• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5  margin: 0;
6  padding: 0;
7  border: 0;
8  font-weight: inherit;
9  font-style: inherit;
10  font-size: 100%;
11  font-family: inherit;
12  vertical-align: baseline;
13}
14
15body {
16  font-size: 13px;
17  padding: 1em;
18}
19
20h1 {
21  font-size: 26px;
22  margin-bottom: 1em;
23}
24
25h2 {
26  font-size: 24px;
27  margin-bottom: 1em;
28}
29
30h3 {
31  font-size: 20px;
32  margin-bottom: 1em;
33  margin-top: 1em;
34}
35
36pre, code {
37  line-height: 1.5;
38  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42  margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46  font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50  border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54  margin-top: 0.5em;
55}
56
57.firstline {
58  margin-left: 2 em;
59}
60
61.method  {
62  margin-top: 1em;
63  border: solid 1px #CCC;
64  padding: 1em;
65  background: #EEE;
66}
67
68.details {
69  font-weight: bold;
70  font-size: 14px;
71}
72
73</style>
74
75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.locations.html">locations</a> . <a href="dlp_v2.projects.locations.deidentifyTemplates.html">deidentifyTemplates</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78  <code><a href="#close">close()</a></code></p>
79<p class="firstline">Close httplib2 connections.</p>
80<p class="toc_element">
81  <code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>
82<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration for de-identifying content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.</p>
83<p class="toc_element">
84  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
85<p class="firstline">Deletes a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.</p>
86<p class="toc_element">
87  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
88<p class="firstline">Gets a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.</p>
89<p class="toc_element">
90  <code><a href="#list">list(parent, locationId=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>
91<p class="firstline">Lists DeidentifyTemplates. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.</p>
92<p class="toc_element">
93  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
94<p class="firstline">Retrieves the next page of results.</p>
95<p class="toc_element">
96  <code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>
97<p class="firstline">Updates the DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.</p>
98<h3>Method Details</h3>
99<div class="method">
100    <code class="details" id="close">close()</code>
101  <pre>Close httplib2 connections.</pre>
102</div>
103
104<div class="method">
105    <code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>
106  <pre>Creates a DeidentifyTemplate for re-using frequently used configuration for de-identifying content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
107
108Args:
109  parent: string, Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization) and whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID + Organizations scope, location specified: `organizations/`ORG_ID`/locations/`LOCATION_ID + Organizations scope, no location specified (defaults to global): `organizations/`ORG_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)
110  body: object, The request body.
111    The object takes the form of:
112
113{ # Request message for CreateDeidentifyTemplate.
114  &quot;deidentifyTemplate&quot;: { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more. # Required. The DeidentifyTemplate to create.
115    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
116    &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
117      &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
118        &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
119          { # A transformation to apply to text that is identified as a specific info_type.
120            &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
121              { # Type of information detected by the API.
122                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
123                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
124              },
125            ],
126            &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
127              &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
128                &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
129                  { # Bucket is represented as a range, along with replacement values.
130                    &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
131                      &quot;booleanValue&quot;: True or False, # boolean
132                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
133                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
134                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
135                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
136                      },
137                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
138                      &quot;floatValue&quot;: 3.14, # float
139                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
140                      &quot;stringValue&quot;: &quot;A String&quot;, # string
141                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
142                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
143                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
144                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
145                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
146                      },
147                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
148                    },
149                    &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
150                      &quot;booleanValue&quot;: True or False, # boolean
151                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
152                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
153                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
154                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
155                      },
156                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
157                      &quot;floatValue&quot;: 3.14, # float
158                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
159                      &quot;stringValue&quot;: &quot;A String&quot;, # string
160                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
161                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
162                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
163                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
164                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
165                      },
166                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
167                    },
168                    &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
169                      &quot;booleanValue&quot;: True or False, # boolean
170                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
171                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
172                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
173                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
174                      },
175                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
176                      &quot;floatValue&quot;: 3.14, # float
177                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
178                      &quot;stringValue&quot;: &quot;A String&quot;, # string
179                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
180                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
181                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
182                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
183                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
184                      },
185                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
186                    },
187                  },
188                ],
189              },
190              &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
191                &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
192                  { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
193                    &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
194                    &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
195                  },
196                ],
197                &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
198                &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
199                &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
200              },
201              &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
202                &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
203                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
204                },
205                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
206                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
207                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
208                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
209                  },
210                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
211                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
212                  },
213                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
214                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
215                  },
216                },
217                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
218                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
219                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
220                },
221              },
222              &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
223                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
224                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
225                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
226                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
227                  },
228                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
229                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
230                  },
231                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
232                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
233                  },
234                },
235              },
236              &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
237                &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
238                &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
239                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
240                },
241                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
242                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
243                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
244                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
245                  },
246                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
247                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
248                  },
249                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
250                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
251                  },
252                },
253                &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
254                &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
255                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
256                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
257                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
258                },
259              },
260              &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
261                &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
262                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
263                },
264                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
265                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
266                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
267                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
268                  },
269                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
270                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
271                  },
272                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
273                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
274                  },
275                },
276                &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
277                &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
278              },
279              &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
280                &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
281                &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
282                  &quot;booleanValue&quot;: True or False, # boolean
283                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
284                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
285                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
286                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
287                  },
288                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
289                  &quot;floatValue&quot;: 3.14, # float
290                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
291                  &quot;stringValue&quot;: &quot;A String&quot;, # string
292                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
293                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
294                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
295                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
296                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
297                  },
298                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
299                },
300                &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
301                  &quot;booleanValue&quot;: True or False, # boolean
302                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
303                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
304                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
305                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
306                  },
307                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
308                  &quot;floatValue&quot;: 3.14, # float
309                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
310                  &quot;stringValue&quot;: &quot;A String&quot;, # string
311                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
312                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
313                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
314                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
315                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
316                  },
317                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
318                },
319              },
320              &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
321              },
322              &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
323                &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
324                  &quot;booleanValue&quot;: True or False, # boolean
325                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
326                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
327                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
328                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
329                  },
330                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
331                  &quot;floatValue&quot;: 3.14, # float
332                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
333                  &quot;stringValue&quot;: &quot;A String&quot;, # string
334                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
335                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
336                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
337                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
338                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
339                  },
340                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
341                },
342              },
343              &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
344                &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
345                  &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
346                    &quot;A String&quot;,
347                  ],
348                },
349              },
350              &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
351              },
352              &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
353                &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
354              },
355            },
356          },
357        ],
358      },
359      &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
360        &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
361          { # The transformation to apply to the field.
362            &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
363              &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
364                &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
365                  &quot;conditions&quot;: [ # A collection of conditions.
366                    { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
367                      &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
368                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
369                      },
370                      &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
371                      &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
372                        &quot;booleanValue&quot;: True or False, # boolean
373                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
374                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
375                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
376                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
377                        },
378                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
379                        &quot;floatValue&quot;: 3.14, # float
380                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
381                        &quot;stringValue&quot;: &quot;A String&quot;, # string
382                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
383                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
384                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
385                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
386                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
387                        },
388                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
389                      },
390                    },
391                  ],
392                },
393                &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
394              },
395            },
396            &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
397              { # General identifier of a data field in a storage service.
398                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
399              },
400            ],
401            &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
402              &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
403                { # A transformation to apply to text that is identified as a specific info_type.
404                  &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
405                    { # Type of information detected by the API.
406                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
407                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
408                    },
409                  ],
410                  &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
411                    &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
412                      &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
413                        { # Bucket is represented as a range, along with replacement values.
414                          &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
415                            &quot;booleanValue&quot;: True or False, # boolean
416                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
417                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
418                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
419                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
420                            },
421                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
422                            &quot;floatValue&quot;: 3.14, # float
423                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
424                            &quot;stringValue&quot;: &quot;A String&quot;, # string
425                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
426                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
427                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
428                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
429                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
430                            },
431                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
432                          },
433                          &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
434                            &quot;booleanValue&quot;: True or False, # boolean
435                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
436                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
437                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
438                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
439                            },
440                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
441                            &quot;floatValue&quot;: 3.14, # float
442                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
443                            &quot;stringValue&quot;: &quot;A String&quot;, # string
444                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
445                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
446                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
447                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
448                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
449                            },
450                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
451                          },
452                          &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
453                            &quot;booleanValue&quot;: True or False, # boolean
454                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
455                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
456                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
457                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
458                            },
459                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
460                            &quot;floatValue&quot;: 3.14, # float
461                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
462                            &quot;stringValue&quot;: &quot;A String&quot;, # string
463                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
464                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
465                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
466                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
467                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
468                            },
469                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
470                          },
471                        },
472                      ],
473                    },
474                    &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
475                      &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
476                        { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
477                          &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
478                          &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
479                        },
480                      ],
481                      &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
482                      &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
483                      &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
484                    },
485                    &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
486                      &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
487                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
488                      },
489                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
490                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
491                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
492                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
493                        },
494                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
495                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
496                        },
497                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
498                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
499                        },
500                      },
501                      &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
502                        &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
503                        &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
504                      },
505                    },
506                    &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
507                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
508                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
509                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
510                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
511                        },
512                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
513                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
514                        },
515                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
516                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
517                        },
518                      },
519                    },
520                    &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
521                      &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
522                      &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
523                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
524                      },
525                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
526                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
527                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
528                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
529                        },
530                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
531                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
532                        },
533                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
534                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
535                        },
536                      },
537                      &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
538                      &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
539                      &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
540                        &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
541                        &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
542                      },
543                    },
544                    &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
545                      &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
546                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
547                      },
548                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
549                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
550                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
551                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
552                        },
553                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
554                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
555                        },
556                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
557                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
558                        },
559                      },
560                      &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
561                      &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
562                    },
563                    &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
564                      &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
565                      &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
566                        &quot;booleanValue&quot;: True or False, # boolean
567                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
568                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
569                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
570                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
571                        },
572                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
573                        &quot;floatValue&quot;: 3.14, # float
574                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
575                        &quot;stringValue&quot;: &quot;A String&quot;, # string
576                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
577                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
578                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
579                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
580                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
581                        },
582                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
583                      },
584                      &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
585                        &quot;booleanValue&quot;: True or False, # boolean
586                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
587                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
588                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
589                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
590                        },
591                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
592                        &quot;floatValue&quot;: 3.14, # float
593                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
594                        &quot;stringValue&quot;: &quot;A String&quot;, # string
595                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
596                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
597                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
598                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
599                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
600                        },
601                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
602                      },
603                    },
604                    &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
605                    },
606                    &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
607                      &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
608                        &quot;booleanValue&quot;: True or False, # boolean
609                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
610                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
611                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
612                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
613                        },
614                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
615                        &quot;floatValue&quot;: 3.14, # float
616                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
617                        &quot;stringValue&quot;: &quot;A String&quot;, # string
618                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
619                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
620                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
621                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
622                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
623                        },
624                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
625                      },
626                    },
627                    &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
628                      &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
629                        &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
630                          &quot;A String&quot;,
631                        ],
632                      },
633                    },
634                    &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
635                    },
636                    &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
637                      &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
638                    },
639                  },
640                },
641              ],
642            },
643            &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
644              &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
645                &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
646                  { # Bucket is represented as a range, along with replacement values.
