diff --git a/main.tf b/main.tf
index f850fbb8..7d7e462e 100644
--- a/main.tf
+++ b/main.tf
@@ -157,3 +157,11 @@ resource "google_organization_iam_member" "org_admin_serviceusage_consumer" {
   role   = "roles/serviceusage.serviceUsageConsumer"
   member = "group:${var.group_org_admins}"
 }
+
+resource "google_storage_bucket_iam_member" "orgadmins_state_iam" {
+  count = local.impersonation_enabled_count
+
+  bucket = google_storage_bucket.org_terraform_state.name
+  role   = "roles/storage.admin"
+  member = "group:${var.group_org_admins}"
+}
diff --git a/test/integration/cloudbuild_enabled/controls/gcp.rb b/test/integration/cloudbuild_enabled/controls/gcp.rb
index 5d27d528..aa735d7f 100644
--- a/test/integration/cloudbuild_enabled/controls/gcp.rb
+++ b/test/integration/cloudbuild_enabled/controls/gcp.rb
@@ -88,6 +88,7 @@
   google_projects.where(project_id: attribute("cloudbuild_project_id")).project_numbers.each do |project_number|
     describe google_storage_bucket_iam_binding(bucket: attribute("gcs_bucket_tfstate"),  role: 'roles/storage.admin') do
       it { should exist }
+      its('members') {should include 'group:' + attribute("group_org_admins")}
       its('members') {should include 'serviceAccount:' + attribute("terraform_sa_email")}
       its('members') {should include 'serviceAccount:' + project_number.to_s + '@cloudbuild.gserviceaccount.com'}
     end