hashicorp · modular-magician · Jan 31, 2020 · Jan 31, 2020
diff --git a/.changelog/3058.txt b/.changelog/3058.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+appengine: added support for `google_app_engine_application.iap`
+```
diff --git a/google-beta/resource_app_engine_application.go b/google-beta/resource_app_engine_application.go
@@ -89,6 +89,30 @@ func resourceAppEngineApplication() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"iap": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Settings for enabling Cloud Identity Aware Proxy`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"oauth2_client_id": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"oauth2_client_secret": {
+							Type:      schema.TypeString,
+							Required:  true,
+							Sensitive: true,
+						},
+						"oauth2_client_secret_sha256": {
+							Type:      schema.TypeString,
+							Computed:  true,
+							Sensitive: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -195,6 +219,14 @@ func resourceAppEngineApplicationRead(d *schema.ResourceData, meta interface{})
 	if err != nil {
 		return fmt.Errorf("Error setting feature settings in state. This is a bug, please report it at https://github.com/terraform-providers/terraform-provider-google/issues. Error is:\n%s", err.Error())
 	}
+	iap, err := flattenAppEngineApplicationIap(d, app.Iap)
+	if err != nil {
+		return err
+	}
+	err = d.Set("iap", iap)
+	if err != nil {
+		return fmt.Errorf("Error setting iap in state. This is a bug, please report it at https://github.com/terraform-providers/terraform-provider-google/issues. Error is:\n%s", err.Error())
+	}
 	return nil
 }
 
@@ -239,6 +271,11 @@ func expandAppEngineApplication(d *schema.ResourceData, project string) (*appeng
 		return nil, err
 	}
 	result.FeatureSettings = featureSettings
+	iap, err := expandAppEngineApplicationIap(d)
+	if err != nil {
+		return nil, err
+	}
+	result.Iap = iap
 	return result, nil
 }
 
@@ -254,6 +291,18 @@ func expandAppEngineApplicationFeatureSettings(d *schema.ResourceData) (*appengi
 	}, nil
 }
 
+func expandAppEngineApplicationIap(d *schema.ResourceData) (*appengine.IdentityAwareProxy, error) {
+	blocks := d.Get("iap").([]interface{})
+	if len(blocks) < 1 {
+		return nil, nil
+	}
+	return &appengine.IdentityAwareProxy{
+		Oauth2ClientId:           d.Get("iap.0.oauth2_client_id").(string),
+		Oauth2ClientSecret:       d.Get("iap.0.oauth2_client_secret").(string),
+		Oauth2ClientSecretSha256: d.Get("iap.0.oauth2_client_secret_sha256").(string),
+	}, nil
+}
+
 func flattenAppEngineApplicationFeatureSettings(settings *appengine.FeatureSettings) ([]map[string]interface{}, error) {
 	if settings == nil {
 		return []map[string]interface{}{}, nil
@@ -264,6 +313,18 @@ func flattenAppEngineApplicationFeatureSettings(settings *appengine.FeatureSetti
 	return []map[string]interface{}{result}, nil
 }
 
+func flattenAppEngineApplicationIap(d *schema.ResourceData, iap *appengine.IdentityAwareProxy) ([]map[string]interface{}, error) {
+	if iap == nil {
+		return []map[string]interface{}{}, nil
+	}
+	result := map[string]interface{}{
+		"oauth2_client_id":            iap.Oauth2ClientId,
+		"oauth2_client_secret":        d.Get("iap.0.oauth2_client_secret"),
+		"oauth2_client_secret_sha256": iap.Oauth2ClientSecretSha256,
+	}
+	return []map[string]interface{}{result}, nil
+}
+
 func flattenAppEngineApplicationDispatchRules(rules []*appengine.UrlDispatchRule) ([]map[string]interface{}, error) {
 	results := make([]map[string]interface{}, 0, len(rules))
 	for _, rule := range rules {

diff --git a/google-beta/resource_app_engine_application_test.go b/google-beta/resource_app_engine_application_test.go
@@ -44,6 +44,51 @@ func TestAccAppEngineApplication_basic(t *testing.T) {
 	})
 }
 
+func TestAccAppEngineApplication_withIAP(t *testing.T) {
+	t.Parallel()
+
+	org := getTestOrgFromEnv(t)
+	pid := acctest.RandomWithPrefix("tf-test")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAppEngineApplication_withIAP(pid, org),
+			},
+			{
+				ResourceName:            "google_app_engine_application.acceptance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"iap.0.oauth2_client_secret"},
+			},
+		},
+	})
+}
+
+func testAccAppEngineApplication_withIAP(pid, org string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+  project_id = "%s"
+  name       = "%s"
+  org_id     = "%s"
+}
+
+resource "google_app_engine_application" "acceptance" {
+  project        = google_project.acceptance.project_id
+  auth_domain    = "hashicorptest.com"
+  location_id    = "us-central"
+  serving_status = "SERVING"
+
+  iap {
+    oauth2_client_id     = "test"
+    oauth2_client_secret = "test"
+  }
+}
+`, pid, pid, org)
+}
+
 func testAccAppEngineApplication_basic(pid, org string) string {
 	return fmt.Sprintf(`
 resource "google_project" "acceptance" {