iap.getIamPolicy

# Field template for iap.getIamPolicy. The right-hand sides (INTEGER, STRING) are
# type placeholders, not literals: replace them with concrete values in a real rule.
# NOTE(review): Body looks like the JSON request body and ReqMap like the URL path
# parameters — confirm against the engine that builds `input`.
valid {
    # IAM returns conditional role bindings in full only when version 3 is requested;
    # an audit rule that accepts lower values may see bindings without their conditions.
    input.Body.options.requestedPolicyVersion == INTEGER
    # The IAP-protected resource whose policy is being read.
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

iap.getIapSettings

# Field template for iap.getIapSettings (read-only). STRING is a type placeholder
# to be replaced with a concrete value when writing a real rule.
valid {
    # Resource whose IAP settings are read; presumably a path parameter — confirm.
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.create

# Field template for iap.projects.brands.create. STRING is a type placeholder.
# Under standard Rego semantics the lines are ANDed and a missing field makes the
# rule undefined, so keep only the fields a rule actually needs to constrain.
valid {
    input.Body.applicationTitle == STRING
    # Support address supplied for the brand; a rule can pin it to an
    # organisation-owned domain.
    input.Body.supportEmail == STRING
    # Parent under which the brand is created; presumably a path parameter — confirm.
    input.ReqMap.parent == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.get

# Field template for iap.projects.brands.get (read-only). STRING is a type
# placeholder to be replaced with a concrete value.
valid {
    # Name of the brand being read.
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.identityAwareProxyClients.create

# Field template for iap.projects.brands.identityAwareProxyClients.create.
# STRING is a type placeholder. Each client created here is a new OAuth client
# under the brand, so a rule would normally restrict which parents may be targeted.
valid {
    input.Body.displayName == STRING
    # Brand under which the client is created.
    input.ReqMap.parent == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.identityAwareProxyClients.delete

# Field template for iap.projects.brands.identityAwareProxyClients.delete.
# STRING is a type placeholder. The only selector available to a rule is the
# client name, so destructive-action guards have to key on it.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.identityAwareProxyClients.get

# Field template for iap.projects.brands.identityAwareProxyClients.get.
# STRING is a type placeholder to be replaced with a concrete value.
# NOTE(review): the response of this call presumably carries the client secret —
# confirm, and treat read access to it accordingly.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.identityAwareProxyClients.list

# Field template for iap.projects.brands.identityAwareProxyClients.list.
# STRING/INTEGER are type placeholders. Qs looks like the query string — confirm.
# pageSize and pageToken are paging parameters; under standard Rego semantics a
# rule that references them is undefined for requests that omit them.
valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.identityAwareProxyClients.resetSecret

# Field template for iap.projects.brands.identityAwareProxyClients.resetSecret.
# Per the method name this rotates the client's secret, which invalidates the
# previous one for every consumer; a rule would gate on the client name below.
valid {
    # `.STRING` in key position looks like a placeholder for an arbitrary body key
    # rather than a real field — TODO confirm against the template generator.
    input.Body.STRING == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.brands.list

# Field template for iap.projects.brands.list (read-only). STRING is a type
# placeholder to be replaced with a concrete value.
valid {
    # Parent whose brands are listed.
    input.ReqMap.parent == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.iap_tunnel.locations.destGroups.create

# Field template for iap.projects.iap_tunnel.locations.destGroups.create.
# STRING is a type placeholder. A destination group names the CIDR ranges and
# FQDNs of a tunnel destination, so these two arrays are the fields to constrain.
valid {
    # `[_] == value` is existential in Rego: it holds when ANY element matches.
    # An allow-list rule must instead reject when some element is NOT allowed,
    # otherwise one approved range lets arbitrary extra ranges through.
    input.Body.cidrs[_] == STRING
    input.Body.fqdns[_] == STRING
    input.Body.name == STRING
    input.ReqMap.parent == STRING
    # Caller-chosen identifier for the new group; Qs looks like the query string — confirm.
    input.Qs.tunnelDestGroupId == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.iap_tunnel.locations.destGroups.delete

# Field template for iap.projects.iap_tunnel.locations.destGroups.delete.
# STRING is a type placeholder. Only the group name is available to a rule.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.iap_tunnel.locations.destGroups.get

# Field template for iap.projects.iap_tunnel.locations.destGroups.get (read-only).
# STRING is a type placeholder to be replaced with a concrete value.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.iap_tunnel.locations.destGroups.list