647                    &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
648                      &quot;booleanValue&quot;: True or False, # boolean
649                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
650                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
651                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
652                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
653                      },
654                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
655                      &quot;floatValue&quot;: 3.14, # float
656                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
657                      &quot;stringValue&quot;: &quot;A String&quot;, # string
658                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
659                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
660                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
661                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
662                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
663                      },
664                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
665                    },
666                    &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
667                      &quot;booleanValue&quot;: True or False, # boolean
668                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
669                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
670                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
671                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
672                      },
673                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
674                      &quot;floatValue&quot;: 3.14, # float
675                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
676                      &quot;stringValue&quot;: &quot;A String&quot;, # string
677                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
678                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
679                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
680                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
681                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
682                      },
683                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
684                    },
685                    &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
686                      &quot;booleanValue&quot;: True or False, # boolean
687                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
688                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
689                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
690                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
691                      },
692                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
693                      &quot;floatValue&quot;: 3.14, # float
694                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
695                      &quot;stringValue&quot;: &quot;A String&quot;, # string
696                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
697                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
698                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
699                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
700                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
701                      },
702                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
703                    },
704                  },
705                ],
706              },
707              &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
708                &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
709                  { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
710                    &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
711                    &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
712                  },
713                ],
714                &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
715                &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
716                &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
717              },
718              &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
719                &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
720                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
721                },
722                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
723                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
724                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
725                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
726                  },
727                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
728                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
729                  },
730                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
731                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
732                  },
733                },
734                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
735                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
736                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
737                },
738              },
739              &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
740                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
741                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
742                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
743                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
744                  },
745                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
746                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
747                  },
748                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
749                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
750                  },
751                },
752              },
753              &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
754                &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
755                &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
756                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
757                },
758                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
759                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
760                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
761                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
762                  },
763                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
764                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
765                  },
766                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
767                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
768                  },
769                },
770                &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
771                &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
772                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
773                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
774                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
775                },
776              },
777              &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
778                &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
779                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
780                },
781                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
782                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
783                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
784                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
785                  },
786                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
787                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
788                  },
789                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
790                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
791                  },
792                },
793                &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
794                &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
795              },
796              &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
797                &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
798                &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
799                  &quot;booleanValue&quot;: True or False, # boolean
800                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
801                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
802                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
803                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
804                  },
805                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
806                  &quot;floatValue&quot;: 3.14, # float
807                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
808                  &quot;stringValue&quot;: &quot;A String&quot;, # string
809                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
810                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
811                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
812                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
813                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
814                  },
815                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
816                },
817                &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
818                  &quot;booleanValue&quot;: True or False, # boolean
819                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
820                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
821                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
822                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
823                  },
824                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
825                  &quot;floatValue&quot;: 3.14, # float
826                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
827                  &quot;stringValue&quot;: &quot;A String&quot;, # string
828                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
829                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
830                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
831                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
832                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
833                  },
834                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
835                },
836              },
837              &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
838              },
839              &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
840                &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
841                  &quot;booleanValue&quot;: True or False, # boolean
842                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
843                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
844                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
845                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
846                  },
847                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
848                  &quot;floatValue&quot;: 3.14, # float
849                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
850                  &quot;stringValue&quot;: &quot;A String&quot;, # string
851                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
852                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
853                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
854                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
855                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
856                  },
857                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
858                },
859              },
860              &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
861                &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
862                  &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
863                    &quot;A String&quot;,
864                  ],
865                },
866              },
867              &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
868              },
869              &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
870                &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
871              },
872            },
873          },
874        ],
875        &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
876          { # Configuration to suppress records whose suppression conditions evaluate to true.
877            &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
878              &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
879                &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
880                  &quot;conditions&quot;: [ # A collection of conditions.
881                    { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
882                      &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
883                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
884                      },
885                      &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
886                      &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
887                        &quot;booleanValue&quot;: True or False, # boolean
888                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
889                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
890                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
891                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
892                        },
893                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
894                        &quot;floatValue&quot;: 3.14, # float
895                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
896                        &quot;stringValue&quot;: &quot;A String&quot;, # string
897                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
898                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
899                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
900                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
901                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
902                        },
903                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
904                      },
905                    },
906                  ],
907                },
908                &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
909              },
910            },
911          },
912        ],
913      },
914      &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
915        &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
916        },
917        &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
918        },
919      },
920    },
921    &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
922    &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
923    &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
924    &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
925  },
926  &quot;locationId&quot;: &quot;A String&quot;, # Deprecated. This field has no effect.
927  &quot;templateId&quot;: &quot;A String&quot;, # The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.
928}
929
930  x__xgafv: string, V1 error format.
931    Allowed values
932      1 - v1 error format
933      2 - v2 error format
934
935Returns:
936  An object of the form:
937
938    { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
939  &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
940  &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
941    &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
942      &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
943        { # A transformation to apply to text that is identified as a specific info_type.
944          &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
945            { # Type of information detected by the API.
946              &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
947              &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
948            },
949          ],
950          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
951            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
952              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
953                { # Bucket is represented as a range, along with replacement values.
954                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
955                    &quot;booleanValue&quot;: True or False, # boolean
956                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
957                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
958                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
959                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
960                    },
961                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
962                    &quot;floatValue&quot;: 3.14, # float
963                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
964                    &quot;stringValue&quot;: &quot;A String&quot;, # string
965                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
966                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
967                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
968                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
969                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
970                    },
971                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
972                  },
973                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
974                    &quot;booleanValue&quot;: True or False, # boolean
975                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
976                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
977                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
978                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
979                    },
980                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
981                    &quot;floatValue&quot;: 3.14, # float
982                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
983                    &quot;stringValue&quot;: &quot;A String&quot;, # string
984                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
985                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
986                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
987                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
988                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
989                    },
990                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
991                  },
992                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
993                    &quot;booleanValue&quot;: True or False, # boolean
994                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
995                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
996                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
997                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
998                    },
999                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1000                    &quot;floatValue&quot;: 3.14, # float
1001                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1002                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1003                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1004                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1005                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1006                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1007                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1008                    },
1009                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1010                  },
1011                },
1012              ],
1013            },
1014            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
1015              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
1016                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
1017                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
1018                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
1019                },
1020              ],
1021              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
1022              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
1023              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
1024            },
1025            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
1026              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
1027                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1028              },
1029              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
1030                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1031                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1032                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1033                },
1034                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1035                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1036                },
1037                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1038                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1039                },
1040              },
1041              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
1042                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1043                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1044              },
1045            },
1046            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
1047              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
1048                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1049                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1050                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1051                },
1052                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1053                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1054                },
1055                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1056                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1057                },
1058              },
1059            },
1060            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
1061              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
1062              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
1063                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1064              },
1065              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
1066                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1067                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1068                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1069                },
1070                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1071                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1072                },
1073                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1074                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1075                },
1076              },
1077              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
1078              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1079              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
1080                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1081                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1082              },
1083            },
1084            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
1085              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
1086                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1087              },
1088              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
1089                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1090                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1091                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1092                },
1093                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1094                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1095                },
1096                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1097                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1098                },
1099              },
1100              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1101              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
1102            },
1103            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
1104              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1105              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
1106                &quot;booleanValue&quot;: True or False, # boolean
1107                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1108                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1109                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1110                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1111                },
1112                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1113                &quot;floatValue&quot;: 3.14, # float
1114                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1115                &quot;stringValue&quot;: &quot;A String&quot;, # string
1116                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1117                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1118                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1119                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1120                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1121                },
1122                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1123              },
1124              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
1125                &quot;booleanValue&quot;: True or False, # boolean
1126                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1127                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1128                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1129                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1130                },
1131                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1132                &quot;floatValue&quot;: 3.14, # float
1133                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1134                &quot;stringValue&quot;: &quot;A String&quot;, # string
1135                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1136                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1137                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1138                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1139                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1140                },
1141                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1142              },
1143            },
1144            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
1145            },
1146            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
1147              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
1148                &quot;booleanValue&quot;: True or False, # boolean
1149                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1150                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1151                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1152                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1153                },
1154                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1155                &quot;floatValue&quot;: 3.14, # float
1156                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1157                &quot;stringValue&quot;: &quot;A String&quot;, # string
1158                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1159                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1160                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1161                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1162                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1163                },
1164                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1165              },
1166            },
1167            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
1168              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
1169                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
1170                  &quot;A String&quot;,
1171                ],
1172              },
1173            },
1174            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
1175            },
1176            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
1177              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
1178            },
1179          },
1180        },
1181      ],
1182    },
1183    &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
1184      &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
1185        { # The transformation to apply to the field.
1186          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
1187            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
1188              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
1189                &quot;conditions&quot;: [ # A collection of conditions.
1190                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
1191                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
1192                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1193                    },
1194                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
1195                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
1196                      &quot;booleanValue&quot;: True or False, # boolean
1197                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1198                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1199                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1200                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1201                      },
1202                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1203                      &quot;floatValue&quot;: 3.14, # float
1204                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
1205                      &quot;stringValue&quot;: &quot;A String&quot;, # string
1206                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1207                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1208                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1209                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1210                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1211                      },
1212                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1213                    },
1214                  },
1215                ],
1216              },
1217              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
1218            },
1219          },
1220          &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
1221            { # General identifier of a data field in a storage service.
1222              &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1223            },
1224          ],
1225          &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
1226            &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
1227              { # A transformation to apply to text that is identified as a specific info_type.
1228                &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
1229                  { # Type of information detected by the API.
1230                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1231                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1232                  },
1233                ],
1234                &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
1235                  &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
1236                    &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
1237                      { # Bucket is represented as a range, along with replacement values.
