grant cloudbuild.serviceAgent to the cloudbuid service agent SA

modules/im_cloudbuild_workspace/cb.tf

@@ -139,5 +139,6 @@ resource "time_sleep" "iam_propagation" {
     google_project_iam_member.cb_logWriter_role,
     google_project_iam_member.cb_serviceAccountUser_role,
     google_project_iam_member.cb_storage_objects_viewer,
+    google_project_iam_member.cb_service_agent_role,
   ]
 }

modules/im_cloudbuild_workspace/sa.tf

@@ -55,6 +55,12 @@ resource "google_project_iam_member" "cb_logWriter_role" {
   member  = "serviceAccount:${local.cloudbuild_sa_email}"
 }
 
+resource "google_project_iam_member" "cb_service_agent_role" {
+  project = var.project_id
+  role    = "roles/cloudbuild.serviceAgent"
+  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+}
+
 # Allows the Cloud Build service account to act as the Infra Manger service account
 resource "google_project_iam_member" "cb_serviceAccountUser_role" {
   count   = local.create_cloudbuild_sa ? 1 : 0