diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62c93c7e7..a1b759c51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,29 @@
+## 16.11.0 (2024-04-18)
+
+This release was tested against GitLab 16.9, 16.10, and 16.11 for both CE and EE
+
+IMPROVEMENTS:
+
+- **New Data Source** data/gitlab_compliance_framework: Allows querying Compliance Frameworks to help retrieve the ID for use in downstream resources ([!1880](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1880))
+- resources/gitlab_project_access_token: Added support for the use of `rotation_configuration` to automatically rotate tokens periodically. ([!1887](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1887))
+- resources/gitlab_project_access_token: Added support for rotating the token by changing the `expires_at` instead of deleting and re-creating the token. ([!1887](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1887))
+- resources/gitlab_group_access_token: Added support for the use of `rotation_configuration` to automatically rotate tokens periodically. ([!1887](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1887))
+- resources/gitlab_group_access_token: Added support for rotating the token by changing the `expires_at` instead of deleting and re-creating the token. ([!1887](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1887))
+- resources/gitlab_project_access_token: Added support for new token scopes related to AI, k8s, and observability ([!1878](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1878))
+- resources/gitlab_group_access_token: Added support for new token scopes related to AI, k8s, and observability ([!1878](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1878))
+- resources/gitlab_project: Added support for `emails_enabled` and deprecated support for `emails_disabled`, which will be removed in 17.0 ([!1881](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1881))
+- resources/gitlab_project_protected_environment: Added support for `group_inheritance_type` ([!1855](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1855))
+- resources/gitlab_group_protected_environment: Added support for `group_inheritance_type` ([!1855](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1855))
+- resources/gitlab_project_hook: Added support for `custom_webhook_template` ([!1862](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1862))
+- resources/gitlab_group_hook: Added support for `custom_webhook_template` ([!1862](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1862))
+- resources/gitlab_group_membership: Added support for `member_role_id`, enabling the use of a custom role when assigning users to a group ([!1809](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1809))
+- data/gitlab_project_hook(s): Added support for `custom_webhook_template` ([!1862](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1862))
+- data/gitlab_group_hook(s): Added support for `custom_webhook_template` ([!1862](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1862))
+
+BUG FIXES:
+
+- resource/gitlab_project_hook: Fixed an issue where changing the `project` value didn't force a new resource ([!1871](https://gitlab.com/gitlab-org/terraform-provider-gitlab/-/merge_requests/1871))
+
 ## 16.10.0 (2024-03-21)
 
 This release was tested against GitLab 16.8, 16.9, and 16.10 for both CE and EE
@@ -157,7 +183,7 @@ This release was tested against GitLab 16.2, 16.3, and 16.4 for both CE and EE
 
 BREAKING CHANGES:
 
-This breaking change was made early for security reasons. If a configuration relies on the value being non-sensitive, 
+This breaking change was made early for security reasons. If a configuration relies on the value being non-sensitive,
 users can use the [`nonsensitive()`](https://developer.hashicorp.com/terraform/language/functions/nonsensitive) function
 in Terraform.
 
diff --git a/docs/data-sources/compliance_framework.md b/docs/data-sources/compliance_framework.md
new file mode 100644
index 000000000..3afe13231
--- /dev/null
+++ b/docs/data-sources/compliance_framework.md
@@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "gitlab_compliance_framework Data Source - terraform-provider-gitlab"
+subcategory: ""
+description: |-
+  The gitlab_compliance_framework data source allows details of a compliance framework to be retrieved by its name and the namespace it belongs to.
+  Upstream API: GitLab GraphQL API docs https://docs.gitlab.com/ee/api/graphql/reference/#querynamespace
+---
+
+# gitlab_compliance_framework (Data Source)
+
+The `gitlab_compliance_framework` data source allows details of a compliance framework to be retrieved by its name and the namespace it belongs to.
+
+**Upstream API**: [GitLab GraphQL API docs](https://docs.gitlab.com/ee/api/graphql/reference/#querynamespace)
+
+## Example Usage
+
+```terraform
+data "gitlab_compliance_framework" "example" {
+  namespace_path = "top-level-group"
+  name           = "HIPAA"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name for the compliance framework.
+- `namespace_path` (String) Full path of the namespace to where the compliance framework is.
+
+### Read-Only
+
+- `color` (String) Color representation of the compliance framework in hex format. e.g. #FCA121.
+- `default` (Boolean) Is the compliance framework the default framework for the group.
+- `description` (String) Description for the compliance framework.
+- `framework_id` (String) Globally unique ID of the compliance framework.
+- `id` (String) The ID of this Terraform resource. In the format of `<namespace_path>:<framework_id>`.
+- `pipeline_configuration_full_path` (String) Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa`. Format: `path/file.y[a]ml@group-name/project-name` **Note**: Ultimate license required.
diff --git a/docs/data-sources/group_hook.md b/docs/data-sources/group_hook.md
index 17782dfd5..b7c654206 100644
--- a/docs/data-sources/group_hook.md
+++ b/docs/data-sources/group_hook.md
@@ -38,6 +38,7 @@ data "gitlab_group_hook" "example" {
 