1238                        &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
1239                          &quot;booleanValue&quot;: True or False, # boolean
1240                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1241                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1242                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1243                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1244                          },
1245                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1246                          &quot;floatValue&quot;: 3.14, # float
1247                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
1248                          &quot;stringValue&quot;: &quot;A String&quot;, # string
1249                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1250                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1251                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1252                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1253                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1254                          },
1255                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1256                        },
1257                        &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
1258                          &quot;booleanValue&quot;: True or False, # boolean
1259                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1260                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1261                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1262                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1263                          },
1264                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1265                          &quot;floatValue&quot;: 3.14, # float
1266                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
1267                          &quot;stringValue&quot;: &quot;A String&quot;, # string
1268                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1269                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1270                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1271                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1272                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1273                          },
1274                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1275                        },
1276                        &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
1277                          &quot;booleanValue&quot;: True or False, # boolean
1278                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1279                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1280                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1281                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1282                          },
1283                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1284                          &quot;floatValue&quot;: 3.14, # float
1285                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
1286                          &quot;stringValue&quot;: &quot;A String&quot;, # string
1287                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1288                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1289                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1290                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1291                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1292                          },
1293                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1294                        },
1295                      },
1296                    ],
1297                  },
1298                  &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
1299                    &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
1300                      { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
1301                        &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
1302                        &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
1303                      },
1304                    ],
1305                    &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
1306                    &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
1307                    &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
1308                  },
1309                  &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
1310                    &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
1311                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1312                    },
1313                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
1314                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1315                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1316                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1317                      },
1318                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1319                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1320                      },
1321                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1322                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1323                      },
1324                    },
1325                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
1326                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1327                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1328                    },
1329                  },
1330                  &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
1331                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
1332                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1333                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1334                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1335                      },
1336                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1337                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1338                      },
1339                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1340                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1341                      },
1342                    },
1343                  },
1344                  &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
1345                    &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
1346                    &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
1347                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1348                    },
1349                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
1350                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1351                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1352                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1353                      },
1354                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1355                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1356                      },
1357                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1358                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1359                      },
1360                    },
1361                    &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
1362                    &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1363                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
1364                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1365                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1366                    },
1367                  },
1368                  &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
1369                    &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
1370                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1371                    },
1372                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
1373                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1374                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1375                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1376                      },
1377                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1378                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1379                      },
1380                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1381                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1382                      },
1383                    },
1384                    &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1385                    &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
1386                  },
1387                  &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
1388                    &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1389                    &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
1390                      &quot;booleanValue&quot;: True or False, # boolean
1391                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1392                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1393                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1394                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1395                      },
1396                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1397                      &quot;floatValue&quot;: 3.14, # float
1398                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
1399                      &quot;stringValue&quot;: &quot;A String&quot;, # string
1400                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1401                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1402                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1403                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1404                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1405                      },
1406                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1407                    },
1408                    &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
1409                      &quot;booleanValue&quot;: True or False, # boolean
1410                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1411                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1412                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1413                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1414                      },
1415                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1416                      &quot;floatValue&quot;: 3.14, # float
1417                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
1418                      &quot;stringValue&quot;: &quot;A String&quot;, # string
1419                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1420                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1421                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1422                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1423                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1424                      },
1425                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1426                    },
1427                  },
1428                  &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
1429                  },
1430                  &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
1431                    &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
1432                      &quot;booleanValue&quot;: True or False, # boolean
1433                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1434                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1435                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1436                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1437                      },
1438                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1439                      &quot;floatValue&quot;: 3.14, # float
1440                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
1441                      &quot;stringValue&quot;: &quot;A String&quot;, # string
1442                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1443                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1444                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1445                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1446                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1447                      },
1448                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1449                    },
1450                  },
1451                  &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
1452                    &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
1453                      &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
1454                        &quot;A String&quot;,
1455                      ],
1456                    },
1457                  },
1458                  &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
1459                  },
1460                  &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
1461                    &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
1462                  },
1463                },
1464              },
1465            ],
1466          },
1467          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
1468            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
1469              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
1470                { # Bucket is represented as a range, along with replacement values.
1471                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
1472                    &quot;booleanValue&quot;: True or False, # boolean
1473                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1474                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1475                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1476                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1477                    },
1478                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1479                    &quot;floatValue&quot;: 3.14, # float
1480                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1481                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1482                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1483                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1484                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1485                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1486                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1487                    },
1488                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1489                  },
1490                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
1491                    &quot;booleanValue&quot;: True or False, # boolean
1492                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1493                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1494                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1495                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1496                    },
1497                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1498                    &quot;floatValue&quot;: 3.14, # float
1499                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1500                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1501                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1502                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1503                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1504                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1505                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1506                    },
1507                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1508                  },
1509                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
1510                    &quot;booleanValue&quot;: True or False, # boolean
1511                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1512                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1513                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1514                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1515                    },
1516                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1517                    &quot;floatValue&quot;: 3.14, # float
1518                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1519                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1520                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1521                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1522                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1523                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1524                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1525                    },
1526                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1527                  },
1528                },
1529              ],
1530            },
1531            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
1532              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
1533                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
1534                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
1535                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
1536                },
1537              ],
1538              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
1539              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
1540              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
1541            },
1542            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
1543              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
1544                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1545              },
1546              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
1547                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1548                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1549                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1550                },
1551                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1552                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1553                },
1554                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1555                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1556                },
1557              },
1558              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
1559                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1560                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1561              },
1562            },
1563            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
1564              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
1565                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1566                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1567                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1568                },
1569                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1570                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1571                },
1572                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1573                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1574                },
1575              },
1576            },
1577            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
1578              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
1579              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
1580                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1581              },
1582              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
1583                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1584                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1585                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1586                },
1587                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1588                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1589                },
1590                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1591                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1592                },
1593              },
1594              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
1595              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1596              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
1597                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1598                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1599              },
1600            },
1601            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
1602              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
1603                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1604              },
1605              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
1606                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1607                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1608                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1609                },
1610                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1611                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1612                },
1613                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1614                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1615                },
1616              },
1617              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1618              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
1619            },
1620            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
1621              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1622              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
1623                &quot;booleanValue&quot;: True or False, # boolean
1624                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1625                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1626                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1627                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1628                },
1629                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1630                &quot;floatValue&quot;: 3.14, # float
1631                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1632                &quot;stringValue&quot;: &quot;A String&quot;, # string
1633                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1634                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1635                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1636                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1637                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1638                },
1639                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1640              },
1641              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
1642                &quot;booleanValue&quot;: True or False, # boolean
1643                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1644                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1645                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1646                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1647                },
1648                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1649                &quot;floatValue&quot;: 3.14, # float
1650                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1651                &quot;stringValue&quot;: &quot;A String&quot;, # string
1652                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1653                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1654                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1655                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1656                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1657                },
1658                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1659              },
1660            },
1661            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
1662            },
1663            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
1664              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
1665                &quot;booleanValue&quot;: True or False, # boolean
1666                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1667                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1668                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1669                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1670                },
1671                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1672                &quot;floatValue&quot;: 3.14, # float
1673                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1674                &quot;stringValue&quot;: &quot;A String&quot;, # string
1675                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1676                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1677                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1678                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1679                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1680                },
1681                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1682              },
1683            },
1684            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
1685              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
1686                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
1687                  &quot;A String&quot;,
1688                ],
1689              },
1690            },
1691            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
1692            },
1693            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
1694              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
1695            },
1696          },
1697        },
1698      ],
1699      &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
1700        { # Configuration to suppress records whose suppression conditions evaluate to true.
1701          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
1702            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
1703              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
1704                &quot;conditions&quot;: [ # A collection of conditions.
1705                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
1706                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
1707                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1708                    },
1709                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
1710                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
1711                      &quot;booleanValue&quot;: True or False, # boolean
1712                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1713                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1714                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1715                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1716                      },
1717                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1718                      &quot;floatValue&quot;: 3.14, # float
1719                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
1720                      &quot;stringValue&quot;: &quot;A String&quot;, # string
1721                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1722                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1723                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1724                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1725                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1726                      },
1727                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1728                    },
1729                  },
1730                ],
1731              },
1732              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
1733            },
1734          },
1735        },
1736      ],
1737    },
1738    &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
1739      &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
1740      },
1741      &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
1742      },
1743    },
1744  },
1745  &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
1746  &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
1747  &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
1748  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
1749}</pre>
1750</div>
1751
1752<div class="method">
1753    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
1754  <pre>Deletes a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
1755
1756Args:
1757  name: string, Required. Resource name of the organization and deidentify template to be deleted, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342. (required)
1758  x__xgafv: string, V1 error format.
1759    Allowed values
1760      1 - v1 error format
1761      2 - v2 error format
1762
1763Returns:
1764  An object of the form:
1765
1766    { # A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for `Empty` is empty JSON object `{}`.
1767}</pre>
1768</div>
1769
1770<div class="method">
1771    <code class="details" id="get">get(name, x__xgafv=None)</code>
1772  <pre>Gets a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
1773
1774Args:
1775  name: string, Required. Resource name of the organization and deidentify template to be read, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342. (required)
1776  x__xgafv: string, V1 error format.
1777    Allowed values
1778      1 - v1 error format
1779      2 - v2 error format
1780
1781Returns:
1782  An object of the form:
1783
1784    { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
1785  &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
1786  &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
1787    &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
1788      &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
1789        { # A transformation to apply to text that is identified as a specific info_type.
1790          &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
1791            { # Type of information detected by the API.
1792              &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1793              &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1794            },
1795          ],
1796          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
1797            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
1798              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
1799                { # Bucket is represented as a range, along with replacement values.
1800                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
1801                    &quot;booleanValue&quot;: True or False, # boolean
1802                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1803                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1804                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1805                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1806                    },
1807                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1808                    &quot;floatValue&quot;: 3.14, # float
1809                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1810                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1811                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1812                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1813                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1814                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1815                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1816                    },
1817                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1818                  },
1819                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
1820                    &quot;booleanValue&quot;: True or False, # boolean
1821                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1822                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1823                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1824                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1825                    },
1826                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1827                    &quot;floatValue&quot;: 3.14, # float
1828                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1829                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1830                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1831                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1832                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1833                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1834                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1835                    },
1836                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1837                  },
1838                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
1839                    &quot;booleanValue&quot;: True or False, # boolean
1840                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1841                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1842                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1843                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1844                    },
1845                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1846                    &quot;floatValue&quot;: 3.14, # float
1847                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
1848                    &quot;stringValue&quot;: &quot;A String&quot;, # string
1849                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1850                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1851                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1852                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1853                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1854                    },
1855                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1856                  },
1857                },
1858              ],
1859            },
1860            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
1861              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
1862                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
1863                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
1864                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
1865                },
1866              ],
1867              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
1868              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
1869              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
1870            },
1871            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
1872              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
1873                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1874              },
1875              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
1876                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1877                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1878                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1879                },
1880                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1881                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1882                },
1883                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1884                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1885                },
1886              },
1887              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
1888                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1889                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1890              },
1891            },
1892            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
1893              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
1894                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1895                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1896                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1897                },
1898                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1899                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1900                },
1901                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1902                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1903                },
1904              },
1905            },
1906            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
1907              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
1908              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
1909                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1910              },
1911              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
1912                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1913                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1914                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1915                },
1916                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1917                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1918                },
1919                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1920                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1921                },
1922              },
1923              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
1924              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1925              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
1926                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
1927                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
1928              },
1929            },
1930            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
1931              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
1932                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1933              },
1934              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
1935                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
1936                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1937                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1938                },
1939                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
1940                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
1941                },
1942                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
1943                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1944                },
1945              },
1946              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1947              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
1948            },
1949            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
1950              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1951              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
1952                &quot;booleanValue&quot;: True or False, # boolean
1953                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1954                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1955                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1956                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1957                },
1958                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1959                &quot;floatValue&quot;: 3.14, # float
1960                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1961                &quot;stringValue&quot;: &quot;A String&quot;, # string
1962                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1963                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1964                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1965                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1966                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1967                },
1968                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1969              },
1970              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
1971                &quot;booleanValue&quot;: True or False, # boolean
1972                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1973                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1974                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1975                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1976                },
1977                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1978                &quot;floatValue&quot;: 3.14, # float
1979                &quot;integerValue&quot;: &quot;A String&quot;, # integer
1980                &quot;stringValue&quot;: &quot;A String&quot;, # string
1981                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
1982                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1983                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1984                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1985                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
1986                },
1987                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1988              },
1989            },
1990            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
1991            },
1992            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
1993              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
1994                &quot;booleanValue&quot;: True or False, # boolean
1995                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
1996                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
1997                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
1998                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
1999                },
2000                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2001                &quot;floatValue&quot;: 3.14, # float
2002                &quot;integerValue&quot;: &quot;A String&quot;, # integer
2003                &quot;stringValue&quot;: &quot;A String&quot;, # string
2004                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2005                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2006                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2007                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2008                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2009                },
2010                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2011              },
2012            },
2013            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
2014              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
2015                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
2016                  &quot;A String&quot;,
2017                ],
2018              },
2019            },
2020            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2021            },
2022            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
2023              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2024            },
2025          },
2026        },
2027      ],
2028    },
2029    &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
2030      &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
2031        { # The transformation to apply to the field.
