project_id_regex`**Type**: `STRING`**Provider name**: `projectIdRegex`**Description**: For organizations, if unset, will match all projects. Has no effect for data profile configurations created within a project. - `table_id_regex`**Type**: `STRING`**Provider name**: `tableIdRegex`**Description**: If unset, this property matches all tables. - `cloud_sql_target`**Type**: `STRUCT`**Provider name**: `cloudSqlTarget`**Description**: Cloud SQL target for Discovery. The first target to match a table will be the one applied. - `conditions`**Type**: `STRUCT`**Provider name**: `conditions`**Description**: In addition to matching the filter, these conditions must be true before a profile is generated. - `database_engines`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `databaseEngines`**Description**: Optional. Database engines that should be profiled. Optional. Defaults to ALL_SUPPORTED_DATABASE_ENGINES if unspecified. - `types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `types`**Description**: Data profiles will only be generated for the database resource types specified in this field. If not specified, defaults to [DATABASE_RESOURCE_TYPE_ALL_SUPPORTED_TYPES]. - `disabled`**Type**: `STRUCT`**Provider name**: `disabled`**Description**: Disable profiling for database resources that match this filter. - `filter`**Type**: `STRUCT`**Provider name**: `filter`**Description**: Required. The tables the discovery cadence applies to. The first target with a matching filter will be the one to apply to a table. - `collection`**Type**: `STRUCT`**Provider name**: `collection`**Description**: A specific set of database resources for this filter to apply to. - `include_regexes`**Type**: `STRUCT`**Provider name**: `includeRegexes`**Description**: A collection of regular expressions to match a database resource against. - `patterns`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `patterns`**Description**: A group of regular expression patterns to match against one or more database resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB. - `database_regex`**Type**: `STRING`**Provider name**: `databaseRegex`**Description**: Regex to test the database name against. If empty, all databases match. - `database_resource_name_regex`**Type**: `STRING`**Provider name**: `databaseResourceNameRegex`**Description**: Regex to test the database resource's name against. An example of a database resource name is a table's name. Other database resource names like view names could be included in the future. If empty, all database resources match. - `instance_regex`**Type**: `STRING`**Provider name**: `instanceRegex`**Description**: Regex to test the instance name against. If empty, all instances match. - `project_id_regex`**Type**: `STRING`**Provider name**: `projectIdRegex`**Description**: For organizations, if unset, will match all projects. Has no effect for configurations created within a project. - `database_resource_reference`**Type**: `STRUCT`**Provider name**: `databaseResourceReference`**Description**: The database resource to scan. Targets including this can only include one target (the target with this database resource reference). - `database`**Type**: `STRING`**Provider name**: `database`**Description**: Required. Name of a database within the instance. - `database_resource`**Type**: `STRING`**Provider name**: `databaseResource`**Description**: Required. Name of a database resource, for example, a table within the database. - `instance`**Type**: `STRING`**Provider name**: `instance`**Description**: Required. The instance where this resource is located. For example: Cloud SQL instance ID. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: Required. If within a project-level config, then this must match the config's project ID. - `others`**Type**: `STRUCT`**Provider name**: `others`**Description**: Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically. - `generation_cadence`**Type**: `STRUCT`**Provider name**: `generationCadence`**Description**: How often and when to update profiles. New tables that match both the filter and conditions are scanned as quickly as possible depending on system capacity. - `inspect_template_modified_cadence`**Type**: `STRUCT`**Provider name**: `inspectTemplateModifiedCadence`**Description**: Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when the template is modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `refresh_frequency`**Type**: `STRING`**Provider name**: `refreshFrequency`**Description**: Data changes (non-schema changes) in Cloud SQL tables can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying tables have changed. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `schema_modified_cadence`**Type**: `STRUCT`**Provider name**: `schemaModifiedCadence`**Description**: When to reprofile if the schema has changed. