SSPROD-48612: add ciem roles to cspm svc acct org case (#46)

haresh-suresh · web-flow · commit 0cc57975744f · 2024-10-24T13:18:04.000-07:00
* SSPROD-48612: add ciem roles to cspm svc acct org case

* rm ciem roles from pub sub integrations
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
@@ -15,7 +15,8 @@ data "google_organization" "org" {
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cspm" {
-  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : []
+  # adding ciem role with permissions to the service account alongside cspm roles
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
 
   org_id = data.google_organization.org[0].org_id
   role   = each.key
diff --git a/modules/integrations/pub-sub/organizational.tf b/modules/integrations/pub-sub/organizational.tf
@@ -83,13 +83,4 @@ resource "google_organization_iam_member" "custom" {
   org_id = data.google_organization.org[0].org_id
   role   = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id
   member = "serviceAccount:${google_service_account.push_auth.email}"
-}
-
-# adding ciem role with permissions to the service account for org
-resource "google_organization_iam_member" "identity_mgmt" {
-  for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
-
-  org_id = data.google_organization.org[0].org_id
-  role   = each.key
-  member = "serviceAccount:${google_service_account.push_auth.email}"
 }
