GoogleCloudPlatform
diff --git a/‎go.mod
+8-8 b/‎go.mod
+8-8
diff --git a/‎go.sum
+16-16 b/‎go.sum
+16-16
diff --git a/‎tfplan2cai/ancestrymanager/ancestrymanager.go
+34-26 b/‎tfplan2cai/ancestrymanager/ancestrymanager.go
+34-26
diff --git a/‎tfplan2cai/ancestrymanager/ancestrymanager_test.go
+16 b/‎tfplan2cai/ancestrymanager/ancestrymanager_test.go
+16
diff --git a/‎tfplan2cai/converters/google/resources/resource_converters.go
+3 b/‎tfplan2cai/converters/google/resources/resource_converters.go
+3
diff --git a/‎tfplan2cai/converters/google/resources/services/bigquery/iam_bigquery_table.go
-5 b/‎tfplan2cai/converters/google/resources/services/bigquery/iam_bigquery_table.go
-5
diff --git a/‎tfplan2cai/converters/google/resources/services/cloudquotas/cloudquotas_quota_preference.go
+1-1 b/‎tfplan2cai/converters/google/resources/services/cloudquotas/cloudquotas_quota_preference.go
+1-1
diff --git a/‎tfplan2cai/converters/google/resources/services/compute/compute_subnetwork.go
+32 b/‎tfplan2cai/converters/google/resources/services/compute/compute_subnetwork.go
+32
@@ -11,13 +11,13 @@ require (
 	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/hashicorp/terraform-json v0.22.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0
-	github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820164214-0ac834396a40
+	github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820232428-04b789c2f9b2
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.9.0
 	github.com/zclconf/go-cty v1.14.4
 	go.uber.org/zap v1.21.0
-	google.golang.org/api v0.190.0
+	google.golang.org/api v0.191.0
 )
 
 require github.com/spf13/cobra v1.7.0
@@ -26,14 +26,14 @@ require (
 	bitbucket.org/creachadair/stringset v0.0.11 // indirect
 	cel.dev/expr v0.15.0 // indirect
 	cloud.google.com/go v0.115.0 // indirect
-	cloud.google.com/go/auth v0.7.3 // indirect
+	cloud.google.com/go/auth v0.8.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect
-	cloud.google.com/go/bigtable v1.27.2-0.20240730134218-123c88616251 // indirect
+	cloud.google.com/go/bigtable v1.29.0 // indirect
 	cloud.google.com/go/compute/metadata v0.5.0 // indirect
 	cloud.google.com/go/iam v1.1.12 // indirect
 	cloud.google.com/go/longrunning v0.5.11 // indirect
 	cloud.google.com/go/monitoring v1.20.3 // indirect
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.70.0 // indirect
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.71.0 // indirect
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
@@ -111,11 +111,11 @@ require (
 	golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20240730163845-b1a4ccb954bf // indirect
 
