From 253a9628e1c67d5fb1feeb8b84817e85dd9fb86b Mon Sep 17 00:00:00 2001 From: Gerard Toonstra Date: Wed, 20 Mar 2024 11:08:20 +0100 Subject: [PATCH] fix: Allow support admin access to cluster --- iam.tf | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/iam.tf b/iam.tf index 1347db9..da0635b 100644 --- a/iam.tf +++ b/iam.tf @@ -4,11 +4,8 @@ locals { viewer_role = var.restricted_viewer_role ? "roles/viewer" : "roles/compute.viewer" - project_roles = var.restricted_roles ? [ - "${var.project_id}=>roles/secretmanager.secretAccessor" - ] : [ + project_roles = var.restricted_roles ? [] : [ "${var.project_id}=>${local.viewer_role}", - "${var.project_id}=>roles/secretmanager.secretAccessor" ] } @@ -32,10 +29,10 @@ module "project-iam-bindings" { "roles/iap.tunnelResourceAccessor" = [ "group:datafold-onprem-support@datafold.com" ] - "roles/secretmanager.secretAccessor" = [ + "roles/container.admin" = [ "group:datafold-onprem-support@datafold.com" ] - "roles/iam.serviceAccountUser" = [ + "roles/container.clusterAdmin" = [ "group:datafold-onprem-support@datafold.com" ] }
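Review bot: The two new bindings in the `module "project-iam-bindings"` hunk give an external support group (`group:datafold-onprem-support@datafold.com`) standing, project-wide Kubernetes Engine admin rights, which covers every cluster in the project and — under `roles/container.admin` — full control of Kubernetes API objects, not just cluster management; per the GCP role definitions `roles/container.admin` appears to already include everything in `roles/container.clusterAdmin`, so the second binding looks redundant and only widens the surface to reason about. If admin really is required for support, I would keep a single `"roles/container.admin"` entry and attach an IAM condition that bounds it (an expiry via `request.time` or a resource-name condition scoped to the support cluster), or at minimum document why a time-unbounded grant is acceptable with a comment such as `# Support group needs full GKE admin for break-glass troubleshooting; review before renewing` above the binding. The `restricted_roles` toggle in the first hunk now yields `[]`, so note that these group bindings are granted unconditionally regardless of that variable — worth confirming that is intended. The module block this hunk edits starts and ends outside the hunk, so I cannot see whether other bindings in it are already conditioned.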