 - `confidential_issues_events` (Boolean) Invoke the hook for confidential issues events.
 - `confidential_note_events` (Boolean) Invoke the hook for confidential notes events.
+- `custom_webhook_template` (String) Set a custom webhook template.
 - `deployment_events` (Boolean) Invoke the hook for deployment events.
 - `enable_ssl_verification` (Boolean) Enable ssl verification when invoking the hook.
 - `group_id` (Number) The id of the group for the hook.
diff --git a/docs/data-sources/group_hooks.md b/docs/data-sources/group_hooks.md
index f1b7d8fb0..26882461c 100644
--- a/docs/data-sources/group_hooks.md
+++ b/docs/data-sources/group_hooks.md
@@ -44,6 +44,7 @@ Read-Only:
 
 - `confidential_issues_events` (Boolean)
 - `confidential_note_events` (Boolean)
+- `custom_webhook_template` (String)
 - `deployment_events` (Boolean)
 - `enable_ssl_verification` (Boolean)
 - `group` (String)
diff --git a/docs/data-sources/group_subgroups.md b/docs/data-sources/group_subgroups.md
index c7e8af425..0949cfa60 100644
--- a/docs/data-sources/group_subgroups.md
+++ b/docs/data-sources/group_subgroups.md
@@ -60,6 +60,7 @@ Read-Only:
 - `default_branch_protection` (Number)
 - `description` (String)
 - `emails_disabled` (Boolean)
+- `emails_enabled` (Boolean)
 - `file_template_project_id` (Number)
 - `full_name` (String)
 - `full_path` (String)
diff --git a/docs/data-sources/project.md b/docs/data-sources/project.md
index 00d21277a..14f1237fc 100644
--- a/docs/data-sources/project.md
+++ b/docs/data-sources/project.md
@@ -55,7 +55,8 @@ data "gitlab_project" "example" {
 - `container_registry_access_level` (String) Set visibility of container registry, for this project. Valid values are `disabled`, `private`, `enabled`.
 - `default_branch` (String) The default branch for the project.
 - `description` (String) A description of the project.
-- `emails_disabled` (Boolean) Disable email notifications.
+- `emails_disabled` (Boolean, Deprecated) Disable email notifications.
+- `emails_enabled` (Boolean) Enable email notifications.
 - `empty_repo` (Boolean) Whether the project is empty.
 - `environments_access_level` (String) Set the environments access level. Valid values are `disabled`, `private`, `enabled`.
 - `external_authorization_classification_label` (String) The classification label for the project.
diff --git a/docs/data-sources/project_hook.md b/docs/data-sources/project_hook.md
index afb865128..b6e3fd4c0 100644
--- a/docs/data-sources/project_hook.md
+++ b/docs/data-sources/project_hook.md
@@ -38,6 +38,7 @@ data "gitlab_project_hook" "example" {
 
 - `confidential_issues_events` (Boolean) Invoke the hook for confidential issues events.
 - `confidential_note_events` (Boolean) Invoke the hook for confidential notes events.
+- `custom_webhook_template` (String) Set a custom webhook template.
 - `deployment_events` (Boolean) Invoke the hook for deployment events.
 - `enable_ssl_verification` (Boolean) Enable ssl verification when invoking the hook.
 - `id` (String) The ID of this resource.
diff --git a/docs/data-sources/project_hooks.md b/docs/data-sources/project_hooks.md
index 3feb89291..a66e4109b 100644
--- a/docs/data-sources/project_hooks.md
+++ b/docs/data-sources/project_hooks.md
@@ -44,6 +44,7 @@ Read-Only:
 
