SSPROD-48773: set right organizational level roles for CIEM (#47)

sysdiglabs · Oct 28, 2024 · 03359e9 · 03359e9
1 parent 0cc5797
commit 03359e9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
@@ -16,7 +16,7 @@ data "google_organization" "org" {
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cspm" {
   # adding ciem role with permissions to the service account alongside cspm roles
-  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
 
   org_id = data.google_organization.org[0].org_id
   role   = each.key