feat: Add SavedQuery CURD support (#627)

* feat: Add SavedQuery CURD support
feat: Add tags support
feat!：*Add RelatedAsset and deprecate RelatedAssets for relationship GA

*The previous representation of the relationship feature is deprecated and unimplemented. The RelatedAsset message represents the new stable format.

PiperOrigin-RevId: 449306805

Source-Link: googleapis/googleapis@3d7bd9d

Source-Link: googleapis/googleapis-gen@71a93d0
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNzFhOTNkMDVkNjA3NjI3MWQwNGI3NTkyZjdmYWQwZDNmMGM3YTA0MCJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-cloud-asset/protos/google/cloud/asset/v1/asset_service.proto

@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,18 +16,17 @@ syntax = "proto3";
 
 package google.cloud.asset.v1;
 
+import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/orgpolicy/v1/orgpolicy.proto";
+import "google/cloud/osconfig/v1/inventory.proto";
 import "google/iam/v1/policy.proto";
 import "google/identity/accesscontextmanager/v1/access_level.proto";
 import "google/identity/accesscontextmanager/v1/access_policy.proto";
-import "google/cloud/osconfig/v1/inventory.proto";
 import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
-import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 import "google/rpc/code.proto";
-import "google/api/annotations.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Asset.V1";
@@ -152,17 +151,24 @@ message Asset {
 
     // Please also refer to the [service perimeter user
     // guide](https://cloud.google.com/vpc-service-controls/docs/overview).
-    google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter = 9;
+    google.identity.accesscontextmanager.v1.ServicePerimeter service_perimeter =
+        9;
   }
 
   // A representation of runtime OS Inventory information. See [this
   // topic](https://cloud.google.com/compute/docs/instances/os-inventory-management)
   // for more information.
   google.cloud.osconfig.v1.Inventory os_inventory = 12;
 
-  // The related assets of the asset of one relationship type.
-  // One asset only represents one type of relationship.
-  RelatedAssets related_assets = 13;
+  // DEPRECATED. This field only presents for the purpose of
+  // backward-compatibility. The server will never generate responses with this
+  // field.
+  // The related assets of the asset of one relationship type. One asset
+  // only represents one type of relationship.
+  RelatedAssets related_assets = 13 [deprecated = true];
+
+  // One related asset of the current asset.
+  RelatedAsset related_asset = 15;
 
   // The ancestry path of an asset in Google Cloud [resource
   // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
@@ -225,18 +231,28 @@ message Resource {
   string location = 8;
 }
 
+// DEPRECATED. This message only presents for the purpose of
+// backward-compatibility. The server will never populate this message in
+// responses.
 // The detailed related assets with the `relationship_type`.
 message RelatedAssets {
+  option deprecated = true;
+
   // The detailed relationship attributes.
   RelationshipAttributes relationship_attributes = 1;
 
   // The peer resources of the relationship.
   repeated RelatedAsset assets = 2;
 }
 
+// DEPRECATED. This message only presents for the purpose of
+// backward-compatibility. The server will never populate this message in
+// responses.
 // The relationship attributes which include  `type`, `source_resource_type`,
 // `target_resource_type` and `action`.
 message RelationshipAttributes {
+  option deprecated = true;
+
   // The unique identifier of the relationship type. Example:
   // `INSTANCE_TO_INSTANCEGROUP`
   string type = 4;
@@ -251,7 +267,7 @@ message RelationshipAttributes {
   string action = 3;
 }
 
-// An asset identify in Google Cloud which contains its name, type and
+// An asset identifier in Google Cloud which contains its name, type and
 // ancestors. An asset can be any resource in the Google Cloud [resource
 // hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy),
 // a resource outside the Google Cloud resource hierarchy (such as Google
@@ -267,8 +283,8 @@ message RelatedAsset {
   // names](https://cloud.google.com/apis/design/resource_names#full_resource_name)
   // for more information.
   string asset = 1 [(google.api.resource_reference) = {
-                      type: "cloudasset.googleapis.com/Asset"
-                    }];
+    type: "cloudasset.googleapis.com/Asset"
+  }];
 
   // The type of the asset. Example: `compute.googleapis.com/Disk`
   //
@@ -284,6 +300,10 @@ message RelatedAsset {
   //
   // Example: `["projects/123456789", "folders/5432", "organizations/1234"]`
   repeated string ancestors = 3;
+
+  // The unique identifier of the relationship type. Example:
+  // `INSTANCE_TO_INSTANCEGROUP`
+  string relationship_type = 4;
 }
 
 // A result of Resource Search, containing information of a cloud resource.
@@ -341,7 +361,7 @@ message ResourceSearchResult {
   string organization = 18;
 
   // The display name of this resource. This field is available only when the
-  // resource's proto contains it.
+  // resource's Protobuf contains it.
   //
   // To search against the `display_name`:
   //
@@ -351,7 +371,7 @@ message ResourceSearchResult {
 
   // One or more paragraphs of text description of this resource. Maximum length
   // could be up to 1M bytes. This field is available only when the resource's
-  // proto contains it.
+  // Protobuf contains it.
   //
   // To search against the `description`:
   //
@@ -360,7 +380,7 @@ message ResourceSearchResult {
   string description = 5;
 
   // Location can be `global`, regional like `us-east1`, or zonal like
-  // `us-west1-b`. This field is available only when the resource's proto
+  // `us-west1-b`. This field is available only when the resource's Protobuf
   // contains it.
   //
   // To search against the `location`:
@@ -372,7 +392,7 @@ message ResourceSearchResult {
   // Labels associated with this resource. See [Labelling and grouping GCP
   // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
   // for more information. This field is available only when the resource's
-  // proto contains it.
+  // Protobuf contains it.
   //
   // To search against the `labels`:
   //
@@ -387,7 +407,7 @@ message ResourceSearchResult {
   // type of annotations used to group GCP resources. See [Labelling GCP
   // resources](https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources)
   // for more information. This field is available only when the resource's
-  // proto contains it.
+  // Protobuf contains it.
   //
   // To search against the `network_tags`:
   //
@@ -396,10 +416,11 @@ message ResourceSearchResult {
   repeated string network_tags = 8;
 
   // The Cloud KMS
-  // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys?hl=en)
+  // [CryptoKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
   // name or
-  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions?hl=en)
-  // name. This field is available only when the resource's proto contains it.
+  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions)
+  // name. This field is available only when the resource's Protobuf contains
+  // it.
   //
   // To search against the `kms_key`:
   //
@@ -409,7 +430,7 @@ message ResourceSearchResult {
 
   // The create timestamp of this resource, at which the resource was created.
   // The granularity is in seconds. Timestamp.nanos will always be 0. This field
-  // is available only when the resource's proto contains it.
+  // is available only when the resource's Protobuf contains it.
   //
   // To search against `create_time`:
   //
@@ -422,7 +443,7 @@ message ResourceSearchResult {
 
   // The last update timestamp of this resource, at which the resource was last
   // modified or deleted. The granularity is in seconds. Timestamp.nanos will
-  // always be 0. This field is available only when the resource's proto
+  // always be 0. This field is available only when the resource's Protobuf
   // contains it.
   //
   // To search against `update_time`:
@@ -436,7 +457,8 @@ message ResourceSearchResult {
 
   // The state of this resource. Different resources types have different state
   // definitions that are mapped from various fields of different resource
-  // types. This field is available only when the resource's proto contains it.
+  // types. This field is available only when the resource's Protobuf contains
+  // it.
   //
   // Example:
   // If the resource is an instance provided by Compute Engine,
@@ -511,6 +533,43 @@ message ResourceSearchResult {
   // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_relationship_types).
   map<string, RelatedResources> relationships = 21;
 
+  // TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}.
+  // To search against the `tagKeys`:
+  //
+  // * use a field query. Example:
+  //     - `tagKeys:"123456789/env*"`
+  //     - `tagKeys="123456789/env"`
+  //     - `tagKeys:"env"`
+  //
+  // * use a free text query. Example:
+  //     - `env`
+  repeated string tag_keys = 23;
+
+  // TagValue namespaced names, in the format of
+  // {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}.
+  // To search against the `tagValues`:
+  //
+  // * use a field query. Example:
+  //     - `tagValues:"env"`
+  //     - `tagValues:"env/prod"`
+  //     - `tagValues:"123456789/env/prod*"`
+  //     - `tagValues="123456789/env/prod"`
+  //
+  // * use a free text query. Example:
+  //     - `prod`
+  repeated string tag_values = 25;
+
+  // TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}.
+  // To search against the `tagValueIds`:
+  //
+  // * use a field query. Example:
+  //     - `tagValueIds:"456"`
+  //     - `tagValueIds="tagValues/456"`
+  //
+  // * use a free text query. Example:
+  //     - `456`
+  repeated string tag_value_ids = 26;
+
   // The type of this resource's immediate parent, if there is one.
   //
   // To search against the `parent_asset_type`:
@@ -798,8 +857,10 @@ message IamPolicyAnalysisResult {
     repeated Access accesses = 2;
 
     // Resource edges of the graph starting from the policy attached
-    // resource to any descendant resources. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node] contains
-    // the full resource name of a parent resource and [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
+    // resource to any descendant resources. The
+    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
+    // contains the full resource name of a parent resource and
+    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
     // contains the full resource name of a child resource. This field is
     // present only if the output_resource_edges option is enabled in request.
     repeated Edge resource_edges = 3;
@@ -818,32 +879,41 @@ message IamPolicyAnalysisResult {
     repeated Identity identities = 1;
 
     // Group identity edges of the graph starting from the binding's
-    // group members to any node of the [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
+    // group members to any node of the
+    // [identities][google.cloud.asset.v1.IamPolicyAnalysisResult.IdentityList.identities].
+    // The
+    // [Edge.source_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.source_node]
     // contains a group, such as `group:[email protected]`. The
-    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group,
-    // such as `group:[email protected]` or `user:[email protected]`.
-    // This field is present only if the output_group_edges option is enabled in
-    // request.
+    // [Edge.target_node][google.cloud.asset.v1.IamPolicyAnalysisResult.Edge.target_node]
+    // contains a member of the group, such as `group:[email protected]` or
+    // `user:[email protected]`. This field is present only if the
+    // output_group_edges option is enabled in request.
     repeated Edge group_edges = 2;
   }
 
   // The [full resource
   // name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
-  // of the resource to which the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] policy attaches.
+  // of the resource to which the
+  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+  // policy attaches.
   string attached_resource_full_name = 1;
 
   // The Cloud IAM policy binding under analysis.
   google.iam.v1.Binding iam_binding = 2;
 
-  // The access control lists derived from the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
-  // potentially match resource and access selectors specified in the request.
+  // The access control lists derived from the
+  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+  // that match or potentially match resource and access selectors specified in
+  // the request.
   repeated AccessControlList access_control_lists = 3;
 
-  // The identity list derived from members of the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] that match or
-  // potentially match identity selector specified in the request.
+  // The identity list derived from members of the
+  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+  // that match or potentially match identity selector specified in the request.
   IdentityList identity_list = 4;
 
-  // Represents whether all analyses on the [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding] have successfully
-  // finished.
+  // Represents whether all analyses on the
+  // [iam_binding][google.cloud.asset.v1.IamPolicyAnalysisResult.iam_binding]
+  // have successfully finished.
   bool fully_explored = 5;
 }