diff --git a/build/ansible b/build/ansible index 50c9cc64fd5b..763ed45a3996 160000 --- a/build/ansible +++ b/build/ansible @@ -1 +1 @@ -Subproject commit 50c9cc64fd5b7bd5ad5972569543bf3322266d2a +Subproject commit 763ed45a39965fa65d241fd4989953939afaaa16 diff --git a/build/inspec b/build/inspec index 84afaea61273..d0eb095e51b5 160000 --- a/build/inspec +++ b/build/inspec @@ -1 +1 @@ -Subproject commit 84afaea61273cb2e2849ea2403e5145b38925602 +Subproject commit d0eb095e51b59b67026f10e5d99761ad10d8cc40 diff --git a/build/terraform b/build/terraform index afb2f1de1362..1246621080fa 160000 --- a/build/terraform +++ b/build/terraform @@ -1 +1 @@ -Subproject commit afb2f1de1362e34b49282bcfed99992f8e4507b8 +Subproject commit 1246621080faa6366b20750efe3c9d35cbef9025 diff --git a/build/terraform-beta b/build/terraform-beta index ce8003191cba..43af0afd382d 160000 --- a/build/terraform-beta +++ b/build/terraform-beta @@ -1 +1 @@ -Subproject commit ce8003191cbaf187cadb2d4694cab94061bfd4b7 +Subproject commit 43af0afd382d6297b88d807d3bbee1f97e4327f2 diff --git a/build/terraform-mapper b/build/terraform-mapper index 82d0cc1041b0..670010538372 160000 --- a/build/terraform-mapper +++ b/build/terraform-mapper @@ -1 +1 @@ -Subproject commit 82d0cc1041b0bb0087b93872322ee174c5c156e4 +Subproject commit 67001053837274140ea6665fb365c86e6f5c09e8 diff --git a/third_party/terraform/website-compiled/google.erb b/third_party/terraform/website-compiled/google.erb index 91d3c4d5b2ab..92edafa24b4c 100644 --- a/third_party/terraform/website-compiled/google.erb +++ b/third_party/terraform/website-compiled/google.erb @@ -349,6 +349,9 @@ > google_project + > + google_project_iam_audit_config + > google_project_iam_binding diff --git a/third_party/terraform/website/docs/r/google_project_iam.html.markdown b/third_party/terraform/website/docs/r/google_project_iam.html.markdown index 70395b12a807..0a12b1e19877 100644 --- a/third_party/terraform/website/docs/r/google_project_iam.html.markdown 
+++ b/third_party/terraform/website/docs/r/google_project_iam.html.markdown @@ -8,13 +8,15 @@ description: |- # IAM policy for projects -Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: +Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: * `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached. * `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved. * `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved. +* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service. -~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be. + +~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config` or they will fight over what your policy should be. ~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role. 
@@ -69,18 +71,33 @@ resource "google_project_iam_member" "project" { } ``` +## google\_project\_iam\_audit\_config + +```hcl +resource "google_project_iam_audit_config" "project" { + project = "your-project-id" + service = "allServices" + audit_log_config { + log_type = "DATA_READ" + exempted_members = [ + "user:joebloggs@hashicorp.com", + ] + } +} +``` + ## Argument Reference The following arguments are supported: -* `member/members` - (Required) Identities that will be granted the privilege in `role`. +* `member/members` - (Required except for google\_project\_iam\_audit\_config) Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. -* `role` - (Required) The role that should be applied. Only one +* `role` - (Required except for google\_project\_iam\_audit\_config) The role that should be applied. Only one `google_project_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. 
@@ -93,11 +110,22 @@ The following arguments are supported: Deleting this removes all policies from the project, locking out users without organization-level access. -* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding` -or `google_project_iam_member`, uses the ID of the project configured with the provider. +* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config`, uses the ID of the project configured with the provider. Required for `google_project_iam_policy` - you must explicitly set the project, and it will not be inferred from the provider. - + +* `service` - (Required only by google\_project\_iam\_audit\_config) Service which will be enabled for audit logging. The special value `allServices` covers all services. Note that if there are google\_project\_iam\_audit\_config resources covering both `allServices` and a specific service then the union of the two AuditConfigs is used for that service: the `log_types` specified in each `audit_log_config` are enabled, and the `exempted_members` in each `audit_log_config` are exempted. + +* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below. + +--- + +The `audit_log_config` block supports: + +* `log_type` - (Required) Permission type for which logging is to be configured. Must be one of `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ`. + +* `exempted_members` - (Optional) Identities that do not cause logging for this type of permission. The format is the same as that for `members`. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are 
@@ -125,3 +153,9 @@ IAM policy imports use the identifier of the resource in question. This policy ``` $ terraform import google_project_iam_policy.my_project your-project-id ``` + +IAM audit config imports use the identifier of the resource in question and the service, e.g. + +``` +terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com" +``` \ No newline at end of file
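Review bot: the five submodule pointer bumps at the top of the patch (build/ansible, build/inspec, build/terraform, build/terraform-beta, build/terraform-mapper) carry no description of what generated output each new commit contains; add a line to the change description naming which of them carry the generated google_project_iam_audit_config resource (the terraform and terraform-beta pointers, afb2f1de1362 -> 1246621080fa and ce8003191cba -> 43af0afd382d, presumably) and why the ansible, inspec and terraform-mapper pointers move in the same change, so a reviewer can check each bump against the docs change instead of taking all five on trust.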
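Review bot: in the @@ -8,13 +8,15 hunk the rewritten Note line is preceded by an added empty `+` line, leaving two blank lines between the new audit_config bullet and the note; drop the extra blank line. Separately, the new bullet says the resource is "Authoritative for a given service" but, unlike the binding and member bullets, does not say what that replaces: an audit config for that service that was set outside Terraform is overwritten on apply, which can silently drop or add log types and exemptions. Suggest: "* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service, replacing any existing audit config for that service."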
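Review bot: the example in the @@ -69,18 +71,33 hunk uses `"user:joebloggs@hashicorp.com"` in `exempted_members`, a real vendor domain, where the rest of the page uses alice@gmail.com and joe@example.com for sample identities; use an example.com address. Also worth a sentence under the block: with `service = "allServices"` and `log_type = "DATA_READ"`, the exempted member produces no data-read audit logs on any service, so the snippet should be read as a demonstration of the block shape, not as a recommended default.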
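Review bot: the `service` description in the @@ -93,11 +110,22 hunk refers to "the `log_types` specified in each `audit_log_config`", but the block attribute documented a few lines below is `log_type` (singular); use the same name in both places. The union rule in that same sentence deserves an explicit warning rather than a passing mention: because the `exempted_members` of an `allServices` resource and of a per-service resource are both applied, an exemption added to either resource stops audit logging for that member on the service, and someone reading only one of the two resources will not see it. Suggest adding: "An identity exempted in either resource is exempted for that service; check both resources when reviewing who is excluded from audit logging."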
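Review bot: the new import example in the last hunk omits the `$ ` prompt used by the google_project_iam_policy example directly above it, and the file now ends without a trailing newline (`\ No newline at end of file`); add the prompt for consistency and a final newline. The import ID `"your-project-id foo.googleapis.com"` is only shown, not explained; state that the ID is the project ID and the service separated by a single space and quoted as one argument, since that format is easy to get wrong.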