Creates Assured Workload.
Scopes
You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: assuredworkloads1 --scope <scope> organizations locations-workloads-create ...
Required Scalar Argument
- <parent> (string)
- Required. The resource name of the new Workload's parent. Must be of the form organizations/{org_id}/locations/{location_id}.
Required Request Value
The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.
For example, a structure like this:
GoogleCloudAssuredworkloadsV1Workload:
  billing-account: string
  compliance-regime: string
  compliance-status:
    acknowledged-resource-violation-count: integer
    acknowledged-violation-count: integer
    active-resource-violation-count: integer
    active-violation-count: integer
  compliant-but-disallowed-services: [string]
  create-time: string
  display-name: string
  ekm-provisioning-response:
    ekm-provisioning-error-domain: string
    ekm-provisioning-error-mapping: string
    ekm-provisioning-state: string
  enable-sovereign-controls: boolean
  etag: string
  kaj-enrollment-state: string
  kms-settings:
    next-rotation-time: string
    rotation-period: string
  labels: { string: string }
  name: string
  partner: string
  partner-permissions:
    assured-workloads-monitoring: boolean
    data-logs-viewer: boolean
    service-access-approver: boolean
  provisioned-resources-parent: string
  resource-monitoring-enabled: boolean
  saa-enrollment-response:
    setup-errors: [string]
    setup-status: string
  violation-notifications-enabled: boolean
can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.
-r . billing-account=et
- Optional. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form billingAccounts/{billing_account_id}. For example, billingAccounts/012345-567890-ABCDEF.
compliance-regime=magna
- Required. Immutable. Compliance Regime associated with this workload.
compliance-status acknowledged-resource-violation-count=90
- Number of current resource violations which are not acknowledged.
acknowledged-violation-count=46
- Number of current orgPolicy violations which are acknowledged.
active-resource-violation-count=73
- Number of current resource violations which are acknowledged.
active-violation-count=74
- Number of current orgPolicy violations which are not acknowledged.
.. compliant-but-disallowed-services=sanctus
- Output only. Urls for services which are compliant for this Assured Workload, but which are currently disallowed by the ResourceUsageRestriction org policy. Invoke RestrictAllowedResources endpoint to allow your project developers to use these services in their environment.
- Each invocation of this argument appends the given value to the array.
create-time=sed
- Output only. Immutable. The Workload creation timestamp.
display-name=amet.
- Required. The user-assigned display name of the Workload. When present it must be between 4 and 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces. Example: My Workload
ekm-provisioning-response ekm-provisioning-error-domain=takimata
- Indicates Ekm provisioning error if any.
ekm-provisioning-error-mapping=amet.
- Detailed error message if Ekm provisioning fails.
ekm-provisioning-state=duo
- Indicates Ekm enrollment Provisioning of a given workload.
.. enable-sovereign-controls=true
- Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers.
etag=gubergren
- Optional. ETag of the workload; it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations.
kaj-enrollment-state=lorem
- Output only. Represents the KAJ enrollment state of the given workload.
kms-settings next-rotation-time=gubergren
- Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary.
rotation-period=eos
- Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.
.. labels=key=dolor
- Optional. Labels applied to the workload.
- the value will be associated with the given key
name=ea
- Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload} Read-only.
partner=ipsum
- Optional. Partner regime associated with this workload.
partner-permissions assured-workloads-monitoring=false
- Optional. Allow partner to view violation alerts.
data-logs-viewer=true
- Allow the partner to view inspectability logs and monitoring violations.
service-access-approver=true
- Optional. Allow partner to view access approval logs.
.. provisioned-resources-parent=sed
- Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folder_id}
resource-monitoring-enabled=true
- Output only. Indicates whether resource monitoring is enabled for workload or not. It is true when Resource feed is subscribed to AWM topic and AWM Service Agent Role is bound to AW Service Account for resource Assured workload.
saa-enrollment-response setup-errors=ipsum
- Indicates SAA enrollment setup error if any.
- Each invocation of this argument appends the given value to the array.
setup-status=ipsum
- Indicates SAA enrollment status of a given workload.
.. violation-notifications-enabled=true
- Optional. Indicates whether the e-mail notification for a violation is enabled for a workload. This value is True by default, and if not present will be considered as true. This should only be updated via updateWorkload call. Any changes to this field during the createWorkload call will not be honored. This will always be true while creating the workload.
About Cursors
The cursor position is key to comfortably set complex nested structures. The following rules apply:
- The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested, as in -r f.s.o
- The cursor position is set relative to the top-level structure if it starts with a . character, e.g. -r .s.s
- You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar
- You can move the cursor one level up by using .. and each additional . moves it up one additional level. E.g. ... would go three levels up.
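The field constraints and cursor moves described above, as an added example that is not part of the generated documentation: it checks the parent, display-name, rotation-period and provisioned-resources-parent forms before printing the call. The sample identifiers, the whole-second rotation-period syntax (e.g. 7776000s), the FEDRAMP_MODERATE regime value and the RUNNER variable are assumptions.

```shell
#!/bin/sh
# Added example; every identifier value below is constructed.

# True when $1 has no embedded newline and matches the extended regex $2.
matches() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] && printf '%s' "$1" | grep -Eq "$2"
}
fail() { echo "invalid $1" >&2; return 1; }

# Check caller-supplied values against the forms stated on this page.
# Args: parent display-name rotation-period [folder]
validate_workload() {
    matches "$1" '^organizations/[^/]+/locations/[^/]+$' || fail parent || return 1
    # 4 to 30 characters: letters, digits, hyphen, space.
    matches "$2" '^[A-Za-z0-9 -]{4,30}$' || fail display-name || return 1
    # Assumption: rotation-period is written as whole seconds, e.g. 7776000s.
    matches "$3" '^[0-9]{1,10}s$' || fail rotation-period || return 1
    secs=${3%s}
    # At least 24 hours (86400 s), at most 876,000 hours (3153600000 s).
    { [ "$secs" -ge 86400 ] && [ "$secs" -le 3153600000 ]; } ||
        fail rotation-period || return 1
    # An empty folder means resources are created under the parent organization.
    [ -z "${4:-}" ] || matches "$4" '^folders/[^/]+$' ||
        fail provisioned-resources-parent || return 1
}

# Print the call (default), or run it when RUNNER is set to the empty string.
# Args: parent display-name regime next-rotation-time rotation-period [folder]
create_workload() {
    validate_workload "$1" "$2" "$5" "${6:-}" || return 1
    # "kms-settings" moves the cursor into the nested structure; ".." moves it
    # back up so the last field is set on the top-level Workload again.
    set -- "$1" -r . "display-name=$2" "compliance-regime=$3" \
        kms-settings "next-rotation-time=$4" "rotation-period=$5" \
        ${6:+..} ${6:+"provisioned-resources-parent=$6"}
    ${RUNNER-echo} assuredworkloads1 organizations locations-workloads-create "$@"
}

# Constructed sample values; FEDRAMP_MODERATE is used as a sample regime name.
create_workload organizations/123456789012/locations/us-central1 \
    "Payments Prod" FEDRAMP_MODERATE 2030-01-01T00:00:00Z 7776000s \
    folders/987654321098
```

Fields the listing marks as output only (create-time, kaj-enrollment-state, resource-monitoring-enabled, compliant-but-disallowed-services) are left out of the request on purpose.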
Optional Output Flags
The method's return value is a JSON-encoded structure, which will be written to standard output by default.
- -o out
- out specifies the destination to which to write the server's result. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
Optional Method Properties
You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this -p k1=v1 k2=v2 even though the listing below repeats the -p for completeness.
- -p external-id=string
- Optional. An identifier associated with the workload and underlying projects which allows for the breakdown of billing costs for a workload. The value provided for the identifier will add a label to the workload and contained projects with the identifier as the value.
Optional General Properties
The following properties can configure any call, and are not specific to this method.
- -p $-xgafv=string
- V1 error format.
- -p access-token=string
- OAuth access token.
- -p alt=string
- Data format for response.
- -p callback=string
- JSONP
- -p fields=string
- Selector specifying which fields to include in a partial response.
- -p key=string
- API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
- -p oauth-token=string
- OAuth 2.0 token for the current user.
- -p pretty-print=boolean
- Returns response with indentations and line breaks.
- -p quota-user=string
- Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
- -p upload-type=string
- Legacy upload protocol for media (e.g. "media", "multipart").
- -p upload-protocol=string
- Upload protocol for media (e.g. "raw", "multipart").