2032          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
2033            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
2034              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
2035                &quot;conditions&quot;: [ # A collection of conditions.
2036                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
2037                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
2038                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2039                    },
2040                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
2041                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
2042                      &quot;booleanValue&quot;: True or False, # boolean
2043                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2044                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2045                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2046                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2047                      },
2048                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2049                      &quot;floatValue&quot;: 3.14, # float
2050                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
2051                      &quot;stringValue&quot;: &quot;A String&quot;, # string
2052                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2053                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2054                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2055                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2056                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2057                      },
2058                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2059                    },
2060                  },
2061                ],
2062              },
2063              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
2064            },
2065          },
2066          &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
2067            { # General identifier of a data field in a storage service.
2068              &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2069            },
2070          ],
2071          &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
2072            &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
2073              { # A transformation to apply to text that is identified as a specific info_type.
2074                &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
2075                  { # Type of information detected by the API.
2076                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2077                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2078                  },
2079                ],
2080                &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
2081                  &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
2082                    &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
2083                      { # Bucket is represented as a range, along with replacement values.
2084                        &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
2085                          &quot;booleanValue&quot;: True or False, # boolean
2086                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2087                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2088                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2089                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2090                          },
2091                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2092                          &quot;floatValue&quot;: 3.14, # float
2093                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
2094                          &quot;stringValue&quot;: &quot;A String&quot;, # string
2095                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2096                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2097                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2098                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2099                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2100                          },
2101                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2102                        },
2103                        &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
2104                          &quot;booleanValue&quot;: True or False, # boolean
2105                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2106                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2107                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2108                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2109                          },
2110                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2111                          &quot;floatValue&quot;: 3.14, # float
2112                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
2113                          &quot;stringValue&quot;: &quot;A String&quot;, # string
2114                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2115                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2116                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2117                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2118                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2119                          },
2120                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2121                        },
2122                        &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
2123                          &quot;booleanValue&quot;: True or False, # boolean
2124                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2125                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2126                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2127                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2128                          },
2129                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2130                          &quot;floatValue&quot;: 3.14, # float
2131                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
2132                          &quot;stringValue&quot;: &quot;A String&quot;, # string
2133                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2134                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2135                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2136                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2137                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2138                          },
2139                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2140                        },
2141                      },
2142                    ],
2143                  },
2144                  &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
2145                    &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
2146                      { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
2147                        &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2148                        &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
2149                      },
2150                    ],
2151                    &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
2152                    &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
2153                    &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
2154                  },
2155                  &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
2156                    &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
2157                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2158                    },
2159                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
2160                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2161                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2162                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2163                      },
2164                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2165                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2166                      },
2167                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2168                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2169                      },
2170                    },
2171                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
2172                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2173                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2174                    },
2175                  },
2176                  &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
2177                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
2178                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2179                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2180                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2181                      },
2182                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2183                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2184                      },
2185                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2186                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2187                      },
2188                    },
2189                  },
2190                  &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
2191                    &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
2192                    &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
2193                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2194                    },
2195                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
2196                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2197                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2198                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2199                      },
2200                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2201                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2202                      },
2203                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2204                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2205                      },
2206                    },
2207                    &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
2208                    &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
2209                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
2210                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2211                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2212                    },
2213                  },
2214                  &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
2215                    &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
2216                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2217                    },
2218                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
2219                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2220                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2221                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2222                      },
2223                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2224                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2225                      },
2226                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2227                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2228                      },
2229                    },
2230                    &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2231                    &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
2232                  },
2233                  &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
2234                    &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
2235                    &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
2236                      &quot;booleanValue&quot;: True or False, # boolean
2237                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2238                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2239                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2240                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2241                      },
2242                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2243                      &quot;floatValue&quot;: 3.14, # float
2244                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
2245                      &quot;stringValue&quot;: &quot;A String&quot;, # string
2246                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2247                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2248                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2249                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2250                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2251                      },
2252                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2253                    },
2254                    &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
2255                      &quot;booleanValue&quot;: True or False, # boolean
2256                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2257                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2258                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2259                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2260                      },
2261                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2262                      &quot;floatValue&quot;: 3.14, # float
2263                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
2264                      &quot;stringValue&quot;: &quot;A String&quot;, # string
2265                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2266                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2267                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2268                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2269                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2270                      },
2271                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2272                    },
2273                  },
2274                  &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
2275                  },
2276                  &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
2277                    &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
2278                      &quot;booleanValue&quot;: True or False, # boolean
2279                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2280                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2281                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2282                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2283                      },
2284                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2285                      &quot;floatValue&quot;: 3.14, # float
2286                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
2287                      &quot;stringValue&quot;: &quot;A String&quot;, # string
2288                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2289                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2290                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2291                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2292                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2293                      },
2294                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2295                    },
2296                  },
2297                  &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
2298                    &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
2299                      &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
2300                        &quot;A String&quot;,
2301                      ],
2302                    },
2303                  },
2304                  &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2305                  },
2306                  &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
2307                    &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2308                  },
2309                },
2310              },
2311            ],
2312          },
2313          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
2314            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
2315              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
2316                { # Bucket is represented as a range, along with replacement values.
2317                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
2318                    &quot;booleanValue&quot;: True or False, # boolean
2319                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2320                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2321                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2322                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2323                    },
2324                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2325                    &quot;floatValue&quot;: 3.14, # float
2326                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2327                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2328                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2329                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2330                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2331                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2332                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2333                    },
2334                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2335                  },
2336                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
2337                    &quot;booleanValue&quot;: True or False, # boolean
2338                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2339                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2340                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2341                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2342                    },
2343                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2344                    &quot;floatValue&quot;: 3.14, # float
2345                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2346                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2347                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2348                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2349                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2350                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2351                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2352                    },
2353                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2354                  },
2355                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
2356                    &quot;booleanValue&quot;: True or False, # boolean
2357                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2358                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2359                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2360                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2361                    },
2362                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2363                    &quot;floatValue&quot;: 3.14, # float
2364                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2365                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2366                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2367                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2368                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2369                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2370                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2371                    },
2372                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2373                  },
2374                },
2375              ],
2376            },
2377            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
2378              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
2379                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
2380                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2381                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
2382                },
2383              ],
2384              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
2385              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
2386              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
2387            },
2388            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
2389              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
2390                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2391              },
2392              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
2393                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2394                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2395                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2396                },
2397                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2398                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2399                },
2400                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2401                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2402                },
2403              },
2404              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
2405                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2406                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2407              },
2408            },
2409            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
2410              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
2411                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2412                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2413                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2414                },
2415                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2416                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2417                },
2418                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2419                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2420                },
2421              },
2422            },
2423            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
2424              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
2425              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
2426                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2427              },
2428              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
2429                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2430                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2431                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2432                },
2433                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2434                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2435                },
2436                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2437                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2438                },
2439              },
2440              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
2441              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
2442              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
2443                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2444                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2445              },
2446            },
2447            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
2448              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
2449                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2450              },
2451              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
2452                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2453                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2454                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2455                },
2456                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2457                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2458                },
2459                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2460                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2461                },
2462              },
2463              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2464              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
2465            },
2466            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
2467              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
2468              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
2469                &quot;booleanValue&quot;: True or False, # boolean
2470                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2471                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2472                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2473                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2474                },
2475                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2476                &quot;floatValue&quot;: 3.14, # float
2477                &quot;integerValue&quot;: &quot;A String&quot;, # integer
2478                &quot;stringValue&quot;: &quot;A String&quot;, # string
2479                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2480                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2481                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2482                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2483                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2484                },
2485                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2486              },
2487              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
2488                &quot;booleanValue&quot;: True or False, # boolean
2489                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2490                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2491                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2492                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2493                },
2494                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2495                &quot;floatValue&quot;: 3.14, # float
2496                &quot;integerValue&quot;: &quot;A String&quot;, # integer
2497                &quot;stringValue&quot;: &quot;A String&quot;, # string
2498                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2499                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2500                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2501                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2502                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2503                },
2504                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2505              },
2506            },
2507            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
2508            },
2509            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
2510              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
2511                &quot;booleanValue&quot;: True or False, # boolean
2512                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2513                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2514                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2515                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2516                },
2517                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2518                &quot;floatValue&quot;: 3.14, # float
2519                &quot;integerValue&quot;: &quot;A String&quot;, # integer
2520                &quot;stringValue&quot;: &quot;A String&quot;, # string
2521                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2522                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2523                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2524                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2525                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2526                },
2527                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2528              },
2529            },
2530            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
2531              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
2532                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
2533                  &quot;A String&quot;,
2534                ],
2535              },
2536            },
2537            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2538            },
2539            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
2540              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2541            },
2542          },
2543        },
2544      ],
2545      &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
2546        { # Configuration to suppress records whose suppression conditions evaluate to true.
2547          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
2548            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
2549              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
2550                &quot;conditions&quot;: [ # A collection of conditions.
2551                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
2552                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
2553                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2554                    },
2555                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
2556                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
2557                      &quot;booleanValue&quot;: True or False, # boolean
2558                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2559                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2560                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2561                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2562                      },
2563                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2564                      &quot;floatValue&quot;: 3.14, # float
2565                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
2566                      &quot;stringValue&quot;: &quot;A String&quot;, # string
2567                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2568                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2569                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2570                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2571                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2572                      },
2573                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2574                    },
2575                  },
2576                ],
2577              },
2578              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
2579            },
2580          },
2581        },
2582      ],
2583    },
2584    &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
2585      &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
2586      },
2587      &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
2588      },
2589    },
2590  },
2591  &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
2592  &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
2593  &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
2594  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
2595}</pre>
2596</div>
2597
2598<div class="method">
2599    <code class="details" id="list">list(parent, locationId=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)</code>
2600  <pre>Lists DeidentifyTemplates. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
2601
2602Args:
2603  parent: string, Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization) and whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID + Organizations scope, location specified: `organizations/`ORG_ID`/locations/`LOCATION_ID + Organizations scope, no location specified (defaults to global): `organizations/`ORG_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)
2604  locationId: string, Deprecated. This field has no effect.
2605  orderBy: string, Comma separated list of fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc,update_time, create_time desc` Supported fields are: - `create_time`: corresponds to time the template was created. - `update_time`: corresponds to time the template was last updated. - `name`: corresponds to template&#x27;s name. - `display_name`: corresponds to template&#x27;s display name.
2606  pageSize: integer, Size of the page, can be limited by server. If zero server returns a page of max size 100.
2607  pageToken: string, Page token to continue retrieval. Comes from previous call to `ListDeidentifyTemplates`.
2608  x__xgafv: string, V1 error format.
2609    Allowed values
2610      1 - v1 error format
2611      2 - v2 error format
2612
2613Returns:
2614  An object of the form:
2615
2616    { # Response message for ListDeidentifyTemplates.
2617  &quot;deidentifyTemplates&quot;: [ # List of deidentify templates, up to page_size in ListDeidentifyTemplatesRequest.
2618    { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
2619      &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
2620      &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
2621        &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
2622          &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
2623            { # A transformation to apply to text that is identified as a specific info_type.
2624              &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
2625                { # Type of information detected by the API.
