Make policyReader binding additive in bootstrap (#2470)

GoogleCloudPlatform · Aug 6, 2024 · 89333a5 · 89333a5
1 parent b3efa95
commit 89333a5
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
@@ -156,7 +156,6 @@ locals {
     }
     (module.automation-tf-resman-r-sa.iam_email) = {
       authoritative = [
-        "roles/accesscontextmanager.policyReader",
         "roles/essentialcontacts.viewer",
         "roles/logging.viewer",
         "roles/resourcemanager.folderViewer",
@@ -165,6 +164,7 @@ locals {
       ]
       additive = concat(
         [
+          "roles/accesscontextmanager.policyReader",
           # the organizationAdminViewer custom role is granted via the SA module
           "roles/orgpolicy.policyViewer"
         ],

diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -379,9 +379,9 @@ counts:
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
-  google_organization_iam_binding: 29
+  google_organization_iam_binding: 28
   google_organization_iam_custom_role: 9
-  google_organization_iam_member: 41
+  google_organization_iam_member: 42
   google_project: 3
   google_project_iam_audit_config: 1
   google_project_iam_binding: 19

diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -20,9 +20,9 @@ counts:
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
-  google_organization_iam_binding: 29
+  google_organization_iam_binding: 28
   google_organization_iam_custom_role: 9
-  google_organization_iam_member: 28
+  google_organization_iam_member: 29
   google_project: 3
   google_project_iam_audit_config: 1
   google_project_iam_binding: 19