read/write iam policies at version 3 in GA provider

google/iam.go

@@ -15,6 +15,7 @@ import (
 )
 
 const maxBackoffSeconds = 30
+const iamPolicyVersion = 3
 
 // These types are implemented per GCP resource type and specify how to do per-resource IAM operations.
 // They are used in the generic Terraform IAM resource definitions
@@ -272,6 +273,13 @@ func listFromIamBindingMap(bm map[iamBindingKey]map[string]struct{}) []*cloudres
 			Role:    key.Role,
 			Members: stringSliceFromGolangSet(members),
 		}
+		if !key.Condition.Empty() {
+			b.Condition = &cloudresourcemanager.Expr{
+				Description: key.Condition.Description,
+				Expression:  key.Condition.Expression,
+				Title:       key.Condition.Title,
+			}
+		}
 		rb = append(rb, b)
 	}
 	return rb

google/iam_compute_instance.go

@@ -138,6 +138,10 @@ func (u *ComputeInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, err
 	}
 	var obj map[string]interface{}
+	url, err = addQueryParams(url, map[string]string{"optionsRequestedPolicyVersion": fmt.Sprintf("%d", iamPolicyVersion)})
+	if err != nil {
+		return nil, err
+	}
 
 	policy, err := sendRequest(u.Config, "GET", project, url, obj)
 	if err != nil {

google/iam_iap_app_engine_service.go

@@ -131,6 +131,11 @@ func (u *IapAppEngineServiceIamUpdater) GetResourceIamPolicy() (*cloudresourcema
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_app_engine_version.go

@@ -144,6 +144,11 @@ func (u *IapAppEngineVersionIamUpdater) GetResourceIamPolicy() (*cloudresourcema
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_tunnel_instance.go

@@ -138,6 +138,11 @@ func (u *IapTunnelInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemana
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_web.go

@@ -106,6 +106,11 @@ func (u *IapWebIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy,
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_web_backend_service.go

@@ -118,6 +118,11 @@ func (u *IapWebBackendServiceIamUpdater) GetResourceIamPolicy() (*cloudresourcem
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_web_type_app_engine.go

@@ -132,6 +132,11 @@ func (u *IapWebTypeAppEngineIamUpdater) GetResourceIamPolicy() (*cloudresourcema
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_iap_web_type_compute.go

@@ -106,6 +106,11 @@ func (u *IapWebTypeComputeIamUpdater) GetResourceIamPolicy() (*cloudresourcemana
 		return nil, err
 	}
 	var obj map[string]interface{}
+	obj = map[string]interface{}{
+		"options": map[string]interface{}{
+			"requestedPolicyVersion": iamPolicyVersion,
+		},
+	}
 
 	policy, err := sendRequest(u.Config, "POST", project, url, obj)
 	if err != nil {

google/iam_kms_crypto_key.go

@@ -47,7 +47,7 @@ func CryptoIdParseFunc(d *schema.ResourceData, config *Config) error {
 }
 
 func (u *KmsCryptoKeyIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).Do()
+	p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)

google/iam_kms_key_ring.go

@@ -48,7 +48,7 @@ func KeyRingIdParseFunc(d *schema.ResourceData, config *Config) error {
 }
 
 func (u *KmsKeyRingIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).Do()
+	p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)

google/iam_project.go

@@ -43,7 +43,11 @@ func ProjectIdParseFunc(d *schema.ResourceData, _ *Config) error {
 
 func (u *ProjectIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
 	p, err := u.Config.clientResourceManager.Projects.GetIamPolicy(u.resourceId,
-		&cloudresourcemanager.GetIamPolicyRequest{}).Do()
+		&cloudresourcemanager.GetIamPolicyRequest{
+			Options: &cloudresourcemanager.GetPolicyOptions{
+				RequestedPolicyVersion: iamPolicyVersion,
+			},
+		}).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)

google/iam_service_account.go

@@ -36,7 +36,7 @@ func ServiceAccountIdParseFunc(d *schema.ResourceData, _ *Config) error {
 }
 
 func (u *ServiceAccountIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
-	p, err := u.Config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(u.serviceAccountId).Do()
+	p, err := u.Config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(u.serviceAccountId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)

