Remove privilegedaccessmanager roles

Author: amandakarina

4-appfactory/modules/app-group-baseline/main.tf

@@ -26,14 +26,14 @@ locals {
         "roles/browser", "roles/serviceusage.serviceUsageAdmin",
         "roles/storage.admin", "roles/iam.serviceAccountAdmin",
         "roles/artifactregistry.admin", "roles/clouddeploy.admin",
-        "roles/cloudbuild.builds.editor", "roles/privilegedaccessmanager.projectServiceAgent",
+        "roles/cloudbuild.builds.editor", "roles/resourcemanager.projectIamAdmin",
         "roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin"
       ]
     } },
     {
       for cluster_project_id in var.cluster_projects_ids : cluster_project_id => {
         project_id = cluster_project_id
-        roles      = ["roles/privilegedaccessmanager.projectServiceAgent"]
+        roles      = ["roles/resourcemanager.projectIamAdmin"]
       }
     }
   )
@@ -201,10 +201,10 @@ resource "google_project_iam_member" "worker_pool_builder_logging_writer" {
   role    = "roles/logging.logWriter"
 }
 
-resource "google_project_iam_member" "worker_pool_roles_privilegedaccessmanager_projectServiceAgent" {
+resource "google_project_iam_member" "worker_pool_roles_project_iam_admin" {
   member  = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
   project = local.worker_pool_project
-  role    = "roles/privilegedaccessmanager.projectServiceAgent"
+  role    = "roles/resourcemanager.projectIamAdmin"
 }
 
 resource "google_project_iam_member" "cloud_build_builder" {

examples/standalone_single_project/README.md

@@ -79,7 +79,7 @@ The entity used to deploy this examples must have the following roles at Project
 - Service Account Admin: `roles/iam.serviceAccountAdmin`
 - Service Account User: `roles/iam.serviceAccountUser`
 - Logging LogWriter: `roles/logging.logWriter`
-- Privileged Access Manager Project Service Agent: `roles/privilegedaccessmanager.projectServiceAgent`
+- Project IAM Admin: `roles/resourcemanager.projectIamAdmin`
 - Service Usage Admin: `roles/serviceusage.serviceUsageAdmin`
 - Source Repository Admin: `roles/source.admin` (if using CSR)
 - Storage Admin: `roles/storage.admin`
@@ -88,7 +88,7 @@ The entity used to deploy this examples must have the following roles at Project
 
 The entity used to deploy this examples must have the following roles at Organization level:
 
-- Privileged Access Manager Organization Service Agent: `roles/privilegedaccessmanager.organizationServiceAgent`
+- Organization Administrator: `roles/resourcemanager.organizationAdmin`
 - Access Context Manager Policy Admin: `roles/accesscontextmanager.policyAdmin`
 
 This example requires a Single network configured:

test/setup/iam.tf

@@ -20,7 +20,7 @@ locals {
     "roles/cloudbuild.workerPoolOwner",
     "roles/dns.admin",
     "roles/compute.networkAdmin",
-    "roles/privilegedaccessmanager.projectServiceAgent",
+    "roles/resourcemanager.projectIamAdmin",
     ] : [
     "roles/artifactregistry.admin",
     "roles/certificatemanager.owner",
@@ -39,7 +39,7 @@ locals {
     "roles/iam.serviceAccountAdmin",
     "roles/iam.serviceAccountUser",
     "roles/logging.logWriter",
-    "roles/privilegedaccessmanager.projectServiceAgent",
+    "roles/resourcemanager.projectIamAdmin",
     "roles/serviceusage.serviceUsageAdmin",
     "roles/source.admin",
     "roles/storage.admin",
@@ -89,13 +89,13 @@ resource "google_project_iam_member" "int_test_iam" {
   for_each = module.vpc_project
 
   project = each.value.project_id
-  role    = "roles/privilegedaccessmanager.projectServiceAgent"
+  role    = "roles/resourcemanager.projectIamAdmin"
   member  = "serviceAccount:${google_service_account.int_test[local.index].email}"
 }
 
 resource "google_organization_iam_member" "organizationServiceAgent_role" {
   org_id = var.org_id
-  role   = "roles/privilegedaccessmanager.organizationServiceAgent"
+  role   = "roles/resourcemanager.organizationAdmin"
   member = "serviceAccount:${google_service_account.int_test[local.index].email}"
 }