diff --git a/backend_service_tls_settings/main.tf b/backend_service_tls_settings/main.tf
index 244d5ec6..1007dc26 100644
--- a/backend_service_tls_settings/main.tf
+++ b/backend_service_tls_settings/main.tf
@@ -5,15 +5,13 @@ resource "google_compute_backend_service" "default" {
 protocol = "HTTPS"
 tls_settings {
 sni = "example.com"
- subjectAltNames = [
- {
+ subject_alt_names {
 dns_name = "example.com"
- },
- {
+ }
+ subject_alt_names {
 uniform_resource_identifier = "https://example.com"
- }
- ]
- authentication_config = [google_network_security_backend_authentication_config.default.id]
+ }
+ authentication_config = "//networksecurity.googleapis.com/${google_network_security_backend_authentication_config.default.id}"
 }
 }
diff --git a/network_security_backend_authentication_config_basic/backing_file.tf b/network_security_backend_authentication_config_basic/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/network_security_backend_authentication_config_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/network_security_backend_authentication_config_basic/main.tf b/network_security_backend_authentication_config_basic/main.tf
new file mode 100644
index 00000000..74d9a697
--- /dev/null
+++ b/network_security_backend_authentication_config_basic/main.tf
@@ -0,0 +1,8 @@
+resource "google_network_security_backend_authentication_config" "default" {
+ name = "my-backend-authentication-config-${local.name_suffix}"
+ labels = {
+ foo = "bar"
+ }
+ description = "my description"
+ well_known_roots = "PUBLIC_ROOTS"
+}
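Review bot: The `tls_settings` block in backend_service_tls_settings/main.tf sets both `sni` and two `subject_alt_names` entries without saying which of them the load balancer checks the backend certificate against. As I read the Compute API documentation, when both are present the certificate's SAN is matched only against the `subject_alt_names` list and any one matching entry is enough, so the URI entry alone could satisfy the check; that should be confirmed and then stated in a comment such as `# backend cert must present at least one of these SANs; sni is sent but not used for matching when subject_alt_names is set`. A second comment on the `authentication_config` line explaining why the `//networksecurity.googleapis.com/` prefix is prepended to the resource id would help readers who copy the example. The enclosing `google_compute_backend_service` resource starts above the hunk.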
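Review bot: network_security_backend_authentication_config_basic/backing_file.tf declares `provider "google"` and a `random_pet` resource but no `terraform { required_providers { ... } }` block, so the `terraform init` step that tutorial.md tells the reader to run resolves whatever provider versions are current at that moment. For an example that provisions TLS trust settings, I would pin the provider sources and versions and commit the resulting `.terraform.lock.hcl` so the downloaded provider packages are checked against recorded hashes. The same applies to the identical file under network_security_backend_authentication_config_full. The version constraints in the sketch below are placeholders, not values taken from this repository.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "<PINNED_GOOGLE_PROVIDER_VERSION>" # placeholder
    }
    random = {
      source  = "hashicorp/random"
      version = "<PINNED_RANDOM_PROVIDER_VERSION>" # placeholder
    }
  }
}

# ... unchanged: locals, random_pet.suffix, provider "google" ...
```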
diff --git a/network_security_backend_authentication_config_basic/motd b/network_security_backend_authentication_config_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/network_security_backend_authentication_config_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/network_security_backend_authentication_config_basic/tutorial.md b/network_security_backend_authentication_config_basic/tutorial.md
new file mode 100644
index 00000000..41022162
--- /dev/null
+++ b/network_security_backend_authentication_config_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Network Security Backend Authentication Config Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/network_security_backend_authentication_config_full/backing_file.tf b/network_security_backend_authentication_config_full/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/network_security_backend_authentication_config_full/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/network_security_backend_authentication_config_full/main.tf b/network_security_backend_authentication_config_full/main.tf
new file mode 100644
index 00000000..7c69497c
--- /dev/null
+++ b/network_security_backend_authentication_config_full/main.tf
@@ -0,0 +1,43 @@
+resource "google_certificate_manager_certificate" "certificate" {
+ name = "my-certificate-${local.name_suffix}"
+ labels = {
+ foo = "bar"
+ }
+ location = "global"
+ self_managed {
+ pem_certificate = file("test-fixtures/cert.pem")
+ pem_private_key = file("test-fixtures/key.pem")
+ }
+ scope = "CLIENT_AUTH"
+}
+
+resource "google_certificate_manager_trust_config" "trust_config" {
+ name = "my-trust-config-${local.name_suffix}"
+ description = "sample description for the trust config"
+ location = "global"
+
+ trust_stores {
+ trust_anchors {
+ pem_certificate = file("test-fixtures/cert.pem")
+ }
+ intermediate_cas {
+ pem_certificate = file("test-fixtures/cert.pem")
+ }
+ }
+
+ labels = {
+ foo = "bar"
+ }
+}
+
+resource "google_network_security_backend_authentication_config" "default" {
+ name = "my-backend-authentication-config-${local.name_suffix}"
+ labels = {
+ bar = "foo"
+ }
+ location = "global"
+ description = "my description"
+ well_known_roots = "PUBLIC_ROOTS"
+ client_certificate = google_certificate_manager_certificate.certificate.id
+ trust_config = google_certificate_manager_trust_config.trust_config.id
+}
diff --git a/network_security_backend_authentication_config_full/motd b/network_security_backend_authentication_config_full/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
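Review bot: `pem_private_key = file("test-fixtures/key.pem")` in network_security_backend_authentication_config_full/main.tf reads a private key from a file in the example directory, and the value also ends up in Terraform state, so the example should say that only a throwaway fixture key belongs here and that the state file must be handled as a secret. The same `test-fixtures/cert.pem` is used as the client certificate, the trust anchor and the intermediate CA, which exercises the API but does not model a real chain; a comment such as `# placeholder: use the backend CA root here, not the client certificate` on `trust_anchors` would keep this from being copied as is. Setting `well_known_roots = "PUBLIC_ROOTS"` together with `trust_config` presumably accepts backend certificates that chain to either source; if only the private CA is meant to be trusted, that should be checked against the provider documentation. Neither fixture file is added in the part of the diff visible here.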
+++ b/network_security_backend_authentication_config_full/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/network_security_backend_authentication_config_full/tutorial.md b/network_security_backend_authentication_config_full/tutorial.md
new file mode 100644
index 00000000..4cccfeb3
--- /dev/null
+++ b/network_security_backend_authentication_config_full/tutorial.md
@@ -0,0 +1,79 @@
+# Network Security Backend Authentication Config Full - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```