From 03359e9aef478f62382e85a60113eb4d011bca10 Mon Sep 17 00:00:00 2001
From: Haresh Suresh <39659445+haresh-suresh@users.noreply.github.com>
Date: Mon, 28 Oct 2024 10:51:56 -0700
Subject: [PATCH] SSPROD-48773: set right organizational level roles for CIEM (#47)

---
 modules/config-posture/organizational.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
index f3f9a87..0d09f99 100644
--- a/modules/config-posture/organizational.tf
+++ b/modules/config-posture/organizational.tf
@@ -16,7 +16,7 @@ data "google_organization" "org" {
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cspm" {
   # adding ciem role with permissions to the service account alongside cspm roles
-  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
   org_id = data.google_organization.org[0].org_id
   role = each.key