From 89333a5d438df5da1f9dbaf48106e62c45536e24 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Tue, 6 Aug 2024 11:35:37 +0200
Subject: [PATCH] Make policyReader binding additive in bootstrap (#2470)

---
 fast/stages/0-bootstrap/organization-iam.tf | 2 +-
 tests/fast/stages/s0_bootstrap/checklist.yaml | 4 ++--
 tests/fast/stages/s0_bootstrap/simple.yaml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index bde1b2150..6227e5b4a 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -156,7 +156,6 @@ locals {
 }
 (module.automation-tf-resman-r-sa.iam_email) = {
 authoritative = [
- "roles/accesscontextmanager.policyReader",
 "roles/essentialcontacts.viewer",
 "roles/logging.viewer",
 "roles/resourcemanager.folderViewer",
@@ -165,6 +164,7 @@ locals {
 ]
 additive = concat(
 [
+ "roles/accesscontextmanager.policyReader",
 # the organizationAdminViewer custom role is granted via the SA module
 "roles/orgpolicy.policyViewer"
 ],
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 61d5a41c1..09f1cdb70 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -379,9 +379,9 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_policy: 22
- google_organization_iam_binding: 29
+ google_organization_iam_binding: 28
 google_organization_iam_custom_role: 9
- google_organization_iam_member: 41
+ google_organization_iam_member: 42
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 76a252143..53e28ffe2 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
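Review bot: The added `"roles/accesscontextmanager.policyReader"` line in the second organization-iam.tf hunk carries no comment explaining why the role is now additive, while the neighbouring `"roles/orgpolicy.policyViewer"` entry does. An additive grant differs from the removed authoritative one in that Terraform will no longer strip other principals holding this role at the organization level, so the reason (presumably another stage or an out-of-band process also grants it) is worth recording for whoever reviews drift later, e.g. `# additive: other principals hold this role on the org and must not be removed by this stage`. The enclosing `locals` block starts and ends outside both hunks.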
@@ -20,9 +20,9 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_policy: 22
- google_organization_iam_binding: 29
+ google_organization_iam_binding: 28
 google_organization_iam_custom_role: 9
- google_organization_iam_member: 28
+ google_organization_iam_member: 29
 google_project: 3
 google_project_iam_audit_config: 1
 google_project_iam_binding: 19