diff --git a/google/data_source_google_iam_policy.go b/google/data_source_google_iam_policy.go
index 760f629670c..7a690305733 100644
--- a/google/data_source_google_iam_policy.go
+++ b/google/data_source_google_iam_policy.go
@@ -29,8 +29,10 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 Read: dataSourceGoogleIamPolicyRead,
 Schema: map[string]*schema.Schema{
 "binding": {
- Type: schema.TypeSet,
- Required: true,
+ Type: schema.TypeSet,
+ // Binding is optional because a user may want to set an IAM policy with no bindings
+ // This allows users to ensure that no bindings were created outside of terraform
+ Optional: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "role": {
diff --git a/google/iam_binary_authorization_attestor_generated_test.go b/google/iam_binary_authorization_attestor_generated_test.go
index e7c4aba2e5f..77f2590e648 100644
--- a/google/iam_binary_authorization_attestor_generated_test.go
+++ b/google/iam_binary_authorization_attestor_generated_test.go
@@ -104,6 +104,15 @@ func TestAccBinaryAuthorizationAttestorIamPolicyGenerated(t *testing.T) {
 ImportState: true,
 ImportStateVerify: true,
 },
+ {
+ Config: testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context),
+ },
+ {
+ ResourceName: "google_binary_authorization_attestor_iam_policy.foo",
+ ImportStateId: fmt.Sprintf("projects/%s/attestors/%s", getTestProjectFromEnv(), fmt.Sprintf("test-attestor%s", context["random_suffix"])),
+ ImportState: true,
+ ImportStateVerify: true,
+ },
 },
 })
 }
@@ -208,6 +217,55 @@ resource "google_binary_authorization_attestor_iam_policy" "foo" {
 `, context)
 }
+func testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context map[string]interface{}) string {
+ return Nprintf(`
+resource "google_binary_authorization_attestor" "attestor" {
+ name = "test-attestor%{random_suffix}"
+ attestation_authority_note {
+ note_reference = google_container_analysis_note.note.name
+ public_keys {
+ ascii_armored_pgp_public_key = <
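Review bot: The new comment on `"binding"` in dataSourceGoogleIamPolicy explains why the field became `Optional`, but not what an empty policy does when it is applied. A data source with no `binding` blocks renders a policy with no bindings, and an authoritative resource such as `google_binary_authorization_attestor_iam_policy` would then replace the target's policy with it, removing every existing grant and possibly the one the applying identity depends on. I would state that at the schema entry, e.g. `// An empty policy is authoritative: applying it removes every existing binding on the target resource.` It is also worth confirming that dataSourceGoogleIamPolicyRead, which lies outside this hunk, still produces valid `policy_data` when `binding` is unset. The schema map continues past the end of the hunk.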