From 3288d736e92952fb4cd4a869e0e5bb238f03a9e4 Mon Sep 17 00:00:00 2001
From: Alex Ostapenko <aostapenko@google.com>
Date: Mon, 15 May 2023 12:04:03 +0200
Subject: [PATCH] fixed permissions for security stage SA

it should be able to use automation project
as a quota project, hence it needs `serviceusage.serviceUsageConsumer`
role
---
 fast/stages/1-resman/branch-security.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fast/stages/1-resman/branch-security.tf b/fast/stages/1-resman/branch-security.tf
index 8e638a1a3b..31a833dc5e 100644
--- a/fast/stages/1-resman/branch-security.tf
+++ b/fast/stages/1-resman/branch-security.tf
@@ -59,6 +59,11 @@ module "branch-security-sa" {
       try(module.branch-security-sa-cicd.0.iam_email, null)
     ])
   }
+  iam_project_roles = {
+    (var.automation.project_id) = [
+      "roles/serviceusage.serviceUsageConsumer",
+    ]
+  }
   iam_storage_roles = {
     (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
   }