From 3c5b0947c34b933e208603b1faa4f6053108dbcf Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Mon, 7 Oct 2019 22:46:22 +0000
Subject: [PATCH] IAP IAM AppEngine Version

Signed-off-by: Modular Magician
---
 google/iam_binary_authorization_attestor.go | 3 +
 google/iam_cloud_functions_cloud_function.go | 5 +-
 google/iam_iap_app_engine_service.go | 185 +++++++++
 ...m_iap_app_engine_service_generated_test.go | 380 +++++++++++++++++
 google/iam_iap_app_engine_version.go | 198 +++++++++
 ...m_iap_app_engine_version_generated_test.go | 384 ++++++++++++++++++
 google/iam_iap_web_backend_service.go | 3 +
 google/iam_iap_web_type_app_engine.go | 3 +
 google/iam_pubsub_topic.go | 3 +
 google/iam_runtime_config_config.go | 3 +
 google/iam_source_repo_repository.go | 3 +
 google/provider.go | 10 +-
 .../iap_app_engine_service_iam.html.markdown | 131 ++++++
 .../iap_app_engine_version_iam.html.markdown | 135 ++++++
 website/google.erb | 18 +
 15 files changed, 1460 insertions(+), 4 deletions(-)
 create mode 100644 google/iam_iap_app_engine_service.go
 create mode 100644 google/iam_iap_app_engine_service_generated_test.go
 create mode 100644 google/iam_iap_app_engine_version.go
 create mode 100644 google/iam_iap_app_engine_version_generated_test.go
 create mode 100644 website/docs/r/iap_app_engine_service_iam.html.markdown
 create mode 100644 website/docs/r/iap_app_engine_version_iam.html.markdown

diff --git a/google/iam_binary_authorization_attestor.go b/google/iam_binary_authorization_attestor.go
index 1f3192784d5..57bd7b0ff5e 100644
--- a/google/iam_binary_authorization_attestor.go
+++ b/google/iam_binary_authorization_attestor.go
@@ -51,6 +51,9 @@ func BinaryAuthorizationAttestorIamUpdaterProducer(d *schema.ResourceData, confi return nil, err } values["project"] = project + if v, ok := d.GetOk("attestor"); ok { + values["attestor"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/attestors/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("attestor").(string)) diff --git a/google/iam_cloud_functions_cloud_function.go b/google/iam_cloud_functions_cloud_function.go index df16af3c911..478356ad5d4 100644 --- a/google/iam_cloud_functions_cloud_function.go +++ b/google/iam_cloud_functions_cloud_function.go @@ -58,12 +58,14 @@ func CloudFunctionsCloudFunctionIamUpdaterProducer(d *schema.ResourceData, confi return nil, err } values["project"] = project - region, err := getRegion(d, config) if err != nil { return nil, err } values["region"] = region + if v, ok := d.GetOk("cloud_function"); ok { + values["cloud_function"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/locations/(?P[^/]+)/functions/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("cloud_function").(string)) @@ -100,7 +102,6 @@ func CloudFunctionsCloudFunctionIdParseFunc(d *schema.ResourceData, config *Conf return err } values["project"] = project - region, err := getRegion(d, config) if err != nil { return err diff --git a/google/iam_iap_app_engine_service.go b/google/iam_iap_app_engine_service.go new file mode 100644 index 00000000000..1294fe62c05 --- /dev/null +++ b/google/iam_iap_app_engine_service.go 
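Review bot: The added `values["attestor"] = v.(string)` stores the raw, unparsed field value immediately before the same field is passed to `getImportIdQualifiers`, and nothing in the hunk says which of the two is meant to win. If the merge of `m` into `values` (outside this hunk) ever leaves the seeded entry in place, a long-form value such as `projects/…/attestors/…` would presumably be carried unchanged into the resource path the IAM updater works on. A one-line comment would make the intent reviewable, for example `// Fallback only: replaced below by the parsed short name when a pattern matches.` The same applies to the `cloud_function` seeding added in the first hunk of `iam_cloud_functions_cloud_function.go`. The body of `BinaryAuthorizationAttestorIamUpdaterProducer` starts and ends outside the hunk.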
@@ -0,0 +1,185 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- +package google + +import ( + "fmt" + + "github.com/hashicorp/errwrap" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "google.golang.org/api/cloudresourcemanager/v1" +) + +var IapAppEngineServiceIamSchema = map[string]*schema.Schema{ + "project": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + }, + "app_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "service": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkOrResourceName, + }, +} + +type IapAppEngineServiceIamUpdater struct { + project string + appId string + service string + d *schema.ResourceData + Config *Config +} + +func IapAppEngineServiceIamUpdaterProducer(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) { + values := make(map[string]string) + + project, err := getProject(d, config) + if err != nil { + return nil, err + } + values["project"] = project + if v, ok := d.GetOk("app_id"); ok { + values["appId"] = v.(string) + } + + if v, ok := d.GetOk("service"); ok { + values["service"] = v.(string) + } + + // We may have gotten either a long or short name, so attempt to parse long name if possible + m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/appengine-(?P[^/]+)/services/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("service").(string)) + if err 
!= nil { + return nil, err + } + + for k, v := range m { + values[k] = v + } + + u := &IapAppEngineServiceIamUpdater{ + project: values["project"], + appId: values["appId"], + service: values["service"], + d: d, + Config: config, + } + + d.Set("project", u.project) + d.Set("app_id", u.appId) + d.Set("service", u.GetResourceId()) + + d.SetId(u.GetResourceId()) + + return u, nil +} + +func IapAppEngineServiceIdParseFunc(d *schema.ResourceData, config *Config) error { + values := make(map[string]string) + + project, err := getProject(d, config) + if err != nil { + return err + } + values["project"] = project + + m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/appengine-(?P[^/]+)/services/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Id()) + if err != nil { + return err + } + + for k, v := range m { + values[k] = v + } + + u := &IapAppEngineServiceIamUpdater{ + project: values["project"], + appId: values["appId"], + service: values["service"], + d: d, + Config: config, + } + d.Set("service", u.GetResourceId()) + d.SetId(u.GetResourceId()) + return nil +} + +func (u *IapAppEngineServiceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { + url := u.qualifyAppEngineServiceUrl("getIamPolicy") + + project, err := getProject(u.d, u.Config) + if err != nil { + return nil, err + } + + policy, err := sendRequest(u.Config, "POST", project, url, nil) + if err != nil { + return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err) + } + + out := &cloudresourcemanager.Policy{} + err = Convert(policy, out) + if err != nil { + return nil, errwrap.Wrapf("Cannot convert a policy to a resource manager policy: {{err}}", err) + } + + return out, nil +} + +func (u *IapAppEngineServiceIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error { + json, err := ConvertToMap(policy) + if err != nil { + return err + } + + obj := 
make(map[string]interface{}) + obj["policy"] = json + + url := u.qualifyAppEngineServiceUrl("setIamPolicy") + + project, err := getProject(u.d, u.Config) + if err != nil { + return err + } + + _, err = sendRequestWithTimeout(u.Config, "POST", project, url, obj, u.d.Timeout(schema.TimeoutCreate)) + if err != nil { + return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err) + } + + return nil +} + +func (u *IapAppEngineServiceIamUpdater) qualifyAppEngineServiceUrl(methodIdentifier string) string { + return fmt.Sprintf("https://iap.googleapis.com/v1/%s:%s", fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", u.project, u.appId, u.service), methodIdentifier) +} + +func (u *IapAppEngineServiceIamUpdater) GetResourceId() string { + return fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", u.project, u.appId, u.service) +} + +func (u *IapAppEngineServiceIamUpdater) GetMutexKey() string { + return fmt.Sprintf("iam-iap-appengineservice-%s", u.GetResourceId()) +} + +func (u *IapAppEngineServiceIamUpdater) DescribeResource() string { + return fmt.Sprintf("iap appengineservice %q", u.GetResourceId()) +} diff --git a/google/iam_iap_app_engine_service_generated_test.go b/google/iam_iap_app_engine_service_generated_test.go new file mode 100644 index 00000000000..452ff5d68a1 --- /dev/null +++ b/google/iam_iap_app_engine_service_generated_test.go 
@@ -0,0 +1,380 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccIapAppEngineServiceIamBindingGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccIapAppEngineServiceIamBinding_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_service_iam_binding.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s roles/iap.httpsResourceAccessor", context["project_id"], context["project_id"], "default"), + ImportState: true, + ImportStateVerify: true, + }, + { + // Test Iam Binding update + Config: testAccIapAppEngineServiceIamBinding_updateGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_service_iam_binding.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s roles/iap.httpsResourceAccessor", context["project_id"], context["project_id"], "default"), + ImportState: true, + ImportStateVerify: 
true, + }, + }, + }) +} + +func TestAccIapAppEngineServiceIamMemberGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + // Test Iam Member creation (no update for member, no need to test) + Config: testAccIapAppEngineServiceIamMember_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_service_iam_member.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s roles/iap.httpsResourceAccessor user:admin@hashicorptest.com", context["project_id"], context["project_id"], "default"), + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccIapAppEngineServiceIamPolicyGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccIapAppEngineServiceIamPolicy_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_service_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", context["project_id"], context["project_id"], "default"), + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccIapAppEngineServiceIamMember_basicGenerated(context map[string]interface{}) string { + return Nprintf(` 
+resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_service_iam_member" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + role = "%{role}" + member = "user:admin@hashicorptest.com" +} +`, context) +} + +func testAccIapAppEngineServiceIamPolicy_basicGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id 
= "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +data "google_iam_policy" "foo" { + binding { + role = "%{role}" + members = ["user:admin@hashicorptest.com"] + } +} + +resource "google_iap_app_engine_service_iam_policy" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + +func testAccIapAppEngineServiceIamBinding_basicGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = 
"%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_service_iam_binding" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + role = "%{role}" + members = ["user:admin@hashicorptest.com"] +} +`, context) +} + +func testAccIapAppEngineServiceIamBinding_updateGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource 
"google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_service_iam_binding" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + role = "%{role}" + members = ["user:admin@hashicorptest.com", "user:paddy@hashicorp.com"] +} +`, context) +} diff --git a/google/iam_iap_app_engine_version.go b/google/iam_iap_app_engine_version.go new file mode 100644 index 00000000000..f542c95ad84 --- /dev/null +++ b/google/iam_iap_app_engine_version.go 
@@ -0,0 +1,198 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- +package google + +import ( + "fmt" + + "github.com/hashicorp/errwrap" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "google.golang.org/api/cloudresourcemanager/v1" +) + +var IapAppEngineVersionIamSchema = map[string]*schema.Schema{ + "project": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ForceNew: true, + }, + "app_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "service": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "version_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkOrResourceName, + }, +} + +type IapAppEngineVersionIamUpdater struct { + project string + appId string + service string + versionId string + d *schema.ResourceData + Config *Config +} + +func IapAppEngineVersionIamUpdaterProducer(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) { + values := make(map[string]string) + + project, err := getProject(d, config) + if err != nil { + return nil, err + } + values["project"] = project + if v, ok := d.GetOk("app_id"); ok { + values["appId"] = v.(string) + } + + if v, ok := d.GetOk("service"); ok { + values["service"] = v.(string) + } + + if v, ok := d.GetOk("version_id"); ok { + values["versionId"] = v.(string) + } + + // We may have gotten either a long or short name, so attempt to parse long name if possible + m, err := 
getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/appengine-(?P[^/]+)/services/(?P[^/]+)/versions/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("version_id").(string)) + if err != nil { + return nil, err + } + + for k, v := range m { + values[k] = v + } + + u := &IapAppEngineVersionIamUpdater{ + project: values["project"], + appId: values["appId"], + service: values["service"], + versionId: values["versionId"], + d: d, + Config: config, + } + + d.Set("project", u.project) + d.Set("app_id", u.appId) + d.Set("service", u.service) + d.Set("version_id", u.GetResourceId()) + + d.SetId(u.GetResourceId()) + + return u, nil +} + +func IapAppEngineVersionIdParseFunc(d *schema.ResourceData, config *Config) error { + values := make(map[string]string) + + project, err := getProject(d, config) + if err != nil { + return err + } + values["project"] = project + + m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/appengine-(?P[^/]+)/services/(?P[^/]+)/versions/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Id()) + if err != nil { + return err + } + + for k, v := range m { + values[k] = v + } + + u := &IapAppEngineVersionIamUpdater{ + project: values["project"], + appId: values["appId"], + service: values["service"], + versionId: values["versionId"], + d: d, + Config: config, + } + d.Set("version_id", u.GetResourceId()) + d.SetId(u.GetResourceId()) + return nil +} + +func (u *IapAppEngineVersionIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) { + url := u.qualifyAppEngineVersionUrl("getIamPolicy") + + project, err := getProject(u.d, u.Config) + if err != nil { + return nil, err + } + + policy, err := sendRequest(u.Config, "POST", project, url, nil) + if err != nil { + return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err) + } + + out 
:= &cloudresourcemanager.Policy{} + err = Convert(policy, out) + if err != nil { + return nil, errwrap.Wrapf("Cannot convert a policy to a resource manager policy: {{err}}", err) + } + + return out, nil +} + +func (u *IapAppEngineVersionIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error { + json, err := ConvertToMap(policy) + if err != nil { + return err + } + + obj := make(map[string]interface{}) + obj["policy"] = json + + url := u.qualifyAppEngineVersionUrl("setIamPolicy") + + project, err := getProject(u.d, u.Config) + if err != nil { + return err + } + + _, err = sendRequestWithTimeout(u.Config, "POST", project, url, obj, u.d.Timeout(schema.TimeoutCreate)) + if err != nil { + return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err) + } + + return nil +} + +func (u *IapAppEngineVersionIamUpdater) qualifyAppEngineVersionUrl(methodIdentifier string) string { + return fmt.Sprintf("https://iap.googleapis.com/v1/%s:%s", fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s", u.project, u.appId, u.service, u.versionId), methodIdentifier) +} + +func (u *IapAppEngineVersionIamUpdater) GetResourceId() string { + return fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s", u.project, u.appId, u.service, u.versionId) +} + +func (u *IapAppEngineVersionIamUpdater) GetMutexKey() string { + return fmt.Sprintf("iam-iap-appengineversion-%s", u.GetResourceId()) +} + +func (u *IapAppEngineVersionIamUpdater) DescribeResource() string { + return fmt.Sprintf("iap appengineversion %q", u.GetResourceId()) +} diff --git a/google/iam_iap_app_engine_version_generated_test.go b/google/iam_iap_app_engine_version_generated_test.go new file mode 100644 index 00000000000..882893a7cf7 --- /dev/null +++ b/google/iam_iap_app_engine_version_generated_test.go 
@@ -0,0 +1,384 @@ +// ---------------------------------------------------------------------------- +// +// *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +// +// ---------------------------------------------------------------------------- +// +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. +// +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. +// +// ---------------------------------------------------------------------------- + +package google + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" +) + +func TestAccIapAppEngineVersionIamBindingGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccIapAppEngineVersionIamBinding_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_version_iam_binding.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s roles/iap.httpsResourceAccessor", context["project_id"], context["project_id"], "default", "v2"), + ImportState: true, + ImportStateVerify: true, + }, + { + // Test Iam Binding update + Config: testAccIapAppEngineVersionIamBinding_updateGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_version_iam_binding.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s roles/iap.httpsResourceAccessor", context["project_id"], context["project_id"], "default", "v2"), + 
ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccIapAppEngineVersionIamMemberGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + // Test Iam Member creation (no update for member, no need to test) + Config: testAccIapAppEngineVersionIamMember_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_version_iam_member.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s roles/iap.httpsResourceAccessor user:admin@hashicorptest.com", context["project_id"], context["project_id"], "default", "v2"), + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccIapAppEngineVersionIamPolicyGenerated(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(10), + "role": "roles/iap.httpsResourceAccessor", + "project_id": fmt.Sprintf("tf-test%s", acctest.RandString(10)), + "org_id": getTestOrgFromEnv(t), + "billing_account": getTestBillingAccountFromEnv(t), + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccIapAppEngineVersionIamPolicy_basicGenerated(context), + }, + { + ResourceName: "google_iap_app_engine_version_iam_policy.foo", + ImportStateId: fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s/versions/%s", context["project_id"], context["project_id"], "default", "v2"), + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func 
testAccIapAppEngineVersionIamMember_basicGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_version_iam_member" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = "${google_app_engine_standard_app_version.version.version_id}" + role = "%{role}" + member = "user:admin@hashicorptest.com" +} +`, context) +} + +func 
testAccIapAppEngineVersionIamPolicy_basicGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +data "google_iam_policy" "foo" { + binding { + role = "%{role}" + members = ["user:admin@hashicorptest.com"] + } +} + +resource "google_iap_app_engine_version_iam_policy" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = 
"${google_app_engine_standard_app_version.version.version_id}" + policy_data = "${data.google_iam_policy.foo.policy_data}" +} +`, context) +} + +func testAccIapAppEngineVersionIamBinding_basicGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_version_iam_binding" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = 
"${google_app_engine_standard_app_version.version.version_id}" + role = "%{role}" + members = ["user:admin@hashicorptest.com"] +} +`, context) +} + +func testAccIapAppEngineVersionIamBinding_updateGenerated(context map[string]interface{}) string { + return Nprintf(` +resource "google_project" "my_project" { + name = "%{project_id}" + project_id = "%{project_id}" + org_id = "%{org_id}" + billing_account = "%{billing_account}" +} + +resource "google_project_service" "project_service" { + project = "${google_project.my_project.project_id}" + service = "iap.googleapis.com" +} + +resource "google_project_service" "cloudbuild_service" { + project = "${google_project_service.project_service.project}" + service = "cloudbuild.googleapis.com" +} + +resource "google_app_engine_application" "app" { + project = "${google_project_service.cloudbuild_service.project}" + location_id = "us-central" +} + +resource "google_storage_bucket" "bucket" { + project = "${google_app_engine_application.app.project}" + name = "appengine-static-content-%{random_suffix}" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = "${google_storage_bucket.bucket.name}" + source = "./test-fixtures/appengine/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "version" { + project = "${google_app_engine_application.app.project}" + version_id = "v2" + service = "default" + runtime = "nodejs10" + noop_on_destroy = true + entrypoint { + shell = "node ./app.js" + } + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/hello-world.zip" + } + } + env_variables = { + port = "8080" + } +} + +resource "google_iap_app_engine_version_iam_binding" "foo" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = 
"${google_app_engine_standard_app_version.version.version_id}" + role = "%{role}" + members = ["user:admin@hashicorptest.com", "user:paddy@hashicorp.com"] +} +`, context) +} diff --git a/google/iam_iap_web_backend_service.go b/google/iam_iap_web_backend_service.go index 521caab095e..7199337c915 100644 --- a/google/iam_iap_web_backend_service.go +++ b/google/iam_iap_web_backend_service.go @@ -51,6 +51,9 @@ func IapWebBackendServiceIamUpdaterProducer(d *schema.ResourceData, config *Conf return nil, err } values["project"] = project + if v, ok := d.GetOk("web_backend_service"); ok { + values["web_backend_service"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/compute/services/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("web_backend_service").(string)) diff --git a/google/iam_iap_web_type_app_engine.go b/google/iam_iap_web_type_app_engine.go index a981676db7f..648c819fd7a 100644 --- a/google/iam_iap_web_type_app_engine.go +++ b/google/iam_iap_web_type_app_engine.go @@ -65,6 +65,9 @@ func IapWebTypeAppEngineIamUpdaterProducer(d *schema.ResourceData, config *Confi return nil, err } values["project"] = project + if v, ok := d.GetOk("app_id"); ok { + values["appId"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/iap_web/appengine-(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("app_id").(string)) diff --git a/google/iam_pubsub_topic.go b/google/iam_pubsub_topic.go index 9ba89293a4c..81a4328f767 100644 --- a/google/iam_pubsub_topic.go +++ b/google/iam_pubsub_topic.go 
@@ -51,6 +51,9 @@ func PubsubTopicIamUpdaterProducer(d *schema.ResourceData, config *Config) (Reso return nil, err } values["project"] = project + if v, ok := d.GetOk("topic"); ok { + values["topic"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/topics/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("topic").(string)) diff --git a/google/iam_runtime_config_config.go b/google/iam_runtime_config_config.go index 3502b3130b5..ff39e683f54 100644 --- a/google/iam_runtime_config_config.go +++ b/google/iam_runtime_config_config.go @@ -51,6 +51,9 @@ func RuntimeConfigConfigIamUpdaterProducer(d *schema.ResourceData, config *Confi return nil, err } values["project"] = project + if v, ok := d.GetOk("config"); ok { + values["config"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/configs/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("config").(string)) diff --git a/google/iam_source_repo_repository.go b/google/iam_source_repo_repository.go index 03b8e5e8126..d6d0dc4cfe0 100644 --- a/google/iam_source_repo_repository.go +++ b/google/iam_source_repo_repository.go @@ -51,6 +51,9 @@ func SourceRepoRepositoryIamUpdaterProducer(d *schema.ResourceData, config *Conf return nil, err } values["project"] = project + if v, ok := d.GetOk("repository"); ok { + values["repository"] = v.(string) + } // We may have gotten either a long or short name, so attempt to parse long name if possible m, err := getImportIdQualifiers([]string{"projects/(?P[^/]+)/repos/(?P[^/]+)", "(?P[^/]+)/(?P[^/]+)", "(?P[^/]+)"}, d, config, d.Get("repository").(string)) diff --git a/google/provider.go b/google/provider.go index db66f50d1b0..48cfbce13cc 100644 --- a/google/provider.go +++ b/google/provider.go 
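Review bot: The added `if v, ok := d.GetOk("topic"); ok { values["topic"] = v.(string) }` in PubsubTopicIamUpdaterProducer copies the raw field into `values` without a comment saying it is only a fallback, even though the comment just below notes the field may hold a long name. `values` presumably ends up naming the resource whose IAM policy is read and written, as it does in the IapAppEngineVersion updater in this patch, so I would state the precedence above the new block: `// Seed from config; qualifiers parsed from the name below take precedence.` The loop that merges the parse result `m` into `values` lies outside the hunk, so the override is assumed here rather than visible. The same comment is missing from the `config` and `repository` hunks that follow and from the `web_backend_service` and `app_id` hunks before this one. The `app_id` hunk stores under the key `appId`, which deserves a mention in its comment.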
@@ -438,8 +438,8 @@ func Provider() terraform.ResourceProvider { } // Generated resources: 80 -// Generated IAM resources: 27 -// Total generated resources: 107 +// Generated IAM resources: 33 +// Total generated resources: 113 func ResourceMap() map[string]*schema.Resource { resourceMap, _ := ResourceMapWithErrors() return resourceMap 
@@ -522,6 +522,12 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) { "google_iap_web_type_app_engine_iam_binding": ResourceIamBinding(IapWebTypeAppEngineIamSchema, IapWebTypeAppEngineIamUpdaterProducer, IapWebTypeAppEngineIdParseFunc), "google_iap_web_type_app_engine_iam_member": ResourceIamMember(IapWebTypeAppEngineIamSchema, IapWebTypeAppEngineIamUpdaterProducer, IapWebTypeAppEngineIdParseFunc), "google_iap_web_type_app_engine_iam_policy": ResourceIamPolicy(IapWebTypeAppEngineIamSchema, IapWebTypeAppEngineIamUpdaterProducer, IapWebTypeAppEngineIdParseFunc), + "google_iap_app_engine_version_iam_binding": ResourceIamBinding(IapAppEngineVersionIamSchema, IapAppEngineVersionIamUpdaterProducer, IapAppEngineVersionIdParseFunc), + "google_iap_app_engine_version_iam_member": ResourceIamMember(IapAppEngineVersionIamSchema, IapAppEngineVersionIamUpdaterProducer, IapAppEngineVersionIdParseFunc), + "google_iap_app_engine_version_iam_policy": ResourceIamPolicy(IapAppEngineVersionIamSchema, IapAppEngineVersionIamUpdaterProducer, IapAppEngineVersionIdParseFunc), + "google_iap_app_engine_service_iam_binding": ResourceIamBinding(IapAppEngineServiceIamSchema, IapAppEngineServiceIamUpdaterProducer, IapAppEngineServiceIdParseFunc), + "google_iap_app_engine_service_iam_member": ResourceIamMember(IapAppEngineServiceIamSchema, IapAppEngineServiceIamUpdaterProducer, IapAppEngineServiceIdParseFunc), + "google_iap_app_engine_service_iam_policy": ResourceIamPolicy(IapAppEngineServiceIamSchema, IapAppEngineServiceIamUpdaterProducer, IapAppEngineServiceIdParseFunc), "google_iap_web_backend_service_iam_binding": ResourceIamBinding(IapWebBackendServiceIamSchema, IapWebBackendServiceIamUpdaterProducer, IapWebBackendServiceIdParseFunc), "google_iap_web_backend_service_iam_member": ResourceIamMember(IapWebBackendServiceIamSchema, IapWebBackendServiceIamUpdaterProducer, IapWebBackendServiceIdParseFunc), "google_iap_web_backend_service_iam_policy": 
ResourceIamPolicy(IapWebBackendServiceIamSchema, IapWebBackendServiceIamUpdaterProducer, IapWebBackendServiceIdParseFunc), diff --git a/website/docs/r/iap_app_engine_service_iam.html.markdown b/website/docs/r/iap_app_engine_service_iam.html.markdown new file mode 100644 index 00000000000..2e153c6c991 --- /dev/null +++ b/website/docs/r/iap_app_engine_service_iam.html.markdown 
@@ -0,0 +1,131 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +layout: "google" +page_title: "Google: google_iap_app_engine_service_iam" +sidebar_current: "docs-google-iap-app-engine-service-iam" +description: |- + Collection of resources to manage IAM policy for IapAppEngineService +--- + +# IAM policy for IapAppEngineService +Three different resources help you manage your IAM policy for Iap AppEngineService. Each of these resources serves a different use case: + +* `google_iap_app_engine_service_iam_policy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. +* `google_iap_app_engine_service_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. +* `google_iap_app_engine_service_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved. + +~> **Note:** `google_iap_app_engine_service_iam_policy` **cannot** be used in conjunction with `google_iap_app_engine_service_iam_binding` and `google_iap_app_engine_service_iam_member` or they will fight over what your policy should be. + +~> **Note:** `google_iap_app_engine_service_iam_binding` resources **can be** used in conjunction with `google_iap_app_engine_service_iam_member` resources **only if** they do not grant privilege to the same role. 
+ + + +## google\_iap\_app\_engine\_service\_iam\_policy + +```hcl +data "google_iam_policy" "admin" { + binding { + role = "roles/iap.httpsResourceAccessor" + members = [ + "user:jane@example.com", + ] + } +} + +resource "google_iap_app_engine_service_iam_policy" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + policy_data = "${data.google_iam_policy.admin.policy_data}" +} +``` + +## google\_iap\_app\_engine\_service\_iam\_binding + +```hcl +resource "google_iap_app_engine_service_iam_binding" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + role = "roles/iap.httpsResourceAccessor" + members = [ + "user:jane@example.com", + ] +} +``` + +## google\_iap\_app\_engine\_service\_iam\_member + +```hcl +resource "google_iap_app_engine_service_iam_member" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + role = "roles/iap.httpsResourceAccessor" + member = "user:jane@example.com" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `app_id` - (Required) Id of the App Engine application. Used to find the parent resource to bind the IAM policy to +* `service` - (Required) Service id of the App Engine application Used to find the parent resource to bind the IAM policy to + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the project will be parsed from the identifier of the parent resource. 
If no project is provided in the parent identifier and no project is specified, the provider project is used. + +* `member/members` - (Required) Identities that will be granted the privilege in `role`. + Each entry can have one of the following values: + * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. + * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. + * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. + * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. + * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. + * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. + +* `role` - (Required) The role that should be applied. Only one + `google_iap_app_engine_service_iam_binding` can be used per role. Note that custom roles must be of the format + `[projects|organizations]/{parent-name}/roles/{role-name}`. + +* `policy_data` - (Required only by `google_iap_app_engine_service_iam_policy`) The policy data generated by + a `google_iam_policy` data source. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `etag` - (Computed) The etag of the IAM policy. + +## Import + +Iap appengineservice IAM resources can be imported using the project, resource identifiers, role and member. 
+ +``` +$ terraform import google_iap_app_engine_service_iam_policy.editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} + +$ terraform import google_iap_app_engine_service_iam_binding.editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" + +$ terraform import google_iap_app_engine_service_iam_member.editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor jane@example.com" +``` + +-> If you're importing a resource with beta features, make sure to include `-provider=google-beta` +as an argument so that Terraform uses the correct provider to import your resource. + +## User Project Overrides + +This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/provider_reference.html#user_project_override). diff --git a/website/docs/r/iap_app_engine_version_iam.html.markdown b/website/docs/r/iap_app_engine_version_iam.html.markdown new file mode 100644 index 00000000000..3505acab2df --- /dev/null +++ b/website/docs/r/iap_app_engine_version_iam.html.markdown 
@@ -0,0 +1,135 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +layout: "google" +page_title: "Google: google_iap_app_engine_version_iam" +sidebar_current: "docs-google-iap-app-engine-version-iam" +description: |- + Collection of resources to manage IAM policy for IapAppEngineVersion +--- + +# IAM policy for IapAppEngineVersion +Three different resources help you manage your IAM policy for Iap AppEngineVersion. Each of these resources serves a different use case: + +* `google_iap_app_engine_version_iam_policy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. +* `google_iap_app_engine_version_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. +* `google_iap_app_engine_version_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved. + +~> **Note:** `google_iap_app_engine_version_iam_policy` **cannot** be used in conjunction with `google_iap_app_engine_version_iam_binding` and `google_iap_app_engine_version_iam_member` or they will fight over what your policy should be. + +~> **Note:** `google_iap_app_engine_version_iam_binding` resources **can be** used in conjunction with `google_iap_app_engine_version_iam_member` resources **only if** they do not grant privilege to the same role. 
+ + + +## google\_iap\_app\_engine\_version\_iam\_policy + +```hcl +data "google_iam_policy" "admin" { + binding { + role = "roles/iap.httpsResourceAccessor" + members = [ + "user:jane@example.com", + ] + } +} + +resource "google_iap_app_engine_version_iam_policy" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = "${google_app_engine_standard_app_version.version.version_id}" + policy_data = "${data.google_iam_policy.admin.policy_data}" +} +``` + +## google\_iap\_app\_engine\_version\_iam\_binding + +```hcl +resource "google_iap_app_engine_version_iam_binding" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = "${google_app_engine_standard_app_version.version.version_id}" + role = "roles/iap.httpsResourceAccessor" + members = [ + "user:jane@example.com", + ] +} +``` + +## google\_iap\_app\_engine\_version\_iam\_member + +```hcl +resource "google_iap_app_engine_version_iam_member" "editor" { + project = "${google_app_engine_standard_app_version.version.project}" + app_id = "${google_app_engine_standard_app_version.version.project}" + service = "${google_app_engine_standard_app_version.version.service}" + version_id = "${google_app_engine_standard_app_version.version.version_id}" + role = "roles/iap.httpsResourceAccessor" + member = "user:jane@example.com" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `app_id` - (Required) Id of the App Engine application. 
Used to find the parent resource to bind the IAM policy to +* `service` - (Required) Service id of the App Engine application Used to find the parent resource to bind the IAM policy to +* `version_id` - (Required) Version id of the App Engine application Used to find the parent resource to bind the IAM policy to + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. + +* `member/members` - (Required) Identities that will be granted the privilege in `role`. + Each entry can have one of the following values: + * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. + * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. + * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. + * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. + * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. + * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. + +* `role` - (Required) The role that should be applied. Only one + `google_iap_app_engine_version_iam_binding` can be used per role. Note that custom roles must be of the format + `[projects|organizations]/{parent-name}/roles/{role-name}`. + +* `policy_data` - (Required only by `google_iap_app_engine_version_iam_policy`) The policy data generated by + a `google_iam_policy` data source. 
+ +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `etag` - (Computed) The etag of the IAM policy. + +## Import + +Iap appengineversion IAM resources can be imported using the project, resource identifiers, role and member. + +``` +$ terraform import google_iap_app_engine_version_iam_policy.editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} + +$ terraform import google_iap_app_engine_version_iam_binding.editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" + +$ terraform import google_iap_app_engine_version_iam_member.editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor jane@example.com" +``` + +-> If you're importing a resource with beta features, make sure to include `-provider=google-beta` +as an argument so that Terraform uses the correct provider to import your resource. + +## User Project Overrides + +This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/provider_reference.html#user_project_override). diff --git a/website/google.erb b/website/google.erb index 4978b08bacc..67f19362519 100644 --- a/website/google.erb +++ b/website/google.erb @@ -836,6 +836,24 @@ > Google IAP Resources