2626                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2627                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2628                },
2629              ],
2630              &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
2631                &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
2632                  &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
2633                    { # Bucket is represented as a range, along with replacement values.
2634                      &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
2635                        &quot;booleanValue&quot;: True or False, # boolean
2636                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2637                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2638                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2639                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2640                        },
2641                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2642                        &quot;floatValue&quot;: 3.14, # float
2643                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
2644                        &quot;stringValue&quot;: &quot;A String&quot;, # string
2645                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2646                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2647                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2648                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2649                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2650                        },
2651                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2652                      },
2653                      &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
2654                        &quot;booleanValue&quot;: True or False, # boolean
2655                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2656                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2657                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2658                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2659                        },
2660                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2661                        &quot;floatValue&quot;: 3.14, # float
2662                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
2663                        &quot;stringValue&quot;: &quot;A String&quot;, # string
2664                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2665                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2666                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2667                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2668                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2669                        },
2670                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2671                      },
2672                      &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
2673                        &quot;booleanValue&quot;: True or False, # boolean
2674                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2675                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2676                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2677                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2678                        },
2679                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2680                        &quot;floatValue&quot;: 3.14, # float
2681                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
2682                        &quot;stringValue&quot;: &quot;A String&quot;, # string
2683                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2684                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2685                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2686                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2687                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2688                        },
2689                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2690                      },
2691                    },
2692                  ],
2693                },
2694                &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
2695                  &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
2696                    { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
2697                      &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2698                      &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
2699                    },
2700                  ],
2701                  &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
2702                  &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
2703                  &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
2704                },
2705                &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
2706                  &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
2707                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2708                  },
2709                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
2710                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2711                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2712                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2713                    },
2714                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2715                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2716                    },
2717                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2718                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2719                    },
2720                  },
2721                  &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
2722                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2723                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2724                  },
2725                },
2726                &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
2727                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
2728                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2729                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2730                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2731                    },
2732                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2733                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2734                    },
2735                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2736                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2737                    },
2738                  },
2739                },
2740                &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
2741                  &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
2742                  &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
2743                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2744                  },
2745                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
2746                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2747                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2748                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2749                    },
2750                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2751                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2752                    },
2753                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2754                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2755                    },
2756                  },
2757                  &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
2758                  &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
2759                  &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
2760                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2761                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2762                  },
2763                },
2764                &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
2765                  &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
2766                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2767                  },
2768                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
2769                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2770                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2771                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2772                    },
2773                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2774                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
2775                    },
2776                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
2777                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2778                    },
2779                  },
2780                  &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2781                  &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
2782                },
2783                &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
2784                  &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
2785                  &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
2786                    &quot;booleanValue&quot;: True or False, # boolean
2787                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2788                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2789                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2790                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2791                    },
2792                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2793                    &quot;floatValue&quot;: 3.14, # float
2794                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2795                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2796                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2797                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2798                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2799                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2800                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2801                    },
2802                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2803                  },
2804                  &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
2805                    &quot;booleanValue&quot;: True or False, # boolean
2806                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2807                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2808                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2809                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2810                    },
2811                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2812                    &quot;floatValue&quot;: 3.14, # float
2813                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2814                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2815                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2816                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2817                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2818                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2819                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2820                    },
2821                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2822                  },
2823                },
2824                &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
2825                },
2826                &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
2827                  &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
2828                    &quot;booleanValue&quot;: True or False, # boolean
2829                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2830                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2831                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2832                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2833                    },
2834                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2835                    &quot;floatValue&quot;: 3.14, # float
2836                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
2837                    &quot;stringValue&quot;: &quot;A String&quot;, # string
2838                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2839                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2840                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2841                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2842                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2843                    },
2844                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2845                  },
2846                },
2847                &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
2848                  &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
2849                    &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
2850                      &quot;A String&quot;,
2851                    ],
2852                  },
2853                },
2854                &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2855                },
2856                &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
2857                  &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2858                },
2859              },
2860            },
2861          ],
2862        },
2863        &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
2864          &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
2865            { # The transformation to apply to the field.
2866              &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
2867                &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
2868                  &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
2869                    &quot;conditions&quot;: [ # A collection of conditions.
2870                      { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
2871                        &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
2872                          &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2873                        },
2874                        &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
2875                        &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
2876                          &quot;booleanValue&quot;: True or False, # boolean
2877                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2878                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2879                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2880                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2881                          },
2882                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2883                          &quot;floatValue&quot;: 3.14, # float
2884                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
2885                          &quot;stringValue&quot;: &quot;A String&quot;, # string
2886                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2887                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2888                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2889                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2890                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2891                          },
2892                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2893                        },
2894                      },
2895                    ],
2896                  },
2897                  &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
2898                },
2899              },
2900              &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
2901                { # General identifier of a data field in a storage service.
2902                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2903                },
2904              ],
2905              &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
2906                &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
2907                  { # A transformation to apply to text that is identified as a specific info_type.
2908                    &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
2909                      { # Type of information detected by the API.
2910                        &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
2911                        &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
2912                      },
2913                    ],
2914                    &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
2915                      &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
2916                        &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
2917                          { # Bucket is represented as a range, along with replacement values.
2918                            &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
2919                              &quot;booleanValue&quot;: True or False, # boolean
2920                              &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2921                                &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2922                                &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2923                                &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2924                              },
2925                              &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2926                              &quot;floatValue&quot;: 3.14, # float
2927                              &quot;integerValue&quot;: &quot;A String&quot;, # integer
2928                              &quot;stringValue&quot;: &quot;A String&quot;, # string
2929                              &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2930                                &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2931                                &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2932                                &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2933                                &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2934                              },
2935                              &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2936                            },
2937                            &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
2938                              &quot;booleanValue&quot;: True or False, # boolean
2939                              &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2940                                &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2941                                &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2942                                &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2943                              },
2944                              &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2945                              &quot;floatValue&quot;: 3.14, # float
2946                              &quot;integerValue&quot;: &quot;A String&quot;, # integer
2947                              &quot;stringValue&quot;: &quot;A String&quot;, # string
2948                              &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2949                                &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2950                                &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2951                                &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2952                                &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2953                              },
2954                              &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2955                            },
2956                            &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
2957                              &quot;booleanValue&quot;: True or False, # boolean
2958                              &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
2959                                &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
2960                                &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
2961                                &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
2962                              },
2963                              &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2964                              &quot;floatValue&quot;: 3.14, # float
2965                              &quot;integerValue&quot;: &quot;A String&quot;, # integer
2966                              &quot;stringValue&quot;: &quot;A String&quot;, # string
2967                              &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
2968                                &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2969                                &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2970                                &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2971                                &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
2972                              },
2973                              &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2974                            },
2975                          },
2976                        ],
2977                      },
2978                      &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
2979                        &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
2980                          { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
2981                            &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2982                            &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
2983                          },
2984                        ],
2985                        &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
2986                        &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
2987                        &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
2988                      },
2989                      &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
2990                        &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
2991                          &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2992                        },
2993                        &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
2994                          &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
2995                            &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2996                            &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2997                          },
2998                          &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
2999                            &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3000                          },
3001                          &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3002                            &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3003                          },
3004                        },
3005                        &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
3006                          &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3007                          &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3008                        },
3009                      },
3010                      &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
3011                        &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
3012                          &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3013                            &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3014                            &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3015                          },
3016                          &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3017                            &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3018                          },
3019                          &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3020                            &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3021                          },
3022                        },
3023                      },
3024                      &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
3025                        &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3026                        &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
3027                          &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3028                        },
3029                        &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
3030                          &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3031                            &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3032                            &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3033                          },
3034                          &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3035                            &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3036                          },
3037                          &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3038                            &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3039                          },
3040                        },
3041                        &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
3042                        &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3043                        &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
3044                          &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3045                          &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3046                        },
3047                      },
3048                      &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
3049                        &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
3050                          &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3051                        },
3052                        &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
3053                          &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3054                            &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3055                            &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3056                          },
3057                          &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3058                            &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3059                          },
3060                          &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3061                            &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3062                          },
3063                        },
3064                        &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3065                        &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
3066                      },
3067                      &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
3068                        &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3069                        &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
3070                          &quot;booleanValue&quot;: True or False, # boolean
3071                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3072                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3073                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3074                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3075                          },
3076                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3077                          &quot;floatValue&quot;: 3.14, # float
3078                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
3079                          &quot;stringValue&quot;: &quot;A String&quot;, # string
3080                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3081                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3082                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3083                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3084                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3085                          },
3086                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3087                        },
3088                        &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
3089                          &quot;booleanValue&quot;: True or False, # boolean
3090                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3091                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3092                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3093                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3094                          },
3095                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3096                          &quot;floatValue&quot;: 3.14, # float
3097                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
3098                          &quot;stringValue&quot;: &quot;A String&quot;, # string
3099                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3100                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3101                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3102                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3103                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3104                          },
3105                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3106                        },
3107                      },
3108                      &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
3109                      },
3110                      &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
3111                        &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
3112                          &quot;booleanValue&quot;: True or False, # boolean
3113                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3114                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3115                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3116                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3117                          },
3118                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3119                          &quot;floatValue&quot;: 3.14, # float
3120                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
3121                          &quot;stringValue&quot;: &quot;A String&quot;, # string
3122                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3123                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3124                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3125                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3126                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3127                          },
3128                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3129                        },
3130                      },
3131                      &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
3132                        &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
3133                          &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
3134                            &quot;A String&quot;,
3135                          ],
3136                        },
3137                      },
3138                      &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
3139                      },
3140                      &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
3141                        &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
3142                      },
3143                    },
3144                  },
3145                ],
3146              },
3147              &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
3148                &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
3149                  &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3150                    { # Bucket is represented as a range, along with replacement values.
