(internal)Add serviceAccountTokenCreator for CSPM (#10)

mdkulkarni15 · web-flow · commit e73d0a3d5590 · 2023-10-30T14:57:29.000-07:00
* Add serviceAccountTokenCreator for CSPM

* Add to org
diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf
@@ -23,7 +23,7 @@ resource "google_project_iam_member" "browser" {
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "cloudasset_viewer" {
-  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer"])
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.serviceAccountTokenCreator"])
 
   project = var.project_id
   role    = each.key
diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf
@@ -26,7 +26,7 @@ resource "google_organization_iam_member" "browser" {
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cloudasset_viewer" {
-  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer"]) : []
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.serviceAccountTokenCreator"]) : []
 
   org_id = data.google_organization.org[0].org_id
   role   = each.key