 - `confidential_issues_events` (Boolean)
 - `confidential_note_events` (Boolean)
+- `custom_webhook_template` (String)
 - `deployment_events` (Boolean)
 - `enable_ssl_verification` (Boolean)
 - `hook_id` (Number)
diff --git a/docs/data-sources/projects.md b/docs/data-sources/projects.md
index 7a414fe52..80eb8429c 100644
--- a/docs/data-sources/projects.md
+++ b/docs/data-sources/projects.md
@@ -106,6 +106,7 @@ Read-Only:
 - `default_branch` (String)
 - `description` (String)
 - `emails_disabled` (Boolean)
+- `emails_enabled` (Boolean)
 - `empty_repo` (Boolean)
 - `environments_access_level` (String)
 - `external_authorization_classification_label` (String)
diff --git a/docs/resources/group.md b/docs/resources/group.md
index 17cfbb976..7bdcd2d84 100644
--- a/docs/resources/group.md
+++ b/docs/resources/group.md
@@ -62,7 +62,8 @@ resource "gitlab_group" "example-two" {
 - `avatar_hash` (String) The hash of the avatar image. Use `filesha256("path/to/avatar.png")` whenever possible. **Note**: this is used to trigger an update of the avatar. If it's not given, but an avatar is given, the avatar will be updated each time.
 - `default_branch_protection` (Number) See https://docs.gitlab.com/ee/api/groups.html#options-for-default_branch_protection. Valid values are: `0`, `1`, `2`, `3`, `4`.
 - `description` (String) The group's description.
-- `emails_disabled` (Boolean) Disable email notifications.
+- `emails_disabled` (Boolean, Deprecated) Disable email notifications.
+- `emails_enabled` (Boolean) Enable email notifications.
 - `extra_shared_runners_minutes_limit` (Number) Can be set by administrators only. Additional CI/CD minutes for this group.
 - `ip_restriction_ranges` (List of String) A list of IP addresses or subnet masks to restrict group access. Will be concatenated together into a comma separated string. Only allowed on top level groups.
 - `lfs_enabled` (Boolean) Enable/disable Large File Storage (LFS) for the projects in this group.
diff --git a/docs/resources/group_access_token.md b/docs/resources/group_access_token.md
index 1a64a1eb8..56dddd3db 100644
--- a/docs/resources/group_access_token.md
+++ b/docs/resources/group_access_token.md
@@ -3,16 +3,22 @@
 page_title: "gitlab_group_access_token Resource - terraform-provider-gitlab"
 subcategory: ""
 description: |-
-  The gitlab_group_accesstoken resource allows to manage the lifecycle of a group access token.
-  -> Group Access Token were introduced in GitLab 14.7
+  The gitlab_group_access_tokenresource allows to manage the lifecycle of a group access token.
+  ~> Observability scopes are in beta and may not work on all instances. See more details in the documentation https://docs.gitlab.com/ee/operations/tracing.html
+  ~> Use rotation_configuration to automatically rotate tokens instead of using timestamp() as timestamp will cause changes with every plan. terraform apply must still be run to rotate the token.
+  ~> Due to Automatic reuse detection https://docs.gitlab.com/ee/api/group_access_tokens.html#automatic-reuse-detection it's possible that a new Group Access Token will immediately be revoked. Check if an old process using the old token is running if this happens.
   Upstream API: GitLab REST API https://docs.gitlab.com/ee/api/group_access_tokens.html
 ---
 
 # gitlab_group_access_token (Resource)
 
-The `gitlab_group_access`token resource allows to manage the lifecycle of a group access token.
+The `gitlab_group_access_token`resource allows to manage the lifecycle of a group access token.
 
--> Group Access Token were introduced in GitLab 14.7
+~> Observability scopes are in beta and may not work on all instances. See more details in [the documentation](https://docs.gitlab.com/ee/operations/tracing.html)
+
+~> Use `rotation_configuration` to automatically rotate tokens instead of using `timestamp()` as timestamp will cause changes with every plan. `terraform apply` must still be run to rotate the token.
+
+~> Due to [Automatic reuse detection](https://docs.gitlab.com/ee/api/group_access_tokens.html#automatic-reuse-detection) it's possible that a new Group Access Token will immediately be revoked. Check if an old process using the old token is running if this happens.
 