@@ -5,12 +5,12 @@ cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14=
 cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU=
-cloud.google.com/go/auth v0.7.3 h1:98Vr+5jMaCZ5NZk6e/uBgf60phTk/XN84r8QEWB9yjY=
-cloud.google.com/go/auth v0.7.3/go.mod h1:HJtWUx1P5eqjy/f6Iq5KeytNpbAcGolPhOgyop2LlzA=
+cloud.google.com/go/auth v0.8.0 h1:y8jUJLl/Fg+qNBWxP/Hox2ezJvjkrPb952PC1p0G6A4=
+cloud.google.com/go/auth v0.8.0/go.mod h1:qGVp/Y3kDRSDZ5gFD/XPUfYQ9xW1iI7q8RIRoCyBbJc=
 cloud.google.com/go/auth/oauth2adapt v0.2.3 h1:MlxF+Pd3OmSudg/b1yZ5lJwoXCEaeedAguodky1PcKI=
 cloud.google.com/go/auth/oauth2adapt v0.2.3/go.mod h1:tMQXOfZzFuNuUxOypHlQEXgdfX5cuhwU+ffUuXRJE8I=
-cloud.google.com/go/bigtable v1.27.2-0.20240730134218-123c88616251 h1:OF+V7OrVPhsXy++iTHewE4VD1kv6ikWQJbRIiq1/Kjc=
-cloud.google.com/go/bigtable v1.27.2-0.20240730134218-123c88616251/go.mod h1:avmXcmxVbLJAo9moICRYMgDyTTPoV0MA0lHKnyqV4fQ=
+cloud.google.com/go/bigtable v1.29.0 h1:2CnFjKPwjpZMZdTi2RpppvxzD80zKzDYrLYEQw/NnAs=
+cloud.google.com/go/bigtable v1.29.0/go.mod h1:5p909nNdWaNUcWs6KGZO8mI5HUovstlmrIi7+eA5PTQ=
 cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
 cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
 cloud.google.com/go/iam v1.1.12 h1:JixGLimRrNGcxvJEQ8+clfLxPlbeZA6MuRJ+qJNQ5Xw=
@@ -22,8 +22,8 @@ cloud.google.com/go/monitoring v1.20.3/go.mod h1:GPIVIdNznIdGqEjtRKQWTLcUeRnPjZW
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.70.0 h1:dqqxHZYK0tlzViFqAbKzMIkfboQVWYN1CTEM2sjBtmQ=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.70.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.71.0 h1:vRKCLiR3faPmXAoqSdwXLv28/kygggzaKXzgdm6GXhg=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.71.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/ProtonMail/go-crypto v1.1.0-alpha.2 h1:bkyFVUP+ROOARdgCiJzNQo2V2kiB97LyUpzH9P6Hrlg=
@@ -190,8 +190,8 @@ github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 h1:qHprzXy/As0rxedphECBEQAh
 github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0/go.mod h1:H+8tjs9TjV2w57QFVSMBQacf8k/E1XwLXGCARgViC6A=
 github.com/hashicorp/terraform-plugin-testing v1.5.1 h1:T4aQh9JAhmWo4+t1A7x+rnxAJHCDIYW9kXyo4sVO92c=
 github.com/hashicorp/terraform-plugin-testing v1.5.1/go.mod h1:dg8clO6K59rZ8w9EshBmDp1CxTIPu3yA4iaDpX1h5u0=
-github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820164214-0ac834396a40 h1:93h8huZYFPlN4E5gvLW+GhLZxSnC1+dfsja3AW2kY4E=
-github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820164214-0ac834396a40/go.mod h1:mbLHS7zKRfkaFt9qpT/cmmwnrB5NSdnz1jpDoAZd6A0=
+github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820232428-04b789c2f9b2 h1:MffSs5GmWnt6PxnJctKByXuN+xU3JJpfo6P7bkNXNig=
+github.com/hashicorp/terraform-provider-google-beta v1.20.1-0.20240820232428-04b789c2f9b2/go.mod h1:IkI2dOHongwQ2RIUyitBH4rDJvYBuClAoFCheApCTpY=
 github.com/hashicorp/terraform-registry-address v0.2.3 h1:2TAiKJ1A3MAkZlH1YI/aTVcLZRu7JseiXNRHbOAyoTI=
 github.com/hashicorp/terraform-registry-address v0.2.3/go.mod h1:lFHA76T8jfQteVfT7caREqguFrW3c4MFSPhZB7HHgUM=
 github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ=
@@ -361,17 +361,17 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -403,8 +403,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -422,8 +422,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.190.0 h1:ASM+IhLY1zljNdLu19W1jTmU6A+gMk6M46Wlur61s+Q=
-google.golang.org/api v0.190.0/go.mod h1:QIr6I9iedBLnfqoD6L6Vze1UvS5Hzj5r2aUBOaZnLHo=
+google.golang.org/api v0.191.0 h1:cJcF09Z+4HAB2t5qTQM1ZtfL/PemsLFkcFG67qq2afk=
+google.golang.org/api v0.191.0/go.mod h1:tD5dsFGxFza0hnQveGfVk9QQYKcfp+VzgRqyXFxE0+E=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 
@@ -18,6 +18,13 @@ import (
 	"go.uber.org/zap"
 )
 
+const (
+	projectPrefix = "projects/"
+	folderPrefix  = "folders/"
+	orgPrefix     = "organizations/"
+	unknownOrg    = orgPrefix + "unknown"
+)
+
 // AncestryManager is the interface that fetch ancestors for a resource.
 type AncestryManager interface {
 	// Ancestors returns a list of ancestors.
@@ -73,8 +80,11 @@ func (m *manager) initAncestryCache(entries map[string]string) error {
 			if err != nil {
 				return err
 			}
-			// ancestry path should include the item itself
-			if ancestors[0] != key {
+			// The ancestry path should include the item itself, unless both the key and ancestor
+			// have the projects/ prefix, indicating the key is a project ID and the ancestry is
+			// project number. CAI ancestors use the project number, so that is preferred if it
+			// is available.
+			if ancestors[0] != key && !(strings.HasPrefix(key, projectPrefix) && strings.HasPrefix(ancestors[0], projectPrefix)) {
 				ancestors = append([]string{key}, ancestors...)
 			}
 			m.store(key, ancestors)
@@ -88,7 +98,7 @@ func parseAncestryKey(val string) (string, error) {
 	ix := strings.LastIndex(key, "/")
 	if ix == -1 {
 		// If not containing /, then treat it as a project.
-		return fmt.Sprintf("projects/%s", key), nil
+		return projectPrefix + key, nil
 	} else {
 		k := key[:ix]
 		if k == "projects" || k == "folders" || k == "organizations" {
@@ -127,24 +137,15 @@ func (m *manager) fetchAncestors(config *transport_tpg.Config, tfData tpgresourc
 
 	orgID, orgOK := getOrganizationFromResource(tfData)
 	if orgOK {
-		orgKey = orgID
-		if !strings.HasPrefix(orgKey, "organizations/") {
-			orgKey = fmt.Sprintf("organizations/%s", orgKey)
-		}
+		orgKey = ensurePrefix(orgID, orgPrefix)
 	}
 	folderID, folderOK := getFolderFromResource(tfData)
 	if folderOK {
-		folderKey = folderID
-		if !strings.HasPrefix(folderKey, "folders/") {
-			folderKey = fmt.Sprintf("folders/%s", folderKey)
-		}
+		folderKey = ensurePrefix(folderID, folderPrefix)
 	}
 	project, _ := m.getProjectFromResource(tfData, config, cai)
 	if project != "" {
-		projectKey = project
-		if !strings.HasPrefix(projectKey, "projects/") {
-			projectKey = fmt.Sprintf("projects/%s", project)
-		}
+		projectKey = ensurePrefix(project, projectPrefix)
 	}
 
 	switch cai.Type {
@@ -154,7 +155,7 @@ func (m *manager) fetchAncestors(config *transport_tpg.Config, tfData tpgresourc
 		} else if orgOK {
 			key = orgKey
 		} else {
-			return []string{"organizations/unknown"}, nil
+			return []string{unknownOrg}, nil
 		}
 	case "cloudresourcemanager.googleapis.com/Organization":
 		if !orgOK {
@@ -168,7 +169,7 @@ func (m *manager) fetchAncestors(config *transport_tpg.Config, tfData tpgresourc
 		} else if projectKey != "" {
 			key = projectKey
 		} else {
-			return []string{"organizations/unknown"}, nil
+			return []string{unknownOrg}, nil
 		}
 	case "cloudresourcemanager.googleapis.com/Project", "cloudbilling.googleapis.com/ProjectBillingInfo":
 		// for google_project and google_project_iam resources
@@ -183,7 +184,7 @@ func (m *manager) fetchAncestors(config *transport_tpg.Config, tfData tpgresourc
 		// only folder_id or org_id is allowed for google_project
 		if orgOK {
 			// no need to use API to fetch ancestors
-			ancestors = append(ancestors, fmt.Sprintf("organizations/%s", orgID))
+			ancestors = append(ancestors, orgPrefix+orgID)
 			return ancestors, nil
 		}
 		if folderOK {
@@ -199,13 +200,13 @@ func (m *manager) fetchAncestors(config *transport_tpg.Config, tfData tpgresourc
 
