diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf
index b54b6030c..ced8c02ed 100644
--- a/fast/stages/0-bootstrap/automation.tf
+++ b/fast/stages/0-bootstrap/automation.tf
@@ -328,18 +328,15 @@ module "automation-tf-vpcsc-sa" {
 name = var.resource_names["sa-vpcsc"]
 display_name = "Terraform stage 1 vpcsc service account."
 prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
+ # allow security group and SA used by CI/CD workflow to impersonate this SA
 iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-sa[k].iam_email if v.stage == "vpcsc"
- ]
- }
- iam_bindings_additive = {
- security_admins = {
- member = local.principals["gcp-security-admins"]
- role = "roles/iam.serviceAccountTokenCreator"
- }
+ "roles/iam.serviceAccountTokenCreator" = concat(
+ [local.principals["gcp-security-admins"]],
+ [
+ for k, v in local.cicd_repositories :
+ module.automation-tf-cicd-sa[k].iam_email if v.stage == "vpcsc"
+ ]
+ )
 }
 iam_storage_roles = {
 (module.automation-tf-output-gcs.name) = ["roles/storage.admin"]
diff --git a/fast/stages/2-networking-a-simple/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-simple/data/hierarchical-ingress-rules.yaml
index 817be2e99..95996e42c 100644
--- a/fast/stages/2-networking-a-simple/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-a-simple/data/hierarchical-ingress-rules.yaml
@@ -1,7 +1,8 @@
 # skip boilerplate check
 ---
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../schemas/firewall-policy-rules.schema.json
 # allow-admins:
 # description: Access from the admin subnet to all subnets
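Review bot: Folding `local.principals["gcp-security-admins"]` into the `iam` map changes the semantics of the `roles/iam.serviceAccountTokenCreator` grant on the VPC-SC service account from additive to authoritative for that role, so on apply any token-creator member granted outside this stage is now revoked instead of preserved as it was under `iam_bindings_additive`; the test-count hunks in `tests/fast/stages/s0_bootstrap/cicd.yaml` and `simple.yaml` (one fewer `google_service_account_iam_member`, binding counts unchanged) are consistent with that reading, though the module's mapping is not visible here. If that tightening is intended, the new comment should state it rather than only listing the members, e.g. `# authoritative for this role: token-creator members granted outside this stage are removed on apply`. `concat` also does not de-duplicate, so if the group principal ever coincided with a member produced by the cicd comprehension the binding would list it twice; wrapping the result in `distinct(...)` would make that harmless. The `module "automation-tf-vpcsc-sa"` block continues outside the hunk.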
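Review bot: The added `# yaml-language-server: $schema=../schemas/firewall-policy-rules.schema.json` line references a schema file that is not part of this diff, so it should be confirmed that `schemas/firewall-policy-rules.schema.json` actually exists at that relative path in each stage directory, otherwise the editor hint is dead and will not catch malformed rules. The identical hunk is repeated for `2-networking-b-nva` and `2-networking-c-separate-envs`, so the same check applies there. The rewritten comment also drops the reason the old text gave for the `---` marker (Terraform cannot decode a file with no YAML document); `# start of document (---) keeps this valid YAML for Terraform when the file only contains comments` would keep that context.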
diff --git a/fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml
index 817be2e99..95996e42c 100644
--- a/fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-b-nva/data/hierarchical-ingress-rules.yaml
@@ -1,7 +1,8 @@
 # skip boilerplate check
 ---
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../schemas/firewall-policy-rules.schema.json
 # allow-admins:
 # description: Access from the admin subnet to all subnets
diff --git a/fast/stages/2-networking-c-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-separate-envs/data/hierarchical-ingress-rules.yaml
index 817be2e99..95996e42c 100644
--- a/fast/stages/2-networking-c-separate-envs/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-c-separate-envs/data/hierarchical-ingress-rules.yaml
@@ -1,7 +1,8 @@
 # skip boilerplate check
 ---
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../schemas/firewall-policy-rules.schema.json
 # allow-admins:
 # description: Access from the admin subnet to all subnets
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml
index 30259d6b7..186cd1ec0 100644
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -346,7 +346,6 @@ counts:
 google_project_service_identity: 7
 google_service_account: 12
 google_service_account_iam_binding: 12
- google_service_account_iam_member: 1
 google_storage_bucket: 4
 google_storage_bucket_iam_binding: 4
 google_storage_bucket_iam_member: 12
@@ -356,4 +355,4 @@ counts:
 google_tags_tag_value: 2
 local_file: 13
 modules: 26
- resources: 272
+ resources: 271
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 17dc99a88..8ad9f8cfc 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -31,7 +31,6 @@ counts:
 google_project_service_identity: 7
 google_service_account: 6
 google_service_account_iam_binding: 6
- google_service_account_iam_member: 1
 google_storage_bucket: 4
 google_storage_bucket_iam_binding: 4
 google_storage_bucket_iam_member: 6
@@ -41,7 +40,7 @@ counts:
 google_tags_tag_value: 2
 local_file: 8
 modules: 20
- resources: 235
+ resources: 234
 outputs:
 automation: __missing__