SSPROD-48773: set right organizational level roles for CIEM (#47)

haresh-suresh · web-flow · commit 03359e9aef47 · 2024-10-28T10:51:56.000-07:00
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
@@ -16,7 +16,7 @@ data "google_organization" "org" {
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cspm" {
   # adding ciem role with permissions to the service account alongside cspm roles
-  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
 
   org_id = data.google_organization.org[0].org_id
   role   = each.key
