diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index bde1b21505..6227e5b4a6 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -156,7 +156,6 @@ locals {
 }
 (module.automation-tf-resman-r-sa.iam_email) = {
 authoritative = [
- "roles/accesscontextmanager.policyReader",
 "roles/essentialcontacts.viewer",
 "roles/logging.viewer",
 "roles/resourcemanager.folderViewer",
@@ -165,6 +164,7 @@ locals {
 ]
 additive = concat(
 [
+ "roles/accesscontextmanager.policyReader",
 # the organizationAdminViewer custom role is granted via the SA module
 "roles/orgpolicy.policyViewer"
 ],
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 61d5a41c1f..09f1cdb703 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -379,9 +379,9 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_policy: 22
- google_organization_iam_binding: 29
+ google_organization_iam_binding: 28
 google_organization_iam_custom_role: 9
- google_organization_iam_member: 41
+ google_organization_iam_member: 42
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 76a2521437..53e28ffe25 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -20,9 +20,9 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_policy: 22
- google_organization_iam_binding: 29
+ google_organization_iam_binding: 28
 google_organization_iam_custom_role: 9
- google_organization_iam_member: 28
+ google_organization_iam_member: 29
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19
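Review bot: The `"roles/accesscontextmanager.policyReader"` entry added to the `additive` list in the second hunk has no comment saying why it left `authoritative`, and the move has a security consequence worth recording. Once the role is no longer an authoritative binding, this stage stops owning its full organization-level member list, so grants of the role made elsewhere are no longer reverted on apply. I would add a line above the entry such as `# additive: members of this role are also managed outside this stage`, adjusted to the actual reason, which is not visible in the diff. If other holders of the role are expected, it is worth confirming that they are tracked by another stage or by periodic IAM review. The `locals` map this entry belongs to starts and ends outside the hunk.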