 **Upstream API**: [GitLab REST API](https://docs.gitlab.com/ee/api/group_access_tokens.html)
 
@@ -40,23 +46,32 @@ resource "gitlab_group_variable" "example" {
 
 ### Required
 
-- `expires_at` (String) The token expires at midnight UTC on that date. The date must be in the format YYYY-MM-DD.
-- `group` (String) The ID or path of the group to add the group access token to.
+- `group` (String) The ID or full path of the group.
 - `name` (String) The name of the group access token.
-- `scopes` (Set of String) The scope for the group access token. It determines the actions which can be performed when authenticating with this token. Valid values are: `api`, `read_api`, `read_registry`, `write_registry`, `read_repository`, `write_repository`, `create_runner`.
+- `scopes` (Set of String) The scopes of the group access token. Valid values are: `api`, `read_api`, `read_user`, `k8s_proxy`, `read_registry`, `write_registry`, `read_repository`, `write_repository`, `create_runner`, `ai_features`, `k8s_proxy`, `read_observability`, `write_observability`
 
 ### Optional
 
-- `access_level` (String) The access level for the group access token. Valid values are: `guest`, `reporter`, `developer`, `maintainer`, `owner`.
+- `access_level` (String) The access level for the group access token. Valid values are: `no one`, `minimal`, `guest`, `reporter`, `developer`, `maintainer`, `owner`, `master`. Default is `maintainer`.
+- `expires_at` (String) When the token will expire, YYYY-MM-DD format.
+- `rotation_configuration` (Attributes) The configuration for when to rotate a token automatically. Will not rotate a token until `terraform apply` is run. (see [below for nested schema](#nestedatt--rotation_configuration))
 
 ### Read-Only
 
 - `active` (Boolean) True if the token is active.
 - `created_at` (String) Time the token has been created, RFC3339 format.
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of the group access token.
 - `revoked` (Boolean) True if the token is revoked.
-- `token` (String, Sensitive) The group access token. This is only populated when creating a new group access token. This attribute is not available for imported resources.
-- `user_id` (Number) The user id associated to the token.
+- `token` (String, Sensitive) The token of the group access token. **Note**: the token is not available for imported resources.
+- `user_id` (Number) The user_id associated to the token.
+
+<a id="nestedatt--rotation_configuration"></a>
+### Nested Schema for `rotation_configuration`
+
+Required:
+
+- `expiration_days` (Number) The duration (in days) the new token should be valid for.
+- `rotate_before_days` (Number) The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when `terraform apply` is run in that timeframe.
 
 ## Import
 
diff --git a/docs/resources/group_hook.md b/docs/resources/group_hook.md
index 6e200fb5f..4044e8605 100644
--- a/docs/resources/group_hook.md
+++ b/docs/resources/group_hook.md
@@ -57,6 +57,7 @@ resource "gitlab_group_hook" "all_attributes" {
 
 - `confidential_issues_events` (Boolean) Invoke the hook for confidential issues events.
 - `confidential_note_events` (Boolean) Invoke the hook for confidential notes events.
+- `custom_webhook_template` (String) Set a custom webhook template.
 - `deployment_events` (Boolean) Invoke the hook for deployment events.
 - `enable_ssl_verification` (Boolean) Enable ssl verification when invoking the hook.
 - `issues_events` (Boolean) Invoke the hook for issues events.
diff --git a/docs/resources/group_membership.md b/docs/resources/group_membership.md
index b73e24cef..0bc81d83e 100644
--- a/docs/resources/group_membership.md
+++ b/docs/resources/group_membership.md
@@ -39,6 +39,7 @@ resource "gitlab_group_membership" "test" {
 ### Optional
 
 - `expires_at` (String) Expiration date for the group membership. Format: `YYYY-MM-DD`
+- `member_role_id` (Number) The ID of a custom member role. Only available for Ultimate instances.
 - `skip_subresources_on_destroy` (Boolean) Whether the deletion of direct memberships of the removed member in subgroups and projects should be skipped. Only used during a destroy.
 - `unassign_issuables_on_destroy` (Boolean) Whether the removed member should be unassigned from any issues or merge requests inside a given group or project. Only used during a destroy.
 
diff --git a/docs/resources/group_protected_environment.md b/docs/resources/group_protected_environment.md
index 15b198730..b9f7dbac3 100644
--- a/docs/resources/group_protected_environment.md
+++ b/docs/resources/group_protected_environment.md
@@ -151,6 +151,7 @@ Optional:
 
 - `access_level` (String) Levels of access required to deploy to this protected environment. Valid values are `developer`, `maintainer`.
 - `group_id` (Number) The ID of the group allowed to deploy to this protected environment. The group must be a sub-group under the given group.
+- `group_inheritance_type` (Number) Group inheritance allows deploy access levels to take inherited group membership into account. Valid values are `0`, `1`. `0` => Direct group membership only, `1` => All inherited groups. Default: `0`
 - `user_id` (Number) The ID of the user allowed to deploy to this protected environment. The user must be a member of the group with Maintainer role or higher.
 
