Remove unnecessary WorkloadIdentity role from CSPM Project member (#78)

ravinadhruve10 · web-flow · commit 0bbe04670a9e · 2025-11-13T16:23:56.000-08:00
The WorkloadIdentity role is assigned with SA membership directly on
the Service Account for WIF auth. It is not needed for project level
membership as well.

Testing done:
---------------
Validated this with a live install.
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -64,7 +64,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
 #---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "cspm" {
   # adding ciem role with permissions to the service account alongside cspm roles
-  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
 
   project = var.project_id
   role    = each.key
