fix: Grant role browser to the terraform service account for running …

…gcloud beta terraform vet (#818) * grant role browser to the terraform service account for running glcoud beta terraform vet * fix linting error * add role browser in test validation for step 0-bootstrap * add common_roles in SA creation
terraform-google-modules · Sep 23, 2022 · e80a504 · e80a504
1 parent 383eb06
commit e80a504
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
@@ -26,24 +26,30 @@ locals {
     "proj" = "Foundation Projects SA. Managed by Terraform.",
   }
 
+  common_roles = [
+    "roles/browser", // Required for gcloud beta terraform vet to be able to read the ancestry of folders
+  ]
+
   granular_sa_org_level_roles = {
-    "org" = [
+    "org" = distinct(concat([
       "roles/orgpolicy.policyAdmin",
       "roles/logging.configWriter",
       "roles/resourcemanager.organizationAdmin",
       "roles/securitycenter.notificationConfigEditor",
       "roles/resourcemanager.organizationViewer",
       "roles/accesscontextmanager.policyAdmin",
       "roles/essentialcontacts.admin",
-    ],
-    "net" = [
+    ], local.common_roles)),
+    "env" = distinct(concat([
+    ], local.common_roles)),
+    "net" = distinct(concat([
       "roles/accesscontextmanager.policyAdmin",
       "roles/compute.xpnAdmin",
-    ],
-    "proj" = [
+    ], local.common_roles)),
+    "proj" = distinct(concat([
       "roles/accesscontextmanager.policyAdmin",
-      "roles/serviceusage.serviceUsageConsumer"
-    ],
+      "roles/serviceusage.serviceUsageConsumer",
+    ], local.common_roles)),
   }
 
   granular_sa_parent_level_roles = {

diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
@@ -203,17 +203,22 @@ func TestBootstrap(t *testing.T) {
 					orgRoles: []string{
 						"roles/accesscontextmanager.policyAdmin",
 						"roles/serviceusage.serviceUsageConsumer",
+						"roles/browser",
 					},
 				},
 				{
 					output: "networks_step_terraform_service_account_email",
 					orgRoles: []string{
 						"roles/accesscontextmanager.policyAdmin",
 						"roles/compute.xpnAdmin",
+						"roles/browser",
 					},
 				},
 				{
 					output: "environment_step_terraform_service_account_email",
+					orgRoles: []string{
+						"roles/browser",
+					},
 				},
 				{
 					output: "organization_step_terraform_service_account_email",
@@ -224,6 +229,7 @@ func TestBootstrap(t *testing.T) {
 						"roles/securitycenter.notificationConfigEditor",
 						"roles/resourcemanager.organizationViewer",
 						"roles/accesscontextmanager.policyAdmin",
+						"roles/browser",
 					},
 				},
 			} {