 		// neither folder_id nor org_id is specified
 		if projectKey == "" {
-			return []string{"organizations/unknown"}, nil
+			return []string{unknownOrg}, nil
 		}
 		key = projectKey
 
 	default:
 		if projectKey == "" {
-			return []string{"organizations/unknown"}, nil
+			return []string{unknownOrg}, nil
 		}
 		key = projectKey
 	}
@@ -220,16 +221,16 @@ func (m *manager) getAncestorsWithCache(key string) ([]string, error) {
 			ancestors = append(ancestors, cachedAncestors...)
 			break
 		}
-		if strings.HasPrefix(cur, "organizations/") {
+		if strings.HasPrefix(cur, orgPrefix) {
 			ancestors = append(ancestors, cur)
 			break
 		}
 		if m.resourceManagerV3 == nil || m.resourceManagerV1 == nil {
 			return nil, fmt.Errorf("resourceManager required to fetch ancestry for %s from the API", cur)
 		}
-		if strings.HasPrefix(cur, "projects") {
+		if strings.HasPrefix(cur, projectPrefix) {
 			// fall back to use v1 API GetAncestry to avoid requiring extra folder permission
-			projectID := strings.TrimPrefix(cur, "projects/")
+			projectID := strings.TrimPrefix(cur, projectPrefix)
 			var resp *crmv1.GetAncestryResponse
 			var err error
 			err = transport_tpg.Retry(transport_tpg.RetryOptions{
@@ -325,9 +326,9 @@ func normalizeAncestry(val string) string {
 		old string
 		new string
 	}{
-		{"organization/", "organizations/"},
-		{"folder/", "folders/"},
-		{"project/", "projects/"},
+		{"organization/", orgPrefix},
+		{"folder/", folderPrefix},
+		{"project/", projectPrefix},
 	} {
 		val = strings.ReplaceAll(val, r.old, r.new)
 	}
@@ -383,3 +384,10 @@ type NoOpAncestryManager struct{}
 func (*NoOpAncestryManager) Ancestors(config *transport_tpg.Config, tfData tpgresource.TerraformResourceData, cai *resources.Asset) ([]string, string, error) {
 	return nil, "", nil
 }
+
+func ensurePrefix(s, pre string) string {
+	if strings.HasPrefix(s, pre) {
+		return s
+	}
+	return pre + s
+}
@@ -1032,6 +1032,8 @@ func TestParseAncestryPath_Fail(t *testing.T) {
 }
 
 func TestInitAncestryCache(t *testing.T) {
+	t.Parallel()
+
 	tests := []struct {
 		name    string
 		entries map[string]string
@@ -1082,9 +1084,23 @@ func TestInitAncestryCache(t *testing.T) {
 				"organizations/123":  {"organizations/123"},
 			},
 		},
+		{
+			name: "project id key with project number ancestry",
+			entries: map[string]string{
+				"projects/test-proj": "organizations/456/projects/123",
+			},
+			want: map[string][]string{
+				"projects/test-proj": {"projects/123", "organizations/456"},
+				"projects/123":       {"projects/123", "organizations/456"},
+				"organizations/456":  {"organizations/456"},
+			},
+		},
 	}
 	for _, test := range tests {
+		test := test
 		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
 			m := &manager{
 				ancestorCache: make(map[string][]string),
 			}
 
