Merge pull request #6 from rjerrems/fix-impersonation

Fix permissions issue in #5 for org admins using impersonation

main.tf

@@ -157,3 +157,11 @@ resource "google_organization_iam_member" "org_admin_serviceusage_consumer" {
   role   = "roles/serviceusage.serviceUsageConsumer"
   member = "group:${var.group_org_admins}"
 }
+
+resource "google_storage_bucket_iam_member" "orgadmins_state_iam" {
+  count = local.impersonation_enabled_count
+
+  bucket = google_storage_bucket.org_terraform_state.name
+  role   = "roles/storage.admin"
+  member = "group:${var.group_org_admins}"
+}

test/integration/cloudbuild_enabled/controls/gcp.rb

@@ -88,6 +88,7 @@
   google_projects.where(project_id: attribute("cloudbuild_project_id")).project_numbers.each do |project_number|
     describe google_storage_bucket_iam_binding(bucket: attribute("gcs_bucket_tfstate"),  role: 'roles/storage.admin') do
       it { should exist }
+      its('members') {should include 'group:' + attribute("group_org_admins")}
       its('members') {should include 'serviceAccount:' + attribute("terraform_sa_email")}
       its('members') {should include 'serviceAccount:' + project_number.to_s + '@cloudbuild.gserviceaccount.com'}
     end