3151                      &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
3152                        &quot;booleanValue&quot;: True or False, # boolean
3153                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3154                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3155                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3156                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3157                        },
3158                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3159                        &quot;floatValue&quot;: 3.14, # float
3160                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3161                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3162                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3163                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3164                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3165                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3166                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3167                        },
3168                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3169                      },
3170                      &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
3171                        &quot;booleanValue&quot;: True or False, # boolean
3172                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3173                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3174                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3175                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3176                        },
3177                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3178                        &quot;floatValue&quot;: 3.14, # float
3179                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3180                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3181                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3182                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3183                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3184                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3185                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3186                        },
3187                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3188                      },
3189                      &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
3190                        &quot;booleanValue&quot;: True or False, # boolean
3191                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3192                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3193                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3194                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3195                        },
3196                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3197                        &quot;floatValue&quot;: 3.14, # float
3198                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3199                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3200                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3201                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3202                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3203                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3204                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3205                        },
3206                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3207                      },
3208                    },
3209                  ],
3210                },
3211                &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
3212                  &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
3213                    { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
3214                      &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
3215                      &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
3216                    },
3217                  ],
3218                  &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
3219                  &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
3220                  &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
3221                },
3222                &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
3223                  &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
3224                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3225                  },
3226                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
3227                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3228                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3229                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3230                    },
3231                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3232                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3233                    },
3234                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3235                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3236                    },
3237                  },
3238                  &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
3239                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3240                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3241                  },
3242                },
3243                &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
3244                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
3245                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3246                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3247                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3248                    },
3249                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3250                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3251                    },
3252                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3253                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3254                    },
3255                  },
3256                },
3257                &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
3258                  &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3259                  &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
3260                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3261                  },
3262                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
3263                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3264                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3265                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3266                    },
3267                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3268                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3269                    },
3270                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3271                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3272                    },
3273                  },
3274                  &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
3275                  &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3276                  &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
3277                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3278                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3279                  },
3280                },
3281                &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
3282                  &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
3283                    &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3284                  },
3285                  &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
3286                    &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3287                      &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3288                      &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3289                    },
3290                    &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3291                      &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3292                    },
3293                    &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3294                      &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3295                    },
3296                  },
3297                  &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3298                  &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
3299                },
3300                &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
3301                  &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3302                  &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
3303                    &quot;booleanValue&quot;: True or False, # boolean
3304                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3305                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3306                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3307                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3308                    },
3309                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3310                    &quot;floatValue&quot;: 3.14, # float
3311                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
3312                    &quot;stringValue&quot;: &quot;A String&quot;, # string
3313                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3314                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3315                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3316                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3317                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3318                    },
3319                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3320                  },
3321                  &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
3322                    &quot;booleanValue&quot;: True or False, # boolean
3323                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3324                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3325                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3326                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3327                    },
3328                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3329                    &quot;floatValue&quot;: 3.14, # float
3330                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
3331                    &quot;stringValue&quot;: &quot;A String&quot;, # string
3332                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3333                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3334                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3335                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3336                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3337                    },
3338                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3339                  },
3340                },
3341                &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
3342                },
3343                &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
3344                  &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
3345                    &quot;booleanValue&quot;: True or False, # boolean
3346                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3347                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3348                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3349                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3350                    },
3351                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3352                    &quot;floatValue&quot;: 3.14, # float
3353                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
3354                    &quot;stringValue&quot;: &quot;A String&quot;, # string
3355                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3356                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3357                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3358                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3359                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3360                    },
3361                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3362                  },
3363                },
3364                &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
3365                  &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
3366                    &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
3367                      &quot;A String&quot;,
3368                    ],
3369                  },
3370                },
3371                &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
3372                },
3373                &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
3374                  &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
3375                },
3376              },
3377            },
3378          ],
3379          &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
3380            { # Configuration to suppress records whose suppression conditions evaluate to true.
3381              &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
3382                &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
3383                  &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
3384                    &quot;conditions&quot;: [ # A collection of conditions.
3385                      { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
3386                        &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
3387                          &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3388                        },
3389                        &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
3390                        &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
3391                          &quot;booleanValue&quot;: True or False, # boolean
3392                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3393                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3394                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3395                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3396                          },
3397                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3398                          &quot;floatValue&quot;: 3.14, # float
3399                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
3400                          &quot;stringValue&quot;: &quot;A String&quot;, # string
3401                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3402                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3403                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3404                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3405                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3406                          },
3407                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3408                        },
3409                      },
3410                    ],
3411                  },
3412                  &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
3413                },
3414              },
3415            },
3416          ],
3417        },
3418        &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
3419          &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
3420          },
3421          &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
3422          },
3423        },
3424      },
3425      &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
3426      &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
3427      &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
3428      &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
3429    },
3430  ],
3431  &quot;nextPageToken&quot;: &quot;A String&quot;, # If the next page is available then the next page token to be used in following ListDeidentifyTemplates request.
3432}</pre>
3433</div>
3434
3435<div class="method">
3436    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
3437  <pre>Retrieves the next page of results.
3438
3439Args:
3440  previous_request: The request for the previous page. (required)
3441  previous_response: The response from the request for the previous page. (required)
3442
3443Returns:
3444  A request object that you can call &#x27;execute()&#x27; on to request the next
3445  page. Returns None if there are no more items in the collection.
3446    </pre>
3447</div>
3448
3449<div class="method">
3450    <code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>
3451  <pre>Updates the DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
3452
3453Args:
3454  name: string, Required. Resource name of organization and deidentify template to be updated, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342. (required)
3455  body: object, The request body.
3456    The object takes the form of:
3457
3458{ # Request message for UpdateDeidentifyTemplate.
3459  &quot;deidentifyTemplate&quot;: { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more. # New DeidentifyTemplate value.
3460    &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
3461    &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
3462      &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
3463        &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
3464          { # A transformation to apply to text that is identified as a specific info_type.
3465            &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
3466              { # Type of information detected by the API.
3467                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3468                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3469              },
3470            ],
3471            &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
3472              &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
3473                &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3474                  { # Bucket is represented as a range, along with replacement values.
3475                    &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
3476                      &quot;booleanValue&quot;: True or False, # boolean
3477                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3478                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3479                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3480                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3481                      },
3482                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3483                      &quot;floatValue&quot;: 3.14, # float
3484                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
3485                      &quot;stringValue&quot;: &quot;A String&quot;, # string
3486                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3487                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3488                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3489                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3490                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3491                      },
3492                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3493                    },
3494                    &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
3495                      &quot;booleanValue&quot;: True or False, # boolean
3496                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3497                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3498                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3499                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3500                      },
3501                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3502                      &quot;floatValue&quot;: 3.14, # float
3503                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
3504                      &quot;stringValue&quot;: &quot;A String&quot;, # string
3505                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3506                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3507                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3508                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3509                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3510                      },
3511                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3512                    },
3513                    &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
3514                      &quot;booleanValue&quot;: True or False, # boolean
3515                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3516                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3517                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3518                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3519                      },
3520                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3521                      &quot;floatValue&quot;: 3.14, # float
3522                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
3523                      &quot;stringValue&quot;: &quot;A String&quot;, # string
3524                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3525                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3526                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3527                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3528                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3529                      },
3530                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3531                    },
3532                  },
3533                ],
3534              },
3535              &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
3536                &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
3537                  { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
3538                    &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
3539                    &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
3540                  },
3541                ],
3542                &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
3543                &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
3544                &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
3545              },
3546              &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
3547                &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
3548                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3549                },
3550                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
3551                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3552                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3553                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3554                  },
3555                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3556                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3557                  },
3558                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3559                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3560                  },
3561                },
3562                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
3563                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3564                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3565                },
3566              },
3567              &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
3568                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
3569                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3570                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3571                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3572                  },
3573                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3574                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3575                  },
3576                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3577                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3578                  },
3579                },
3580              },
3581              &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
3582                &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3583                &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
3584                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3585                },
3586                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
3587                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3588                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3589                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3590                  },
3591                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3592                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3593                  },
3594                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3595                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3596                  },
3597                },
3598                &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
3599                &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3600                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
3601                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3602                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3603                },
3604              },
3605              &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
3606                &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
3607                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3608                },
3609                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
3610                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3611                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3612                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3613                  },
3614                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3615                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3616                  },
3617                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3618                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3619                  },
3620                },
3621                &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3622                &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
3623              },
3624              &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
3625                &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3626                &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
3627                  &quot;booleanValue&quot;: True or False, # boolean
3628                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3629                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3630                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3631                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3632                  },
3633                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3634                  &quot;floatValue&quot;: 3.14, # float
3635                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
3636                  &quot;stringValue&quot;: &quot;A String&quot;, # string
3637                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3638                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3639                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3640                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3641                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3642                  },
3643                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3644                },
3645                &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
3646                  &quot;booleanValue&quot;: True or False, # boolean
3647                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3648                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3649                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3650                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3651                  },
3652                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3653                  &quot;floatValue&quot;: 3.14, # float
3654                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
3655                  &quot;stringValue&quot;: &quot;A String&quot;, # string
3656                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3657                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3658                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3659                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3660                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3661                  },
3662                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3663                },
3664              },
3665              &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
3666              },
3667              &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
3668                &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
3669                  &quot;booleanValue&quot;: True or False, # boolean
3670                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3671                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3672                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3673                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3674                  },
3675                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3676                  &quot;floatValue&quot;: 3.14, # float
3677                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
3678                  &quot;stringValue&quot;: &quot;A String&quot;, # string
3679                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3680                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3681                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3682                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3683                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3684                  },
3685                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3686                },
3687              },
3688              &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
3689                &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
3690                  &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
3691                    &quot;A String&quot;,
3692                  ],
3693                },
3694              },
3695              &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
3696              },
3697              &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
3698                &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
3699              },
3700            },
3701          },
3702        ],
3703      },
3704      &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
3705        &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
3706          { # The transformation to apply to the field.
3707            &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
3708              &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
3709                &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
3710                  &quot;conditions&quot;: [ # A collection of conditions.
3711                    { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
3712                      &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
3713                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3714                      },
3715                      &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
3716                      &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
3717                        &quot;booleanValue&quot;: True or False, # boolean
3718                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3719                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3720                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3721                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3722                        },
3723                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3724                        &quot;floatValue&quot;: 3.14, # float
3725                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3726                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3727                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3728                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3729                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3730                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3731                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3732                        },
3733                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3734                      },
3735                    },
3736                  ],
3737                },
3738                &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
3739              },
3740            },
3741            &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
3742              { # General identifier of a data field in a storage service.
3743                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3744              },
3745            ],
3746            &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
3747              &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
3748                { # A transformation to apply to text that is identified as a specific info_type.
3749                  &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
3750                    { # Type of information detected by the API.
3751                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3752                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3753                    },
3754                  ],
3755                  &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
3756                    &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
3757                      &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3758                        { # Bucket is represented as a range, along with replacement values.
