Add the organization iam policy, with suitable warnings. (hashicorp#1196

)

google/provider.go

@@ -171,6 +171,7 @@ func Provider() terraform.ResourceProvider {
 			"google_organization_iam_binding":              ResourceIamBindingWithImport(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_iam_custom_role":          resourceGoogleOrganizationIamCustomRole(),
 			"google_organization_iam_member":               ResourceIamMemberWithImport(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
+			"google_organization_iam_policy":               ResourceIamPolicyWithImport(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_policy":                   resourceGoogleOrganizationPolicy(),
 			"google_project":                               resourceGoogleProject(),
 			"google_project_iam_policy":                    resourceGoogleProjectIamPolicy(),

google/resource_google_organization_iam_test.go

@@ -17,6 +17,7 @@ import (
 // them to see the new diff instead of blindly overriding the policy stored in GCP. This desired
 // behavior however induces flakiness in our acceptance tests, hence the need for running them
 // serially.
+// Policies are *not tested*, because testing them will ruin changes made to the test org.
 func TestAccOrganizationIam(t *testing.T) {
 	t.Parallel()
 

website/docs/r/google_organization_iam_policy.md

@@ -0,0 +1,59 @@
+---
+layout: "google"
+page_title: "Google: google_organization_iam_policy"
+sidebar_current: "docs-google-organization-iam-policy"
+description: |-
+ Allows management of the entire IAM policy for a Google Cloud Platform Organization.
+---
+
+# google\_organization\_iam\_policy
+
+Allows management of the entire IAM policy for an existing Google Cloud Platform Organization.
+
+~> **Warning:** New organizations have several default policies which will,
+   without extreme caution, be **overwritten** by use of this resource.
+   The safest alternative is to use multiple `google_organization_iam_binding`
+   resources.  It is easy to use this resource to remove your own access to
+   an organization, which will require a call to Google Support to have
+   fixed, and can take multiple days to resolve.  If you do use this resource,
+   the best way to be sure that you are not making dangerous changes is to start
+   by importing your existing policy, and examining the diff very closely.
+
+~> **Note:** This resource __must not__ be used in conjunction with
+   `google_organization_iam_member` or `google_organization_iam_binding`
+   or they will fight over what your policy should be.
+
+## Example Usage
+
+```hcl
+resource "google_organization_iam_policy" "policy" {
+  org_id = "123456789"
+  policy_data = "${data.google_iam_policy.admin.policy_data}"
+}
+
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/editor"
+
+    members = [
+      "user:[email protected]",
+    ]
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `org_id` - (Required) The numeric ID of the organization in which you want to create a custom role.
+
+* `policy_data` - (Required) The `google_iam_policy` data source that represents
+    the IAM policy that will be applied to the organization. This policy overrides any existing
+    policy applied to the organization.
+
+## Import
+
+```
+$ terraform import google_organization_iam_policy.my_org your-org-id
+```

website/google.erb

@@ -162,6 +162,9 @@
       <li<%= sidebar_current("docs-google-organization-iam-member") %>>
         <a href="/docs/providers/google/r/google_organization_iam_member.html">google_organization_iam_member</a>
       </li>
+      <li<%= sidebar_current("docs-google-organization-iam-policy") %>>
+        <a href="/docs/providers/google/r/google_organization_iam_policy.html">google_organization_iam_policy</a>
+      </li>
       <li<%= sidebar_current("docs-google-project-x") %>>
         <a href="/docs/providers/google/r/google_project.html">google_project</a>
       </li>