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: Frequency to regenerate data profiles when the schema is modified. Defaults to monthly.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `types`**Description**: The types of schema modifications to consider. Defaults to NEW_COLUMNS. - `cloud_storage_target`**Type**: `STRUCT`**Provider name**: `cloudStorageTarget`**Description**: Cloud Storage target for Discovery. The first target to match a table will be the one applied. - `conditions`**Type**: `STRUCT`**Provider name**: `conditions`**Description**: Optional. In addition to matching the filter, these conditions must be true before a profile is generated. - `cloud_storage_conditions`**Type**: `STRUCT`**Provider name**: `cloudStorageConditions`**Description**: Optional. Cloud Storage conditions. - `included_bucket_attributes`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `includedBucketAttributes`**Description**: Required. Only objects with the specified attributes will be scanned. Defaults to [ALL_SUPPORTED_BUCKETS] if unset. - `included_object_attributes`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `includedObjectAttributes`**Description**: Required. Only objects with the specified attributes will be scanned. If an object has one of the specified attributes but is inside an excluded bucket, it will not be scanned. Defaults to [ALL_SUPPORTED_OBJECTS]. A profile will be created even if no objects match the included_object_attributes. - `created_after`**Type**: `TIMESTAMP`**Provider name**: `createdAfter`**Description**: Optional. File store must have been created after this date. Used to avoid backfilling. - `min_age`**Type**: `STRING`**Provider name**: `minAge`**Description**: Optional. Minimum age a file store must have. If set, the value must be 1 hour or greater. - `disabled`**Type**: `STRUCT`**Provider name**: `disabled`**Description**: Optional. Disable profiling for buckets that match this filter. - `filter`**Type**: `STRUCT`**Provider name**: `filter`**Description**: Required. The buckets the generation_cadence applies to. The first target with a matching filter will be the one to apply to a bucket. - `cloud_storage_resource_reference`**Type**: `STRUCT`**Provider name**: `cloudStorageResourceReference`**Description**: Optional. The bucket to scan. Targets including this can only include one target (the target with this bucket). This enables profiling the contents of a single bucket, while the other options allow for easy profiling of many bucets within a project or an organization. - `bucket_name`**Type**: `STRING`**Provider name**: `bucketName`**Description**: Required. The bucket to scan. - `project_id`**Type**: `STRING`**Provider name**: `projectId`**Description**: Required. If within a project-level config, then this must match the config's project id. - `collection`**Type**: `STRUCT`**Provider name**: `collection`**Description**: Optional. A specific set of buckets for this filter to apply to. - `include_regexes`**Type**: `STRUCT`**Provider name**: `includeRegexes`**Description**: Optional. A collection of regular expressions to match a file store against. - `patterns`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `patterns`**Description**: Required. The group of regular expression patterns to match against one or more file stores. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB. - `cloud_storage_regex`**Type**: `STRUCT`**Provider name**: `cloudStorageRegex`**Description**: Optional. Regex for Cloud Storage. - `bucket_name_regex`**Type**: `STRING`**Provider name**: `bucketNameRegex`**Description**: Optional. Regex to test the bucket name against. If empty, all buckets match. Example: "marketing2021" or "(marketing)\d{4}" will both match the bucket gs://marketing2021 - `project_id_regex`**Type**: `STRING`**Provider name**: `projectIdRegex`**Description**: Optional. For organizations, if unset, will match all projects. - `others`**Type**: `STRUCT`**Provider name**: `others`**Description**: Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically. - `generation_cadence`**Type**: `STRUCT`**Provider name**: `generationCadence`**Description**: Optional. How often and when to update profiles. New buckets that match both the filter and conditions are scanned as quickly as possible depending on system capacity. - `inspect_template_modified_cadence`**Type**: `STRUCT`**Provider name**: `inspectTemplateModifiedCadence`**Description**: Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when the template is modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `refresh_frequency`**Type**: `STRING`**Provider name**: `refreshFrequency`**Description**: Optional. Data changes in Cloud Storage can't trigger reprofiling. If you set this field, profiles are refreshed at this frequency regardless of whether the underlying buckets have changed. