diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index 3b642e1b2f..2b22c75fb9 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -108,6 +108,7 @@ locals {
 additive = concat(
 [
 "roles/iam.organizationRoleAdmin",
+ "roles/iam.workforcePoolAdmin",
 "roles/orgpolicy.policyAdmin"
 ],
 local.billing_mode != "org" ? [] : [
@@ -126,6 +127,7 @@ locals {
 [
 # the organizationAdminViewer custom role is granted via the SA module
 "roles/iam.organizationRoleViewer",
+ "roles/iam.workforcePoolViewer",
 "roles/orgpolicy.policyViewer"
 ],
 local.billing_mode != "org" ? [] : [
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index ec3e4f39f5..ffa04c1757 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -92,6 +92,12 @@ values:
 - group:gcp-security-admins@fast.example.com
 org_id: '123456789012'
 role: roles/iam.securityReviewer
+ module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
+ condition: [ ]
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
 module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
 condition: []
 members:
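Review bot: The new `roles/iam.workforcePoolAdmin` entry in the `additive` list carries no comment explaining why the bootstrap identities need it, whereas the viewer list in the next hunk documents its organizationRoleViewer grant. This role administers workforce identity pools and providers, i.e. which external identity providers may federate into the organization, so it is among the higher-impact grants in this list; the updated fixtures show it landing on both the `gcp-organization-admins` group and the `fast-prod-bootstrap-0` service account. A one-line comment above it, e.g. `# workforce pools live at the org level; needed to manage workforce identity federation`, would record the intent, and the same applies to the `roles/iam.workforcePoolViewer` entry in the second hunk. The enclosing `locals` block and the `concat(` expression both continue outside the hunk.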
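Review bot: The new fixture entry writes `condition: [ ]` with a space inside the brackets, while every neighbouring entry in this file uses `condition: []`; both parse to an empty list, but the mixed form will churn under Prettier/yamllint and makes grepping for unconditional bindings unreliable. Change it to `condition: []`. The same spacing appears twice more in the `google_organization_iam_member.bindings` hunk further down in this file.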
@@ -295,6 +301,16 @@ values:
 member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
 org_id: '123456789012'
 role: roles/iam.organizationRoleViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: [ ]
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: [ ]
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolViewer
 ? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"]
 : condition: []
 member: group:gcp-security-admins@fast.example.com
@@ -366,7 +382,7 @@ counts:
 google_org_policy_policy: 22
 google_organization_iam_binding: 28
 google_organization_iam_custom_role: 7
- google_organization_iam_member: 36
+ google_organization_iam_member: 38
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19
@@ -383,4 +399,4 @@ counts:
 google_tags_tag_key: 1
 google_tags_tag_value: 1
 modules: 18
- resources: 205
+ resources: 207
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index f3bb189e8b..89de01c2db 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -35,7 +35,6 @@ values:
 - group:gcp-support@example.com
 org_id: '123456789012'
 role: roles/monitoring.viewer
-counts:
 counts:
 google_bigquery_dataset: 1
 google_bigquery_default_service_account: 3
@@ -46,7 +45,7 @@ counts:
 google_org_policy_policy: 22
 google_organization_iam_binding: 28
 google_organization_iam_custom_role: 7
- google_organization_iam_member: 23
+ google_organization_iam_member: 25
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19
@@ -64,7 +63,7 @@ counts:
 google_tags_tag_value: 1
 local_file: 8
 modules: 17
- resources: 197
+ resources: 199
 outputs:
 custom_roles: