Add IAM condition support for privateca CaPool (#5874) (#11392)

Signed-off-by: Modular Magician <magic-modules@google.com>

.changelog/5874.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: Added support for IAM conditions to CaPool
+```

google/iam_privateca_ca_pool.go

@@ -149,6 +149,10 @@ func (u *PrivatecaCaPoolIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, err
 	}
 	var obj map[string]interface{}
+	url, err = addQueryParams(url, map[string]string{"options.requestedPolicyVersion": fmt.Sprintf("%d", iamPolicyVersion)})
+	if err != nil {
+		return nil, err
+	}
 
 	userAgent, err := generateUserAgentString(u.d, u.Config.userAgent)
 	if err != nil {

website/docs/r/privateca_ca_pool_iam.html.markdown

@@ -31,6 +31,7 @@ Three different resources help you manage your IAM policy for Certificate Author
 
 ~> **Note:** `google_privateca_ca_pool_iam_binding` resources **can be** used in conjunction with `google_privateca_ca_pool_iam_member` resources **only if** they do not grant privilege to the same role.
 
+~> **Note:**  This resource supports IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)) but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.
 
 
 
@@ -52,6 +53,29 @@ resource "google_privateca_ca_pool_iam_policy" "policy" {
 }
 ```
 
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+
+```hcl
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/privateca.certificateManager"
+    members = [
+      "user:jane@example.com",
+    ]
+
+    condition {
+      title       = "expires_after_2019_12_31"
+      description = "Expiring at midnight of 2019-12-31"
+      expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+    }
+  }
+}
+
+resource "google_privateca_ca_pool_iam_policy" "policy" {
+  ca_pool = google_privateca_ca_pool.default.id
+  policy_data = data.google_iam_policy.admin.policy_data
+}
+```
 ## google\_privateca\_ca\_pool\_iam\_binding
 
 ```hcl
@@ -64,6 +88,23 @@ resource "google_privateca_ca_pool_iam_binding" "binding" {
 }
 ```
 
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+
+```hcl
+resource "google_privateca_ca_pool_iam_binding" "binding" {
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  members = [
+    "user:jane@example.com",
+  ]
+
+  condition {
+    title       = "expires_after_2019_12_31"
+    description = "Expiring at midnight of 2019-12-31"
+    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+  }
+}
+```
 ## google\_privateca\_ca\_pool\_iam\_member
 
 ```hcl
@@ -74,6 +115,21 @@ resource "google_privateca_ca_pool_iam_member" "member" {
 }
 ```
 
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+
+```hcl
+resource "google_privateca_ca_pool_iam_member" "member" {
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "user:jane@example.com"
+
+  condition {
+    title       = "expires_after_2019_12_31"
+    description = "Expiring at midnight of 2019-12-31"
+    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+  }
+}
+```
 ## Argument Reference
 
 The following arguments are supported:
@@ -105,6 +161,22 @@ running `gcloud privateca locations list`.
 * `policy_data` - (Required only by `google_privateca_ca_pool_iam_policy`) The policy data generated by
   a `google_iam_policy` data source.
 
+* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
+  Structure is documented below.
+
+---
+
+The `condition` block supports:
+
+* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
+
+* `title` - (Required) A title for the expression, i.e. a short string describing its purpose.
+
+* `description` - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+~> **Warning:** Terraform considers the `role` and condition contents (`title`+`description`+`expression`) as the
+  identifier for the binding. This means that if any part of the condition is changed out-of-band, Terraform will
+  consider it to be an entirely different resource and will treat it as such.
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are