Adds missing roles, org_id var and update readme

Author: amandakarina

1-bootstrap/README.md

@@ -298,6 +298,7 @@ Within the repository, you'll find `backend.tf` files that define the GCS bucket
 | common\_folder\_id | Folder ID in which to create all application admin projects, must be prefixed with 'folders/' | `string` | n/a | yes |
 | envs | Environments | <pre>map(object({<br>    billing_account    = string<br>    folder_id          = string<br>    network_project_id = string<br>    network_self_link  = string<br>    org_id             = string<br>    subnets_self_links = list(string)<br>  }))</pre> | n/a | yes |
 | location | Location for build buckets. | `string` | `"us-central1"` | no |
+| org\_id | Organization ID | `string` | n/a | yes |
 | project\_id | Project ID for initial resources | `string` | n/a | yes |
 | tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "nonproduction",<br>  "production"<br>]</pre> | no |
 | trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"us-central1"` | no |

1-bootstrap/iam.tf

@@ -123,12 +123,12 @@ resource "google_folder_iam_member" "app_factory_project_creator" {
   folder = var.common_folder_id
 }
 
-resource "google_folder_iam_member" "app_factory_folder_viewer" {
-  for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj if obj.multitenant_pipeline == "applicationfactory" })
-
-  role   = "roles/resourcemanager.folderViewer"
-  member = "serviceAccount:${each.value.email}"
-  folder = var.common_folder_id
+// needed by terraform-vet to get parent folder
+resource "google_organization_iam_member" "app_factory_folder_viewer" {
+  for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj if obj.multitenant_pipeline == "applicationfactory"  })
+  role     = "roles/resourcemanager.folderViewer"
+  org_id   = var.org_id
+  member   = "serviceAccount:${each.value.email}"
 }
 
 resource "google_project_iam_member" "cloud_build_worker_pool_user" {
@@ -138,3 +138,10 @@ resource "google_project_iam_member" "cloud_build_worker_pool_user" {
   member  = "serviceAccount:${each.value}"
   project = local.worker_pool_project
 }
+
+resource "google_organization_iam_member" "policyAdmin_role" {
+  for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj })
+  role     = "roles/accesscontextmanager.policyAdmin"
+  org_id   = var.org_id
+  member   = "serviceAccount:${each.value.email}"
+}

1-bootstrap/variables.tf

@@ -179,3 +179,8 @@ variable "access_level_name" {
   type        = string
   default     = null
 }
+
+variable "org_id" {
+  description = "Organization ID"
+  type        = string
+}