Document the google_project_iam_audit_config resource. Fix #3066

website/docs/r/google_project_iam.html.markdown

@@ -8,13 +8,15 @@ description: |-
 
 # IAM policy for projects
 
-Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:
+Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:
 
 * `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
 * `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
 * `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
+* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.
 
-~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be.
+
+~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config` or they will fight over what your policy should be.
 
 ~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role.
 
@@ -69,18 +71,33 @@ resource "google_project_iam_member" "project" {
 }
 ```
 
+## google\_project\_iam\_audit\_config
+
+```hcl
+resource "google_project_iam_audit_config" "project" {
+  project = "your-project-id"
+  service = "allServices"
+  audit_log_config {
+    log_type = "DATA_READ"
+    exempted_members = [
+      "user:[email protected]",
+    ]
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
 
-* `member/members` - (Required) Identities that will be granted the privilege in `role`.
+* `member/members` - (Required except for google\_project\_iam\_audit\_config) Identities that will be granted the privilege in `role`.
   Each entry can have one of the following values:
   * **user:{emailid}**: An email address that represents a specific Google account. For example, [email protected] or [email protected].
   * **serviceAccount:{emailid}**: An email address that represents a service account. For example, [email protected].
   * **group:{emailid}**: An email address that represents a Google group. For example, [email protected].
   * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
 
-* `role` - (Required) The role that should be applied. Only one
+* `role` - (Required except for google\_project\_iam\_audit\_config) The role that should be applied. Only one
     `google_project_iam_binding` can be used per role. Note that custom roles must be of the format
     `[projects|organizations]/{parent-name}/roles/{role-name}`.
 
@@ -93,11 +110,22 @@ The following arguments are supported:
     Deleting this removes all policies from the project, locking out users without
     organization-level access.
 
-* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`
-or `google_project_iam_member`, uses the ID of the project configured with the provider.
+* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config`, uses the ID of the project configured with the provider.
 Required for `google_project_iam_policy` - you must explicitly set the project, and it
 will not be inferred from the provider.
-
+
+* `service` - (Required only by google\_project\_iam\_audit\_config) Service which will be enabled for audit logging.  The special value `allServices` covers all services.  Note that if there are google\_project\_iam\_audit\_config resources covering both `allServices` and a specific service then the union of the two AuditConfigs is used for that service: the `log_types` specified in each `audit_log_config` are enabled, and the `exempted_members` in each `audit_log_config` are exempted.
+
+* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission.  This can be specified multiple times.  Structure is documented below.
+
+---
+
+The `audit_log_config` block supports:
+
+* `log_type` - (Required) Permission type for which logging is to be configured.  Must be one of `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ`.
+
+* `exempted_members` - (Optional) Identities that do not cause logging for this type of permission.  The format is the same as that for `members`.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are
@@ -125,3 +153,9 @@ IAM policy imports use the identifier of the resource in question.  This policy
 ```
 $ terraform import google_project_iam_policy.my_project your-project-id
 ```
+
+IAM audit config imports use the identifier of the resource in question and the service, e.g.
+
+```
+terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"
+```

website/google.erb

@@ -324,6 +324,9 @@
       <li<%= sidebar_current("docs-google-project-x") %>>
         <a href="/docs/providers/google/r/google_project.html">google_project</a>
       </li>
+      <li<%= sidebar_current("docs-google-project-iam-x") %>>
+        <a href="/docs/providers/google/r/google_project_iam.html">google_project_iam_audit_config</a>
+      </li>
       <li<%= sidebar_current("docs-google-project-iam-x") %>>
         <a href="/docs/providers/google/r/google_project_iam.html">google_project_iam_binding</a>
       </li>