
workloads

Creates, updates, deletes, gets or lists a workloads resource.

Overview

Name: workloads
Type: Resource
Id: google.assuredworkloads.workloads

Fields

The following fields are returned by SELECT queries:

Successful response

| Name | Datatype | Description |
|---|---|---|
| name | string | Optional. The resource name of the workload. Format: organizations/{organization}/locations/{location}/workloads/{workload}. Read-only. |
| billingAccount | string | Optional. The billing account used for the resources which are direct children of the workload. This billing account is initially associated with the resources created as part of workload creation. After the initial creation of these resources, the customer can change the assigned billing account. The resource name has the form billingAccounts/{billing_account_id}. For example, billingAccounts/012345-567890-ABCDEF. |
| complianceRegime | string | Required. Immutable. Compliance regime associated with this workload. |
| complianceStatus | object | Output only. Count of active violations in the workload. (id: GoogleCloudAssuredworkloadsV1WorkloadComplianceStatus) |
| compliantButDisallowedServices | array | Output only. URLs of services which are compliant for this Assured Workload but are currently disallowed by the ResourceUsageRestriction org policy. Invoke the RestrictAllowedResources endpoint to allow your project developers to use these services in their environment. |
| createTime | string (google-datetime) | Output only. Immutable. The workload creation timestamp. |
| displayName | string | Required. The user-assigned display name of the workload. When present it must be between 4 and 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and spaces. Example: My Workload |
| ekmProvisioningResponse | object | Output only. Represents the EKM provisioning state of the given workload. (id: GoogleCloudAssuredworkloadsV1WorkloadEkmProvisioningResponse) |
| enableSovereignControls | boolean | Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by Europe/Canada customers. |
| etag | string | Optional. ETag of the workload, calculated from the workload contents. It is used in Update and Delete operations. |
| kajEnrollmentState | string | Output only. Represents the KAJ enrollment state of the given workload. |
| kmsSettings | object | Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a keyring, callers should specify ENCRYPTION_KEYS_PROJECT or KEYRING in the ResourceSettings.resource_type field. (id: GoogleCloudAssuredworkloadsV1WorkloadKMSSettings) |
| labels | object | Optional. Labels applied to the workload. |
| partner | string | Optional. Partner regime associated with this workload. |
| partnerPermissions | object | Optional. Permissions granted to the AW Partner SA account for the customer workload. (id: GoogleCloudAssuredworkloadsV1WorkloadPartnerPermissions) |
| partnerServicesBillingAccount | string | Optional. Billing account necessary for purchasing services from Sovereign Partners. This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have the 'billing.resourceAssociations.create' IAM permission on this billing account. The format of this string is billingAccounts/AAAAAA-BBBBBB-CCCCCC. |
| provisionedResourcesParent | string | Input only. The parent resource for the resources managed by this Assured Workload. May be either empty or a folder resource which is a child of the workload parent. If not specified, all resources are created under the parent organization. Format: folders/{folder_id} |
| resourceMonitoringEnabled | boolean | Output only. Indicates whether resource monitoring is enabled for the workload. It is true when the resource feed is subscribed to the AWM topic and the AWM Service Agent role is bound to the AW service account for the Assured Workload. |
| resourceSettings | array | Input only. Resource properties that are used to customize workload resources. These properties (such as a custom project id) will be used to create workload resources if possible. This field is optional. |
| resources | array | Output only. The resources associated with this workload. These resources will be created when creating the workload. If any of the projects already exist, the workload creation will fail. Always read only. |
| saaEnrollmentResponse | object | Output only. Represents the SAA enrollment response of the given workload. The SAA enrollment response is queried during the GetWorkload call. In failure cases, a user-friendly error message is shown on the SAA details page. (id: GoogleCloudAssuredworkloadsV1WorkloadSaaEnrollmentResponse) |
| violationNotificationsEnabled | boolean | Optional. Indicates whether e-mail notification for a violation is enabled for a workload. Defaults to true; if not present it is treated as true. This should only be updated via the updateWorkload call. Any changes to this field during the createWorkload call will not be honored; it is always true while creating the workload. |
| workloadOptions | object | Optional. Options to be set for the given created workload. (id: GoogleCloudAssuredworkloadsV1WorkloadWorkloadOptions) |

Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get | select | organizationsId, locationsId, workloadsId | | Gets the Assured Workload associated with a CRM node. |
| list | select | organizationsId, locationsId | pageSize, pageToken, filter | Lists Assured Workloads under a CRM node. |
| create | insert | organizationsId, locationsId | externalId | Creates an Assured Workload. |
| patch | update | organizationsId, locationsId, workloadsId | updateMask | Updates an existing workload. Currently allows updating of the workload display_name and labels. For force updates, don't set the etag field in the Workload. Only one update operation per workload can be in progress. |
| delete | delete | organizationsId, locationsId, workloadsId | etag | Deletes the workload. Make sure that the workload's direct children are already in a deleted state, otherwise the request will fail with a FAILED_PRECONDITION error. In addition to the assuredworkloads.workload.delete permission, the user should also have the orgpolicy.policy.set permission on the deleted folder to remove Assured Workloads org policies. |
| restrict_allowed_resources | exec | organizationsId, locationsId, workloadsId | | Restricts the list of resources allowed in the workload environment. The current list of allowed products can be found at https://cloud.google.com/assured-workloads/docs/supported-products. In addition to the assuredworkloads.workload.update permission, the user should also have the orgpolicy.policy.set permission on the folder resource to use this functionality. |
| analyze_workload_move | exec | organizationsId, locationsId, workloadsId | project, pageSize, pageToken, assetTypes | Analyzes a hypothetical move of a source resource to a target workload to surface compliance risks. The analysis is best effort and is not guaranteed to be exhaustive. |
| mutate_partner_permissions | exec | organizationsId, locationsId, workloadsId | | Updates the permissions settings for an existing partner workload. For force updates, don't set the etag field in the Workload. Only one update operation per workload can be in progress. |
| enable_resource_monitoring | exec | organizationsId, locationsId, workloadsId | | Enables resource violation monitoring for a workload. |
| enable_compliance_updates | exec | organizationsId, locationsId, workloadsId | | Enables the Assured Workloads service to offer compliance updates for the folder-based Assured Workload. It sets up an Assured Workloads Service Agent with permissions to read compliance controls (for example, org policies) applied on the workload. The caller must have the resourcemanager.folders.getIamPolicy and resourcemanager.folders.setIamPolicy permissions on the Assured Workload folder. |

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
|---|---|---|
| locationsId | string | |
| organizationsId | string | |
| workloadsId | string | |
| assetTypes | string | |
| etag | string | |
| externalId | string | |
| filter | string | |
| pageSize | integer (int32) | |
| pageToken | string | |
| project | string | |
| updateMask | string (google-fieldmask) | |

SELECT examples

Gets Assured Workload associated with a CRM Node

SELECT
name,
billingAccount,
complianceRegime,
complianceStatus,
compliantButDisallowedServices,
createTime,
displayName,
ekmProvisioningResponse,
enableSovereignControls,
etag,
kajEnrollmentState,
kmsSettings,
labels,
partner,
partnerPermissions,
partnerServicesBillingAccount,
provisionedResourcesParent,
resourceMonitoringEnabled,
resourceSettings,
resources,
saaEnrollmentResponse,
violationNotificationsEnabled,
workloadOptions
FROM google.assuredworkloads.workloads
WHERE organizationsId = '{{ organizationsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND workloadsId = '{{ workloadsId }}'; -- required
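The page only shows the get method. The list method (organizationsId and locationsId, no workloadsId) is what a reviewer uses to audit every workload under a location at once. The query below is an added example, not from the StackQL docs: it pulls the fields a compliance reviewer checks first and keeps only workloads whose resource monitoring or violation e-mail notifications are switched off, then shows the matching enable_resource_monitoring call for one workload. It assumes StackQL applies the non-parameter predicates client-side on the returned rows and accepts unquoted boolean literals, as the page's own {{ enableSovereignControls }} usage suggests; the placeholders are to be filled in by the caller.

```sql
-- Added example, not part of the original page.
-- Audit: list workloads via the list method and flag weakened monitoring.
-- Assumption: StackQL filters resourceMonitoringEnabled /
-- violationNotificationsEnabled client-side after the list call returns.
SELECT
name,
displayName,
complianceRegime,
complianceStatus,
compliantButDisallowedServices,
resourceMonitoringEnabled,
violationNotificationsEnabled,
enableSovereignControls,
kajEnrollmentState
FROM google.assuredworkloads.workloads
WHERE organizationsId = '{{ organizationsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND (resourceMonitoringEnabled = false
  OR violationNotificationsEnabled = false);

-- Remediation for one flagged workload: turn resource violation monitoring
-- back on (required params taken from the Methods table above).
EXEC google.assuredworkloads.workloads.enable_resource_monitoring
@organizationsId='{{ organizationsId }}', --required
@locationsId='{{ locationsId }}', --required
@workloadsId='{{ workloadsId }}'; --required
```

Re-running the first statement after the EXEC should show the workload dropping out of the result set once resourceMonitoringEnabled is reported as true; compliantButDisallowedServices is included because a non-empty list there is the cue to call restrict_allowed_resources rather than enable_resource_monitoring.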

INSERT examples

Creates Assured Workload.

INSERT INTO google.assuredworkloads.workloads (
data__name,
data__displayName,
data__complianceRegime,
data__billingAccount,
data__etag,
data__labels,
data__provisionedResourcesParent,
data__kmsSettings,
data__resourceSettings,
data__enableSovereignControls,
data__partner,
data__partnerPermissions,
data__partnerServicesBillingAccount,
data__violationNotificationsEnabled,
data__workloadOptions,
organizationsId,
locationsId,
externalId
)
SELECT
'{{ name }}',
'{{ displayName }}',
'{{ complianceRegime }}',
'{{ billingAccount }}',
'{{ etag }}',
'{{ labels }}',
'{{ provisionedResourcesParent }}',
'{{ kmsSettings }}',
'{{ resourceSettings }}',
{{ enableSovereignControls }},
'{{ partner }}',
'{{ partnerPermissions }}',
'{{ partnerServicesBillingAccount }}',
{{ violationNotificationsEnabled }},
'{{ workloadOptions }}',
'{{ organizationsId }}',
'{{ locationsId }}',
'{{ externalId }}'
RETURNING
name,
done,
error,
metadata,
response
;

UPDATE examples

Updates an existing workload. Currently allows updating of the workload display_name and labels. For force updates, don't set the etag field in the Workload. Only one update operation per workload can be in progress.

UPDATE google.assuredworkloads.workloads
SET
data__name = '{{ name }}',
data__displayName = '{{ displayName }}',
data__complianceRegime = '{{ complianceRegime }}',
data__billingAccount = '{{ billingAccount }}',
data__etag = '{{ etag }}',
data__labels = '{{ labels }}',
data__provisionedResourcesParent = '{{ provisionedResourcesParent }}',
data__kmsSettings = '{{ kmsSettings }}',
data__resourceSettings = '{{ resourceSettings }}',
data__enableSovereignControls = {{ enableSovereignControls }},
data__partner = '{{ partner }}',
data__partnerPermissions = '{{ partnerPermissions }}',
data__partnerServicesBillingAccount = '{{ partnerServicesBillingAccount }}',
data__violationNotificationsEnabled = {{ violationNotificationsEnabled }},
data__workloadOptions = '{{ workloadOptions }}'
WHERE
organizationsId = '{{ organizationsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND workloadsId = '{{ workloadsId }}' --required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
billingAccount,
complianceRegime,
complianceStatus,
compliantButDisallowedServices,
createTime,
displayName,
ekmProvisioningResponse,
enableSovereignControls,
etag,
kajEnrollmentState,
kmsSettings,
labels,
partner,
partnerPermissions,
partnerServicesBillingAccount,
provisionedResourcesParent,
resourceMonitoringEnabled,
resourceSettings,
resources,
saaEnrollmentResponse,
violationNotificationsEnabled,
workloadOptions;

DELETE examples

Deletes the workload. Make sure that the workload's direct children are already in a deleted state, otherwise the request will fail with a FAILED_PRECONDITION error. In addition to the assuredworkloads.workload.delete permission, the user should also have the orgpolicy.policy.set permission on the deleted folder to remove Assured Workloads org policies.

DELETE FROM google.assuredworkloads.workloads
WHERE organizationsId = '{{ organizationsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND workloadsId = '{{ workloadsId }}' --required
AND etag = '{{ etag }}';

Lifecycle Methods

Restricts the list of resources allowed in the workload environment. The current list of allowed products can be found at https://cloud.google.com/assured-workloads/docs/supported-products. In addition to the assuredworkloads.workload.update permission, the user should also have the orgpolicy.policy.set permission on the folder resource to use this functionality.

EXEC google.assuredworkloads.workloads.restrict_allowed_resources
@organizationsId='{{ organizationsId }}', --required
@locationsId='{{ locationsId }}', --required
@workloadsId='{{ workloadsId }}' --required
@@json=
'{
"restrictionType": "{{ restrictionType }}"
}';