Remove unneeded delegated grants

fast/stages/00-bootstrap/organization.tf

@@ -147,17 +147,15 @@ module "organization" {
       "resourcemanager.organizations.getIamPolicy",
       "resourcemanager.organizations.setIamPolicy"
     ]
-    "xpnServiceAdmin" = [
+    "serviceProjectNetworkAdmin" = [
       "compute.globalOperations.get",
       "compute.organizations.disableXpnResource",
       "compute.organizations.enableXpnResource",
       "compute.projects.get",
-      "resourcemanager.projects.get",
-    ]
-    "serviceProjectNetworkAdmin" = [
       "compute.subnetworks.getIamPolicy",
       "compute.subnetworks.setIamPolicy",
       "dns.networks.bindPrivateDNSZone",
+      "resourcemanager.projects.get",
     ]
   }
   logging_sinks = {

fast/stages/01-resman/organization.tf

@@ -49,9 +49,6 @@ module "organization" {
   # role assigned in stage 00; they need to be additive to avoid conflicts
   iam_additive = merge(
     {
-      (var.custom_roles.xpnServiceAdmin) = concat(
-        local.branch_teams_pf_sa_iam_emails
-      )
       "roles/accesscontextmanager.policyAdmin" = [
         module.branch-security-sa.iam_email
       ]

fast/stages/02-networking/main.tf

@@ -46,7 +46,6 @@ locals {
     "roles/compute.networkUser",
     "roles/container.hostServiceAgentUser",
     "roles/vpcaccess.user",
-    var.custom_roles.serviceProjectNetworkAdmin
   ]
 }
 

fast/stages/02-networking/vpc-spoke-dev.tf

@@ -40,6 +40,9 @@ module "dev-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [var.project_factory_sa.dev]
+    (var.custom_roles.serviceProjectNetworkAdmin) = [
+      var.project_factory_sa.prod
+    ]
   }
 }
 

fast/stages/02-networking/vpc-spoke-prod.tf

@@ -40,6 +40,9 @@ module "prod-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [var.project_factory_sa.prod]
+    (var.custom_roles.serviceProjectNetworkAdmin) = [
+      var.project_factory_sa.prod
+    ]
   }
 }