3759                          &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
3760                            &quot;booleanValue&quot;: True or False, # boolean
3761                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3762                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3763                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3764                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3765                            },
3766                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3767                            &quot;floatValue&quot;: 3.14, # float
3768                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
3769                            &quot;stringValue&quot;: &quot;A String&quot;, # string
3770                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3771                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3772                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3773                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3774                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3775                            },
3776                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3777                          },
3778                          &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
3779                            &quot;booleanValue&quot;: True or False, # boolean
3780                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3781                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3782                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3783                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3784                            },
3785                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3786                            &quot;floatValue&quot;: 3.14, # float
3787                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
3788                            &quot;stringValue&quot;: &quot;A String&quot;, # string
3789                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3790                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3791                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3792                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3793                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3794                            },
3795                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3796                          },
3797                          &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
3798                            &quot;booleanValue&quot;: True or False, # boolean
3799                            &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3800                              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3801                              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3802                              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3803                            },
3804                            &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3805                            &quot;floatValue&quot;: 3.14, # float
3806                            &quot;integerValue&quot;: &quot;A String&quot;, # integer
3807                            &quot;stringValue&quot;: &quot;A String&quot;, # string
3808                            &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3809                              &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3810                              &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3811                              &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3812                              &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3813                            },
3814                            &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3815                          },
3816                        },
3817                      ],
3818                    },
3819                    &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
3820                      &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
3821                        { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
3822                          &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
3823                          &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
3824                        },
3825                      ],
3826                      &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
3827                      &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
3828                      &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
3829                    },
3830                    &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
3831                      &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
3832                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3833                      },
3834                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
3835                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3836                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3837                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3838                        },
3839                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3840                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3841                        },
3842                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3843                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3844                        },
3845                      },
3846                      &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
3847                        &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3848                        &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3849                      },
3850                    },
3851                    &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
3852                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
3853                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3854                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3855                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3856                        },
3857                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3858                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3859                        },
3860                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3861                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3862                        },
3863                      },
3864                    },
3865                    &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
3866                      &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3867                      &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
3868                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3869                      },
3870                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
3871                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3872                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3873                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3874                        },
3875                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3876                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3877                        },
3878                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3879                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3880                        },
3881                      },
3882                      &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
3883                      &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3884                      &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
3885                        &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
3886                        &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
3887                      },
3888                    },
3889                    &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
3890                      &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
3891                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3892                      },
3893                      &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
3894                        &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
3895                          &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3896                          &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3897                        },
3898                        &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
3899                          &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
3900                        },
3901                        &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
3902                          &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3903                        },
3904                      },
3905                      &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3906                      &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
3907                    },
3908                    &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
3909                      &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3910                      &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
3911                        &quot;booleanValue&quot;: True or False, # boolean
3912                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3913                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3914                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3915                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3916                        },
3917                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3918                        &quot;floatValue&quot;: 3.14, # float
3919                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3920                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3921                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3922                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3923                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3924                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3925                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3926                        },
3927                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3928                      },
3929                      &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
3930                        &quot;booleanValue&quot;: True or False, # boolean
3931                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3932                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3933                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3934                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3935                        },
3936                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3937                        &quot;floatValue&quot;: 3.14, # float
3938                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3939                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3940                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3941                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3942                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3943                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3944                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3945                        },
3946                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3947                      },
3948                    },
3949                    &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
3950                    },
3951                    &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
3952                      &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
3953                        &quot;booleanValue&quot;: True or False, # boolean
3954                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3955                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3956                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3957                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3958                        },
3959                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3960                        &quot;floatValue&quot;: 3.14, # float
3961                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
3962                        &quot;stringValue&quot;: &quot;A String&quot;, # string
3963                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
3964                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3965                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3966                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3967                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
3968                        },
3969                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3970                      },
3971                    },
3972                    &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
3973                      &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
3974                        &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
3975                          &quot;A String&quot;,
3976                        ],
3977                      },
3978                    },
3979                    &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
3980                    },
3981                    &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
3982                      &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
3983                    },
3984                  },
3985                },
3986              ],
3987            },
3988            &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
3989              &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
3990                &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3991                  { # Bucket is represented as a range, along with replacement values.
3992                    &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
3993                      &quot;booleanValue&quot;: True or False, # boolean
3994                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
3995                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
3996                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
3997                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
3998                      },
3999                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4000                      &quot;floatValue&quot;: 3.14, # float
4001                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4002                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4003                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4004                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4005                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4006                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4007                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4008                      },
4009                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4010                    },
4011                    &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
4012                      &quot;booleanValue&quot;: True or False, # boolean
4013                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4014                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4015                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4016                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4017                      },
4018                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4019                      &quot;floatValue&quot;: 3.14, # float
4020                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4021                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4022                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4023                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4024                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4025                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4026                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4027                      },
4028                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4029                    },
4030                    &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
4031                      &quot;booleanValue&quot;: True or False, # boolean
4032                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4033                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4034                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4035                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4036                      },
4037                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4038                      &quot;floatValue&quot;: 3.14, # float
4039                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4040                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4041                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4042                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4043                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4044                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4045                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4046                      },
4047                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4048                    },
4049                  },
4050                ],
4051              },
4052              &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
4053                &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
4054                  { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
4055                    &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4056                    &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
4057                  },
4058                ],
4059                &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
4060                &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
4061                &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
4062              },
4063              &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
4064                &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
4065                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4066                },
4067                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
4068                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4069                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4070                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4071                  },
4072                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4073                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4074                  },
4075                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4076                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4077                  },
4078                },
4079                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
4080                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4081                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4082                },
4083              },
4084              &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
4085                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
4086                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4087                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4088                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4089                  },
4090                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4091                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4092                  },
4093                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4094                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4095                  },
4096                },
4097              },
4098              &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
4099                &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
4100                &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
4101                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4102                },
4103                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
4104                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4105                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4106                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4107                  },
4108                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4109                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4110                  },
4111                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4112                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4113                  },
4114                },
4115                &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
4116                &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
4117                &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
4118                  &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4119                  &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4120                },
4121              },
4122              &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
4123                &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
4124                  &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4125                },
4126                &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
4127                  &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4128                    &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4129                    &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4130                  },
4131                  &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4132                    &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4133                  },
4134                  &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4135                    &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4136                  },
4137                },
4138                &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4139                &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
4140              },
4141              &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
4142                &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
4143                &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
4144                  &quot;booleanValue&quot;: True or False, # boolean
4145                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4146                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4147                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4148                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4149                  },
4150                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4151                  &quot;floatValue&quot;: 3.14, # float
4152                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
4153                  &quot;stringValue&quot;: &quot;A String&quot;, # string
4154                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4155                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4156                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4157                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4158                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4159                  },
4160                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4161                },
4162                &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
4163                  &quot;booleanValue&quot;: True or False, # boolean
4164                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4165                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4166                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4167                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4168                  },
4169                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4170                  &quot;floatValue&quot;: 3.14, # float
4171                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
4172                  &quot;stringValue&quot;: &quot;A String&quot;, # string
4173                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4174                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4175                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4176                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4177                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4178                  },
4179                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4180                },
4181              },
4182              &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
4183              },
4184              &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
4185                &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
4186                  &quot;booleanValue&quot;: True or False, # boolean
4187                  &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4188                    &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4189                    &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4190                    &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4191                  },
4192                  &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4193                  &quot;floatValue&quot;: 3.14, # float
4194                  &quot;integerValue&quot;: &quot;A String&quot;, # integer
4195                  &quot;stringValue&quot;: &quot;A String&quot;, # string
4196                  &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4197                    &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4198                    &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4199                    &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4200                    &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4201                  },
4202                  &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4203                },
4204              },
4205              &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
4206                &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
4207                  &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
4208                    &quot;A String&quot;,
4209                  ],
4210                },
4211              },
4212              &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
4213              },
4214              &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
4215                &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
4216              },
4217            },
4218          },
4219        ],
4220        &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
4221          { # Configuration to suppress records whose suppression conditions evaluate to true.
4222            &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
4223              &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
4224                &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
4225                  &quot;conditions&quot;: [ # A collection of conditions.
4226                    { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
4227                      &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
4228                        &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4229                      },
4230                      &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
4231                      &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
4232                        &quot;booleanValue&quot;: True or False, # boolean
4233                        &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4234                          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4235                          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4236                          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4237                        },
4238                        &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4239                        &quot;floatValue&quot;: 3.14, # float
4240                        &quot;integerValue&quot;: &quot;A String&quot;, # integer
4241                        &quot;stringValue&quot;: &quot;A String&quot;, # string
4242                        &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4243                          &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4244                          &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4245                          &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4246                          &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4247                        },
4248                        &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4249                      },
4250                    },
4251                  ],
4252                },
4253                &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
4254              },
4255            },
4256          },
4257        ],
4258      },
4259      &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
4260        &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
4261        },
4262        &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
4263        },
4264      },
4265    },
4266    &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
4267    &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
4268    &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
4269    &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
4270  },
4271  &quot;updateMask&quot;: &quot;A String&quot;, # Mask to control which fields get updated.
4272}
4273
4274  x__xgafv: string, V1 error format.
4275    Allowed values
4276      1 - v1 error format
4277      2 - v2 error format
4278
4279Returns:
4280  An object of the form:
4281
4282    { # DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
4283  &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
4284  &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
4285    &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
4286      &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
4287        { # A transformation to apply to text that is identified as a specific info_type.
4288          &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
4289            { # Type of information detected by the API.
4290              &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4291              &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4292            },
4293          ],
4294          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
4295            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
4296              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
4297                { # Bucket is represented as a range, along with replacement values.
4298                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
4299                    &quot;booleanValue&quot;: True or False, # boolean
4300                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4301                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4302                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4303                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4304                    },
4305                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4306                    &quot;floatValue&quot;: 3.14, # float
4307                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4308                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4309                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4310                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4311                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4312                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4313                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4314                    },
4315                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4316                  },
4317                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
4318                    &quot;booleanValue&quot;: True or False, # boolean
4319                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4320                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4321                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4322                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4323                    },
4324                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4325                    &quot;floatValue&quot;: 3.14, # float
4326                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4327                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4328                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4329                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4330                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4331                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4332                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4333                    },
4334                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4335                  },
4336                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
4337                    &quot;booleanValue&quot;: True or False, # boolean
4338                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4339                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4340                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4341                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4342                    },
4343                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4344                    &quot;floatValue&quot;: 3.14, # float
4345                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4346                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4347                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4348                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4349                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4350                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4351                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4352                    },
4353                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4354                  },
4355                },
4356              ],
4357            },
4358            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
4359              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
4360                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
4361                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4362                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
4363                },
4364              ],
4365              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
4366              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
4367              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
4368            },
4369            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
4370              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
4371                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4372              },
4373              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
4374                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4375                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4376                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4377                },
4378                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4379                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4380                },
4381                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4382                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4383                },
4384              },
4385              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
4386                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4387                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4388              },
4389            },
4390            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
4391              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
4392                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4393                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4394                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4395                },
4396                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4397                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4398                },
4399                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4400                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4401                },
4402              },
4403            },
4404            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
4405              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
4406              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
4407                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4408              },
4409              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
4410                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4411                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4412                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4413                },
4414                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4415                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4416                },
4417                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4418                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4419                },
4420              },
4421              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
4422              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
4423              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
4424                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4425                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4426              },
4427            },
4428            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
4429              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
4430                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4431              },
4432              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
4433                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4434                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4435                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4436                },
4437                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4438                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4439                },
4440                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4441                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4442                },
4443              },
4444              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4445              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
4446            },
4447            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
4448              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
4449              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
4450                &quot;booleanValue&quot;: True or False, # boolean
4451                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4452                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4453                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4454                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4455                },
4456                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4457                &quot;floatValue&quot;: 3.14, # float
4458                &quot;integerValue&quot;: &quot;A String&quot;, # integer
4459                &quot;stringValue&quot;: &quot;A String&quot;, # string
4460                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4461                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4462                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4463                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4464                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4465                },
4466                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4467              },
4468              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
4469                &quot;booleanValue&quot;: True or False, # boolean
4470                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4471                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4472                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4473                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4474                },
4475                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4476                &quot;floatValue&quot;: 3.14, # float
4477                &quot;integerValue&quot;: &quot;A String&quot;, # integer
4478                &quot;stringValue&quot;: &quot;A String&quot;, # string
4479                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4480                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4481                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4482                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4483                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4484                },
4485                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4486              },
4487            },
4488            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
4489            },
4490            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
4491              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
4492                &quot;booleanValue&quot;: True or False, # boolean
4493                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4494                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4495                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4496                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4497                },
4498                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4499                &quot;floatValue&quot;: 3.14, # float
4500                &quot;integerValue&quot;: &quot;A String&quot;, # integer
4501                &quot;stringValue&quot;: &quot;A String&quot;, # string
4502                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4503                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4504                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4505                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4506                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4507                },
4508                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4509              },
4510            },
4511            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
4512              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
4513                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
4514                  &quot;A String&quot;,
4515                ],
4516              },
4517            },
4518            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
4519            },
4520            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
4521              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
4522            },
4523          },
4524        },
4525      ],
4526    },
4527    &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
4528      &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
4529        { # The transformation to apply to the field.
