| --- |
| # ---------------------------------------------------------------------------- |
| # |
| # *** AUTO GENERATED CODE *** Type: MMv1 *** |
| # |
| # ---------------------------------------------------------------------------- |
| # |
| # This file is automatically generated by Magic Modules and manual |
| # changes will be clobbered when the file is regenerated. |
| # |
| # Please read more about how to change this file in |
| # .github/CONTRIBUTING.md. |
| # |
| # ---------------------------------------------------------------------------- |
| subcategory: "Data loss prevention" |
| description: |- |
| Allows creation of templates to de-identify content. |
| --- |
| |
| # google\_data\_loss\_prevention\_deidentify\_template |
| |
| Allows creation of templates to de-identify content. |
| |
| |
| To get more information about DeidentifyTemplate, see: |
| |
| * [API documentation](https://cloud.google.com/dlp/docs/reference/rest/v2/projects.deidentifyTemplates) |
| * How-to Guides |
| * [Official Documentation](https://cloud.google.com/dlp/docs/concepts-templates) |
| |
| ~> **Warning:** All arguments including the following potentially sensitive |
| values will be stored in the raw state as plain text: `deidentify_config.record_transformations.field_transformations.field_transformations.info_type_transformations.transformations.transformations.primitive_transformation.crypto_replace_ffx_fpe_config.crypto_key.unwrapped.key`, `deidentify_config.record_transformations.field_transformations.field_transformations.info_type_transformations.transformations.transformations.primitive_transformation.crypto_hash_config.crypto_key.unwrapped.key`, `deidentify_config.record_transformations.field_transformations.field_transformations.info_type_transformations.transformations.transformations.primitive_transformation.date_shift_config.crypto_key.unwrapped.key`, `deidentify_config.record_transformations.field_transformations.field_transformations.info_type_transformations.transformations.transformations.primitive_transformation.crypto_deterministic_config.crypto_key.unwrapped.key`. |
| [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data). |
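The warning above can be turned into a check. The following is an added example, not part of the provider or its documentation: it walks a Terraform v4 state document and reports every de-identify template that carries a non-empty `unwrapped` key, without echoing the key. The sample state, resource names and key values are constructed placeholders.

```python
import json

RESOURCE_TYPE = "google_data_loss_prevention_deidentify_template"
PLACEHOLDER_KEY = "PLACEHOLDER-NOT-A-REAL-KEY"  # constructed value, not a real key


def transformation(kind, key_block):
    """Build one constructed `transformations` entry the way state stores nested blocks."""
    return {"primitive_transformation": [{kind: [{"crypto_key": [key_block]}]}]}


def resource(name, kind, key_block):
    """Build one constructed managed resource entry for the sample state."""
    config = [{"info_type_transformations": [{"transformations": [transformation(kind, key_block)]}]}]
    return {
        "mode": "managed",
        "type": RESOURCE_TYPE,
        "name": name,
        "instances": [{"attributes": {"parent": "projects/my-project-name",
                                      "deidentify_config": config}}],
    }


# Constructed sample: one template with a raw key, one with a KMS-wrapped key.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        resource("raw_key", "crypto_hash_config",
                 {"transient": [], "unwrapped": [{"key": PLACEHOLDER_KEY}], "kms_wrapped": []}),
        resource("wrapped", "crypto_deterministic_config",
                 {"transient": [], "unwrapped": [],
                  "kms_wrapped": [{"wrapped_key": "PLACEHOLDER-WRAPPED-BLOB",
                                   "crypto_key_name": "PLACEHOLDER-KMS-KEY-NAME"}]}),
    ],
})


def walk(node, path):
    """Yield (path, value) for every scalar leaf; list indices are left out of the path."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + [key])
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, path)
    else:
        yield path, node


def find_unwrapped_keys(state_text):
    """Return (resource address, attribute path) for each raw key stored in state."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != RESOURCE_TYPE:
            continue
        address = f"{res['type']}.{res['name']}"
        for instance in res.get("instances", []):
            for path, value in walk(instance.get("attributes", {}), []):
                # A non-empty `unwrapped.key` is the plain-text key the warning refers to.
                if path[-2:] == ["unwrapped", "key"] and value:
                    findings.append((address, ".".join(path)))
    return findings


if __name__ == "__main__":
    for address, path in find_unwrapped_keys(SAMPLE_STATE):
        print(f"{address}: raw key stored at {path}")
```

To audit a real workspace, pass the output of `terraform state pull` to `find_unwrapped_keys` instead of the sample.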
| |
| ## Example Usage - Dlp Deidentify Template Basic |
| |
| |
| ```hcl |
| resource "google_data_loss_prevention_deidentify_template" "basic" { |
|   parent = "projects/my-project-name" |
|   description = "Description" |
|   display_name = "Displayname" |
| |
|   deidentify_config { |
|     info_type_transformations { |
|       transformations { |
|         info_types { |
|           name = "FIRST_NAME" |
|         } |
| |
|         primitive_transformation { |
|           replace_with_info_type_config = true |
|         } |
|       } |
| |
|       transformations { |
|         info_types { |
|           name = "PHONE_NUMBER" |
|         } |
|         info_types { |
|           name = "AGE" |
|         } |
| |
|         primitive_transformation { |
|           replace_config { |
|             new_value { |
|               integer_value = 9 |
|             } |
|           } |
|         } |
|       } |
| |
|       transformations { |
|         info_types { |
|           name = "EMAIL_ADDRESS" |
|         } |
|         info_types { |
|           name = "LAST_NAME" |
|         } |
| |
|         primitive_transformation { |
|           character_mask_config { |
|             masking_character = "X" |
|             number_to_mask = 4 |
|             reverse_order = true |
|             characters_to_ignore { |
|               common_characters_to_ignore = "PUNCTUATION" |
|             } |
|           } |
|         } |
|       } |
| |
|       transformations { |
|         info_types { |
|           name = "DATE_OF_BIRTH" |
|         } |
| |
|         primitive_transformation { |
|           replace_config { |
|             new_value { |
|               date_value { |
|                 year = 2020 |
|                 month = 1 |
|                 day = 1 |
|               } |
|             } |
|           } |
|         } |
|       } |
| |
|       transformations { |
|         info_types { |
|           name = "CREDIT_CARD_NUMBER" |
|         } |
| |
|         primitive_transformation { |
|           crypto_deterministic_config { |
|             context { |
|               name = "sometweak" |
|             } |
|             crypto_key { |
|               transient { |
|                 name = "beep" |
|               } |
|             } |
|             surrogate_info_type { |
|               name = "abc" |
|             } |
|           } |
|         } |
|       } |
|     } |
|   } |
| } |
| ``` |
| ## Example Usage - Dlp Deidentify Template Image Transformations |
| |
| |
| ```hcl |
| resource "google_data_loss_prevention_deidentify_template" "basic" { |
|   parent = "projects/my-project-name" |
|   description = "Description" |
|   display_name = "Displayname" |
| |
|   deidentify_config { |
|     image_transformations { |
|       transforms { |
|         redaction_color { |
|           red = 0.5 |
|           blue = 1 |
|           green = 0.2 |
|         } |
|         selected_info_types { |
|           info_types { |
|             name = "COLOR_INFO" |
|             version = "latest" |
|           } |
|         } |
|       } |
| |
|       transforms { |
|         all_info_types {} |
|       } |
| |
|       transforms { |
|         all_text {} |
|       } |
|     } |
|   } |
| } |
| ``` |
| |
| ## Argument Reference |
| |
| The following arguments are supported: |
| |
| |
| * `deidentify_config` - |
| (Required) |
| Configuration of the deidentify template. |
| Structure is [documented below](#nested_deidentify_config). |
| |
| * `parent` - |
| (Required) |
| The parent of the template in any of the following formats: |
| * `projects/{{project}}` |
| * `projects/{{project}}/locations/{{location}}` |
| * `organizations/{{organization_id}}` |
| * `organizations/{{organization_id}}/locations/{{location}}` |
| |
| |
| <a name="nested_deidentify_config"></a>The `deidentify_config` block supports: |
| |
| * `image_transformations` - |
| (Optional) |
| Treat the dataset as an image and redact. |
| Structure is [documented below](#nested_image_transformations). |
| |
| * `info_type_transformations` - |
| (Optional) |
| Treat the dataset as free-form text and apply the same free text transformation everywhere. |
| Structure is [documented below](#nested_info_type_transformations). |
| |
| * `record_transformations` - |
| (Optional) |
| Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table. |
| Structure is [documented below](#nested_record_transformations). |
| |
| |
| <a name="nested_image_transformations"></a>The `image_transformations` block supports: |
| |
| * `transforms` - |
| (Required) |
| Determines how redaction of images should occur. |
| Structure is [documented below](#nested_transforms). |
| |
| |
| <a name="nested_transforms"></a>The `transforms` block supports: |
| |
| * `redaction_color` - |
| (Optional) |
| The color to use when redacting content from an image. If not specified, the default is black. |
| Structure is [documented below](#nested_redaction_color). |
| |
| * `selected_info_types` - |
| (Optional) |
| Apply transformation to the selected infoTypes. |
| Structure is [documented below](#nested_selected_info_types). |
| |
| * `all_info_types` - |
| (Optional) |
| Apply transformation to all findings not specified in other ImageTransformation's selectedInfoTypes. |
| |
| * `all_text` - |
| (Optional) |
| Apply transformation to all text that doesn't match an infoType. |
| |
| |
| <a name="nested_redaction_color"></a>The `redaction_color` block supports: |
| |
| * `red` - |
| (Optional) |
| The amount of red in the color as a value in the interval [0, 1]. |
| |
| * `blue` - |
| (Optional) |
| The amount of blue in the color as a value in the interval [0, 1]. |
| |
| * `green` - |
| (Optional) |
| The amount of green in the color as a value in the interval [0, 1]. |
| |
| <a name="nested_selected_info_types"></a>The `selected_info_types` block supports: |
| |
| * `info_types` - |
| (Required) |
| InfoTypes to apply the transformation to. Leaving this empty will apply the transformation to |
| all findings that correspond to infoTypes that were requested in InspectConfig. |
| Structure is [documented below](#nested_info_types). |
| |
| |
| <a name="nested_info_types"></a>The `info_types` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the information type. |
| |
| * `version` - |
| (Optional) |
| Version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_info_type_transformations"></a>The `info_type_transformations` block supports: |
| |
| * `transformations` - |
| (Required) |
| Transformation for each infoType. Cannot specify more than one for a given infoType. |
| Structure is [documented below](#nested_transformations). |
| |
| |
| <a name="nested_transformations"></a>The `transformations` block supports: |
| |
| * `info_types` - |
| (Optional) |
| InfoTypes to apply the transformation to. Leaving this empty will apply the transformation to |
| all findings that correspond to infoTypes that were requested in InspectConfig. |
| Structure is [documented below](#nested_info_types). |
| |
| * `primitive_transformation` - |
| (Required) |
| Primitive transformation to apply to the infoType. |
| The `primitive_transformation` block must only contain one argument, corresponding to the type of transformation. |
| Structure is [documented below](#nested_primitive_transformation). |
| |
| |
| <a name="nested_info_types"></a>The `info_types` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the information type. |
| |
| * `version` - |
| (Optional) |
| Version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_primitive_transformation"></a>The `primitive_transformation` block supports: |
| |
| * `replace_config` - |
| (Optional) |
| Replace each input value with a given value. |
| Structure is [documented below](#nested_replace_config). |
| |
| * `replace_with_info_type_config` - |
| (Optional) |
| Replace each matching finding with the name of the info type. |
| |
| * `character_mask_config` - |
| (Optional) |
| Partially mask a string by replacing a given number of characters with a fixed character. |
| Masking can start from the beginning or end of the string. |
| Structure is [documented below](#nested_character_mask_config). |
| |
| * `crypto_deterministic_config` - |
| (Optional) |
| Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC [https://tools.ietf.org/html/rfc5297](https://tools.ietf.org/html/rfc5297). |
| Structure is [documented below](#nested_crypto_deterministic_config). |
| |
| * `crypto_replace_ffx_fpe_config` - |
| (Optional) |
| Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `content.reidentify` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See [https://cloud.google.com/dlp/docs/pseudonymization](https://cloud.google.com/dlp/docs/pseudonymization) to learn more. |
| Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. |
| Structure is [documented below](#nested_crypto_replace_ffx_fpe_config). |
| |
| * `replace_dictionary_config` - |
| (Optional) |
| Replace with a value randomly drawn (with replacement) from a dictionary. |
| Structure is [documented below](#nested_replace_dictionary_config). |
| |
| * `date_shift_config` - |
| (Optional) |
| Shifts dates by a random number of days, with the option to be consistent for the same context. |
| Structure is [documented below](#nested_date_shift_config). |
| |
| * `fixed_size_bucketing_config` - |
| (Optional) |
| Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. |
| The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". |
| This can be used on data of type: double, long. |
| If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_fixed_size_bucketing_config). |
| |
| * `bucketing_config` - |
| (Optional) |
| Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH. |
| This can be used on data of type: number, long, string, timestamp. |
| If the provided value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_bucketing_config). |
| |
| * `time_part_config` - |
| (Optional) |
| For use with Date, Timestamp, and TimeOfDay, extract or preserve a portion of the value. |
| Structure is [documented below](#nested_time_part_config). |
| |
| * `redact_config` - |
| (Optional) |
| Redact a given value. For example, if used with an InfoTypeTransformation transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. |
| |
| * `crypto_hash_config` - |
| (Optional) |
| Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. |
| Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| Currently, only string and integer values can be hashed. |
| See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| Structure is [documented below](#nested_crypto_hash_config). |
| |
| |
| <a name="nested_replace_config"></a>The `replace_config` block supports: |
| |
| * `new_value` - |
| (Required) |
| Replace each input value with a given value. |
| The `new_value` block must only contain one argument. For example when replacing the contents of a string-type field, only `string_value` should be set. |
| Structure is [documented below](#nested_new_value). |
| |
| |
| <a name="nested_new_value"></a>The `new_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value. |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. |
| Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a |
| year by itself or a year and month where the day is not significant. |
| |
| <a name="nested_character_mask_config"></a>The `character_mask_config` block supports: |
| |
| * `masking_character` - |
| (Optional) |
| Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string |
| such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for |
| strings, and 0 for digits. |
| |
| * `number_to_mask` - |
| (Optional) |
| Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| |
| * `reverse_order` - |
| (Optional) |
| Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is `false`, then the |
| input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| |
| * `characters_to_ignore` - |
| (Optional) |
| Characters to skip when doing de-identification of a value. These will be left alone and skipped. |
| Structure is [documented below](#nested_characters_to_ignore). |
| |
| |
| <a name="nested_characters_to_ignore"></a>The `characters_to_ignore` block supports: |
| |
| * `characters_to_skip` - |
| (Optional) |
| Characters to not transform when masking. |
| |
| * `common_characters_to_ignore` - |
| (Optional) |
| Common characters to not transform when masking. Useful to avoid removing punctuation. |
| Possible values are: `NUMERIC`, `ALPHA_UPPER_CASE`, `ALPHA_LOWER_CASE`, `PUNCTUATION`, `WHITESPACE`. |
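The interaction of `number_to_mask`, `reverse_order` and `characters_to_ignore` described above is easiest to check by modelling it. The following is an added sketch, not the DLP service's implementation: it follows only the rules stated in this section, assumes Python's `string.punctuation` and `string.whitespace` stand in for the `PUNCTUATION` and `WHITESPACE` sets, and uses `*` as the default masking character for every input.

```python
import string

# Assumed membership of the common character classes (not taken from the DLP service).
COMMON_CLASSES = {
    "NUMERIC": set(string.digits),
    "ALPHA_UPPER_CASE": set(string.ascii_uppercase),
    "ALPHA_LOWER_CASE": set(string.ascii_lowercase),
    "PUNCTUATION": set(string.punctuation),
    "WHITESPACE": set(string.whitespace),
}


def character_mask(value, masking_character="*", number_to_mask=None,
                   reverse_order=False, characters_to_skip="",
                   common_characters_to_ignore=()):
    """Model of character_mask_config as documented in this section.

    number_to_mask=None means "not set": every non-skipped character is masked.
    Skipped characters are left alone and do not count towards number_to_mask.
    """
    if len(masking_character) != 1:
        raise ValueError("masking_character must have a length of 1")
    skip = set(characters_to_skip)
    for class_name in common_characters_to_ignore:
        skip |= COMMON_CLASSES[class_name]

    chars = list(value)
    # reverse_order walks the string from its end towards its beginning.
    positions = range(len(chars) - 1, -1, -1) if reverse_order else range(len(chars))
    masked = 0
    for i in positions:
        if number_to_mask is not None and masked >= number_to_mask:
            break
        if chars[i] in skip:
            continue
        chars[i] = masking_character
        masked += 1
    return "".join(chars)


def exposed_digits(masked_value):
    """Count the digits still readable after masking (the masking character must not be a digit)."""
    return sum(ch.isdigit() for ch in masked_value)


if __name__ == "__main__":
    card = "1234-5678-9012-3456"  # sample value from the reverse_order description
    # Documented example: hyphens are masked and counted because nothing is ignored.
    print(character_mask(card, "0", 14))
    # Ignoring punctuation keeps the separators and spends the tally on digits only.
    print(character_mask(card, "0", 12, common_characters_to_ignore=("PUNCTUATION",)))
    # Settings from the basic example on this page, applied to a constructed address.
    print(character_mask("jane.doe@example.com", "X", 4, reverse_order=True,
                         common_characters_to_ignore=("PUNCTUATION",)))
```

With the basic example's settings only the last four non-punctuation characters change, so most of an e-mail address or surname stays readable; check that this is the intended level of masking before relying on it.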
| |
| <a name="nested_crypto_deterministic_config"></a>The `crypto_deterministic_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption function. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `surrogate_info_type` - |
| (Optional) |
| The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} |
| For example, if the name of custom info type is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. |
| Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. |
| In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either |
| * reverse a surrogate that does not correspond to an actual identifier |
| * be unable to parse the surrogate and result in an error |
| Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE. |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `context` - |
| (Optional) |
| A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to the plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, the same context must be provided during decryption as well. |
| If the context is not set, the plaintext would be used as is for encryption. If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| the plaintext would be used as is for encryption. |
| Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. |
| Structure is [documented below](#nested_context). |
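The `surrogate_info_type` annotation format and the two inspection failure modes listed above can be tested against sample data before a name is chosen. The following is an added example, not code from the provider or the DLP service: `annotate`, `scan` and `audit_name` are hypothetical helpers, and the records are constructed.

```python
import re


def annotate(info_type_name, surrogate):
    """Format a surrogate as {info type name}({surrogate character count}):{surrogate}."""
    return f"{info_type_name}({len(surrogate)}):{surrogate}"


def scan(text, info_type_name):
    """Find occurrences of the info type name in free text.

    Returns (surrogates, unparseable): surrogates is a list of (offset, surrogate)
    for occurrences that follow the annotation format; unparseable is a list of
    offsets where the name appears without a well-formed annotation.
    """
    pattern = re.compile(re.escape(info_type_name) + r"(?:\((\d+)\):)?")
    surrogates, unparseable = [], []
    for match in pattern.finditer(text):
        if match.group(1) is None:
            unparseable.append(match.start())  # bare name, no "(n):" after it
            continue
        count = int(match.group(1))
        body = text[match.end():match.end() + count]
        if len(body) == count:
            surrogates.append((match.start(), body))
        else:
            unparseable.append(match.start())  # declared length runs past the text
    return surrogates, unparseable


def audit_name(info_type_name, raw_records):
    """Check a candidate name against data that has NOT been de-identified yet.

    Any hit means the name occurs naturally: 'false_surrogates' are records that
    would yield a surrogate with no real identifier behind it, 'parse_errors' are
    records where the surrogate could not be parsed.
    """
    report = {"false_surrogates": [], "parse_errors": []}
    for index, record in enumerate(raw_records):
        surrogates, unparseable = scan(record, info_type_name)
        if surrogates:
            report["false_surrogates"].append(index)
        if unparseable:
            report["parse_errors"].append(index)
    return report


# Constructed raw records standing in for data before de-identification.
RAW_RECORDS = [
    "ticket says TOKEN(4):abcd was pasted from the API docs",
    "please rotate the TOKEN today",
    "phone 206-555-0123",
]

if __name__ == "__main__":
    print(annotate("MY_TOKEN_INFO_TYPE", "abc"))
    print(audit_name("TOKEN", RAW_RECORDS))                # collides with the data
    print(audit_name("\u29ddMY_TOKEN_TYPE", RAW_RECORDS))  # name from the text above
```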
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Optional) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_crypto_replace_ffx_fpe_config"></a>The `crypto_replace_ffx_fpe_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption algorithm. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `context` - |
| (Optional) |
| The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. |
| If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| a default tweak will be used. |
| Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. |
| The tweak is constructed as a sequence of bytes in big endian byte order such that: |
| * a 64 bit integer is encoded followed by a single byte of value 1 |
| * a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Structure is [documented below](#nested_context). |
| |
| * `surrogate_info_type` - |
| (Optional) |
| The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info\_type\_name(surrogate\_character\_count):surrogate |
| For example, if the name of custom infoType is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. |
| In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `common_alphabet` - |
| (Optional) |
| Common alphabets. |
| Possible values are: `FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED`, `NUMERIC`, `HEXADECIMAL`, `UPPER_CASE_ALPHA_NUMERIC`, `ALPHA_NUMERIC`. |
| |
| * `custom_alphabet` - |
| (Optional) |
| This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range \[2, 95\]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: |
| ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/`` |
| |
| * `radix` - |
| (Optional) |
| The native way to select the alphabet. Must be in the range \[2, 95\]. |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Optional) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_replace_dictionary_config"></a>The `replace_dictionary_config` block supports: |
| |
| * `word_list` - |
| (Required) |
| A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. |
| Structure is [documented below](#nested_word_list). |
| |
| |
| <a name="nested_word_list"></a>The `word_list` block supports: |
| |
| * `words` - |
| (Required) |
| Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. |
| |
| <a name="nested_date_shift_config"></a>The `date_shift_config` block supports: |
| |
| * `context` - |
| (Optional) |
| Points to the field that contains the context, for example, an entity id. |
| If set, `crypto_key` must also be set. If set, shift will be consistent for the given context. |
| Structure is [documented below](#nested_context). |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption function. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `upper_bound_days` - |
| (Required) |
| Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). |
| Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. |
| |
| * `lower_bound_days` - |
| (Required) |
| Range of shift in days. Negative means shift to earlier in time. |
| |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Required) |
| Name describing the field. |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
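The rules stated above for `date_shift_config` and its `crypto_key` block can be checked before a template is applied. The following lint is an added example, not code from the provider or from Cloud DLP; the finding codes and function names are hypothetical, and the input shape (nested blocks as lists of objects, as Terraform's JSON output represents them) is an assumption.

```python
import base64

MAX_SHIFT_DAYS = 365250  # page: at most 365250 days (1000 years) in each direction


def _set(block):
    """Return a nested block as a dict, or None when it is absent, null, [] or {}."""
    if isinstance(block, list):
        block = block[0] if block else None
    return block if isinstance(block, dict) and block else None


def _check_crypto_key(ck, path, out):
    if _set(ck.get("unwrapped")):
        # The raw key is written to Terraform state as plain text.
        out.append((path, "UNWRAPPED_KEY"))
    kms = _set(ck.get("kms_wrapped"))
    if kms is not None:
        for arg in ("wrapped_key", "crypto_key_name"):  # both are (Required)
            if not kms.get(arg):
                out.append((path, "KMS_MISSING_" + arg.upper()))


def _check_date_shift(ds, path, out):
    ck = _set(ds.get("crypto_key"))
    if _set(ds.get("context")):
        if ck is None:
            out.append((path, "CONTEXT_WITHOUT_CRYPTO_KEY"))
        elif _set(ck.get("transient")):
            # A transient key is discarded after the request, so the shift is
            # consistent per context only within a single request.
            out.append((path, "CONTEXT_WITH_TRANSIENT_KEY"))
    lo, hi = ds.get("lower_bound_days"), ds.get("upper_bound_days")
    if lo is None or hi is None:
        out.append((path, "MISSING_BOUND"))
        return
    if max(abs(lo), abs(hi)) > MAX_SHIFT_DAYS:
        out.append((path, "BOUND_TOO_LARGE"))
    if lo > hi:  # a range with inclusive ends needs lower <= upper
        out.append((path, "EMPTY_RANGE"))


def lint(node, path="", out=None):
    """Walk the resource values and return a list of (path, finding_code)."""
    out = [] if out is None else out
    if isinstance(node, list):
        for i, item in enumerate(node):
            lint(item, f"{path}[{i}]", out)
    elif isinstance(node, dict):
        block = path.rsplit(".", 1)[-1].split("[")[0]  # name of the enclosing block
        if block == "crypto_key":
            _check_crypto_key(node, path, out)
        elif block == "date_shift_config":
            _check_date_shift(node, path, out)
        for key, value in node.items():
            lint(value, f"{path}.{key}" if path else key, out)
    return out


def field_transformation(name, **primitive):
    return {"fields": [{"name": name}], "primitive_transformation": [primitive]}


# Constructed sample values; the key, the wrapped key and the KMS name are placeholders.
ZERO_KEY = base64.b64encode(bytes(32)).decode()
KMS_KEY = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key"
SAMPLE = {"deidentify_config": [{"record_transformations": [{"field_transformations": [
    field_transformation("visit_date", date_shift_config=[{
        "context": [{"name": "patient_id"}], "crypto_key": [],
        "lower_bound_days": -30, "upper_bound_days": 400000}]),
    field_transformation("email", crypto_hash_config=[{
        "crypto_key": [{"transient": [], "unwrapped": [{"key": ZERO_KEY}], "kms_wrapped": []}]}]),
    field_transformation("dob", date_shift_config=[{
        "context": [{"name": "patient_id"}],
        "crypto_key": [{"kms_wrapped": [{"wrapped_key": "CONSTRUCTED_WRAPPED_KEY",
                                         "crypto_key_name": KMS_KEY}]}],
        "lower_bound_days": -100, "upper_bound_days": 100}]),
]}]}]}

if __name__ == "__main__":
    for finding_path, code in lint(SAMPLE):
        print(code, finding_path)
```

Only the third field transformation in the constructed sample passes cleanly: it pairs a context with a KMS-wrapped key and keeps both bounds within the documented limit.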
| |
| <a name="nested_fixed_size_bucketing_config"></a>The `fixed_size_bucketing_config` block supports: |
| |
| * `lower_bound` - |
| (Required) |
| Lower bound value of buckets. |
| All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value "-10". |
| The `lower_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_lower_bound). |
| |
| * `upper_bound` - |
| (Required) |
| Upper bound value of buckets. |
| All values greater than upper_bound are grouped together into a single bucket; for example if upper_bound = 89, then all values greater than 89 are replaced with the value "89+". |
| The `upper_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_upper_bound). |
| |
| * `bucket_size` - |
| (Required) |
| Size of each bucket (except for minimum and maximum buckets). |
| So if lower_bound = 10, upper_bound = 89, and bucket_size = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. |
| Precision up to 2 decimals works. |
| |
| |
| <a name="nested_lower_bound"></a>The `lower_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| <a name="nested_upper_bound"></a>The `upper_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| <a name="nested_bucketing_config"></a>The `bucketing_config` block supports: |
| |
| * `buckets` - |
| (Optional) |
| Set of buckets. Ranges must be non-overlapping. |
| Bucket is represented as a range, along with replacement values. |
| Structure is [documented below](#nested_buckets). |
| |
| |
| <a name="nested_buckets"></a>The `buckets` block supports: |
| |
| * `min` - |
| (Optional) |
| Lower bound of the range, inclusive. Type should be the same as max if used. |
| The `min` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_min). |
| |
| * `max` - |
| (Optional) |
| Upper bound of the range, exclusive; type must match min. |
| The `max` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_max). |
| |
| * `replacement_value` - |
| (Required) |
| Replacement value for this bucket. |
| The `replacement_value` block must only contain one argument. |
| Structure is [documented below](#nested_replacement_value). |
| |
| |
| <a name="nested_min"></a>The `min` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_max"></a>The `max` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_replacement_value"></a>The `replacement_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_time_part_config"></a>The `time_part_config` block supports: |
| |
| * `part_to_extract` - |
| (Optional) |
| The part of the time to keep. |
| Possible values are: `YEAR`, `MONTH`, `DAY_OF_MONTH`, `DAY_OF_WEEK`, `WEEK_OF_YEAR`, `HOUR_OF_DAY`. |
| |
| <a name="nested_crypto_hash_config"></a>The `crypto_hash_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption function. |
| Structure is [documented below](#nested_crypto_key). |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_record_transformations"></a>The `record_transformations` block supports: |
| |
| * `field_transformations` - |
| (Optional) |
| Transform the record by applying various field transformations. |
| Structure is [documented below](#nested_field_transformations). |
| |
| * `record_suppressions` - |
| (Optional) |
| Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output. |
| Structure is [documented below](#nested_record_suppressions). |
| |
| |
| <a name="nested_field_transformations"></a>The `field_transformations` block supports: |
| |
| * `fields` - |
| (Required) |
| Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. |
| FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". |
| Structure is [documented below](#nested_fields). |
| |
| * `condition` - |
| (Optional) |
| Only apply the transformation if the condition evaluates to true for the given RecordCondition. The conditions are allowed to reference fields that are not used in the actual transformation. |
| Example Use Cases: |
| - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. |
| - Redact a field if the date of birth field is greater than 85. |
| Structure is [documented below](#nested_condition). |
| |
| * `primitive_transformation` - |
| (Optional) |
| Apply the transformation to the entire field. |
| The `primitive_transformation` block must only contain one argument, corresponding to the type of transformation. |
| Only one of `primitive_transformation` or `info_type_transformations` must be specified. |
| Structure is [documented below](#nested_primitive_transformation). |
| |
| * `info_type_transformations` - |
| (Optional) |
| Treat the contents of the field as free text, and selectively transform content that matches an InfoType. |
| Only one of `primitive_transformation` or `info_type_transformations` must be specified. |
| Structure is [documented below](#nested_info_type_transformations). |
| |
| |
| <a name="nested_fields"></a>The `fields` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_condition"></a>The `condition` block supports: |
| |
| * `expressions` - |
| (Optional) |
| An expression. |
| Structure is [documented below](#nested_expressions). |
| |
| |
| <a name="nested_expressions"></a>The `expressions` block supports: |
| |
| * `logical_operator` - |
| (Optional) |
| The operator to apply to the result of conditions. Default and currently only supported value is AND. |
| Default value is `AND`. |
| Possible values are: `AND`. |
| |
| * `conditions` - |
| (Optional) |
| Conditions to apply to the expression. |
| Structure is [documented below](#nested_conditions). |
| |
| |
| <a name="nested_conditions"></a>The `conditions` block supports: |
| |
| * `conditions` - |
| (Optional) |
| A collection of conditions. |
| Structure is [documented below](#nested_conditions). |
| |
| |
| <a name="nested_conditions"></a>The `conditions` block supports: |
| |
| * `field` - |
| (Required) |
| Field within the record this condition is evaluated against. |
| Structure is [documented below](#nested_field). |
| |
| * `operator` - |
| (Required) |
| Operator used to compare the field or infoType to the value. |
| Possible values are: `EQUAL_TO`, `NOT_EQUAL_TO`, `GREATER_THAN`, `LESS_THAN`, `GREATER_THAN_OR_EQUALS`, `LESS_THAN_OR_EQUALS`, `EXISTS`. |
| |
| * `value` - |
| (Optional) |
| Value to compare against. |
| The `value` block must only contain one argument. For example when a condition is evaluated against a string-type field, only `string_value` should be set. |
| This argument is mandatory, except for conditions using the `EXISTS` operator. |
| Structure is [documented below](#nested_value). |
| |
| |
| <a name="nested_field"></a>The `field` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_value"></a>The `value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_primitive_transformation"></a>The `primitive_transformation` block supports: |
| |
| * `replace_config` - |
| (Optional) |
| Replace with a specified value. |
| Structure is [documented below](#nested_replace_config). |
| |
| * `redact_config` - |
| (Optional) |
| Redact a given value. For example, if used with an InfoTypeTransformation transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. |
| |
| * `character_mask_config` - |
| (Optional) |
| Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like `**3`). |
| Structure is [documented below](#nested_character_mask_config). |
| |
| * `crypto_replace_ffx_fpe_config` - |
| (Optional) |
| Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `content.reidentify` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See [https://cloud.google.com/dlp/docs/pseudonymization](https://cloud.google.com/dlp/docs/pseudonymization) to learn more. |
| Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. |
| Structure is [documented below](#nested_crypto_replace_ffx_fpe_config). |
| |
| * `fixed_size_bucketing_config` - |
| (Optional) |
| Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. |
| The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". |
| This can be used on data of type: double, long. |
| If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_fixed_size_bucketing_config). |
| |
| * `bucketing_config` - |
| (Optional) |
| Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH. |
| This can be used on data of type: number, long, string, timestamp. |
| If the provided value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_bucketing_config). |
| |
| * `time_part_config` - |
| (Optional) |
| For use with Date, Timestamp, and TimeOfDay, extract or preserve a portion of the value. |
| Structure is [documented below](#nested_time_part_config). |
| |
| * `crypto_hash_config` - |
| (Optional) |
| Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. |
| Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| Currently, only string and integer values can be hashed. |
| See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| Structure is [documented below](#nested_crypto_hash_config). |
| |
| * `date_shift_config` - |
| (Optional) |
| Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. |
| Structure is [documented below](#nested_date_shift_config). |
| |
| * `crypto_deterministic_config` - |
| (Optional) |
| Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC [https://tools.ietf.org/html/rfc5297](https://tools.ietf.org/html/rfc5297). |
| Structure is [documented below](#nested_crypto_deterministic_config). |
| |
| * `replace_dictionary_config` - |
| (Optional) |
| Replace with a value randomly drawn (with replacement) from a dictionary. |
| Structure is [documented below](#nested_replace_dictionary_config). |
| |
| |
| <a name="nested_replace_config"></a>The `replace_config` block supports: |
| |
| * `new_value` - |
| (Required) |
| Replace each input value with a given value. |
| The `new_value` block must only contain one argument. For example when replacing the contents of a string-type field, only `string_value` should be set. |
| Structure is [documented below](#nested_new_value). |
| |
| |
| <a name="nested_new_value"></a>The `new_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_character_mask_config"></a>The `character_mask_config` block supports: |
| |
| * `masking_character` - |
| (Optional) |
| Character to use to mask the sensitive values, for example `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. |
| |
| * `number_to_mask` - |
| (Optional) |
| Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| If `number_to_mask` is negative, this denotes inverse masking. Cloud DLP masks all but a number of characters. For example, suppose you have the following values: |
| - `masking_character` is `*` |
| - `number_to_mask` is `-4` |
| - `reverse_order` is `false` |
| - `characters_to_ignore` includes `-` |
| - Input string is `1234-5678-9012-3456` |
| The resulting de-identified string is `****-****-****-3456`. Cloud DLP masks all but the last four characters. If `reverse_order` is `true`, all but the first four characters are masked as `1234-****-****-****`. |
| |
| * `reverse_order` - |
| (Optional) |
| Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is `false`, then the |
| input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| |
| * `characters_to_ignore` - |
| (Optional) |
| Characters to skip when doing de-identification of a value. These will be left alone and skipped. |
| Structure is [documented below](#nested_characters_to_ignore). |
| |
| |
| <a name="nested_characters_to_ignore"></a>The `characters_to_ignore` block supports: |
| |
| * `characters_to_skip` - |
| (Optional) |
| Characters to not transform when masking. |
| |
| * `common_characters_to_ignore` - |
| (Optional) |
| Common characters to not transform when masking. Useful to avoid removing punctuation. |
| Possible values are: `NUMERIC`, `ALPHA_UPPER_CASE`, `ALPHA_LOWER_CASE`, `PUNCTUATION`, `WHITESPACE`. |
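A local model of the masking rules described for `character_mask_config` and `characters_to_ignore`, added here as an illustration; it is not Cloud DLP's or the provider's code. The names `mask`, `digits_in_clear` and `compare_skip_settings` are hypothetical, and two points are assumptions: `number_to_mask = 0` is treated as unset, and the `common_characters_to_ignore` values map to ASCII character sets.

```python
import string

# ASCII stand-ins for the `common_characters_to_ignore` values (assumption:
# the exact sets Cloud DLP uses are not given on this page).
COMMON = {
    "NUMERIC": string.digits,
    "ALPHA_UPPER_CASE": string.ascii_uppercase,
    "ALPHA_LOWER_CASE": string.ascii_lowercase,
    "PUNCTUATION": string.punctuation,
    "WHITESPACE": string.whitespace,
}


def mask(value, masking_character="*", number_to_mask=None, reverse_order=False,
         characters_to_skip="", common_characters_to_ignore=()):
    """Apply the masking rules to `value` and return the masked string."""
    if len(masking_character) != 1:
        raise ValueError("masking_character must have a length of 1")
    skip = set(characters_to_skip)
    for name in common_characters_to_ignore:
        skip.update(COMMON[name])

    chars = list(value)
    # Positions eligible for masking, in the order they are consumed.
    # Skipped characters are left alone and do not count towards the tally.
    eligible = [i for i, c in enumerate(chars) if c not in skip]
    if reverse_order:
        eligible.reverse()  # start masking from the end of the string

    if not number_to_mask:        # unset (0 treated as unset: assumption)
        count = len(eligible)
    elif number_to_mask < 0:      # inverse masking: leave |n| characters
        count = max(len(eligible) + number_to_mask, 0)
    else:
        count = min(number_to_mask, len(eligible))

    for i in eligible[:count]:
        chars[i] = masking_character
    return "".join(chars)


def digits_in_clear(masked):
    """Count digits left unmasked (meaningful when the mask is not a digit)."""
    return sum(c.isdigit() for c in masked)


def compare_skip_settings(value, n):
    """Same positive number_to_mask, with and without ignoring punctuation."""
    plain = mask(value, number_to_mask=n)
    skipping = mask(value, number_to_mask=n,
                    common_characters_to_ignore=["PUNCTUATION"])
    return (plain, digits_in_clear(plain)), (skipping, digits_in_clear(skipping))


PAN = "1234-5678-9012-3456"  # the sample input string used on this page

if __name__ == "__main__":
    print(mask(PAN, number_to_mask=-4, characters_to_skip="-"))
    print(mask(PAN, number_to_mask=-4, reverse_order=True, characters_to_skip="-"))
    print(mask(PAN, masking_character="0", number_to_mask=14))
    print(compare_skip_settings(PAN, 12))
```

With `number_to_mask = 12`, the sample value keeps six digits in the clear unless punctuation is ignored, because the separators are otherwise counted and masked like any other character.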
| |
| <a name="nested_crypto_replace_ffx_fpe_config"></a>The `crypto_replace_ffx_fpe_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption algorithm. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `context` - |
| (Optional) |
| The 'tweak': a context may be used for higher security, since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. |
| If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| a default tweak will be used. |
| Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. |
| The tweak is constructed as a sequence of bytes in big endian byte order such that: |
| * a 64 bit integer is encoded followed by a single byte of value 1 |
| * a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Structure is [documented below](#nested_context). |
| |
| * `surrogate_info_type` - |
| (Optional) |
| The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info\_type\_name(surrogate\_character\_count):surrogate |
| For example, if the name of custom infoType is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. |
| In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `common_alphabet` - |
| (Optional) |
| Common alphabets. |
| Possible values are: `FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED`, `NUMERIC`, `HEXADECIMAL`, `UPPER_CASE_ALPHA_NUMERIC`, `ALPHA_NUMERIC`. |
| |
| * `custom_alphabet` - |
| (Optional) |
| This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range \[2, 95\]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: |
| ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/`` |
| |
| * `radix` - |
| (Optional) |
| The native way to select the alphabet. Must be in the range \[2, 95\]. |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Optional) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_fixed_size_bucketing_config"></a>The `fixed_size_bucketing_config` block supports: |
| |
| * `lower_bound` - |
| (Required) |
| Lower bound value of buckets. |
| All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value "-10". |
| The `lower_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_lower_bound). |
| |
| * `upper_bound` - |
| (Required) |
| Upper bound value of buckets. |
| All values greater than upper_bound are grouped together into a single bucket; for example if upper_bound = 89, then all values greater than 89 are replaced with the value "89+". |
| The `upper_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_upper_bound). |
| |
| * `bucket_size` - |
| (Required) |
| Size of each bucket (except for minimum and maximum buckets). |
| So if lower_bound = 10, upper_bound = 89, and bucketSize = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. |
| Precision up to 2 decimals works. |
| |
| |
| <a name="nested_lower_bound"></a>The `lower_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_upper_bound"></a>The `upper_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_bucketing_config"></a>The `bucketing_config` block supports: |
| |
| * `buckets` - |
| (Optional) |
| Set of buckets. Ranges must be non-overlapping. |
| Bucket is represented as a range, along with replacement values. |
| Structure is [documented below](#nested_buckets). |
| |
| |
| <a name="nested_buckets"></a>The `buckets` block supports: |
| |
| * `min` - |
| (Optional) |
| Lower bound of the range, inclusive. Type should be the same as max if used. |
| The `min` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_min). |
| |
| * `max` - |
| (Optional) |
| Upper bound of the range, exclusive; type must match min. |
| The `max` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_max). |
| |
| * `replacement_value` - |
| (Required) |
| Replacement value for this bucket. |
| The `replacement_value` block must only contain one argument. |
| Structure is [documented below](#nested_replacement_value). |
| |
| |
| <a name="nested_min"></a>The `min` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_max"></a>The `max` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_replacement_value"></a>The `replacement_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_time_part_config"></a>The `time_part_config` block supports: |
| |
| * `part_to_extract` - |
| (Optional) |
| The part of the time to keep. |
| Possible values are: `YEAR`, `MONTH`, `DAY_OF_MONTH`, `DAY_OF_WEEK`, `WEEK_OF_YEAR`, `HOUR_OF_DAY`. |
| |
| <a name="nested_crypto_hash_config"></a>The `crypto_hash_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption function. |
| Structure is [documented below](#nested_crypto_key). |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_date_shift_config"></a>The `date_shift_config` block supports: |
| |
| * `upper_bound_days` - |
| (Required) |
| Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. |
| For example, 3 means shift date to at most 3 days into the future. |
| |
| * `lower_bound_days` - |
| (Required) |
| For example, -5 means shift date to at most 5 days back in the past. |
| |
| * `context` - |
| (Optional) |
| Points to the field that contains the context, for example, an entity id. |
| If set, must also set cryptoKey. If set, shift will be consistent for the given context. |
| Structure is [documented below](#nested_context). |
| |
| * `crypto_key` - |
| (Optional) |
| Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and cryptoKey. If set, must also set context. Can only be applied to table items. |
| Structure is [documented below](#nested_crypto_key). |
| |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_crypto_deterministic_config"></a>The `crypto_deterministic_config` block supports: |
| |
| * `crypto_key` - |
| (Optional) |
| The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `surrogate_info_type` - |
| (Optional) |
| The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} |
| For example, if the name of custom info type is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. |
| Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. |
| In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either |
| * reverse a surrogate that does not correspond to an actual identifier |
| * be unable to parse the surrogate and result in an error |
| Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE. |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `context` - |
| (Optional) |
| A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to the plaintext value being encrypted. On decryption, the provided context is validated against the value used during encryption. If a context was provided during encryption, the same context must be provided during decryption as well. |
| If the context is not set, plaintext would be used as is for encryption. If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| plaintext would be used as is for encryption. |
| Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and unstructured ContentItems. |
| Structure is [documented below](#nested_context). |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Optional) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
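
The following is an added example, not part of the generated provider documentation. It shows the same `crypto_deterministic_config` transformation twice, first with an `unwrapped` key and then with a `kms_wrapped` key. The variable names, resource labels, display names and the choice of `EMAIL_ADDRESS` are placeholders chosen for illustration.

```hcl
# Added example. All variable names and resource labels are placeholders.

variable "project_id" {
  type        = string
  description = "Project that owns the templates (placeholder)."
}

variable "raw_data_key" {
  type        = string
  sensitive   = true # hides the value in CLI output only; it is still written to state
  description = "Base64-encoded raw 128/192/256-bit key (weak variant only)."
}

variable "wrapped_data_key" {
  type        = string
  description = "Base64-encoded data crypto key, already wrapped by Cloud KMS."
}

variable "kms_crypto_key_name" {
  type        = string
  description = "Resource name of the KMS CryptoKey used for unwrapping."
}

# WEAK: the raw key in `unwrapped.key` is stored in the Terraform state as
# plain text, so anyone who can read the state can reverse every surrogate.
resource "google_data_loss_prevention_deidentify_template" "email_unwrapped" {
  parent       = "projects/${var.project_id}"
  display_name = "email-tokenize-unwrapped"

  deidentify_config {
    info_type_transformations {
      transformations {
        info_types {
          name = "EMAIL_ADDRESS"
        }
        primitive_transformation {
          crypto_deterministic_config {
            crypto_key {
              unwrapped {
                key = var.raw_data_key
              }
            }
            surrogate_info_type {
              name = "MY_TOKEN_INFO_TYPE"
            }
          }
        }
      }
    }
  }
}

# PREFERRED: the state holds only the wrapped key; recovering the data key
# additionally requires access to the referenced KMS CryptoKey.
resource "google_data_loss_prevention_deidentify_template" "email_kms_wrapped" {
  parent       = "projects/${var.project_id}"
  display_name = "email-tokenize-kms-wrapped"

  deidentify_config {
    info_type_transformations {
      transformations {
        info_types {
          name = "EMAIL_ADDRESS"
        }
        primitive_transformation {
          crypto_deterministic_config {
            crypto_key {
              kms_wrapped {
                wrapped_key     = var.wrapped_data_key
                crypto_key_name = var.kms_crypto_key_name
              }
            }
            surrogate_info_type {
              name = "MY_TOKEN_INFO_TYPE"
            }
          }
        }
      }
    }
  }
}
```

A `transient` key also keeps key material out of the state, but because it is discarded after the request finishes, it does not fit cases where surrogates must be reversed later.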
| |
| <a name="nested_replace_dictionary_config"></a>The `replace_dictionary_config` block supports: |
| |
| * `word_list` - |
| (Optional) |
| A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. |
| Structure is [documented below](#nested_word_list). |
| |
| |
| <a name="nested_word_list"></a>The `word_list` block supports: |
| |
| * `words` - |
| (Required) |
| Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. |
| |
| <a name="nested_info_type_transformations"></a>The `info_type_transformations` block supports: |
| |
| * `transformations` - |
| (Required) |
| Transformation for each infoType. Cannot specify more than one for a given infoType. |
| Structure is [documented below](#nested_transformations). |
| |
| |
| <a name="nested_transformations"></a>The `transformations` block supports: |
| |
| * `info_types` - |
| (Optional) |
| InfoTypes to apply the transformation to. Leaving this empty applies the transformation to |
| all findings that correspond to infoTypes that were requested in InspectConfig. |
| Structure is [documented below](#nested_info_types). |
| |
| * `primitive_transformation` - |
| (Required) |
| Apply the transformation to the entire field. |
| The `primitive_transformation` block must only contain one argument, corresponding to the type of transformation. |
| Structure is [documented below](#nested_primitive_transformation). |
| |
| |
| <a name="nested_info_types"></a>The `info_types` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the information type. |
| |
| * `version` - |
| (Optional) |
| Version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_primitive_transformation"></a>The `primitive_transformation` block supports: |
| |
| * `replace_config` - |
| (Optional) |
| Replace each input value with a given value. |
| Structure is [documented below](#nested_replace_config). |
| |
| * `redact_config` - |
| (Optional) |
| Redact a given value. For example, if used with an InfoTypeTransformation transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. |
| |
| * `character_mask_config` - |
| (Optional) |
| Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3). |
| Structure is [documented below](#nested_character_mask_config). |
| |
| * `crypto_replace_ffx_fpe_config` - |
| (Optional) |
| Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `content.reidentify` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See [https://cloud.google.com/dlp/docs/pseudonymization](https://cloud.google.com/dlp/docs/pseudonymization) to learn more. |
| Note: We recommend using CryptoDeterministicConfig for all use cases that do not require preserving the input alphabet space and size and that warrant referential integrity. |
| Structure is [documented below](#nested_crypto_replace_ffx_fpe_config). |
| |
| * `fixed_size_bucketing_config` - |
| (Optional) |
| Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. |
| The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". |
| This can be used on data of type: double, long. |
| If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_fixed_size_bucketing_config). |
| |
| * `bucketing_config` - |
| (Optional) |
| Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH. |
| This can be used on data of type: number, long, string, timestamp. |
| If the provided value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. |
| See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| Structure is [documented below](#nested_bucketing_config). |
| |
| * `replace_with_info_type_config` - |
| (Optional) |
| Replace each matching finding with the name of the info type. |
| |
| * `time_part_config` - |
| (Optional) |
| For use with Date, Timestamp, and TimeOfDay, extract or preserve a portion of the value. |
| Structure is [documented below](#nested_time_part_config). |
| |
| * `crypto_hash_config` - |
| (Optional) |
| Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. |
| Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| Currently, only string and integer values can be hashed. |
| See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| Structure is [documented below](#nested_crypto_hash_config). |
| |
| * `date_shift_config` - |
| (Optional) |
| Shifts dates by a random number of days, with the option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. |
| Structure is [documented below](#nested_date_shift_config). |
| |
| * `crypto_deterministic_config` - |
| (Optional) |
| Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC [https://tools.ietf.org/html/rfc5297](https://tools.ietf.org/html/rfc5297). |
| Structure is [documented below](#nested_crypto_deterministic_config). |
| |
| * `replace_dictionary_config` - |
| (Optional) |
| Replace with a value randomly drawn (with replacement) from a dictionary. |
| Structure is [documented below](#nested_replace_dictionary_config). |
| |
| |
| <a name="nested_replace_config"></a>The `replace_config` block supports: |
| |
| * `new_value` - |
| (Required) |
| Replace each input value with a given value. |
| The `new_value` block must only contain one argument. For example when replacing the contents of a string-type field, only `string_value` should be set. |
| Structure is [documented below](#nested_new_value). |
| |
| |
| <a name="nested_new_value"></a>The `new_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. |
| Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_character_mask_config"></a>The `character_mask_config` block supports: |
| |
| * `masking_character` - |
| (Optional) |
| Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string |
| such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for |
| strings, and 0 for digits. |
| |
| * `number_to_mask` - |
| (Optional) |
| Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| If number_to_mask is negative, this denotes inverse masking. Cloud DLP masks all but a number of characters. For example, suppose you have the following values: |
| - `masking_character` is * |
| - `number_to_mask` is -4 |
| - `reverse_order` is false |
| - `characters_to_ignore` includes - |
| - Input string is 1234-5678-9012-3456 |
| The resulting de-identified string is ****-****-****-3456. Cloud DLP masks all but the last four characters. If `reverse_order` is true, all but the first four characters are masked as 1234-****-****-****. |
| |
| * `reverse_order` - |
| (Optional) |
| Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is `false`, then the |
| input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| |
| * `characters_to_ignore` - |
| (Optional) |
| Characters to skip when doing de-identification of a value. These will be left alone and skipped. |
| Structure is [documented below](#nested_characters_to_ignore). |
| |
| |
| <a name="nested_characters_to_ignore"></a>The `characters_to_ignore` block supports: |
| |
| * `characters_to_skip` - |
| (Optional) |
| Characters to not transform when masking. Only one of this or `common_characters_to_ignore` must be specified. |
| |
| * `common_characters_to_ignore` - |
| (Optional) |
| Common characters to not transform when masking. Useful to avoid removing punctuation. Only one of this or `characters_to_skip` must be specified. |
| Possible values are: `NUMERIC`, `ALPHA_UPPER_CASE`, `ALPHA_LOWER_CASE`, `PUNCTUATION`, `WHITESPACE`. |
| |
| <a name="nested_crypto_replace_ffx_fpe_config"></a>The `crypto_replace_ffx_fpe_config` block supports: |
| |
| * `crypto_key` - |
| (Required) |
| The key used by the encryption algorithm. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `context` - |
| (Optional) |
| The 'tweak'. A context may be used for higher security, since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. |
| If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| a default tweak will be used. |
| Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. |
| The tweak is constructed as a sequence of bytes in big endian byte order such that: |
| * a 64 bit integer is encoded followed by a single byte of value 1 |
| * a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Structure is [documented below](#nested_context). |
| |
| * `surrogate_info_type` - |
| (Optional) |
| The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info\_type\_name(surrogate\_character\_count):surrogate |
| For example, if the name of custom infoType is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. |
| In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `common_alphabet` - |
| (Optional) |
| Common alphabets. Only one of this, `custom_alphabet` or `radix` must be specified. |
| Possible values are: `NUMERIC`, `HEXADECIMAL`, `UPPER_CASE_ALPHA_NUMERIC`, `ALPHA_NUMERIC`. |
| |
| * `custom_alphabet` - |
| (Optional) |
| A custom alphabet is supported by mapping its characters to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range \[2, 95\]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: |
| ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/``. Only one of this, `common_alphabet` or `radix` must be specified. |
| |
| * `radix` - |
| (Optional) |
| The native way to select the alphabet. Must be in the range \[2, 95\]. Only one of this, `custom_alphabet` or `common_alphabet` must be specified. |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. Only one of this, `unwrapped` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. Only one of this, `transient` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). Only one of this, `transient` or `unwrapped` must be specified. |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| **Note**: This property is sensitive and will not be displayed in the plan. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Required) |
| Name describing the field. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
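
The `crypto_replace_ffx_fpe_config` arguments described above, combined in one template as an added example (not taken from the provider documentation). It uses a `kms_wrapped` key instead of `unwrapped`, whose raw key would be stored in state as plain text. The resource label, column names, variables and the surrogate name are assumptions.

```hcl
# Added example. Resource label, column names and variables are hypothetical.

variable "project" {
  type = string
}

# Base64-encoded data key that has already been wrapped with Cloud KMS.
# Placeholder input: supply it at apply time, do not commit it.
variable "wrapped_dek" {
  type      = string
  sensitive = true
}

# Full resource name of the KMS CryptoKey that wrapped the data key.
variable "kms_crypto_key_name" {
  type = string
}

resource "google_data_loss_prevention_deidentify_template" "cards" {
  parent       = "projects/${var.project}"
  display_name = "card-tokenization"
  description  = "FPE surrogates for card numbers, last-four masking for display"

  deidentify_config {
    record_transformations {
      # Reversible surrogate for the stored card number.
      field_transformations {
        fields {
          name = "card_number" # assumed to hold digits only, matching NUMERIC
        }
        info_type_transformations {
          transformations {
            info_types {
              name = "CREDIT_CARD_NUMBER"
            }
            primitive_transformation {
              crypto_replace_ffx_fpe_config {
                # Exactly one of common_alphabet, custom_alphabet or radix.
                common_alphabet = "NUMERIC"

                # Tweak: the same card under two customer_id values
                # does not receive the same surrogate.
                context {
                  name = "customer_id"
                }

                crypto_key {
                  # Weak setting, shown for contrast only. The raw key is
                  # written to Terraform state as plain text:
                  #   unwrapped { key = "<base64 raw key>" }
                  kms_wrapped {
                    wrapped_key     = var.wrapped_dek
                    crypto_key_name = var.kms_crypto_key_name
                  }
                }

                # Prefix the surrogate so inspection can find it again.
                # The name must not occur naturally in the data.
                surrogate_info_type {
                  name = "⧝CARD_TOKEN"
                }
              }
            }
          }
        }
      }

      # Inverse masking: keep only the last four characters for display.
      field_transformations {
        fields {
          name = "card_display"
        }
        info_type_transformations {
          transformations {
            info_types {
              name = "CREDIT_CARD_NUMBER"
            }
            primitive_transformation {
              character_mask_config {
                masking_character = "*"
                number_to_mask    = -4
                reverse_order     = false
                characters_to_ignore {
                  characters_to_skip = "-"
                }
              }
            }
          }
        }
      }
    }
  }
}
```

With `kms_wrapped`, state holds only the wrapped key, which is useless without access to the KMS CryptoKey named in `crypto_key_name`.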
| |
| <a name="nested_fixed_size_bucketing_config"></a>The `fixed_size_bucketing_config` block supports: |
| |
| * `lower_bound` - |
| (Required) |
| Lower bound value of buckets. |
| All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value "-10". |
| The `lower_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_lower_bound). |
| |
| * `upper_bound` - |
| (Required) |
| Upper bound value of buckets. |
| All values greater than upper_bound are grouped together into a single bucket; for example if upper_bound = 89, then all values greater than 89 are replaced with the value "89+". |
| The `upper_bound` block must only contain one argument. See the `fixed_size_bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_upper_bound). |
| |
| * `bucket_size` - |
| (Required) |
| Size of each bucket (except for minimum and maximum buckets). |
| So if lower_bound = 10, upper_bound = 89, and bucket_size = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. |
| Precision up to 2 decimals works. |
| |
| |
| <a name="nested_lower_bound"></a>The `lower_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| <a name="nested_upper_bound"></a>The `upper_bound` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| <a name="nested_bucketing_config"></a>The `bucketing_config` block supports: |
| |
| * `buckets` - |
| (Required) |
| Set of buckets. Ranges must be non-overlapping. |
| Bucket is represented as a range, along with replacement values. |
| Structure is [documented below](#nested_buckets). |
| |
| |
| <a name="nested_buckets"></a>The `buckets` block supports: |
| |
| * `min` - |
| (Optional) |
| Lower bound of the range, inclusive. Type should be the same as max if used. |
| The `min` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_min). |
| |
| * `max` - |
| (Optional) |
| Upper bound of the range, exclusive; type must match min. |
| The `max` block must only contain one argument. See the `bucketing_config` block description for more information about choosing a data type. |
| Structure is [documented below](#nested_max). |
| |
| * `replacement_value` - |
| (Required) |
| Replacement value for this bucket. |
| The `replacement_value` block must only contain one argument. |
| Structure is [documented below](#nested_replacement_value). |
| |
| |
| <a name="nested_min"></a>The `min` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_max"></a>The `max` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_replacement_value"></a>The `replacement_value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format) |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| <a name="nested_time_part_config"></a>The `time_part_config` block supports: |
| |
| * `part_to_extract` - |
| (Required) |
| The part of the time to keep. |
| Possible values are: `YEAR`, `MONTH`, `DAY_OF_MONTH`, `DAY_OF_WEEK`, `WEEK_OF_YEAR`, `HOUR_OF_DAY`. |
| |
| <a name="nested_crypto_hash_config"></a>The `crypto_hash_config` block supports: |
| |
| * `crypto_key` - |
| (Required) |
| The key used by the encryption function. |
| Structure is [documented below](#nested_crypto_key). |
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. Only one of this, `unwrapped` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. Only one of this, `transient` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). Only one of this, `transient` or `unwrapped` must be specified. |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the API call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| **Note**: This property is sensitive and will not be displayed in the plan. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_date_shift_config"></a>The `date_shift_config` block supports: |
| |
| * `upper_bound_days` - |
| (Required) |
| Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. |
| For example, 3 means shift date to at most 3 days into the future. |
| |
| * `lower_bound_days` - |
| (Required) |
| For example, -5 means shift date to at most 5 days back in the past. |
| |
| * `context` - |
| (Optional) |
| Points to the field that contains the context, for example, an entity id. |
| If set, must also set `crypto_key`. If set, shift will be consistent for the given context. |
| Structure is [documented below](#nested_context). |
| |
| * `crypto_key` - |
| (Optional) |
| Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and `crypto_key`. If set, must also set context. Can only be applied to table items. |
| Structure is [documented below](#nested_crypto_key). |
| |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Required) |
| Name describing the field. |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. Only one of this, `unwrapped` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. Only one of this, `transient` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). Only one of this, `transient` or `unwrapped` must be specified. |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| **Note**: This property is sensitive and will not be displayed in the plan. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_crypto_deterministic_config"></a>The `crypto_deterministic_config` block supports: |
| |
| * `crypto_key` - |
| (Required) |
| The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
| Structure is [documented below](#nested_crypto_key). |
| |
| * `surrogate_info_type` - |
| (Required) |
| The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} |
| For example, if the name of custom info type is 'MY\_TOKEN\_INFO\_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY\_TOKEN\_INFO\_TYPE(3):abc' |
| This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. |
| Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. |
| In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either |
| * reverse a surrogate that does not correspond to an actual identifier |
| * be unable to parse the surrogate and result in an error |
| Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY\_TOKEN\_TYPE. |
| Structure is [documented below](#nested_surrogate_info_type). |
| |
| * `context` - |
| (Optional) |
| A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to the plaintext value being encrypted. On decryption, the provided context is validated against the value used during encryption. If a context was provided during encryption, the same context must be provided during decryption as well. |
| If the context is not set, plaintext would be used as is for encryption. If the context is set but: |
| 1. there is no record present when transforming a given value or |
| 2. the field is not present when transforming a given value, |
| plaintext would be used as is for encryption. |
| Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and unstructured ContentItems. |
| Structure is [documented below](#nested_context). |
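| |
| The annotation format and the two naming failure modes described for `surrogate_info_type` above, as an added Python sketch that is not part of the provider or of Cloud DLP. `annotate`, `scan` and the sample strings are constructed for illustration, and the scanner is a simplified model of surrogate detection, not the service's parser. |

```python
import re

WEAK = "MY_TOKEN_INFO_TYPE"      # plain ASCII name taken from the page's example
STRONG = "\u29ddMY_TOKEN_TYPE"   # the page's suggestion: prefix with U+29DD
_HEADER = re.compile(r"\((\d+)\):")  # "({surrogate character count}):"


def annotate(info_type: str, surrogate: str) -> str:
    """Build {info type name}({surrogate character count}):{surrogate}."""
    return f"{info_type}({len(surrogate)}):{surrogate}"


def scan(text: str, info_type: str):
    """Model of surrogate detection (assumption, not the DLP parser).

    Returns (surrogates, bad_offsets): every occurrence of the name is either
    parsed as a surrogate or recorded as an offset that cannot be parsed.
    """
    surrogates, bad_offsets = [], []
    pos = text.find(info_type)
    while pos != -1:
        name_end = pos + len(info_type)
        m = _HEADER.match(text, name_end)
        count = int(m.group(1)) if m else -1
        if m and m.end() + count <= len(text):
            surrogates.append(text[m.end():m.end() + count])
            resume = m.end() + count
        else:
            bad_offsets.append(pos)   # name present, no valid "(n):<n chars>"
            resume = name_end
        pos = text.find(info_type, resume)
    return surrogates, bad_offsets


# Constructed free text: one real token plus two natural uses of the weak name.
NATURAL = "docs say MY_TOKEN_INFO_TYPE(3):abc; MY_TOKEN_INFO_TYPE is a label"
WEAK_TEXT = f"user {annotate(WEAK, 'q8Zk1')} wrote: {NATURAL}"
STRONG_TEXT = f"user {annotate(STRONG, 'q8Zk1')} wrote: {NATURAL}"

if __name__ == "__main__":
    # Weak name: 'abc' is reversed although it was never a token, and the
    # last occurrence cannot be parsed at all.
    print(scan(WEAK_TEXT, WEAK))
    # Strong name: only the real token is found.
    print(scan(STRONG_TEXT, STRONG))
```

| Running `scan` over a sample of the raw data with the candidate name before deploying the template shows whether the name already occurs naturally. |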
| |
| |
| <a name="nested_crypto_key"></a>The `crypto_key` block supports: |
| |
| * `transient` - |
| (Optional) |
| Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes. Only one of this, `unwrapped` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_transient). |
| |
| * `unwrapped` - |
| (Optional) |
| Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. Only one of this, `transient` or `kms_wrapped` must be specified. |
| Structure is [documented below](#nested_unwrapped). |
| |
| * `kms_wrapped` - |
| (Optional) |
| KMS wrapped key. |
| Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: `dlp.kms.encrypt`. |
| For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key). Only one of this, `transient` or `unwrapped` must be specified. |
| Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). |
| Structure is [documented below](#nested_kms_wrapped). |
| |
| |
| <a name="nested_transient"></a>The `transient` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| |
| <a name="nested_unwrapped"></a>The `unwrapped` block supports: |
| |
| * `key` - |
| (Required) |
| A 128/192/256 bit key. |
| A base64-encoded string. |
| **Note**: This property is sensitive and will not be displayed in the plan. |
| |
| <a name="nested_kms_wrapped"></a>The `kms_wrapped` block supports: |
| |
| * `wrapped_key` - |
| (Required) |
| The wrapped data crypto key. |
| A base64-encoded string. |
| |
| * `crypto_key_name` - |
| (Required) |
| The resource name of the KMS CryptoKey to use for unwrapping. |
| |
| <a name="nested_surrogate_info_type"></a>The `surrogate_info_type` block supports: |
| |
| * `name` - |
| (Required) |
| Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at [https://cloud.google.com/dlp/docs/infotypes-reference](https://cloud.google.com/dlp/docs/infotypes-reference) when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| |
| * `version` - |
| (Optional) |
| Optional version name for this InfoType. |
| |
| * `sensitivity_score` - |
| (Optional) |
| Optional custom sensitivity for this InfoType. This only applies to data profiling. |
| Structure is [documented below](#nested_sensitivity_score). |
| |
| |
| <a name="nested_sensitivity_score"></a>The `sensitivity_score` block supports: |
| |
| * `score` - |
| (Required) |
| The sensitivity score applied to the resource. |
| Possible values are: `SENSITIVITY_LOW`, `SENSITIVITY_MODERATE`, `SENSITIVITY_HIGH`. |
| |
| <a name="nested_context"></a>The `context` block supports: |
| |
| * `name` - |
| (Required) |
| Name describing the field. |
| |
| <a name="nested_replace_dictionary_config"></a>The `replace_dictionary_config` block supports: |
| |
| * `word_list` - |
| (Required) |
| A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. |
| Structure is [documented below](#nested_word_list). |
| |
| |
| <a name="nested_word_list"></a>The `word_list` block supports: |
| |
| * `words` - |
| (Required) |
| Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. |
| |
| <a name="nested_record_suppressions"></a>The `record_suppressions` block supports: |
| |
| * `condition` - |
| (Optional) |
| A condition that, when it evaluates to true, causes the record to be suppressed from the transformed content. |
| Structure is [documented below](#nested_condition). |
| |
| |
| <a name="nested_condition"></a>The `condition` block supports: |
| |
| * `expressions` - |
| (Optional) |
| An expression, consisting of an operator and conditions. |
| Structure is [documented below](#nested_expressions). |
| |
| |
| <a name="nested_expressions"></a>The `expressions` block supports: |
| |
| * `logical_operator` - |
| (Optional) |
| The operator to apply to the result of conditions. Default and currently only supported value is AND. |
| Default value is `AND`. |
| Possible values are: `AND`. |
| |
| * `conditions` - |
| (Optional) |
| Conditions to apply to the expression. |
| Structure is [documented below](#nested_conditions). |
| |
| |
| <a name="nested_conditions"></a>The `conditions` block supports: |
| |
| * `conditions` - |
| (Optional) |
| A collection of conditions. |
| Structure is [documented below](#nested_conditions). |
| |
| |
| <a name="nested_conditions"></a>The `conditions` block supports: |
| |
| * `field` - |
| (Required) |
| Field within the record this condition is evaluated against. |
| Structure is [documented below](#nested_field). |
| |
| * `operator` - |
| (Required) |
| Operator used to compare the field or infoType to the value. |
| Possible values are: `EQUAL_TO`, `NOT_EQUAL_TO`, `GREATER_THAN`, `LESS_THAN`, `GREATER_THAN_OR_EQUALS`, `LESS_THAN_OR_EQUALS`, `EXISTS`. |
| |
| * `value` - |
| (Optional) |
| Value to compare against. [Mandatory, except for EXISTS tests.] |
| Structure is [documented below](#nested_value). |
| |
| |
| <a name="nested_field"></a>The `field` block supports: |
| |
| * `name` - |
| (Optional) |
| Name describing the field. |
| |
| <a name="nested_value"></a>The `value` block supports: |
| |
| * `integer_value` - |
| (Optional) |
| An integer value (int64 format). |
| |
| * `float_value` - |
| (Optional) |
| A float value. |
| |
| * `string_value` - |
| (Optional) |
| A string value. |
| |
| * `boolean_value` - |
| (Optional) |
| A boolean value. |
| |
| * `timestamp_value` - |
| (Optional) |
| A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
| |
| * `time_value` - |
| (Optional) |
| Represents a time of day. |
| Structure is [documented below](#nested_time_value). |
| |
| * `date_value` - |
| (Optional) |
| Represents a whole or partial calendar date. |
| Structure is [documented below](#nested_date_value). |
| |
| * `day_of_week_value` - |
| (Optional) |
| Represents a day of the week. |
| Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. |
| |
| |
| <a name="nested_time_value"></a>The `time_value` block supports: |
| |
| * `hours` - |
| (Optional) |
| Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| |
| * `minutes` - |
| (Optional) |
| Minutes of hour of day. Must be from 0 to 59. |
| |
| * `seconds` - |
| (Optional) |
| Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| |
| * `nanos` - |
| (Optional) |
| Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| |
| <a name="nested_date_value"></a>The `date_value` block supports: |
| |
| * `year` - |
| (Optional) |
| Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| |
| * `month` - |
| (Optional) |
| Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| |
| * `day` - |
| (Optional) |
| Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| |
| - - - |
| |
| |
| * `description` - |
| (Optional) |
| A description of the template. |
| |
| * `display_name` - |
| (Optional) |
| User set display name of the template. |
| |
| * `template_id` - |
| (Optional) |
| The template id can contain uppercase and lowercase letters, numbers, and hyphens; |
| that is, it must match the regular expression: `[a-zA-Z\d-_]+`. The maximum length is |
| 100 characters. Can be empty to allow the system to generate one. |
| |
| |
| ## Attributes Reference |
| |
| In addition to the arguments listed above, the following computed attributes are exported: |
| |
| * `id` - an identifier for the resource with format `{{parent}}/deidentifyTemplates/{{name}}` |
| |
| * `name` - |
| The resource name of the template. Set by the server. |
| |
| * `create_time` - |
| The creation timestamp of a deidentifyTemplate. Set by the server. |
| |
| * `update_time` - |
| The last update timestamp of a deidentifyTemplate. Set by the server. |
| |
| |
| ## Timeouts |
| |
| This resource provides the following |
| [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: |
| |
| - `create` - Default is 20 minutes. |
| - `update` - Default is 20 minutes. |
| - `delete` - Default is 20 minutes. |
| |
| ## Import |
| |
| |
| DeidentifyTemplate can be imported using any of these accepted formats: |
| |
| * `{{parent}}/deidentifyTemplates/{{name}}` |
| * `{{parent}}/{{name}}` |
| |
| |
| In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import DeidentifyTemplate using one of the formats above. For example: |
| |
| ```tf |
| import { |
| id = "{{parent}}/deidentifyTemplates/{{name}}" |
| to = google_data_loss_prevention_deidentify_template.default |
| } |
| ``` |
| |
| When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), DeidentifyTemplate can be imported using one of the formats above. For example: |
| |
| ``` |
| $ terraform import google_data_loss_prevention_deidentify_template.default {{parent}}/deidentifyTemplates/{{name}} |
| $ terraform import google_data_loss_prevention_deidentify_template.default {{parent}}/{{name}} |
| ``` |