From e3db55c5f3b4ff3f6e5a860d267393b85049e3f4 Mon Sep 17 00:00:00 2001
From: Sam Levenick <slevenick@google.com>
Date: Thu, 9 Jan 2020 23:48:21 +0000
Subject: [PATCH] Make binding optional for iam_policy data source

Signed-off-by: Modular Magician <magic-modules@google.com>
---
 google/data_source_google_iam_policy.go       |  6 +-
 ...y_authorization_attestor_generated_test.go | 58 ++++++++++++++
 ...functions_cloud_function_generated_test.go | 46 ++++++++++++
 .../iam_cloud_run_service_generated_test.go   | 41 ++++++++++
 google/iam_compute_instance_generated_test.go | 39 ++++++++++
 .../iam_compute_subnetwork_generated_test.go  | 39 ++++++++++
 ...m_iap_app_engine_service_generated_test.go | 75 +++++++++++++++++++
 ...m_iap_app_engine_version_generated_test.go | 52 +++++++++++++
 ..._iap_web_backend_service_generated_test.go | 34 +++++++++
 google/iam_iap_web_generated_test.go          | 32 ++++++++
 ..._iap_web_type_app_engine_generated_test.go | 38 ++++++++++
 ...iam_iap_web_type_compute_generated_test.go | 32 ++++++++
 google/iam_pubsub_topic_generated_test.go     | 30 ++++++++
 ...am_runtime_config_config_generated_test.go | 27 +++++++
 ...m_source_repo_repository_generated_test.go | 26 +++++++
 google/iam_storage_bucket_generated_test.go   | 26 +++++++
 16 files changed, 599 insertions(+), 2 deletions(-)

diff --git a/google/data_source_google_iam_policy.go b/google/data_source_google_iam_policy.go
index 760f629670c..7a690305733 100644
--- a/google/data_source_google_iam_policy.go
+++ b/google/data_source_google_iam_policy.go
@@ -29,8 +29,10 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 		Read: dataSourceGoogleIamPolicyRead,
 		Schema: map[string]*schema.Schema{
 			"binding": {
-				Type:     schema.TypeSet,
-				Required: true,
+				Type: schema.TypeSet,
+				// Binding is optional because a user may want to set an IAM policy with no bindings
+				// This allows users to ensure that no bindings were created outside of terraform
+				Optional: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"role": {
diff --git a/google/iam_binary_authorization_attestor_generated_test.go b/google/iam_binary_authorization_attestor_generated_test.go
index e7c4aba2e5f..77f2590e648 100644
--- a/google/iam_binary_authorization_attestor_generated_test.go
+++ b/google/iam_binary_authorization_attestor_generated_test.go
@@ -104,6 +104,15 @@ func TestAccBinaryAuthorizationAttestorIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_binary_authorization_attestor_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/attestors/%s", getTestProjectFromEnv(), fmt.Sprintf("test-attestor%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -208,6 +217,55 @@ resource "google_binary_authorization_attestor_iam_policy" "foo" {
 `, context)
 }
 
+func testAccBinaryAuthorizationAttestorIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "test-attestor%{random_suffix}"
+  attestation_authority_note {
+    note_reference = google_container_analysis_note.note.name
+    public_keys {
+      ascii_armored_pgp_public_key = <<EOF
+mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
+bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
+oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
+V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
+Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
+83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
+IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
+uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
+0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
+51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
+WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
+MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
++OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
+qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
+=6Bvm
+EOF
+
+    }
+  }
+}
+
+resource "google_container_analysis_note" "note" {
+  name = "test-attestor-note%{random_suffix}"
+  attestation_authority {
+    hint {
+      human_readable_name = "Attestor Note"
+    }
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_binary_authorization_attestor_iam_policy" "foo" {
+  project = "${google_binary_authorization_attestor.attestor.project}"
+  attestor = "${google_binary_authorization_attestor.attestor.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccBinaryAuthorizationAttestorIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_binary_authorization_attestor" "attestor" {
diff --git a/google/iam_cloud_functions_cloud_function_generated_test.go b/google/iam_cloud_functions_cloud_function_generated_test.go
index 40f7eb2e76a..4856c35af0d 100644
--- a/google/iam_cloud_functions_cloud_function_generated_test.go
+++ b/google/iam_cloud_functions_cloud_function_generated_test.go
@@ -107,6 +107,15 @@ func TestAccCloudFunctionsCloudFunctionIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_cloudfunctions_function_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/locations/%s/functions/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("my-function%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -187,6 +196,43 @@ resource "google_cloudfunctions_function_iam_policy" "foo" {
 `, context)
 }
 
+func testAccCloudFunctionsCloudFunctionIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_storage_bucket" "bucket" {
+  name = "tf-cloudfunctions-function-example-bucket%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "archive" {
+  name   = "index.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "%{zip_path}"
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name        = "my-function%{random_suffix}"
+  description = "My function"
+  runtime     = "nodejs10"
+
+  available_memory_mb   = 128
+  source_archive_bucket = google_storage_bucket.bucket.name
+  source_archive_object = google_storage_bucket_object.archive.name
+  trigger_http          = true
+  timeout               = 60
+  entry_point           = "helloGET"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_cloudfunctions_function_iam_policy" "foo" {
+  project = "${google_cloudfunctions_function.function.project}"
+  region = "${google_cloudfunctions_function.function.region}"
+  cloud_function = "${google_cloudfunctions_function.function.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccCloudFunctionsCloudFunctionIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_storage_bucket" "bucket" {
diff --git a/google/iam_cloud_run_service_generated_test.go b/google/iam_cloud_run_service_generated_test.go
index f4458111f33..a7ee9bcbd17 100644
--- a/google/iam_cloud_run_service_generated_test.go
+++ b/google/iam_cloud_run_service_generated_test.go
@@ -107,6 +107,15 @@ func TestAccCloudRunServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccCloudRunServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_cloud_run_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/locations/%s/services/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("tftest-cloudrun%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -177,6 +186,38 @@ resource "google_cloud_run_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccCloudRunServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_cloud_run_service" "default" {
+  name     = "tftest-cloudrun%{random_suffix}"
+  location = "us-central1"
+
+  template {
+    spec {
+      containers {
+        image = "gcr.io/cloudrun/hello"
+      }
+    }
+  }
+
+  traffic {
+    percent         = 100
+    latest_revision = true
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_cloud_run_service_iam_policy" "foo" {
+  location = "${google_cloud_run_service.default.location}"
+  project = "${google_cloud_run_service.default.project}"
+  service = "${google_cloud_run_service.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccCloudRunServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_cloud_run_service" "default" {
diff --git a/google/iam_compute_instance_generated_test.go b/google/iam_compute_instance_generated_test.go
index 1b90db61ee5..1f6ceece9ab 100644
--- a/google/iam_compute_instance_generated_test.go
+++ b/google/iam_compute_instance_generated_test.go
@@ -104,6 +104,15 @@ func TestAccComputeInstanceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccComputeInstanceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_compute_instance_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/zones/%s/instances/%s", getTestProjectFromEnv(), getTestZoneFromEnv(), fmt.Sprintf("my-instance%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -170,6 +179,36 @@ resource "google_compute_instance_iam_policy" "foo" {
 `, context)
 }
 
+func testAccComputeInstanceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_instance" "default" {
+  name         = "my-instance%{random_suffix}"
+  zone         = ""
+  machine_type = "n1-standard-1"
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-9"
+    }
+  }
+
+  network_interface {
+    network = "default"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_compute_instance_iam_policy" "foo" {
+  project = "${google_compute_instance.default.project}"
+  zone = "${google_compute_instance.default.zone}"
+  instance_name = "${google_compute_instance.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccComputeInstanceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_instance" "default" {
diff --git a/google/iam_compute_subnetwork_generated_test.go b/google/iam_compute_subnetwork_generated_test.go
index fc49312830a..fa4f9c8ead8 100644
--- a/google/iam_compute_subnetwork_generated_test.go
+++ b/google/iam_compute_subnetwork_generated_test.go
@@ -104,6 +104,15 @@ func TestAccComputeSubnetworkIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccComputeSubnetworkIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_compute_subnetwork_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/regions/%s/subnetworks/%s", getTestProjectFromEnv(), getTestRegionFromEnv(), fmt.Sprintf("test-subnetwork%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -170,6 +179,36 @@ resource "google_compute_subnetwork_iam_policy" "foo" {
 `, context)
 }
 
+func testAccComputeSubnetworkIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
+  name          = "test-subnetwork%{random_suffix}"
+  ip_cidr_range = "10.2.0.0/16"
+  region        = "us-central1"
+  network       = google_compute_network.custom-test.self_link
+  secondary_ip_range {
+    range_name    = "tf-test-secondary-range-update1"
+    ip_cidr_range = "192.168.10.0/24"
+  }
+}
+
+resource "google_compute_network" "custom-test" {
+  name                    = "test-network%{random_suffix}"
+  auto_create_subnetworks = false
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_compute_subnetwork_iam_policy" "foo" {
+  project = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.project}"
+  region = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.region}"
+  subnetwork = "${google_compute_subnetwork.network-with-private-secondary-ip-ranges.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccComputeSubnetworkIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
diff --git a/google/iam_iap_app_engine_service_generated_test.go b/google/iam_iap_app_engine_service_generated_test.go
index a92571e0d74..470cbc28a11 100644
--- a/google/iam_iap_app_engine_service_generated_test.go
+++ b/google/iam_iap_app_engine_service_generated_test.go
@@ -113,6 +113,15 @@ func TestAccIapAppEngineServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapAppEngineServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_app_engine_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", context["project_id"], context["project_id"], "default"),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -251,6 +260,72 @@ resource "google_iap_app_engine_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapAppEngineServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "my_project" {
+  name            = "%{project_id}"
+  project_id      = "%{project_id}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+}
+
+resource "google_project_service" "project_service" {
+  project = google_project.my_project.project_id
+  service = "iap.googleapis.com"
+}
+
+resource "google_project_service" "cloudbuild_service" {
+  project = google_project_service.project_service.project
+  service = "cloudbuild.googleapis.com"
+}
+
+resource "google_app_engine_application" "app" {
+  project     = google_project_service.cloudbuild_service.project
+  location_id = "us-central"
+}
+
+resource "google_storage_bucket" "bucket" {
+  project = google_app_engine_application.app.project
+  name    = "appengine-static-content-%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "object" {
+  name   = "hello-world.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "./test-fixtures/appengine/hello-world.zip"
+}
+
+resource "google_app_engine_standard_app_version" "version" {
+  project         = google_app_engine_application.app.project
+  version_id      = "v2"
+  service         = "default"
+  runtime         = "nodejs10"
+  noop_on_destroy = true
+  entrypoint {
+    shell = "node ./app.js"
+  }
+  deployment {
+    zip {
+      source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip"
+    }
+  }
+  env_variables = {
+    port = "8080"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_app_engine_service_iam_policy" "foo" {
+  project = "${google_app_engine_standard_app_version.version.project}"
+  app_id = "${google_app_engine_standard_app_version.version.project}"
+  service = "${google_app_engine_standard_app_version.version.service}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapAppEngineServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "my_project" {
diff --git a/google/iam_iap_app_engine_version_generated_test.go b/google/iam_iap_app_engine_version_generated_test.go
index e88e47890e8..7138fc33719 100644
--- a/google/iam_iap_app_engine_version_generated_test.go
+++ b/google/iam_iap_app_engine_version_generated_test.go
@@ -104,6 +104,15 @@ func TestAccIapAppEngineVersionIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapAppEngineVersionIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_app_engine_version_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s", getTestProjectFromEnv(), getTestProjectFromEnv(), "default", context["random_suffix"]),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -196,6 +205,49 @@ resource "google_iap_app_engine_version_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapAppEngineVersionIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_storage_bucket" "bucket" {
+  name = "appengine-static-content-%{random_suffix}"
+}
+
+resource "google_storage_bucket_object" "object" {
+  name   = "hello-world.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "./test-fixtures/appengine/hello-world.zip"
+}
+
+resource "google_app_engine_standard_app_version" "version" {
+  version_id      = "%{random_suffix}"
+  service         = "default"
+  runtime         = "nodejs10"
+  noop_on_destroy = false
+  entrypoint {
+    shell = "node ./app.js"
+  }
+  deployment {
+    zip {
+      source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip"
+    }
+  }
+  env_variables = {
+    port = "8080"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_app_engine_version_iam_policy" "foo" {
+  project = "${google_app_engine_standard_app_version.version.project}"
+  app_id = "${google_app_engine_standard_app_version.version.project}"
+  service = "${google_app_engine_standard_app_version.version.service}"
+  version_id = "${google_app_engine_standard_app_version.version.version_id}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapAppEngineVersionIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_storage_bucket" "bucket" {
diff --git a/google/iam_iap_web_backend_service_generated_test.go b/google/iam_iap_web_backend_service_generated_test.go
index fd037f58c02..aa039512982 100644
--- a/google/iam_iap_web_backend_service_generated_test.go
+++ b/google/iam_iap_web_backend_service_generated_test.go
@@ -104,6 +104,15 @@ func TestAccIapWebBackendServiceIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebBackendServiceIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_backend_service_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/compute/services/%s", getTestProjectFromEnv(), fmt.Sprintf("backend-service%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -160,6 +169,31 @@ resource "google_iap_web_backend_service_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebBackendServiceIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_compute_backend_service" "default" {
+  name          = "backend-service%{random_suffix}"
+  health_checks = [google_compute_http_health_check.default.self_link]
+}
+
+resource "google_compute_http_health_check" "default" {
+  name               = "health-check%{random_suffix}"
+  request_path       = "/"
+  check_interval_sec = 1
+  timeout_sec        = 1
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_backend_service_iam_policy" "foo" {
+  project = "${google_compute_backend_service.default.project}"
+  web_backend_service = "${google_compute_backend_service.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebBackendServiceIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_compute_backend_service" "default" {
diff --git a/google/iam_iap_web_generated_test.go b/google/iam_iap_web_generated_test.go
index 6731ec00446..55ce2a04037 100644
--- a/google/iam_iap_web_generated_test.go
+++ b/google/iam_iap_web_generated_test.go
@@ -107,6 +107,15 @@ func TestAccIapWebIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web", fmt.Sprintf("tf-test%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -159,6 +168,29 @@ resource "google_iap_web_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "project" {
+  project_id = "tf-test%{random_suffix}"
+  name       = "tf-test%{random_suffix}"
+  org_id     = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+  project = google_project.project.project_id
+  service = "iap.googleapis.com"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_iam_policy" "foo" {
+  project = "${google_project_service.project_service.project}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "project" {
diff --git a/google/iam_iap_web_type_app_engine_generated_test.go b/google/iam_iap_web_type_app_engine_generated_test.go
index dc100e16120..a8ec5a8282d 100644
--- a/google/iam_iap_web_type_app_engine_generated_test.go
+++ b/google/iam_iap_web_type_app_engine_generated_test.go
@@ -110,6 +110,15 @@ func TestAccIapWebTypeAppEngineIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_type_app_engine_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/appengine-%s", context["project_id"], context["project_id"]),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -174,6 +183,35 @@ resource "google_iap_web_type_app_engine_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebTypeAppEngineIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "my_project" {
+  name       = "%{project_id}"
+  project_id = "%{project_id}"
+  org_id     = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+  project = google_project.my_project.project_id
+  service = "iap.googleapis.com"
+}
+
+resource "google_app_engine_application" "app" {
+  project     = google_project_service.project_service.project
+  location_id = "us-central"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_type_app_engine_iam_policy" "foo" {
+  project = "${google_app_engine_application.app.project}"
+  app_id = "${google_app_engine_application.app.app_id}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebTypeAppEngineIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "my_project" {
diff --git a/google/iam_iap_web_type_compute_generated_test.go b/google/iam_iap_web_type_compute_generated_test.go
index d58cc7da802..464c7547917 100644
--- a/google/iam_iap_web_type_compute_generated_test.go
+++ b/google/iam_iap_web_type_compute_generated_test.go
@@ -107,6 +107,15 @@ func TestAccIapWebTypeComputeIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccIapWebTypeComputeIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_iap_web_type_compute_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/iap_web/compute", fmt.Sprintf("tf-test%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -159,6 +168,29 @@ resource "google_iap_web_type_compute_iam_policy" "foo" {
 `, context)
 }
 
+func testAccIapWebTypeComputeIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_project" "project" {
+  project_id = "tf-test%{random_suffix}"
+  name       = "tf-test%{random_suffix}"
+  org_id     = "%{org_id}"
+}
+
+resource "google_project_service" "project_service" {
+  project = google_project.project.project_id
+  service = "iap.googleapis.com"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_iap_web_type_compute_iam_policy" "foo" {
+  project = "${google_project_service.project_service.project}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccIapWebTypeComputeIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_project" "project" {
diff --git a/google/iam_pubsub_topic_generated_test.go b/google/iam_pubsub_topic_generated_test.go
index 73a18eaba5b..767791d62c8 100644
--- a/google/iam_pubsub_topic_generated_test.go
+++ b/google/iam_pubsub_topic_generated_test.go
@@ -104,6 +104,15 @@ func TestAccPubsubTopicIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccPubsubTopicIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_pubsub_topic_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/topics/%s", getTestProjectFromEnv(), fmt.Sprintf("example-topic%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -152,6 +161,27 @@ resource "google_pubsub_topic_iam_policy" "foo" {
 `, context)
 }
 
+func testAccPubsubTopicIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_pubsub_topic" "example" {
+  name = "example-topic%{random_suffix}"
+
+  labels = {
+    foo = "bar"
+  }
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_pubsub_topic_iam_policy" "foo" {
+  project = "${google_pubsub_topic.example.project}"
+  topic = "${google_pubsub_topic.example.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccPubsubTopicIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_pubsub_topic" "example" {
diff --git a/google/iam_runtime_config_config_generated_test.go b/google/iam_runtime_config_config_generated_test.go
index 58171514baa..74aee9f95ce 100644
--- a/google/iam_runtime_config_config_generated_test.go
+++ b/google/iam_runtime_config_config_generated_test.go
@@ -104,6 +104,15 @@ func TestAccRuntimeConfigConfigIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccRuntimeConfigConfigIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_runtimeconfig_config_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/configs/%s", getTestProjectFromEnv(), fmt.Sprintf("my-config%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -146,6 +155,24 @@ resource "google_runtimeconfig_config_iam_policy" "foo" {
 `, context)
 }
 
+func testAccRuntimeConfigConfigIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_runtimeconfig_config" "config" {
+  name        = "my-config%{random_suffix}"
+  description = "Runtime configuration values for my service"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_runtimeconfig_config_iam_policy" "foo" {
+  project = "${google_runtimeconfig_config.config.project}"
+  config = "${google_runtimeconfig_config.config.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccRuntimeConfigConfigIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_runtimeconfig_config" "config" {
diff --git a/google/iam_source_repo_repository_generated_test.go b/google/iam_source_repo_repository_generated_test.go
index 0f866895efc..535fe0a4dc7 100644
--- a/google/iam_source_repo_repository_generated_test.go
+++ b/google/iam_source_repo_repository_generated_test.go
@@ -104,6 +104,15 @@ func TestAccSourceRepoRepositoryIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccSourceRepoRepositoryIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_sourcerepo_repository_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("projects/%s/repos/%s", getTestProjectFromEnv(), fmt.Sprintf("my/repository%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -144,6 +153,23 @@ resource "google_sourcerepo_repository_iam_policy" "foo" {
 `, context)
 }
 
+func testAccSourceRepoRepositoryIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_sourcerepo_repository" "my-repo" {
+  name = "my/repository%{random_suffix}"
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_sourcerepo_repository_iam_policy" "foo" {
+  project = "${google_sourcerepo_repository.my-repo.project}"
+  repository = "${google_sourcerepo_repository.my-repo.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccSourceRepoRepositoryIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_sourcerepo_repository" "my-repo" {
diff --git a/google/iam_storage_bucket_generated_test.go b/google/iam_storage_bucket_generated_test.go
index 004c01b251a..1a9b361ba7e 100644
--- a/google/iam_storage_bucket_generated_test.go
+++ b/google/iam_storage_bucket_generated_test.go
@@ -108,6 +108,15 @@ func TestAccStorageBucketIamPolicyGenerated(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccStorageBucketIamPolicy_emptyBinding(context),
+			},
+			{
+				ResourceName:      "google_storage_bucket_iam_policy.foo",
+				ImportStateId:     fmt.Sprintf("b/%s", fmt.Sprintf("my-bucket%s", context["random_suffix"])),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -152,6 +161,23 @@ resource "google_storage_bucket_iam_policy" "foo" {
 `, context)
 }
 
+func testAccStorageBucketIamPolicy_emptyBinding(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_storage_bucket" "default" {
+  name               = "my-bucket%{random_suffix}"
+  bucket_policy_only = true
+}
+
+data "google_iam_policy" "foo" {
+}
+
+resource "google_storage_bucket_iam_policy" "foo" {
+  bucket = "${google_storage_bucket.default.name}"
+  policy_data = "${data.google_iam_policy.foo.policy_data}"
+}
+`, context)
+}
+
 func testAccStorageBucketIamBinding_basicGenerated(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_storage_bucket" "default" {