From 4102e53588c77725f4fa5587eb21f5a77350e2be Mon Sep 17 00:00:00 2001
From: fenyvesi-levi
Date: Wed, 17 Sep 2025 15:37:07 +0200
Subject: [PATCH] Added 2 IAM roles for pf SA and updated test (#3333)
* Added 2 IAM roles for pf SA and updated test
* Updated role grant with condition
---
 fast/stages/0-org-setup/README.md | 2 +-
 .../0-org-setup/data/folders/networking/.config.yaml | 12 ++++++++++++
 fast/stages/0-org-setup/outputs.tf | 1 +
 tests/fast/stages/s0_org_setup/not-simple.yaml | 4 ++--
 4 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/fast/stages/0-org-setup/README.md b/fast/stages/0-org-setup/README.md
index 56cdbc917..78de81887 100644
--- a/fast/stages/0-org-setup/README.md
+++ b/fast/stages/0-org-setup/README.md
@@ -635,5 +635,5 @@ Define values for the `var.environments` variable in a tfvars file.
 | [iam_principals](outputs.tf#L17) | IAM principals. | |
 | [locations](outputs.tf#L22) | Default locations. | |
 | [projects](outputs.tf#L27) | Attributes for managed projects. | |
-| [tfvars](outputs.tf#L32) | Stage tfvars. | |
+| [tfvars](outputs.tf#L32) | Stage tfvars. | ✓ |
diff --git a/fast/stages/0-org-setup/data/folders/networking/.config.yaml b/fast/stages/0-org-setup/data/folders/networking/.config.yaml
index c40718b38..03ab7a8e1 100644
--- a/fast/stages/0-org-setup/data/folders/networking/.config.yaml
+++ b/fast/stages/0-org-setup/data/folders/networking/.config.yaml
@@ -31,6 +31,7 @@ iam_by_principals:
 - $custom_roles:service_project_network_admin
 $iam_principals:service_accounts/iac-0/iac-pf-ro:
 - roles/compute.viewer
+ - $custom_roles:project_iam_viewer
 iam_bindings:
 dp_dev_rw:
 members:
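Review bot: The `$custom_roles:project_iam_viewer` role added under the `iac-pf-ro` principal resolves to a custom role that is defined elsewhere, so from this hunk alone a reader cannot tell which permissions the read-only project-factory service account gains on the whole networking folder. Since this principal is the read-only one, it is worth confirming the custom role carries no `setIamPolicy`-class permissions and recording the intent inline, e.g. `# read-only PF SA: needs to read project IAM policies on networking projects (no modify permissions)`. The surrounding `iam_by_principals` mapping starts before this hunk.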
@@ -48,3 +49,14 @@ iam_bindings:
 title: Data platform dev network viewer.
 expression: |
 resource.matchTag('${organization.id}/environment', 'development')
+ project_factory:
+ role: roles/resourcemanager.projectIamAdmin
+ members:
+ - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ condition:
+ title: Project factory delegated IAM grant.
+ expression: |
+ api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
+ 'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'
+ ])
\ No newline at end of file
diff --git a/fast/stages/0-org-setup/outputs.tf b/fast/stages/0-org-setup/outputs.tf
index 27e0e1cc9..4b3b5ca12 100644
--- a/fast/stages/0-org-setup/outputs.tf
+++ b/fast/stages/0-org-setup/outputs.tf
@@ -32,4 +32,5 @@ output "projects" {
 output "tfvars" {
 description = "Stage tfvars."
 value = local.of_tfvars
+ sensitive = true
 }
diff --git a/tests/fast/stages/s0_org_setup/not-simple.yaml b/tests/fast/stages/s0_org_setup/not-simple.yaml
index 4e160eb07..4759033a2 100644
--- a/tests/fast/stages/s0_org_setup/not-simple.yaml
+++ b/tests/fast/stages/s0_org_setup/not-simple.yaml
@@ -2619,7 +2619,7 @@ counts:
 google_bigquery_default_service_account: 1
 google_billing_account_iam_member: 5
 google_folder: 8
- google_folder_iam_binding: 38
+ google_folder_iam_binding: 40
 google_iam_workload_identity_pool: 1
 google_iam_workload_identity_pool_provider: 1
 google_logging_organization_settings: 1
@@ -2648,5 +2648,5 @@ counts:
 google_tags_tag_value_iam_binding: 4
 local_file: 9
 modules: 43
- resources: 286
+ resources: 288
 terraform_data: 2
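Review bot: The `modifiedGrantsByRole` condition on the new `project_factory` binding limits which roles `iac-pf-rw` may add or remove on networking projects, but it does not limit which principals receive them and it leaves every other permission in `roles/resourcemanager.projectIamAdmin` unconditional, because `api.getAttribute(..., [])` falls back to an empty list and `[].hasOnly(...)` is true for any request that does not populate the attribute. That looks like the intended delegated-role-administration pattern, but the four-role list has no explanation, so add a comment above `project_factory:` such as `# Delegated role administration: the PF SA may only grant/revoke the Shared VPC consumer roles listed below on networking projects; grantee principals are not restricted by this condition.` so the list is not widened casually. The file also loses its trailing newline (`\ No newline at end of file` after the closing `])`), which will show up as a spurious change in the next edit; restore it.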
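Review bot: `sensitive = true` on the `tfvars` output only redacts the value in plan and apply output; the value is still written in clear text to the Terraform state, and any other output that references `local.of_tfvars` or this output now has to be marked `sensitive` too (or wrapped in `nonsensitive()`) or Terraform will refuse to apply. The `local_file: 9` count in the test fixture suggests these tfvars are also rendered to local files, which this flag does not protect. A short comment on the output would set expectations, e.g. `# sensitive only hides the value in CLI output; the state backend and any generated tfvars files still hold it in clear text.`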