@@ -339,6 +339,9 @@ func ResourceConverters() map[string][]cai.ResourceConverter {
 		"google_iap_web_iam_policy":                               {iap.ResourceConverterIapWebIamPolicy()},
 		"google_iap_web_iam_binding":                              {iap.ResourceConverterIapWebIamBinding()},
 		"google_iap_web_iam_member":                               {iap.ResourceConverterIapWebIamMember()},
+		"google_kms_ekm_connection_iam_policy":                    {kms.ResourceConverterKMSEkmConnectionIamPolicy()},
+		"google_kms_ekm_connection_iam_binding":                   {kms.ResourceConverterKMSEkmConnectionIamBinding()},
+		"google_kms_ekm_connection_iam_member":                    {kms.ResourceConverterKMSEkmConnectionIamMember()},
 		"google_logging_log_view_iam_policy":                      {logging.ResourceConverterLoggingLogViewIamPolicy()},
 		"google_logging_log_view_iam_binding":                     {logging.ResourceConverterLoggingLogViewIamBinding()},
 		"google_logging_log_view_iam_member":                      {logging.ResourceConverterLoggingLogViewIamMember()},
 
@@ -145,11 +145,6 @@ func (u *BigQueryTableIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.
 		return nil, err
 	}
 	var obj map[string]interface{}
-	obj = map[string]interface{}{
-		"options": map[string]interface{}{
-			"requestedPolicyVersion": 1,
-		},
-	}
 
 	userAgent, err := tpgresource.GenerateUserAgentString(u.d, u.Config.UserAgent)
 	if err != nil {
 
@@ -179,7 +179,7 @@ func expandCloudQuotasQuotaPreferenceQuotaConfigGrantedValue(v interface{}, d tp
 }
 
 func expandCloudQuotasQuotaPreferenceQuotaConfigTraceId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
-	return v, nil
+	return nil, nil
 }
 
 func expandCloudQuotasQuotaPreferenceQuotaConfigAnnotations(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 
@@ -17,6 +17,7 @@ package compute
 import (
 	"context"
 	"fmt"
+	"log"
 	"net"
 	"reflect"
 
@@ -48,6 +49,37 @@ func IsShrinkageIpCidr(_ context.Context, old, new, _ interface{}) bool {
 	return true
 }
 
+func sendSecondaryIpRangeIfEmptyDiff(_ context.Context, diff *schema.ResourceDiff, meta interface{}) error {
+	// on create, return immediately as we don't need to determine if the value is empty or not
+	if diff.Id() == "" {
+		return nil
+	}
+
+	sendZero := diff.Get("send_secondary_ip_range_if_empty").(bool)
+	if !sendZero {
+		return nil
+	}
+
+	configSecondaryIpRange := diff.GetRawConfig().GetAttr("secondary_ip_range")
+	if !configSecondaryIpRange.IsKnown() {
+		return nil
+	}
+	configValueIsEmpty := configSecondaryIpRange.IsNull() || configSecondaryIpRange.LengthInt() == 0
+
+	stateSecondaryIpRange := diff.GetRawState().GetAttr("secondary_ip_range")
+	if !stateSecondaryIpRange.IsKnown() {
+		return nil
+	}
+	stateValueIsEmpty := stateSecondaryIpRange.IsNull() || stateSecondaryIpRange.LengthInt() == 0
+
+	if configValueIsEmpty && !stateValueIsEmpty {
+		log.Printf("[DEBUG] setting secondary_ip_range to newly empty")
+		diff.SetNew("secondary_ip_range", make([]interface{}, 0))
+	}
+
+	return nil
+}
+
 const ComputeSubnetworkAssetType string = "compute.googleapis.com/Subnetwork"
 
 func ResourceConverterComputeSubnetwork() cai.ResourceConverter {
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ func expandCloudQuotasQuotaPreferenceQuotaConfigGrantedValue(v interface{}, d tp`
`179`	`179`	`}`
`180`	`180`
`181`	`181`	`func expandCloudQuotasQuotaPreferenceQuotaConfigTraceId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {`
`182`		`- return v, nil`
	`182`	`+ return nil, nil`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`func expandCloudQuotasQuotaPreferenceQuotaConfigAnnotations(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {`