Update GCP SA roles to allow listing clusters/instances for CIEM at Org level (#9)

ravinadhruve10 · web-flow · commit 7300458cc8f4 · 2023-10-25T17:42:00.000-07:00
diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf
@@ -37,7 +37,7 @@ resource "google_organization_iam_member" "cloudasset_viewer" {
 # role permissions for CIEM (GCP Predefined Roles for Sysdig Cloud Identity Management)
 #---------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "identity_mgmt" {
-  for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer"]) : []
+  for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
 
   org_id = data.google_organization.org[0].org_id
   role   = each.key
