diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index ee888637e..ad02969d4 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -267,18 +267,18 @@ terraform apply
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10;  outputs_bucket          &#61; string&#10;  project_id              &#61; string&#10;  project_number          &#61; string&#10;  federated_identity_pool &#61; string&#10;  federated_identity_providers &#61; map&#40;object&#40;&#123;&#10;    audiences        &#61; list&#40;string&#41;&#10;    issuer           &#61; string&#10;    issuer_uri       &#61; string&#10;    name             &#61; string&#10;    principal_branch &#61; string&#10;    principal_repo   &#61; string&#10;  &#125;&#41;&#41;&#10;  service_accounts &#61; object&#40;&#123;&#10;    resman-r &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
 | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | <code title="object&#40;&#123;&#10;  project_id &#61; string&#10;  log_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    filter &#61; string&#10;    type   &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>1-tenant-factory</code> |
-| [organization](variables-fast.tf#L110) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  organization_admin_viewer       &#61; string&#10;  service_project_network_admin   &#61; string&#10;  storage_viewer                  &#61; string&#10;  gcve_network_admin              &#61; optional&#40;string&#41;&#10;  gcve_network_viewer             &#61; optional&#40;string&#41;&#10;  network_firewall_policies_admin &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_admin           &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_viewer          &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
+| [logging](variables-fast.tf#L98) | Logging configuration for tenants. | <code title="object&#40;&#123;&#10;  project_id &#61; string&#10;  log_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    filter &#61; string&#10;    type   &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>1-tenant-factory</code> |
+| [organization](variables-fast.tf#L111) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
+| [prefix](variables-fast.tf#L129) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  organization_admin_viewer       &#61; string&#10;  project_iam_viewer              &#61; string&#10;  service_project_network_admin   &#61; string&#10;  storage_viewer                  &#61; string&#10;  gcve_network_admin              &#61; optional&#40;string&#41;&#10;  gcve_network_viewer             &#61; optional&#40;string&#41;&#10;  network_firewall_policies_admin &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_admin           &#61; optional&#40;string&#41;&#10;  ngfw_enterprise_viewer          &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [environment_names](variables.tf#L20) | Long environment names. | <code title="object&#40;&#123;&#10;  dev  &#61; string&#10;  prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  dev  &#61; &#34;development&#34;&#10;  prod &#61; &#34;production&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 | [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  org_policies      &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10;  stage_3           &#61; optional&#40;string, &#34;data&#47;stage-3&#34;&#41;&#10;  top_level_folders &#61; optional&#40;string, &#34;data&#47;top-level-folders&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="object&#40;&#123;&#10;  networking &#61; optional&#40;object&#40;&#123;&#10;    enabled    &#61; optional&#40;bool, true&#41;&#10;    short_name &#61; optional&#40;string, &#34;net&#34;&#41;&#10;    cicd_config &#61; optional&#40;object&#40;&#123;&#10;      identity_provider &#61; string&#10;      repository &#61; object&#40;&#123;&#10;        name      &#61; string&#10;        branch    &#61; optional&#40;string&#41;&#10;        parent_id &#61; optional&#40;string&#41;&#10;        type      &#61; optional&#40;string, &#34;github&#34;&#41;&#10;      &#125;&#41;&#10;    &#125;&#41;&#41;&#10;    folder_config &#61; optional&#40;object&#40;&#123;&#10;      create_env_folders &#61; optional&#40;bool, true&#41;&#10;      iam_by_principals  &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;      name               &#61; optional&#40;string, &#34;Networking&#34;&#41;&#10;      parent_id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  network_security &#61; optional&#40;object&#40;&#123;&#10;    enabled    &#61; optional&#40;bool, false&#41;&#10;    short_name &#61; optional&#40;string, &#34;nsec&#34;&#41;&#10;    cicd_config &#61; optional&#40;object&#40;&#123;&#10;      identity_provider &#61; string&#10;      repository &#61; object&#40;&#123;&#10;        name      &#61; string&#10;        branch    &#61; optional&#40;string&#41;&#10;        parent_id &#61; optional&#40;string&#41;&#10;        type      &#61; optional&#40;string, &#34;github&#34;&#41;&#10;      &#125;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  project_factory &#61; optional&#40;object&#40;&#123;&#10;    enabled    &#61; optional&#40;bool, true&#41;&#10;    short_name &#61; optional&#40;string, &#34;pf&#34;&#41;&#10;    cicd_config &#61; optional&#40;object&#40;&#123;&#10;      identity_provider &#61; string&#10;      repository &#61; object&#40;&#123;&#10;        name   &#61; string&#10;        branch &#61; optional&#40;string&#41;&#10;        type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;      &#125;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  security &#61; optional&#40;object&#40;&#123;&#10;    enabled    &#61; optional&#40;bool, true&#41;&#10;    short_name &#61; optional&#40;string, &#34;sec&#34;&#41;&#10;    cicd_config &#61; optional&#40;object&#40;&#123;&#10;      identity_provider &#61; string&#10;      repository &#61; object&#40;&#123;&#10;        name   &#61; string&#10;        branch &#61; optional&#40;string&#41;&#10;        type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;      &#125;&#41;&#10;    &#125;&#41;&#41;&#10;    folder_config &#61; optional&#40;object&#40;&#123;&#10;      create_env_folders &#61; optional&#40;bool, false&#41;&#10;      iam_by_principals  &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;      name               &#61; optional&#40;string, &#34;Security&#34;&#41;&#10;      parent_id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | <code title="map&#40;object&#40;&#123;&#10;  short_name  &#61; string&#10;  environment &#61; optional&#40;string, &#34;dev&#34;&#41;&#10;  cicd_config &#61; optional&#40;object&#40;&#123;&#10;    identity_provider &#61; string&#10;    repository &#61; object&#40;&#123;&#10;      name   &#61; string&#10;      branch &#61; optional&#40;string&#41;&#10;      type   &#61; optional&#40;string, &#34;github&#34;&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;&#10;  folder_config &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    parent_id         &#61; optional&#40;string&#41;&#10;    tag_bindings      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;  organization_iam &#61; optional&#40;object&#40;&#123;&#10;    context_tag_value &#61; string&#10;    sa_roles &#61; object&#40;&#123;&#10;      ro &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      rw &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;&#10;  stage2_iam &#61; optional&#40;object&#40;&#123;&#10;    networking &#61; optional&#40;object&#40;&#123;&#10;      iam_admin_delegated &#61; optional&#40;bool, false&#41;&#10;      sa_roles &#61; optional&#40;object&#40;&#123;&#10;        ro &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;        rw &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    security &#61; optional&#40;object&#40;&#123;&#10;      iam_admin_delegated &#61; optional&#40;bool, false&#41;&#10;      sa_roles &#61; optional&#40;object&#40;&#123;&#10;        ro &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;        rw &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
-| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [groups](variables-fast.tf#L70) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [locations](variables-fast.tf#L85) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [outputs_location](variables.tf#L43) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> |  | <code>null</code> | <code>0-bootstrap</code> |
+| [root_node](variables-fast.tf#L135) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [tag_names](variables.tf#L49) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10;  context     &#61; optional&#40;string, &#34;context&#34;&#41;&#10;  environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | <code title="map&#40;object&#40;&#123;&#10;  name      &#61; string&#10;  parent_id &#61; optional&#40;string&#41;&#10;  automation &#61; optional&#40;object&#40;&#123;&#10;    enable                      &#61; optional&#40;bool, true&#41;&#10;    environment_name            &#61; optional&#40;string, &#34;prod&#34;&#41;&#10;    sa_impersonation_principals &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    short_name                  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  firewall_policy &#61; optional&#40;object&#40;&#123;&#10;    name   &#61; string&#10;    policy &#61; string&#10;  &#125;&#41;&#41;&#10;  is_fast_context     &#61; optional&#40;bool, true&#41;&#10;  logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10;  logging_exclusions  &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  logging_settings &#61; optional&#40;object&#40;&#123;&#10;    disable_default_sink &#61; optional&#40;bool&#41;&#10;    storage_location     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;    description          &#61; optional&#40;string&#41;&#10;    destination          &#61; string&#10;    disabled             &#61; optional&#40;bool, false&#41;&#10;    exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    filter               &#61; optional&#40;string&#41;&#10;    iam                  &#61; optional&#40;bool, true&#41;&#10;    include_children     &#61; optional&#40;bool, true&#41;&#10;    type                 &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;    inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;    reset               &#61; optional&#40;bool&#41;&#10;    rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;      allow &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      deny &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        description &#61; optional&#40;string&#41;&#10;        expression  &#61; optional&#40;string&#41;&#10;        location    &#61; optional&#40;string&#41;&#10;        title       &#61; optional&#40;string&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf
index ae8243c34..f4a52601c 100644
--- a/fast/stages/1-resman/stage-2-networking.tf
+++ b/fast/stages/1-resman/stage-2-networking.tf
@@ -96,6 +96,9 @@ module "net-folder" {
       (var.custom_roles.service_project_network_admin) = [
         module.pf-sa-rw[0].iam_email
       ]
+      (var.custom_roles.project_iam_viewer) = [
+        module.pf-sa-ro[0].iam_email
+      ]
       "roles/compute.networkViewer" = [
         module.pf-sa-ro[0].iam_email
       ]
diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf
index db978c494..36e3d7b65 100644
--- a/fast/stages/1-resman/stage-2-security.tf
+++ b/fast/stages/1-resman/stage-2-security.tf
@@ -60,6 +60,9 @@ module "sec-folder" {
       "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
         module.pf-sa-rw[0].iam_email
       ]
+      (var.custom_roles.project_iam_viewer) = [
+        module.pf-sa-ro[0].iam_email
+      ]
       "roles/cloudkms.viewer" = [
         module.pf-sa-ro[0].iam_email
       ]
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf
index 065a74c56..e2de3ba7b 100644
--- a/fast/stages/1-resman/variables-fast.tf
+++ b/fast/stages/1-resman/variables-fast.tf
@@ -55,6 +55,7 @@ variable "custom_roles" {
   description = "Custom roles defined at the org level, in key => id format."
   type = object({
     organization_admin_viewer       = string
+    project_iam_viewer              = string
     service_project_network_admin   = string
     storage_viewer                  = string
     gcve_network_admin              = optional(string)
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 7535e164a..8f5667ca7 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -1446,7 +1446,7 @@ values:
 
 counts:
   google_folder: 13
-  google_folder_iam_binding: 72
+  google_folder_iam_binding: 74
   google_organization_iam_member: 14
   google_project_iam_member: 23
   google_service_account: 23
@@ -1460,4 +1460,4 @@ counts:
   google_tags_tag_value: 11
   google_tags_tag_value_iam_binding: 4
   modules: 47
-  resources: 273
+  resources: 275