 Read-Only:
@@ -166,6 +167,7 @@ Optional:
 
 - `access_level` (String) Levels of access allowed to approve a deployment to this protected environment. Valid values are `developer`, `maintainer`.
 - `group_id` (Number) The ID of the group allowed to approve a deployment to this protected environment. TThe group must be a sub-group under the given group. This is mutually exclusive with user_id.
+- `group_inheritance_type` (Number) Group inheritance allows access rules to take inherited group membership into account. Valid values are `0`, `1`. `0` => Direct group membership only, `1` => All inherited groups. Default: `0`
 - `required_approvals` (Number) The number of approval required to allow deployment to this protected environment. This is mutually exclusive with user_id.
 - `user_id` (Number) The ID of the user allowed to approve a deployment to this protected environment. The user must be a member of the group with Maintainer role or higher. This is mutually exclusive with group_id and required_approvals.
 
diff --git a/docs/resources/project.md b/docs/resources/project.md
index 8f541f901..ce555571d 100644
--- a/docs/resources/project.md
+++ b/docs/resources/project.md
@@ -160,7 +160,8 @@ resource "gitlab_project" "import_private" {
 - `container_registry_enabled` (Boolean, Deprecated) Enable container registry for the project.
 - `default_branch` (String) The default branch for the project.
 - `description` (String) A description of the project.
-- `emails_disabled` (Boolean) Disable email notifications.
+- `emails_disabled` (Boolean, Deprecated) Disable email notifications.
+- `emails_enabled` (Boolean) Enable email notifications.
 - `environments_access_level` (String) Set the environments access level. Valid values are `disabled`, `private`, `enabled`.
 - `external_authorization_classification_label` (String) The classification label for the project.
 - `feature_flags_access_level` (String) Set the feature flags access level. Valid values are `disabled`, `private`, `enabled`.
diff --git a/docs/resources/project_access_token.md b/docs/resources/project_access_token.md
index 1d1d1be26..51c2d3502 100644
--- a/docs/resources/project_access_token.md
+++ b/docs/resources/project_access_token.md
@@ -4,7 +4,9 @@ page_title: "gitlab_project_access_token Resource - terraform-provider-gitlab"
 subcategory: ""
 description: |-
   The gitlab_project_access_token resource allows to manage the lifecycle of a project access token.
-  ~>  Use of the timestamp() function with expires_at will cause the resource to be re-created with every apply, it's recommended to use plantimestamp() or a static value instead.
+  ~> Observability scopes are in beta and may not work on all instances. See more details in the documentation https://docs.gitlab.com/ee/operations/tracing.html
+  ~> Use rotation_configuration to automatically rotate tokens instead of using timestamp() as timestamp will cause changes with every plan. terraform apply must still be run to rotate the token.
+  ~> Due to Automatic reuse detection https://docs.gitlab.com/ee/api/project_access_tokens.html#automatic-reuse-detection it's possible that a new Project Access Token will immediately be revoked. Check if an old process using the old token is running if this happens.
   Upstream API: GitLab API docs https://docs.gitlab.com/ee/api/project_access_tokens.html
 ---
 
@@ -12,7 +14,11 @@ description: |-
 
 The `gitlab_project_access_token` resource allows to manage the lifecycle of a project access token.
 
-~>  Use of the `timestamp()` function with expires_at will cause the resource to be re-created with every apply, it's recommended to use `plantimestamp()` or a static value instead.
+~> Observability scopes are in beta and may not work on all instances. See more details in [the documentation](https://docs.gitlab.com/ee/operations/tracing.html)
+
+~> Use `rotation_configuration` to automatically rotate tokens instead of using `timestamp()` as timestamp will cause changes with every plan. `terraform apply` must still be run to rotate the token.
+
+~> Due to [Automatic reuse detection](https://docs.gitlab.com/ee/api/project_access_tokens.html#automatic-reuse-detection) it's possible that a new Project Access Token will immediately be revoked. Check if an old process using the old token is running if this happens.
 