# Field template for iap.projects.iap_tunnel.locations.destGroups.list.
# STRING/INTEGER are type placeholders. pageSize and pageToken are paging
# parameters; under standard Rego semantics a rule that references them is
# undefined for requests that omit them.
valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

iap.projects.iap_tunnel.locations.destGroups.patch

# Field template for iap.projects.iap_tunnel.locations.destGroups.patch.
# STRING is a type placeholder. This call can widen an existing destination
# group, so it deserves the same constraints as the create call.
valid {
    # `[_] == value` is existential: it holds when ANY element matches. To enforce
    # an allow-list, deny when some element falls outside it.
    input.Body.cidrs[_] == STRING
    input.Body.fqdns[_] == STRING
    input.Body.name == STRING
    input.ReqMap.name == STRING
    # Selects which body fields the patch applies; a rule that only inspects
    # Body.cidrs/fqdns should also check that the mask covers them.
    # NOTE(review): exact mask semantics are not shown here — confirm with the API docs.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

iap.setIamPolicy

# Field template for iap.setIamPolicy, the call that decides who may pass through
# IAP for a resource. STRING/INTEGER are type placeholders, not literals.
#
# Two Rego pitfalls when turning this template into a rule:
#  * every `_` is an independent variable, so `bindings[_].role` on one line and
#    `bindings[_].members[_]` on another may match DIFFERENT bindings. Bind a named
#    index (e.g. `b := input.Body.policy.bindings[i]`) to test role and member together.
#  * `[_] == value` is existential (any element matches); allow-list rules must
#    deny on the presence of a non-listed element instead.
valid {
    # Optional IAM condition attached to a binding. A rule that omits these lines
    # treats conditional and unconditional grants alike.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    # Principals receiving the role. Public principals such as allUsers and
    # allAuthenticatedUsers appear here and are the usual target of deny rules.
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    # Concurrency token echoed back from a prior read of the policy.
    input.Body.policy.etag == STRING
    # Policy format version; conditional bindings require version 3 in Cloud IAM.
    input.Body.policy.version == INTEGER
    # The IAP-protected resource whose policy is replaced.
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

iap.testIamPermissions

# Field template for iap.testIamPermissions. STRING is a type placeholder.
# The call asks which of the listed permissions the caller holds on the resource.
valid {
    # `[_]` matches when any element of the array equals the value.
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

iap.updateIapSettings

# Permitted literal values for the enum-typed fields of iap.updateIapSettings.
# The template compares a field against `enum_X[_]`, i.e. "equals any one of these".
# A real rule should compare against the specific value(s) it intends to allow;
# each list's first entry is the *_UNSPECIFIED member.
enum_AccessSettingsIdentitySources := [ "IDENTITY_SOURCE_UNSPECIFIED", "WORKFORCE_IDENTITY_FEDERATION" ]
# Forms in which propagated attributes can be emitted to the backend.
enum_AttributePropagationSettingsOutputCredentials := [ "OUTPUT_CREDENTIALS_UNSPECIFIED", "HEADER", "JWT", "RCTOKEN" ]
# Re-authentication methods; they differ in strength, so a rule enforcing a
# minimum should list the accepted ones explicitly rather than accept any member.
enum_ReauthSettingsMethod := [ "METHOD_UNSPECIFIED", "LOGIN", "PASSWORD", "SECURE_KEY", "ENROLLED_SECOND_FACTORS" ]
enum_ReauthSettingsPolicyType := [ "POLICY_TYPE_UNSPECIFIED", "MINIMUM", "DEFAULT" ]

