From ce31e7cd1ea3a0ae10b7de09129773730b9874ab Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Sun, 21 May 2023 10:23:12 +0200
Subject: [PATCH 1/2] add org admin conditional role to sandbox SA

---
 fast/stages/1-resman/branch-sandbox.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fast/stages/1-resman/branch-sandbox.tf b/fast/stages/1-resman/branch-sandbox.tf
index 33eae4f001..01ce09b345 100644
--- a/fast/stages/1-resman/branch-sandbox.tf
+++ b/fast/stages/1-resman/branch-sandbox.tf
@@ -60,3 +60,17 @@ module "branch-sandbox-sa" {
   display_name = "Terraform resman sandbox service account."
   prefix       = var.prefix
 }
+
+resource "google_organization_iam_member" "org_policy_admin_sandbox" {
+  count  = var.fast_features.project_factory ? 1 : 0
+  org_id = var.organization.id
+  role   = "roles/orgpolicy.policyAdmin"
+  member = module.branch-sandbox-sa.0.iam_email
+  condition {
+    title       = "org_policy_tag_sandbox_scoped"
+    description = "Org policy tag scoped grant for sandbox."
+    expression  = <<-END
+    resource.matchTag('${var.organization.id}/${var.tag_names.context}', 'sandbox')
+    END
+  }
+}

From 1c853e23ec74a5b5263b95411e6e494dbda51b56 Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Sun, 21 May 2023 10:27:37 +0200
Subject: [PATCH 2/2] tfdoc

---
 fast/stages/1-resman/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index afe0ba3c3b..00a3edfc9d 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -185,7 +185,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 | [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> |  |
 | [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> |  |
 | [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
-| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> |  |
+| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
 | [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> |  |
 | [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> |  |
 | [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> |  |