From a82f107f54e9dd518e5fbd80b2713d2ea7f2a2a1 Mon Sep 17 00:00:00 2001
From: Simone Ruffilli
Date: Fri, 4 Feb 2022 13:59:32 +0100
Subject: [PATCH] FAST-00: Adds projectCreator to resman SA. Always create delegated role grants. (#496)
---
 fast/stages/00-bootstrap/organization.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 51ae428a..5b8539f6 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -37,6 +37,10 @@ locals {
 "roles/resourcemanager.organizationViewer" = [
 "domain:${var.organization.domain}"
 ]
+ "roles/resourcemanager.projectCreator" = concat(
+ [module.automation-tf-bootstrap-sa.iam_email],
+ local._iam_bootstrap_user
+ )
 }
 # organization additive IAM bindings, in an easy to edit format before
 # they are combined with var.iam_additive a bit further in locals
@@ -177,7 +181,6 @@ module "organization" {
 resource "google_organization_iam_binding" "org_admin_delegated" {
 org_id = var.organization.id
- count = local.billing_org ? 1 : 0
 role = module.organization.custom_role_id.organizationIamAdmin
 members = [module.automation-tf-resman-sa.iam_email]
 condition {
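Review bot: The new `roles/resourcemanager.projectCreator` entry grants the role to `module.automation-tf-bootstrap-sa.iam_email`, while the commit subject says it is added to the resman SA, so one of the two is wrong. If the resource-management SA was meant, the first member should be `module.automation-tf-resman-sa.iam_email` (the name used in the second hunk); if the bootstrap SA is intended, a short comment above the entry stating why it needs organization-wide project creation would record that. `local._iam_bootstrap_user` is presumably a human bootstrap identity, so this also leaves an organization-level project-creation grant on a user for as long as that local is non-empty. The enclosing `locals` map starts outside the hunk, so whether this binding is authoritative for the role cannot be confirmed from here.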
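Review bot: Dropping `count` changes the resource address from `google_organization_iam_binding.org_admin_delegated[0]` to the un-indexed form, so states created with `local.billing_org` true will plan a destroy and re-create of this binding unless the move is declared. A `moved` block from the indexed to the un-indexed address (if the required Terraform version supports it) or a documented `terraform state mv` step would avoid the window in which the resman SA loses the custom role. Because `google_organization_iam_binding` is authoritative for its role and the resource is now always created, a comment above it such as `# authoritative: resman SA is the only member of organizationIamAdmin; the condition limits which roles it may grant` would help, once checked against the `condition` block, which continues outside the hunk.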