diff --git a/.changelog/9401.txt b/.changelog/9401.txt
new file mode 100644
index 00000000000..a88f22800f3
--- /dev/null
+++ b/.changelog/9401.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+containerattached: added `proxy_config` field to `google_container_attached_cluster` resource
+```
diff --git a/google/services/containerattached/resource_container_attached_cluster.go b/google/services/containerattached/resource_container_attached_cluster.go
index f2a60f079f8..e021ede70b5 100644
--- a/google/services/containerattached/resource_container_attached_cluster.go
+++ b/google/services/containerattached/resource_container_attached_cluster.go
@@ -276,6 +276,36 @@ than 255 UTF-8 encoded bytes.`,
 					},
 				},
 			},
+			"proxy_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Support for proxy configuration.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kubernetes_secret": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `The Kubernetes Secret resource that contains the HTTP(S) proxy configuration.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"name": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: `Name of the kubernetes secret containing the proxy config.`,
+									},
+									"namespace": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: `Namespace of the kubernetes secret containing the proxy config.`,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			"cluster_region": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -446,6 +476,12 @@ func resourceContainerAttachedClusterCreate(d *schema.ResourceData, meta interfa
 	} else if v, ok := d.GetOkExists("binary_authorization"); !tpgresource.IsEmptyValue(reflect.ValueOf(binaryAuthorizationProp)) && (ok || !reflect.DeepEqual(v, binaryAuthorizationProp)) {
 		obj["binaryAuthorization"] = binaryAuthorizationProp
 	}
+	proxyConfigProp, err := expandContainerAttachedClusterProxyConfig(d.Get("proxy_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("proxy_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(proxyConfigProp)) && (ok || !reflect.DeepEqual(v, proxyConfigProp)) {
+		obj["proxyConfig"] = proxyConfigProp
+	}
 	annotationsProp, err := expandContainerAttachedClusterEffectiveAnnotations(d.Get("effective_annotations"), d, config)
 	if err != nil {
 		return err
@@ -627,6 +663,9 @@ func resourceContainerAttachedClusterRead(d *schema.ResourceData, meta interface
 	if err := d.Set("binary_authorization", flattenContainerAttachedClusterBinaryAuthorization(res["binaryAuthorization"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Cluster: %s", err)
 	}
+	if err := d.Set("proxy_config", flattenContainerAttachedClusterProxyConfig(res["proxyConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Cluster: %s", err)
+	}
 	if err := d.Set("effective_annotations", flattenContainerAttachedClusterEffectiveAnnotations(res["annotations"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Cluster: %s", err)
 	}
@@ -698,6 +737,12 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	} else if v, ok := d.GetOkExists("binary_authorization"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, binaryAuthorizationProp)) {
 		obj["binaryAuthorization"] = binaryAuthorizationProp
 	}
+	proxyConfigProp, err := expandContainerAttachedClusterProxyConfig(d.Get("proxy_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("proxy_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, proxyConfigProp)) {
+		obj["proxyConfig"] = proxyConfigProp
+	}
 	annotationsProp, err := expandContainerAttachedClusterEffectiveAnnotations(d.Get("effective_annotations"), d, config)
 	if err != nil {
 		return err
@@ -745,6 +790,10 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 		updateMask = append(updateMask, "binaryAuthorization")
 	}
 
+	if d.HasChange("proxy_config") {
+		updateMask = append(updateMask, "proxyConfig")
+	}
+
 	if d.HasChange("effective_annotations") {
 		updateMask = append(updateMask, "annotations")
 	}
@@ -771,9 +820,13 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	if d.HasChange("binary_authorization") {
 		newUpdateMask = append(newUpdateMask, "binary_authorization.evaluation_mode")
 	}
+	if d.HasChange("proxy_config") {
+		newUpdateMask = append(newUpdateMask, "proxy_config.kubernetes_secret.name")
+		newUpdateMask = append(newUpdateMask, "proxy_config.kubernetes_secret.namespace")
+	}
 	// Pull out any other set fields from the generated mask.
 	for _, mask := range updateMask {
-		if mask == "authorization" || mask == "loggingConfig" || mask == "monitoringConfig" || mask == "binaryAuthorization" {
+		if mask == "authorization" || mask == "loggingConfig" || mask == "monitoringConfig" || mask == "binaryAuthorization" || mask == "proxyConfig" {
 			continue
 		}
 		newUpdateMask = append(newUpdateMask, mask)
@@ -1175,6 +1228,42 @@ func flattenContainerAttachedClusterBinaryAuthorizationEvaluationMode(v interfac
 	return v
 }
 
+func flattenContainerAttachedClusterProxyConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["kubernetes_secret"] =
+		flattenContainerAttachedClusterProxyConfigKubernetesSecret(original["kubernetesSecret"], d, config)
+	return []interface{}{transformed}
+}
+func flattenContainerAttachedClusterProxyConfigKubernetesSecret(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["name"] =
+		flattenContainerAttachedClusterProxyConfigKubernetesSecretName(original["name"], d, config)
+	transformed["namespace"] =
+		flattenContainerAttachedClusterProxyConfigKubernetesSecretNamespace(original["namespace"], d, config)
+	return []interface{}{transformed}
+}
+func flattenContainerAttachedClusterProxyConfigKubernetesSecretName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenContainerAttachedClusterProxyConfigKubernetesSecretNamespace(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenContainerAttachedClusterEffectiveAnnotations(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1448,6 +1537,59 @@ func expandContainerAttachedClusterBinaryAuthorizationEvaluationMode(v interface
 	return v, nil
 }
 
+func expandContainerAttachedClusterProxyConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedKubernetesSecret, err := expandContainerAttachedClusterProxyConfigKubernetesSecret(original["kubernetes_secret"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKubernetesSecret); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["kubernetesSecret"] = transformedKubernetesSecret
+	}
+
+	return transformed, nil
+}
+
+func expandContainerAttachedClusterProxyConfigKubernetesSecret(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedName, err := expandContainerAttachedClusterProxyConfigKubernetesSecretName(original["name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["name"] = transformedName
+	}
+
+	transformedNamespace, err := expandContainerAttachedClusterProxyConfigKubernetesSecretNamespace(original["namespace"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedNamespace); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["namespace"] = transformedNamespace
+	}
+
+	return transformed, nil
+}
+
+func expandContainerAttachedClusterProxyConfigKubernetesSecretName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandContainerAttachedClusterProxyConfigKubernetesSecretNamespace(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandContainerAttachedClusterEffectiveAnnotations(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil
diff --git a/google/services/containerattached/resource_container_attached_cluster_generated_test.go b/google/services/containerattached/resource_container_attached_cluster_generated_test.go
index 24672217cdd..c541dca3c16 100644
--- a/google/services/containerattached/resource_container_attached_cluster_generated_test.go
+++ b/google/services/containerattached/resource_container_attached_cluster_generated_test.go
@@ -151,6 +151,12 @@ resource "google_container_attached_cluster" "primary" {
   binary_authorization {
     evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
   }
+  proxy_config {
+    kubernetes_secret {
+      name = "proxy-config"
+      namespace = "default"
+    }
+  }
 }
 `, context)
 }
diff --git a/google/services/containerattached/resource_container_attached_cluster_update_test.go b/google/services/containerattached/resource_container_attached_cluster_update_test.go
index f25a694b24d..9cde80fefb1 100644
--- a/google/services/containerattached/resource_container_attached_cluster_update_test.go
+++ b/google/services/containerattached/resource_container_attached_cluster_update_test.go
@@ -96,6 +96,12 @@ resource "google_container_attached_cluster" "primary" {
   binary_authorization {
     evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
   }
+  proxy_config {
+    kubernetes_secret {
+      name = "proxy-config"
+      namespace = "default"
+    }
+  }
 }
 `, context)
 }
@@ -138,6 +144,12 @@ resource "google_container_attached_cluster" "primary" {
   binary_authorization {
     evaluation_mode = "DISABLED"
   }
+  proxy_config {
+    kubernetes_secret {
+      name = "new-proxy-config"
+      namespace = "custom-ns"
+    }
+  }
   lifecycle {
     prevent_destroy = true
   }
@@ -185,6 +197,12 @@ resource "google_container_attached_cluster" "primary" {
   binary_authorization {
     evaluation_mode = "DISABLED"
   }
+  proxy_config {
+    kubernetes_secret {
+      name = "new-proxy-config"
+      namespace = "custom-ns"
+    }
+  }
 }
 `, context)
 }
diff --git a/website/docs/r/container_attached_cluster.html.markdown b/website/docs/r/container_attached_cluster.html.markdown
index 82e05eb4d92..86a97d39c8d 100644
--- a/website/docs/r/container_attached_cluster.html.markdown
+++ b/website/docs/r/container_attached_cluster.html.markdown
@@ -112,6 +112,12 @@ resource "google_container_attached_cluster" "primary" {
   binary_authorization {
     evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
   }
+  proxy_config {
+    kubernetes_secret {
+      name = "proxy-config"
+      namespace = "default"
+    }
+  }
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
@@ -252,6 +258,11 @@ The following arguments are supported:
   Binary Authorization configuration.
   Structure is [documented below](#nested_binary_authorization).
 
+* `proxy_config` -
+  (Optional)
+  Support for proxy configuration.
+  Structure is [documented below](#nested_proxy_config).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
@@ -311,6 +322,24 @@ The following arguments are supported:
   Configure Binary Authorization evaluation mode.
   Possible values are: `DISABLED`, `PROJECT_SINGLETON_POLICY_ENFORCE`.
 
+<a name="nested_proxy_config"></a>The `proxy_config` block supports:
+
+* `kubernetes_secret` -
+  (Optional)
+  The Kubernetes Secret resource that contains the HTTP(S) proxy configuration.
+  Structure is [documented below](#nested_kubernetes_secret).
+
+
+<a name="nested_kubernetes_secret"></a>The `kubernetes_secret` block supports:
+
+* `name` -
+  (Required)
+  Name of the kubernetes secret containing the proxy config.
+
+* `namespace` -
+  (Required)
+  Namespace of the kubernetes secret containing the proxy config.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: