read-only resman sa roles

GoogleCloudPlatform · Dec 18, 2023 · 42df43c · 42df43c
1 parent c0bccf6
commit 42df43c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf
@@ -257,6 +257,14 @@ module "automation-tf-resman-r-sa" {
       }
     }
   )
+  # we grant organization roles here as IAM bindings have precedence over
+  # custom roles in the organization module, so these need to depend on it
+  iam_organization_roles = {
+    (var.organization.id) = [
+      module.organization.custom_role_id["organization_admin_viewer"],
+      module.organization.custom_role_id["tag_viewer"]
+    ]
+  }
   iam_storage_roles = {
     (module.automation-tf-output-gcs.name) = [module.organization.custom_role_id["storage_viewer"]]
   }

diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
@@ -115,13 +115,13 @@ locals {
     }
     (module.automation-tf-bootstrap-r-sa.iam_email) = {
       authoritative = [
-        # the organizationAdminViewer custom role is granted via the SA module
         "roles/logging.viewer",
         "roles/resourcemanager.folderViewer",
         "roles/resourcemanager.tagViewer"
       ]
       additive = concat(
         [
+          # the organizationAdminViewer custom role is granted via the SA module
           "roles/iam.organizationRoleViewer",
           "roles/orgpolicy.policyViewer"
         ],
@@ -155,6 +155,7 @@ locals {
       ]
       additive = concat(
         [
+          # the organizationAdminViewer custom role is granted via the SA module
           "roles/orgpolicy.policyViewer"
         ],
         local.billing_mode != "org" ? [] : [