From 2d0df00b28edf11289e7a3027ca60d7a287726df Mon Sep 17 00:00:00 2001
From: pp
Date: Fri, 8 Nov 2019 16:26:11 +0200
Subject: [PATCH] Reworked SA roles for old-projects cleanup.

---
 modules/project_cleanup/main.tf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/project_cleanup/main.tf b/modules/project_cleanup/main.tf
index 3c2bf608..416d4b3c 100644
--- a/modules/project_cleanup/main.tf
+++ b/modules/project_cleanup/main.tf
@@ -16,6 +16,11 @@ locals {
 target_included_labels = var.target_tag_name != "" && var.target_tag_value != "" ? merge({ "${var.target_tag_name}" = "${var.target_tag_value}" }, var.target_included_labels) : var.target_included_labels
+ org_roles = [
+ "roles/resourcemanager.projectDeleter",
+ "roles/resourcemanager.folderViewer",
+ "roles/resourcemanager.lienModifier"
+ ]
 }
 resource "google_service_account" "project_cleaner_function" {
@@ -25,8 +30,9 @@ resource "google_service_account" "project_cleaner_function" {
 }
 resource "google_organization_iam_member" "project_owner" {
+ count = length(local.org_roles)
 org_id = var.organization_id
- role = "roles/owner"
+ role = local.org_roles[count.index]
 member = "serviceAccount:${google_service_account.project_cleaner_function.email}"
 }
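Review bot: The new `org_roles` list in `locals` carries no comment explaining why exactly these three organization-level roles are the minimum the cleanup function needs, which is the whole point of dropping `roles/owner`, so the next person to touch it has nothing to check a future addition against. A short comment above the list would preserve that reasoning, for example `# Least-privilege replacement for roles/owner: the cleaner only needs to delete projects, remove the liens that block deletion, and read the folder tree it scans — do not widen without a documented need.` The lien and folder reasons are inferred from the role names rather than from anything in this hunk, so please confirm them against the function code before committing the wording. Keeping the list explicit in one place is good; the comment should also state that any new entry must be justified the same way.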
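Review bot: The resource is still named `project_owner` although it no longer grants `roles/owner`, and iterating with `count` ties each binding to a list position, so reordering or removing a role later re-indexes the remaining bindings and Terraform will destroy and recreate them, briefly leaving the function's service account without roles it still needs. Keying the bindings on the role string avoids that churn: `for_each = toset(local.org_roles)` and `role = each.value` in place of the `count` and `count.index` lines (this needs a Terraform version with resource `for_each`, which I cannot confirm from the hunk). Renaming the resource to something like `project_cleaner_org_roles` would make the reduced grant obvious in plans, but note it changes the state address, so the existing binding has to be moved in state rather than recreated. The `google_organization_iam_member` block is fully visible in the hunk.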