# violations

Creates, updates, deletes, gets or lists a violations resource.
## Overview

Name | violations |
---|---|
Type | Resource |
Id | google.assuredworkloads.violations |
## Fields

The following fields are returned by SELECT queries; the get and list methods return the same schema.

### Successful response
Name | Datatype | Description |
---|---|---|
name | string | Output only. Immutable. Name of the Violation. Format: organizations/{organization}/locations/{location}/workloads/{workload_id}/violations/{violations_id} |
acknowledged | boolean | Indicates whether the violation has been acknowledged. |
acknowledgementTime | string (google-datetime) | Optional. Timestamp when this violation was first acknowledged. Check exception_contexts to find the last time the violation was acknowledged when there is more than one acknowledgement. This field is absent when acknowledged is false. |
associatedOrgPolicyViolationId | string | Optional. Output only. Id of the org-policy violation that caused this resource violation. Empty for org-policy violations. |
auditLogLink | string | Output only. Immutable. Audit Log link for the violated resource. Format: https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{timeRange}{folder} |
beginTime | string (google-datetime) | Output only. Time of the event that triggered the Violation. |
category | string | Output only. Category under which this violation is mapped, e.g. Location, Service Usage, Access, Encryption. |
description | string | Output only. Description of the Violation, e.g. "OrgPolicy gcp.resourceLocations has non-compliant value." |
exceptionAuditLogLink | string | Output only. Immutable. Audit Log link to find the business justification provided for the violation exception. Format: https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{protoPayload.methodName}{timeRange}{organization} |
exceptionContexts | array | Output only. List of all the exception details added for the violation. |
nonCompliantOrgPolicy | string | Output only. Immutable. Name of the OrgPolicy that was modified with a non-compliant change and resulted in this violation. Format: projects/{project_number}/policies/{constraint_name}, folders/{folder_id}/policies/{constraint_name} or organizations/{organization_id}/policies/{constraint_name} |
orgPolicyConstraint | string | Output only. Immutable. The org-policy constraint that was incorrectly changed, which resulted in this violation. |
parentProjectNumber | string | Optional. Output only. Number of the parent project in which the resource is present. Empty for org-policy violations. |
remediation | object | Output only. Compliance violation remediation (id: GoogleCloudAssuredworkloadsV1ViolationRemediation) |
resolveTime | string (google-datetime) | Output only. Time of the event that fixed the Violation. Empty while the violation is ACTIVE. |
resourceName | string | Optional. Output only. Name of the resource, e.g. //storage.googleapis.com/myprojectxyz-testbucket. Empty for org-policy violations. |
resourceType | string | Optional. Output only. Type of the resource, e.g. compute.googleapis.com/Disk. Empty for org-policy violations. |
state | string | Output only. State of the violation. |
updateTime | string (google-datetime) | Output only. The last time the Violation record was updated. |
violationType | string | Output only. Type of the violation. |
## Methods

The following methods are available for this resource:

Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | organizationsId, locationsId, workloadsId, violationsId | | Retrieves an Assured Workload Violation based on ID. |
list | select | organizationsId, locationsId, workloadsId | interval.startTime, interval.endTime, pageSize, pageToken, filter | Lists the Violations in the Assured Workload environment. Callers may also read across multiple Workloads, as per AIP-159, by using '-' (the hyphen or dash character) as a wildcard in place of the workload id in the parent. Format: organizations/{org_id}/locations/{location}/workloads/- |
acknowledge | exec | organizationsId, locationsId, workloadsId, violationsId | | Acknowledges an existing violation. By acknowledging a violation, users acknowledge the existence of a compliance violation in their workload and decide to ignore it due to a valid business justification. Acknowledgement is a permanent operation and cannot be reverted. |
## Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

Name | Datatype | Description |
---|---|---|
locationsId | string | |
organizationsId | string | |
violationsId | string | |
workloadsId | string | |
filter | string | |
interval.endTime | string (google-datetime) | |
interval.startTime | string (google-datetime) | |
pageSize | integer (int32) | |
pageToken | string | |
## SELECT examples

### get

Retrieves an Assured Workload Violation based on ID.

```sql
SELECT
name,
acknowledged,
acknowledgementTime,
associatedOrgPolicyViolationId,
auditLogLink,
beginTime,
category,
description,
exceptionAuditLogLink,
exceptionContexts,
nonCompliantOrgPolicy,
orgPolicyConstraint,
parentProjectNumber,
remediation,
resolveTime,
resourceName,
resourceType,
state,
updateTime,
violationType
FROM google.assuredworkloads.violations
WHERE organizationsId = '{{ organizationsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND workloadsId = '{{ workloadsId }}' -- required
AND violationsId = '{{ violationsId }}'; -- required
```
### list

Lists the Violations in the Assured Workload environment. Callers may also read across multiple Workloads, as per AIP-159, by using '-' (the hyphen or dash character) as a wildcard in place of the workload id in the parent. Format: organizations/{org_id}/locations/{location}/workloads/-

```sql
SELECT
name,
acknowledged,
acknowledgementTime,
associatedOrgPolicyViolationId,
auditLogLink,
beginTime,
category,
description,
exceptionAuditLogLink,
exceptionContexts,
nonCompliantOrgPolicy,
orgPolicyConstraint,
parentProjectNumber,
remediation,
resolveTime,
resourceName,
resourceType,
state,
updateTime,
violationType
FROM google.assuredworkloads.violations
WHERE organizationsId = '{{ organizationsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND workloadsId = '{{ workloadsId }}' -- required
AND interval.startTime = '{{ interval.startTime }}'
AND interval.endTime = '{{ interval.endTime }}'
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND filter = '{{ filter }}';
```
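As an added example (not StackQL's or Google's code), the following Python post-processes a list result shaped like the fields above into a triage view: open violations nobody has acknowledged (oldest first), acknowledged ones (acknowledgement is permanent, so accepted risk still deserves periodic review) and closed ones. The records are constructed; the organization and workload ids, timestamps and the RESOLVED state value are assumptions.

```python
from datetime import datetime

# Constructed sample shaped like this resource's SELECT output; ids, timestamps
# and the RESOLVED state value are assumptions, not real data.
SAMPLE_VIOLATIONS = [
    {"name": "organizations/111/locations/us/workloads/wl-a/violations/v1",
     "state": "ACTIVE", "acknowledged": False, "category": "Location",
     "beginTime": "2024-05-01T10:00:00Z", "resolveTime": ""},
    {"name": "organizations/111/locations/us/workloads/wl-a/violations/v2",
     "state": "ACTIVE", "acknowledged": True, "category": "Encryption",
     "acknowledgementTime": "2024-05-02T08:00:00Z",
     "beginTime": "2024-05-01T12:00:00Z", "resolveTime": ""},
    {"name": "organizations/111/locations/us/workloads/wl-b/violations/v3",
     "state": "RESOLVED", "acknowledged": False, "category": "Access",
     "beginTime": "2024-04-20T09:00:00Z", "resolveTime": "2024-04-21T09:00:00Z"},
]

def parse_time(value):
    """google-datetime values are RFC 3339 with a trailing Z; empty means unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def workload_of(name):
    """Pull {workload_id} out of organizations/.../workloads/{workload_id}/violations/{id}."""
    parts = name.split("/")
    return parts[parts.index("workloads") + 1]

def is_open(v):
    # The page states resolveTime is empty while the violation is ACTIVE.
    return v.get("state") == "ACTIVE" and not v.get("resolveTime")

def triage(violations, now):
    """Split records into unacknowledged (act on), accepted (review) and closed."""
    report = {"unacknowledged": [], "accepted": [], "closed": [], "by_category": {}}
    for v in violations:
        if not is_open(v):
            report["closed"].append(v["name"])
            continue
        cat = v.get("category", "Unknown")
        report["by_category"][cat] = report["by_category"].get(cat, 0) + 1
        entry = {"name": v["name"], "workload": workload_of(v["name"]),
                 "age_days": (now - parse_time(v["beginTime"])).days}
        if v.get("acknowledged"):
            entry["acknowledged_at"] = v.get("acknowledgementTime")
            report["accepted"].append(entry)
        else:
            report["unacknowledged"].append(entry)
    report["unacknowledged"].sort(key=lambda e: -e["age_days"])
    return report
```

Feed it the rows returned by the list query above (the `-` wildcard form covers every workload under the organization) and page through `by_category` and `unacknowledged` first.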
## Lifecycle Methods

### acknowledge

Acknowledges an existing violation. By acknowledging a violation, users acknowledge the existence of a compliance violation in their workload and decide to ignore it due to a valid business justification. Acknowledgement is a permanent operation and cannot be reverted.

```sql
EXEC google.assuredworkloads.violations.acknowledge
@organizationsId='{{ organizationsId }}', -- required
@locationsId='{{ locationsId }}', -- required
@workloadsId='{{ workloadsId }}', -- required
@violationsId='{{ violationsId }}' -- required
@@json=
'{
"comment": "{{ comment }}",
"nonCompliantOrgPolicy": "{{ nonCompliantOrgPolicy }}",
"acknowledgeType": "{{ acknowledgeType }}"
}';
```