From ebece4e7c78136ea161d135c4bce66952d67db70 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 5 May 2021 22:54:55 -0400
Subject: [PATCH] infra/gcp/org: give org admins orgpolicy.policyAdmin role

---
 infra/gcp/ensure-organization.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh
index 00d22f17da8..1621f2021f0 100755
--- a/infra/gcp/ensure-organization.sh
+++ b/infra/gcp/ensure-organization.sh
@@ -52,6 +52,9 @@ org_role_bindings=(
 # https://cloud.google.com/storage/docs/access-control/iam-roles#basic-roles-intrinsic
 "group:k8s-infra-gcp-org-admins@kubernetes.io:roles/owner"
 "group:k8s-infra-gcp-org-admins@kubernetes.io:$(custom_org_role_name "organization.admin")"
+ # orgpolicy.policy.set is not allowed in custom roles, this is the only role that has it
+ "group:k8s-infra-gcp-org-admins@kubernetes.io:roles/orgpolicy.policyAdmin"
+
 # empower k8s-infra-prow-oncall@ to use GCP Console to navigate to their projects
 "group:k8s-infra-prow-oncall@kubernetes.io:roles/browser"
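Review bot: The new comment explains why a predefined role is used but not what the group needs `orgpolicy.policy.set` for or what the binding lets it do, and this is an organization-level grant: anyone in k8s-infra-gcp-org-admins@ can now change org policy constraints for every project under the org, which is a broader effect than the one permission the comment names. The group already holds roles/owner and the custom `organization.admin` role on the lines above, so the practical escalation is limited, but the reason should be recorded next to the binding, e.g. `# orgpolicy.policy.set is not allowed in custom roles; roles/orgpolicy.policyAdmin is the predefined role that carries it` followed by `# NOTE: this lets the group change org-level policy constraints, so review membership changes to this group accordingly`. It is also worth stating in the comment which org constraint(s) the admins need to manage, if that is known, since the predefined role presumably grants more than `orgpolicy.policy.set` alone. The `org_role_bindings` array starts before this hunk and continues after it, and the custom role referenced by `custom_org_role_name` is defined elsewhere in the file.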