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `other_cloud_target`**Type**: `STRUCT`**Provider name**: `otherCloudTarget`**Description**: Other clouds target for discovery. The first target to match a resource will be the one applied. - `conditions`**Type**: `STRUCT`**Provider name**: `conditions`**Description**: Optional. In addition to matching the filter, these conditions must be true before a profile is generated. - `amazon_s3_bucket_conditions`**Type**: `STRUCT`**Provider name**: `amazonS3BucketConditions`**Description**: Amazon S3 bucket conditions. - `bucket_types`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `bucketTypes`**Description**: Optional. Bucket types that should be profiled. Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified. - `object_storage_classes`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `objectStorageClasses`**Description**: Optional. Object classes that should be profiled. Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified. - `min_age`**Type**: `STRING`**Provider name**: `minAge`**Description**: Minimum age a resource must be before Cloud DLP can profile it. Value must be 1 hour or greater. - `data_source_type`**Type**: `STRUCT`**Provider name**: `dataSourceType`**Description**: Required. The type of data profiles generated by this discovery target. Supported values are: * aws/s3/bucket - `data_source`**Type**: `STRING`**Provider name**: `dataSource`**Description**: Output only. An identifying string to the type of resource being profiled. Current values: * google/bigquery/table * google/project * google/sql/table * google/gcs/bucket - `disabled`**Type**: `STRUCT`**Provider name**: `disabled`**Description**: Disable profiling for resources that match this filter. - `filter`**Type**: `STRUCT`**Provider name**: `filter`**Description**: Required. The resources that the discovery cadence applies to. The first target with a matching filter will be the one to apply to a resource. - `collection`**Type**: `STRUCT`**Provider name**: `collection`**Description**: A collection of resources for this filter to apply to. - `include_regexes`**Type**: `STRUCT`**Provider name**: `includeRegexes`**Description**: A collection of regular expressions to match a resource against. - `patterns`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `patterns`**Description**: A group of regular expression patterns to match against one or more resources. Maximum of 100 entries. The sum of all regular expression's length can't exceed 10 KiB. - `amazon_s3_bucket_regex`**Type**: `STRUCT`**Provider name**: `amazonS3BucketRegex`**Description**: Regex for Amazon S3 buckets. - `aws_account_regex`**Type**: `STRUCT`**Provider name**: `awsAccountRegex`**Description**: The AWS account regex. - `account_id_regex`**Type**: `STRING`**Provider name**: `accountIdRegex`**Description**: Optional. Regex to test the AWS account ID against. If empty, all accounts match. - `bucket_name_regex`**Type**: `STRING`**Provider name**: `bucketNameRegex`**Description**: Optional. Regex to test the bucket name against. If empty, all buckets match. - `others`**Type**: `STRUCT`**Provider name**: `others`**Description**: Optional. Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically. - `single_resource`**Type**: `STRUCT`**Provider name**: `singleResource`**Description**: The resource to scan. Configs using this filter can only have one target (the target with this single resource reference). - `amazon_s3_bucket`**Type**: `STRUCT`**Provider name**: `amazonS3Bucket`**Description**: Amazon S3 bucket. - `aws_account`**Type**: `STRUCT`**Provider name**: `awsAccount`**Description**: The AWS account. - `account_id`**Type**: `STRING`**Provider name**: `accountId`**Description**: Required. AWS account ID. - `bucket_name`**Type**: `STRING`**Provider name**: `bucketName`**Description**: Required. The bucket name. - `generation_cadence`**Type**: `STRUCT`**Provider name**: `generationCadence`**Description**: How often and when to update data profiles. New resources that match both the filter and conditions are scanned as quickly as possible depending on system capacity. - `inspect_template_modified_cadence`**Type**: `STRUCT`**Provider name**: `inspectTemplateModifiedCadence`**Description**: Optional. Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to update. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when the template is modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `refresh_frequency`**Type**: `STRING`**Provider name**: `refreshFrequency`**Description**: Optional. Frequency to update profiles regardless of whether the underlying resource has changes. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `secrets_target`**Type**: `STRUCT`**Provider name**: `secretsTarget`**Description**: Discovery target that looks for credentials and secrets stored in cloud resource metadata and reports them as vulnerabilities to Security Command Center. Only one target of this type is allowed. - `vertex_dataset_target`**Type**: `STRUCT`**Provider name**: `vertexDatasetTarget`**Description**: Vertex AI dataset target for Discovery. The first target to match a dataset will be the one applied. Note that discovery for Vertex AI can incur Cloud Storage Class B operation charges for storage.objects.get operations and retrieval fees. For more information, see [Cloud Storage pricing](https://cloud.google.com/storage/pricing#price-tables). Note that discovery for Vertex AI dataset will not be able to scan images unless DiscoveryConfig.processing_location.image_fallback_location has multi_region_processing or global_processing configured. - `conditions`**Type**: `STRUCT`**Provider name**: `conditions`**Description**: In addition to matching the filter, these conditions must be true before a profile is generated. - `created_after`**Type**: `TIMESTAMP`**Provider name**: `createdAfter`**Description**: Vertex AI dataset must have been created after this date. Used to avoid backfilling. - `min_age`**Type**: `STRING`**Provider name**: `minAge`**Description**: Minimum age a Vertex AI dataset must have. If set, the value must be 1 hour or greater. - `disabled`**Type**: `STRUCT`**Provider name**: `disabled`**Description**: Disable profiling for datasets that match this filter. - `filter`**Type**: `STRUCT`**Provider name**: `filter`**Description**: Required. The datasets the discovery cadence applies to. The first target with a matching filter will be the one to apply to a dataset. - `collection`**Type**: `STRUCT`**Provider name**: `collection`**Description**: A specific set of Vertex AI datasets for this filter to apply to. - `vertex_dataset_regexes`**Type**: `STRUCT`**Provider name**: `vertexDatasetRegexes`**Description**: The regex used to filter dataset resources. - `patterns`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `patterns`**Description**: Required. The group of regular expression patterns to match against one or more datasets. Maximum of 100 entries. The sum of the lengths of all regular expressions can't exceed 10 KiB. - `project_id_regex`**Type**: `STRING`**Provider name**: `projectIdRegex`**Description**: For organizations, if unset, will match all projects. Has no effect for configurations created within a project. - `others`**Type**: `STRUCT`**Provider name**: `others`**Description**: Catch-all. This should always be the last target in the list because anything above it will apply first. Should only appear once in a configuration. If none is specified, a default one will be added automatically. - `vertex_dataset_resource_reference`**Type**: `STRUCT`**Provider name**: `vertexDatasetResourceReference`**Description**: The dataset resource to scan. Targets including this can only include one target (the target with this dataset resource reference). - `dataset_resource_name`**Type**: `STRING`**Provider name**: `datasetResourceName`**Description**: Required. The name of the dataset resource. If set within a project-level configuration, the specified resource must be within the project. - `generation_cadence`**Type**: `STRUCT`**Provider name**: `generationCadence`**Description**: How often and when to update profiles. New datasets that match both the filter and conditions are scanned as quickly as possible depending on system capacity. - `inspect_template_modified_cadence`**Type**: `STRUCT`**Provider name**: `inspectTemplateModifiedCadence`**Description**: Governs when to update data profiles when the inspection rules defined by the `InspectTemplate` change. If not set, changing the template will not cause a data profile to be updated. - `frequency`**Type**: `STRING`**Provider name**: `frequency`**Description**: How frequently data profiles can be updated when the template is modified. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. - `refresh_frequency`**Type**: `STRING`**Provider name**: `refreshFrequency`**Description**: If you set this field, profiles are refreshed at this frequency regardless of whether the underlying datasets have changed. Defaults to never.**Possible values**: - `UPDATE_FREQUENCY_UNSPECIFIED` - Unspecified. - `UPDATE_FREQUENCY_NEVER` - After the data profile is created, it will never be updated. - `UPDATE_FREQUENCY_DAILY` - The data profile can be updated up to once every 24 hours. - `UPDATE_FREQUENCY_MONTHLY` - The data profile can be updated up to once every 30 days. Default. ## `update_time`{% #update_time %} **Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. The last update timestamp of a DiscoveryConfig. ## `zone_id`{% #zone_id %} **Type**: `STRING`