Removes org browser role, adds compute viewe role

amandakarina · amandakarina · commit dda2fcf49f5d · 2025-04-29T11:35:32.000-03:00
diff --git a/4-appfactory/modules/app-group-baseline/main.tf b/4-appfactory/modules/app-group-baseline/main.tf
@@ -27,7 +27,8 @@ locals {
         "roles/storage.admin", "roles/iam.serviceAccountAdmin",
         "roles/artifactregistry.admin", "roles/clouddeploy.admin",
         "roles/cloudbuild.builds.editor", "roles/resourcemanager.projectIamAdmin",
-        "roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin"
+        "roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin",
+        "roles/compute.viewer"
       ]
     } },
     {
@@ -38,7 +39,6 @@ locals {
     }
   )
 
-  org_ids             = distinct([for env in var.envs : env.org_id])
   use_csr             = var.cloudbuildv2_repository_config.repo_type == "CSR"
   service_repo_name   = var.cloudbuildv2_repository_config.repositories[var.service_name].repository_name
   worker_pool_project = element(split("/", var.workerpool_id), index(split("/", var.workerpool_id), "projects") + 1, )
@@ -253,13 +253,6 @@ resource "google_service_account_iam_member" "account_access" {
   member             = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
 }
 
-resource "google_organization_iam_member" "builder_organization_browser" {
-  for_each = toset(local.org_ids)
-  member   = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
-  org_id   = each.value
-  role     = "roles/browser"
-}
-
 // Create infra project
 module "app_infra_project" {
   source   = "terraform-google-modules/project-factory/google"

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,8 @@ locals {`
`27`	`27`	`"roles/storage.admin", "roles/iam.serviceAccountAdmin",`
`28`	`28`	`"roles/artifactregistry.admin", "roles/clouddeploy.admin",`
`29`	`29`	`"roles/cloudbuild.builds.editor", "roles/resourcemanager.projectIamAdmin",`
`30`		`- "roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin"`
	`30`	`+ "roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin",`
	`31`	`+ "roles/compute.viewer"`
`31`	`32`	`]`
`32`	`33`	`} },`
`33`	`34`	`{`
`@@ -38,7 +39,6 @@ locals {`
`38`	`39`	`}`
`39`	`40`	`)`
`40`	`41`
`41`		`- org_ids = distinct([for env in var.envs : env.org_id])`
`42`	`42`	`use_csr = var.cloudbuildv2_repository_config.repo_type == "CSR"`
`43`	`43`	`service_repo_name = var.cloudbuildv2_repository_config.repositories[var.service_name].repository_name`
`44`	`44`	`worker_pool_project = element(split("/", var.workerpool_id), index(split("/", var.workerpool_id), "projects") + 1, )`
`@@ -253,13 +253,6 @@ resource "google_service_account_iam_member" "account_access" {`
`253`	`253`	`member = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"`
`254`	`254`	`}`
`255`	`255`
`256`		`-resource "google_organization_iam_member" "builder_organization_browser" {`
`257`		`- for_each = toset(local.org_ids)`
`258`		`- member = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"`
`259`		`- org_id = each.value`
`260`		`- role = "roles/browser"`
`261`		`-}`
`262`		`-`
`263`	`256`	`// Create infra project`
`264`	`257`	`module "app_infra_project" {`
`265`	`258`	`source = "terraform-google-modules/project-factory/google"`