First pass at review

products/iap/api.yaml

@@ -141,20 +141,27 @@ objects:
     self_link: '{{name}}'
     input: true
     description: |
-      OAuth brand data.
+      OAuth brand data. Only "Organization Internal" brands can be created
+      programatically via API. To convert it into an external brands
+      please use the GCP Console.
     parameters:
       - !ruby/object:Api::Type::String
         name: 'name'
         description: |
-          Output only. Identifier of the brand. NOTE: GCP project number achieves
-          the same brand identification purpose as only one brand per project can be created.
+          Output only. Identifier of the brand, in the format
+          `projects/{project_number}/brands/{brand_id}`. NOTE: The brand
+          identification corresponds to the project number as only one
+          brand per project can be created.
         output: true
     properties:
       - !ruby/object:Api::Type::String
         name: 'supportEmail'
         description: |
-          Support email displayed on the OAuth consent screen. When called using a service account,
-          the support email should refer to a group to which the service account is an owner of.
+          Support email displayed on the OAuth consent screen. Can be either a
+          user or group email. When a user email is specified, the caller must
+          be the user with the associated email address. When a group email is
+          specified, the caller can be either a user or a service account which
+          is an owner of the specified group in Cloud Identity.
         required: true
       - !ruby/object:Api::Type::String
         name: 'applicationTitle'
@@ -167,7 +174,7 @@ objects:
           Whether the brand is only intended for usage inside the GSuite organization only.
         output: true
   - !ruby/object:Api::Resource
-    name: 'IdentityAwareProxyClient'
+    name: 'Client'
     base_url: '{{brand}}/identityAwareProxyClients'
     self_link: '{{name}}'
     input: true
@@ -182,8 +189,9 @@ objects:
       - !ruby/object:Api::Type::String
         name: 'brand'
         description: |
-          Identifier of the brand to which this `IdentityAwareProxyClients``
-          is attached to.
+          Identifier of the brand to which this client
+          is attached to. The format is
+          `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
         input: true
         required: true
         url_param_only: true
@@ -197,4 +205,4 @@ objects:
         name: 'displayName'
         description: |
           Human-friendly name given to the OAuth client.
-        required: true
+        required: true

products/iap/terraform.yaml

@@ -172,13 +172,13 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       custom_delete: templates/terraform/custom_delete/skip_delete.go.erb
       custom_import: templates/terraform/custom_import/iap_brand.go.erb
       post_create: templates/terraform/post_create/set_computed_name.erb
-  IdentityAwareProxyClient: !ruby/object:Overrides::Terraform::ResourceOverride
+  Client: !ruby/object:Overrides::Terraform::ResourceOverride
     id_format: '{{brand}}/identityAwareProxyClients/{{client_id}}'
     self_link: '{{brand}}/identityAwareProxyClients/{{client_id}}'
     import_format: ['{{brand}}/identityAwareProxyClients/{{client_id}}']
     examples:
       - !ruby/object:Provider::Terraform::Examples
-        name: "iap_identity_aware_proxy_client"
+        name: "iap_client"
         primary_resource_id: "project_client"
         vars:
           project_id: 'brand-proj-'
@@ -190,10 +190,12 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     properties:
       name: !ruby/object:Overrides::Terraform::PropertyOverride
         exclude: true
+      secret: !ruby/object:Overrides::Terraform::PropertyOverride
+        sensitive: true
     custom_code: !ruby/object:Provider::Terraform::CustomCode
-      post_create: templates/terraform/post_create/iap_identity_aware_proxy_client.go.erb
-      custom_import: templates/terraform/custom_import/iap_identity_aware_proxy_client.go.erb
-      extra_schema_entry: templates/terraform/extra_schema_entry/iap_identity_aware_proxy_client.erb
+      post_create: templates/terraform/post_create/iap_client.go.erb
+      custom_import: templates/terraform/custom_import/iap_client.go.erb
+      extra_schema_entry: templates/terraform/extra_schema_entry/iap_client.erb
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

templates/terraform/examples/iap_identity_aware_proxy_client.tf.erb → templates/terraform/examples/iap_client.tf.erb

@@ -15,7 +15,7 @@ resource "google_iap_brand" "project_brand" {
   project           = google_project_service.project_service.project
 }
 
-resource "google_iap_identity_aware_proxy_client" "project_client" {
+resource "google_iap_client" "project_client" {
   display_name = "Test Client"
   brand        =  google_iap_brand.project_brand.name
-}
+}