 **Upstream API**: [GitLab API docs](https://docs.gitlab.com/ee/api/project_access_tokens.html)
 
@@ -40,24 +46,33 @@ resource "gitlab_project_variable" "example" {
 
 ### Required
 
-- `expires_at` (String) Time the token will expire it, YYYY-MM-DD format.
-- `name` (String) A name to describe the project access token.
-- `project` (String) The id of the project to add the project access token to.
-- `scopes` (Set of String) The scope for the project access token. It determines the actions which can be performed when authenticating with this token. Valid values are: `api`, `read_api`, `read_registry`, `write_registry`, `read_repository`, `write_repository`, `create_runner`.
+- `name` (String) The name of the project access token.
+- `project` (String) The ID or full path of the project.
+- `scopes` (Set of String) The scopes of the project access token. valid values are: `api`, `read_api`, `read_user`, `k8s_proxy`, `read_registry`, `write_registry`, `read_repository`, `write_repository`, `create_runner`, `ai_features`, `k8s_proxy`, `read_observability`, `write_observability`
 
 ### Optional
 
 - `access_level` (String) The access level for the project access token. Valid values are: `no one`, `minimal`, `guest`, `reporter`, `developer`, `maintainer`, `owner`, `master`. Default is `maintainer`.
+- `expires_at` (String) When the token will expire, YYYY-MM-DD format. Is automatically set when `rotation_configuration` is used.
+- `rotation_configuration` (Attributes) The configuration for when to rotate a token automatically. Will not rotate a token until `terraform apply` is run. (see [below for nested schema](#nestedatt--rotation_configuration))
 
 ### Read-Only
 
 - `active` (Boolean) True if the token is active.
 - `created_at` (String) Time the token has been created, RFC3339 format.
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of the project access token.
 - `revoked` (Boolean) True if the token is revoked.
-- `token` (String, Sensitive) The secret token. **Note**: the token is not available for imported resources.
+- `token` (String, Sensitive) The token of the project access token. **Note**: the token is not available for imported resources.
 - `user_id` (Number) The user_id associated to the token.
 
+<a id="nestedatt--rotation_configuration"></a>
+### Nested Schema for `rotation_configuration`
+
+Required:
+
+- `expiration_days` (Number) The duration (in days) the new token should be valid for.
+- `rotate_before_days` (Number) The duration (in days) before the expiration when the token should be rotated. As an example, if set to 7 days, the token will rotate 7 days before the expiration date, but only when `terraform apply` is run in that timeframe.
+
 ## Import
 
 Import is supported using the following syntax:
diff --git a/docs/resources/project_hook.md b/docs/resources/project_hook.md
index ec0b4deb2..e56971154 100644
--- a/docs/resources/project_hook.md
+++ b/docs/resources/project_hook.md
@@ -35,6 +35,7 @@ resource "gitlab_project_hook" "example" {
 
 - `confidential_issues_events` (Boolean) Invoke the hook for confidential issues events.
 - `confidential_note_events` (Boolean) Invoke the hook for confidential notes events.
+- `custom_webhook_template` (String) Set a custom webhook template.
 - `deployment_events` (Boolean) Invoke the hook for deployment events.
 - `enable_ssl_verification` (Boolean) Enable ssl verification when invoking the hook.
 - `issues_events` (Boolean) Invoke the hook for issues events.
diff --git a/docs/resources/project_protected_environment.md b/docs/resources/project_protected_environment.md
index 87f6fb11e..5747f8280 100644
--- a/docs/resources/project_protected_environment.md
+++ b/docs/resources/project_protected_environment.md
@@ -149,6 +149,7 @@ Optional:
 
 - `access_level` (String) Levels of access allowed to approve a deployment to this protected environment. Valid values are `developer`, `maintainer`.
 - `group_id` (Number) The ID of the group allowed to approve a deployment to this protected environment. The project must be shared with the group. This is mutually exclusive with user_id.
+- `group_inheritance_type` (Number) Group inheritance allows deploy access levels to take inherited group membership into account. Valid values are `0`, `1`. `0` => Direct group membership only, `1` => All inherited groups. Default: `0`
 - `required_approvals` (Number) The number of approval required to allow deployment to this protected environment. This is mutually exclusive with user_id.
 - `user_id` (Number) The ID of the user allowed to approve a deployment to this protected environment. The user must be a member of the project. This is mutually exclusive with group_id and required_approvals.
 
@@ -165,6 +166,7 @@ Optional:
 
 - `access_level` (String) Levels of access required to deploy to this protected environment. Valid values are `developer`, `maintainer`.
 - `group_id` (Number) The ID of the group allowed to deploy to this protected environment. The project must be shared with the group.
+- `group_inheritance_type` (Number) Group inheritance allows deploy access levels to take inherited group membership into account. Valid values are `0`, `1`. `0` => Direct group membership only, `1` => All inherited groups. Default: `0`
 - `user_id` (Number) The ID of the user allowed to deploy to this protected environment. The user must be a member of the project.
 
 Read-Only: