Updates an existing workload. Currently allows updating of workload display_name and labels. For force updates don't set etag field in the Workload. Only one update operation per workload can be in progress.

Scopes

You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.

If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform. You can set the scope for this method like this: assuredworkloads1 --scope <scope> organizations locations-workloads-patch ...

Required Scalar Argument

  • <name> (string)
    • Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload} Read-only.

Required Request Value

The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.

For example, a structure like this:

GoogleCloudAssuredworkloadsV1Workload:
  billing-account: string
  compliance-regime: string
  compliance-status:
    acknowledged-resource-violation-count: integer
    acknowledged-violation-count: integer
    active-resource-violation-count: integer
    active-violation-count: integer
  compliant-but-disallowed-services: [string]
  create-time: string
  display-name: string
  ekm-provisioning-response:
    ekm-provisioning-error-domain: string
    ekm-provisioning-error-mapping: string
    ekm-provisioning-state: string
  enable-sovereign-controls: boolean
  etag: string
  kaj-enrollment-state: string
  kms-settings:
    next-rotation-time: string
    rotation-period: string
  labels: { string: string }
  name: string
  partner: string
  partner-permissions:
    assured-workloads-monitoring: boolean
    data-logs-viewer: boolean
    service-access-approver: boolean
  provisioned-resources-parent: string
  resource-monitoring-enabled: boolean
  saa-enrollment-response:
    setup-errors: [string]
    setup-status: string
  violation-notifications-enabled: boolean

can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.

  • -r . billing-account=duo
    • Optional. The billing account used for the resources which are direct children of workload. This billing account is initially associated with the resources created as part of Workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form billingAccounts/{billing_account_id}. For example, billingAccounts/012345-567890-ABCDEF.
  • compliance-regime=sed
    • Required. Immutable. Compliance Regime associated with this workload.
  • compliance-status acknowledged-resource-violation-count=40
    • Number of current resource violations which are not acknowledged.
  • acknowledged-violation-count=86
    • Number of current orgPolicy violations which are acknowledged.
  • active-resource-violation-count=88
    • Number of current resource violations which are acknowledged.

  • active-violation-count=77

    • Number of current orgPolicy violations which are not acknowledged.

  • .. compliant-but-disallowed-services=sed

    • Output only. Urls for services which are compliant for this Assured Workload, but which are currently disallowed by the ResourceUsageRestriction org policy. Invoke RestrictAllowedResources endpoint to allow your project developers to use these services in their environment.
    • Each invocation of this argument appends the given value to the array.
  • create-time=et
    • Output only. Immutable. The Workload creation timestamp.
  • display-name=et
    • Required. The user-assigned display name of the Workload. When present it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces. Example: My Workload
  • ekm-provisioning-response ekm-provisioning-error-domain=vero
    • Indicates Ekm provisioning error if any.
  • ekm-provisioning-error-mapping=erat
    • Detailed error message if Ekm provisioning fails

  • ekm-provisioning-state=sed

    • Indicates Ekm enrollment Provisioning of a given workload.

  • .. enable-sovereign-controls=false

    • Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers.
  • etag=diam
    • Optional. ETag of the workload, it is calculated on the basis of the Workload contents. It will be used in Update & Delete operations.
  • kaj-enrollment-state=dolor
    • Output only. Represents the KAJ enrollment state of the given workload.
  • kms-settings next-rotation-time=et
    • Required. Input only. Immutable. The time at which the Key Management Service will automatically create a new version of the crypto key and mark it as the primary.

  • rotation-period=et

    • Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key Management Service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

  • .. labels=key=sadipscing

    • Optional. Labels applied to the workload.
    • the value will be associated with the given key
  • name=stet
    • Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload} Read-only.
  • partner=dolor
    • Optional. Partner regime associated with this workload.
  • partner-permissions assured-workloads-monitoring=false
    • Optional. Allow partner to view violation alerts.
  • data-logs-viewer=false
    • Allow the partner to view inspectability logs and monitoring violations.

  • service-access-approver=false

    • Optional. Allow partner to view access approval logs.

  • .. provisioned-resources-parent=stet

    • Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the Workload parent. If not specified all resources are created under the parent organization. Format: folders/{folder_id}
  • resource-monitoring-enabled=false
    • Output only. Indicates whether resource monitoring is enabled for workload or not. It is true when Resource feed is subscribed to AWM topic and AWM Service Agent Role is binded to AW Service Account for resource Assured workload.
  • saa-enrollment-response setup-errors=elitr
    • Indicates SAA enrollment setup error if any.
    • Each invocation of this argument appends the given value to the array.

  • setup-status=lorem

    • Indicates SAA enrollment status of a given workload.

  • .. violation-notifications-enabled=true

    • Optional. Indicates whether the e-mail notification for a violation is enabled for a workload. This value will be by default True, and if not present will be considered as true. This should only be updated via updateWorkload call. Any Changes to this field during the createWorkload call will not be honored. This will always be true while creating the workload.

About Cursors

The cursor position is key to comfortably set complex nested structures. The following rules apply:

  • The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested such as in -r f.s.o .
  • The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s
  • You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
  • You can move the cursor one level up by using ... Each additional . moves it up one additional level. E.g. ... would go three levels up.

Optional Output Flags

The method's return value a JSON encoded structure, which will be written to standard output by default.

  • -o out
    • out specifies the destination to which to write the server's result to. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.

Optional Method Properties

You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this -p k1=v1 k2=v2 even though the listing below repeats the -p for completeness.

  • -p update-mask=string
    • Required. The list of fields to be updated.

Optional General Properties

The following properties can configure any call, and are not specific to this method.

  • -p $-xgafv=string

    • V1 error format.

  • -p access-token=string

    • OAuth access token.

  • -p alt=string

    • Data format for response.

  • -p callback=string

    • JSONP

  • -p fields=string

    • Selector specifying which fields to include in a partial response.

  • -p key=string

    • API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.

  • -p oauth-token=string

    • OAuth 2.0 token for the current user.

  • -p pretty-print=boolean

    • Returns response with indentations and line breaks.

  • -p quota-user=string

    • Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.

  • -p upload-type=string

    • Legacy upload protocol for media (e.g. "media", "multipart").

  • -p upload-protocol=string

    • Upload protocol for media (e.g. "raw", "multipart").