# Field template for iap.updateIapSettings. STRING/BOOLEAN/ANY are type
# placeholders and `.STRING` in key position stands for an arbitrary map key.
# Under standard Rego semantics all lines are ANDed and a missing field makes the
# rule undefined, so a real rule should keep only the fields it constrains.
# `[_] == value` is existential (any element matches): allow-list rules must deny
# on the presence of a non-listed element instead.
valid {
    # --- accessSettings: who may authenticate and how ---
    # Domain restriction; check `enable` together with `domains`, since a list
    # with the switch off restricts nothing.
    input.Body.accessSettings.allowedDomainsSettings.domains[_] == STRING
    input.Body.accessSettings.allowedDomainsSettings.enable == BOOLEAN
    # Governs handling of HTTP OPTIONS (CORS preflight) requests.
    # NOTE(review): presumably true lets them through without authentication — confirm.
    input.Body.accessSettings.corsSettings.allowHttpOptions == BOOLEAN
    # External login page and tenants; a rule can pin the URI to trusted hosts.
    input.Body.accessSettings.gcipSettings.loginPageUri == STRING
    input.Body.accessSettings.gcipSettings.tenantIds[_] == STRING
    input.Body.accessSettings.identitySources[_] == enum_AccessSettingsIdentitySources[_]
    input.Body.accessSettings.oauthSettings.loginHint == STRING
    # OAuth clients permitted for programmatic access.
    input.Body.accessSettings.oauthSettings.programmaticClients[_] == STRING
    # Policy delegation: names the permission, service, policy and resource used.
    input.Body.accessSettings.policyDelegationSettings.iamPermission == STRING
    input.Body.accessSettings.policyDelegationSettings.iamServiceName == STRING
    input.Body.accessSettings.policyDelegationSettings.policyName.id == STRING
    input.Body.accessSettings.policyDelegationSettings.policyName.region == STRING
    input.Body.accessSettings.policyDelegationSettings.policyName.type == STRING
    # ANY: the value type is unconstrained, so only presence can be tested reliably.
    input.Body.accessSettings.policyDelegationSettings.resource.expectedNextState.STRING == ANY
    input.Body.accessSettings.policyDelegationSettings.resource.labels.STRING == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.name == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.nextStateOfTags.tagsFullState.tags.STRING == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.nextStateOfTags.tagsFullStateForChildResource.tags.STRING == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.nextStateOfTags.tagsPartialState.tagKeysToRemove[_] == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.nextStateOfTags.tagsPartialState.tagsToUpsert.STRING == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.service == STRING
    input.Body.accessSettings.policyDelegationSettings.resource.type == STRING
    # Re-authentication: maxAge is a string here, so compare it as text or parse it;
    # method/policyType accept any listed enum member unless the rule narrows them.
    input.Body.accessSettings.reauthSettings.maxAge == STRING
    input.Body.accessSettings.reauthSettings.method == enum_ReauthSettingsMethod[_]
    input.Body.accessSettings.reauthSettings.policyType == enum_ReauthSettingsPolicyType[_]
    input.Body.accessSettings.workforceIdentitySettings.oauth2.clientId == STRING
    # Secret material travels in the request body. NOTE(review): make sure whatever
    # evaluates or logs `input` (e.g. decision logs) masks this path.
    input.Body.accessSettings.workforceIdentitySettings.oauth2.clientSecret == STRING
    input.Body.accessSettings.workforceIdentitySettings.workforcePools[_] == STRING
    # --- applicationSettings: behaviour towards the protected application ---
    # User-facing redirect target; a rule can pin it to trusted hosts.
    input.Body.applicationSettings.accessDeniedPageSettings.accessDeniedPageUri == STRING
    input.Body.applicationSettings.accessDeniedPageSettings.generateTroubleshootingUri == BOOLEAN
    input.Body.applicationSettings.accessDeniedPageSettings.remediationTokenGenerationEnabled == BOOLEAN
    # Attribute propagation forwards identity attributes to the backend in the
    # forms listed by outputCredentials.
    input.Body.applicationSettings.attributePropagationSettings.enable == BOOLEAN
    input.Body.applicationSettings.attributePropagationSettings.expression == STRING
    input.Body.applicationSettings.attributePropagationSettings.outputCredentials[_] == enum_AttributePropagationSettingsOutputCredentials[_]
    # Scope of the session cookie; a broad parent domain exposes it to every
    # sibling host under that domain.
    input.Body.applicationSettings.cookieDomain == STRING
    input.Body.applicationSettings.csmSettings.rctokenAud == STRING
    input.Body.name == STRING
    input.ReqMap.name == STRING
    # Selects which body fields are applied; a rule that inspects only some Body
    # fields should also check the mask.
    # NOTE(review): exact mask semantics are not shown here — confirm with the API docs.
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

iap.validateAttributeExpression

# Field template for iap.validateAttributeExpression. STRING is a type placeholder.
valid {
    input.ReqMap.name == STRING
    # The expression to validate is carried under Qs, which looks like the query
    # string — confirm. If so, it may be recorded wherever request URLs are logged.
    input.Qs.expression == STRING
    input.ProviderMetadata.Region == STRING
}