4530          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
4531            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
4532              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
4533                &quot;conditions&quot;: [ # A collection of conditions.
4534                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
4535                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
4536                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4537                    },
4538                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
4539                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
4540                      &quot;booleanValue&quot;: True or False, # boolean
4541                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4542                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4543                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4544                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4545                      },
4546                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4547                      &quot;floatValue&quot;: 3.14, # float
4548                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4549                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4550                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4551                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4552                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4553                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4554                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4555                      },
4556                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4557                    },
4558                  },
4559                ],
4560              },
4561              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
4562            },
4563          },
4564          &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of &quot;contact.nums[0].type&quot;, use &quot;contact.nums.type&quot;.
4565            { # General identifier of a data field in a storage service.
4566              &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4567            },
4568          ],
4569          &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
4570            &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
4571              { # A transformation to apply to text that is identified as a specific info_type.
4572                &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
4573                  { # Type of information detected by the API.
4574                    &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4575                    &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4576                  },
4577                ],
4578                &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
4579                  &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
4580                    &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
4581                      { # Bucket is represented as a range, along with replacement values.
4582                        &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
4583                          &quot;booleanValue&quot;: True or False, # boolean
4584                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4585                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4586                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4587                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4588                          },
4589                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4590                          &quot;floatValue&quot;: 3.14, # float
4591                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
4592                          &quot;stringValue&quot;: &quot;A String&quot;, # string
4593                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4594                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4595                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4596                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4597                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4598                          },
4599                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4600                        },
4601                        &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
4602                          &quot;booleanValue&quot;: True or False, # boolean
4603                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4604                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4605                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4606                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4607                          },
4608                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4609                          &quot;floatValue&quot;: 3.14, # float
4610                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
4611                          &quot;stringValue&quot;: &quot;A String&quot;, # string
4612                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4613                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4614                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4615                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4616                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4617                          },
4618                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4619                        },
4620                        &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
4621                          &quot;booleanValue&quot;: True or False, # boolean
4622                          &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4623                            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4624                            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4625                            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4626                          },
4627                          &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4628                          &quot;floatValue&quot;: 3.14, # float
4629                          &quot;integerValue&quot;: &quot;A String&quot;, # integer
4630                          &quot;stringValue&quot;: &quot;A String&quot;, # string
4631                          &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4632                            &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4633                            &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4634                            &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4635                            &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4636                          },
4637                          &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4638                        },
4639                      },
4640                    ],
4641                  },
4642                  &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
4643                    &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
4644                      { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
4645                        &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4646                        &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
4647                      },
4648                    ],
4649                    &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
4650                    &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
4651                    &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
4652                  },
4653                  &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
4654                    &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
4655                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4656                    },
4657                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
4658                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4659                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4660                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4661                      },
4662                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4663                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4664                      },
4665                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4666                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4667                      },
4668                    },
4669                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
4670                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4671                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4672                    },
4673                  },
4674                  &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
4675                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
4676                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4677                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4678                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4679                      },
4680                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4681                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4682                      },
4683                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4684                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4685                      },
4686                    },
4687                  },
4688                  &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
4689                    &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
4690                    &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
4691                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4692                    },
4693                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
4694                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4695                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4696                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4697                      },
4698                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4699                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4700                      },
4701                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4702                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4703                      },
4704                    },
4705                    &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
4706                    &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
4707                    &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
4708                      &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4709                      &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4710                    },
4711                  },
4712                  &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
4713                    &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
4714                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4715                    },
4716                    &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
4717                      &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4718                        &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4719                        &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4720                      },
4721                      &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4722                        &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4723                      },
4724                      &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4725                        &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4726                      },
4727                    },
4728                    &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4729                    &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
4730                  },
4731                  &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
4732                    &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
4733                    &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
4734                      &quot;booleanValue&quot;: True or False, # boolean
4735                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4736                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4737                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4738                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4739                      },
4740                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4741                      &quot;floatValue&quot;: 3.14, # float
4742                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4743                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4744                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4745                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4746                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4747                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4748                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4749                      },
4750                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4751                    },
4752                    &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
4753                      &quot;booleanValue&quot;: True or False, # boolean
4754                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4755                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4756                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4757                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4758                      },
4759                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4760                      &quot;floatValue&quot;: 3.14, # float
4761                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4762                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4763                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4764                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4765                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4766                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4767                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4768                      },
4769                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4770                    },
4771                  },
4772                  &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
4773                  },
4774                  &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
4775                    &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
4776                      &quot;booleanValue&quot;: True or False, # boolean
4777                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4778                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4779                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4780                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4781                      },
4782                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4783                      &quot;floatValue&quot;: 3.14, # float
4784                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
4785                      &quot;stringValue&quot;: &quot;A String&quot;, # string
4786                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4787                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4788                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4789                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4790                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4791                      },
4792                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4793                    },
4794                  },
4795                  &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
4796                    &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
4797                      &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
4798                        &quot;A String&quot;,
4799                      ],
4800                    },
4801                  },
4802                  &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
4803                  },
4804                  &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
4805                    &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
4806                  },
4807                },
4808              },
4809            ],
4810          },
4811          &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
4812            &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
4813              &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
4814                { # Bucket is represented as a range, along with replacement values.
4815                  &quot;max&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
4816                    &quot;booleanValue&quot;: True or False, # boolean
4817                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4818                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4819                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4820                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4821                    },
4822                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4823                    &quot;floatValue&quot;: 3.14, # float
4824                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4825                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4826                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4827                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4828                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4829                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4830                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4831                    },
4832                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4833                  },
4834                  &quot;min&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
4835                    &quot;booleanValue&quot;: True or False, # boolean
4836                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4837                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4838                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4839                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4840                    },
4841                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4842                    &quot;floatValue&quot;: 3.14, # float
4843                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4844                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4845                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4846                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4847                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4848                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4849                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4850                    },
4851                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4852                  },
4853                  &quot;replacementValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
4854                    &quot;booleanValue&quot;: True or False, # boolean
4855                    &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4856                      &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4857                      &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4858                      &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4859                    },
4860                    &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4861                    &quot;floatValue&quot;: 3.14, # float
4862                    &quot;integerValue&quot;: &quot;A String&quot;, # integer
4863                    &quot;stringValue&quot;: &quot;A String&quot;, # string
4864                    &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4865                      &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4866                      &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4867                      &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4868                      &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4869                    },
4870                    &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4871                  },
4872                },
4873              ],
4874            },
4875            &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
4876              &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
4877                { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
4878                  &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4879                  &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing punctuation.
4880                },
4881              ],
4882              &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
4883              &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
4884              &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
4885            },
4886            &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
4887              &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
4888                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4889              },
4890              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use.
4891                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4892                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4893                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4894                },
4895                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4896                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4897                },
4898                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4899                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4900                },
4901              },
4902              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
4903                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4904                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4905              },
4906            },
4907            &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
4908              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function.
4909                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4910                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4911                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4912                },
4913                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4914                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4915                },
4916                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4917                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4918                },
4919              },
4920            },
4921            &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
4922              &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
4923              &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same identifier in two different contexts won&#x27;t be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
4924                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4925              },
4926              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm.
4927                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4928                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4929                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4930                },
4931                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4932                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4933                },
4934                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4935                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4936                },
4937              },
4938              &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&amp;*()_-+={[}]|\:;&quot;&#x27;&lt;,&gt;.?/
4939              &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
4940              &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and the surrogate is &#x27;abc&#x27;, the full replacement value will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27; This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
4941                &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
4942                &quot;version&quot;: &quot;A String&quot;, # Optional version name for this InfoType.
4943              },
4944            },
4945            &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
4946              &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
4947                &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4948              },
4949              &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
4950                &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS
4951                  &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4952                  &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4953                },
4954                &quot;transient&quot;: { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
4955                  &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
4956                },
4957                &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
4958                  &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4959                },
4960              },
4961              &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4962              &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
4963            },
4964            &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with &quot;10-20&quot;. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
4965              &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
4966              &quot;lowerBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value &quot;-10&quot;.
4967                &quot;booleanValue&quot;: True or False, # boolean
4968                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4969                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4970                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4971                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4972                },
4973                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4974                &quot;floatValue&quot;: 3.14, # float
4975                &quot;integerValue&quot;: &quot;A String&quot;, # integer
4976                &quot;stringValue&quot;: &quot;A String&quot;, # string
4977                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4978                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4979                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4980                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4981                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
4982                },
4983                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4984              },
4985              &quot;upperBound&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value &quot;89+&quot;.
4986                &quot;booleanValue&quot;: True or False, # boolean
4987                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
4988                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
4989                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
4990                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
4991                },
4992                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4993                &quot;floatValue&quot;: 3.14, # float
4994                &quot;integerValue&quot;: &quot;A String&quot;, # integer
4995                &quot;stringValue&quot;: &quot;A String&quot;, # string
4996                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
4997                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4998                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4999                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5000                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
5001                },
5002                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5003              },
5004            },
5005            &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the output would be &#x27;My phone number is &#x27;. # Redact
5006            },
5007            &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace with a specified value.
5008              &quot;newValue&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
5009                &quot;booleanValue&quot;: True or False, # boolean
5010                &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
5011                  &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
5012                  &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
5013                  &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
5014                },
5015                &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5016                &quot;floatValue&quot;: 3.14, # float
5017                &quot;integerValue&quot;: &quot;A String&quot;, # integer
5018                &quot;stringValue&quot;: &quot;A String&quot;, # string
5019                &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
5020                  &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5021                  &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5022                  &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5023                  &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
5024                },
5025                &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5026              },
5027            },
5028            &quot;replaceDictionaryConfig&quot;: { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary.
5029              &quot;wordList&quot;: { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries.
5030                &quot;words&quot;: [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
5031                  &quot;A String&quot;,
5032                ],
5033              },
5034            },
5035            &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
5036            },
5037            &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
5038              &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
5039            },
5040          },
5041        },
5042      ],
5043      &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
5044        { # Configuration to suppress records whose suppression conditions evaluate to true.
5045          &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
5046            &quot;expressions&quot;: { # An expression, consisting or an operator and conditions. # An expression.
5047              &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
5048                &quot;conditions&quot;: [ # A collection of conditions.
5049                  { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of &#x27;HH:mm:ss&#x27;. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
5050                    &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
5051                      &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5052                    },
5053                    &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
5054                    &quot;value&quot;: { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a &#x27;Value&#x27; is based on its representation as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
5055                      &quot;booleanValue&quot;: True or False, # boolean
5056                      &quot;dateValue&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
5057                        &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
5058                        &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
5059                        &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
5060                      },
5061                      &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5062                      &quot;floatValue&quot;: 3.14, # float
5063                      &quot;integerValue&quot;: &quot;A String&quot;, # integer
5064                      &quot;stringValue&quot;: &quot;A String&quot;, # string
5065                      &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
5066                        &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5067                        &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5068                        &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5069                        &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
5070                      },
5071                      &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5072                    },
5073                  },
5074                ],
5075              },
5076              &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
5077            },
5078          },
5079        },
5080      ],
5081    },
5082    &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
5083      &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
5084      },
5085      &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
5086      },
5087    },
5088  },
5089  &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
5090  &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
5091  &quot;name&quot;: &quot;A String&quot;, # Output only. The template name. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
5092  &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
5093}</pre>
5094</div>
5095
5096</body></html>