google/iam_storage_bucket.go

@@ -93,6 +93,10 @@ func (u *StorageBucketIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.
 	}
 
 	var obj map[string]interface{}
+	url, err = addQueryParams(url, map[string]string{"optionsRequestedPolicyVersion": fmt.Sprintf("%d", iamPolicyVersion)})
+	if err != nil {
+		return nil, err
+	}
 
 	policy, err := sendRequest(u.Config, "GET", "", url, obj)
 	if err != nil {

google/resource_google_project_iam_policy.go

@@ -142,6 +142,8 @@ func resourceGoogleProjectIamPolicyImport(d *schema.ResourceData, meta interface
 }
 
 func setProjectIamPolicy(policy *cloudresourcemanager.Policy, config *Config, pid string) error {
+	policy.Version = iamPolicyVersion
+
 	// Apply the policy
 	pbytes, _ := json.Marshal(policy)
 	log.Printf("[DEBUG] Setting policy %#v for project: %s", string(pbytes), pid)
@@ -168,7 +170,11 @@ func getResourceIamPolicy(d *schema.ResourceData) (*cloudresourcemanager.Policy,
 // Retrieve the existing IAM Policy for a Project
 func getProjectIamPolicy(project string, config *Config) (*cloudresourcemanager.Policy, error) {
 	p, err := config.clientResourceManager.Projects.GetIamPolicy(project,
-		&cloudresourcemanager.GetIamPolicyRequest{}).Do()
+		&cloudresourcemanager.GetIamPolicyRequest{
+			Options: &cloudresourcemanager.GetPolicyOptions{
+				RequestedPolicyVersion: iamPolicyVersion,
+			},
+		}).Do()
 
 	if err != nil {
 		return nil, fmt.Errorf("Error retrieving IAM policy for project %q: %s", project, err)

google/resource_google_service_account_iam_test.go

@@ -83,7 +83,7 @@ func TestAccServiceAccountIamPolicy(t *testing.T) {
 func testAccCheckGoogleServiceAccountIam(account string, numBindings int) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		config := testAccProvider.Meta().(*Config)
-		p, err := config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(serviceAccountCanonicalId(account)).Do()
+		p, err := config.clientIAM.Projects.ServiceAccounts.GetIamPolicy(serviceAccountCanonicalId(account)).OptionsRequestedPolicyVersion(iamPolicyVersion).Do()
 		if err != nil {
 			return err
 		}

google/resource_iam_binding.go

@@ -66,6 +66,7 @@ func resourceIamBindingCreateUpdate(newUpdaterFunc newResourceIamUpdaterFunc, en
 		modifyF := func(ep *cloudresourcemanager.Policy) error {
 			cleaned := filterBindingsWithRoleAndCondition(ep.Bindings, binding.Role, binding.Condition)
 			ep.Bindings = append(cleaned, binding)
+			ep.Version = iamPolicyVersion
 			return nil
 		}
 

google/resource_iam_member.go

@@ -99,6 +99,7 @@ func resourceIamMemberCreate(newUpdaterFunc newResourceIamUpdaterFunc, enableBat
 		modifyF := func(ep *cloudresourcemanager.Policy) error {
 			// Merge the bindings together
 			ep.Bindings = mergeBindings(append(ep.Bindings, memberBind))
+			ep.Version = iamPolicyVersion
 			return nil
 		}
 		if enableBatching {

google/resource_iam_policy.go

@@ -119,6 +119,7 @@ func ResourceIamPolicyDelete(newUpdaterFunc newResourceIamUpdaterFunc) schema.De
 		if v, ok := d.GetOk("etag"); ok {
 			pol.Etag = v.(string)
 		}
+		pol.Version = iamPolicyVersion
 		err = updater.SetResourceIamPolicy(pol)
 		if err != nil {
 			return err
@@ -133,6 +134,7 @@ func setIamPolicyData(d *schema.ResourceData, updater ResourceIamUpdater) error
 	if err != nil {
 		return fmt.Errorf("'policy_data' is not valid for %s: %s", updater.DescribeResource(), err)
 	}
+	policy.Version = iamPolicyVersion
 
 	err = updater.SetResourceIamPolicy(policy)
 	if err != nil {