osinfra-io / google-cloud-hierarchy

Infrastructure as Code (IaC) example for Google Cloud Platform Hierarchy.

Home Page:https://www.osinfra.io


Group for Terraform backend service accounts

brettcurtis opened this issue · comments

Description

We will need a group for Terraform backend service accounts. For example, each backend service account created will require IAM roles to solve this problem:

Error: Request `Create IAM Members roles/logging.bucketWriter serviceAccount:p980112215208-515759@gcp-sa-logging.iam.gserviceaccount.com for project "shared-logs01-tf3521-sb"` returned error: Error retrieving IAM policy for project "shared-logs01-tf3521-sb": googleapi: Error 403: The caller does not have permission, forbidden

In this example, we have a service account creating a new project and resource for google_logging_project_sink, which requires project IAM admin in the logging project. This isn't ideal from a security perspective, but I'm not sure there is another way around it if we set up logging buckets this way.

Acceptance

  • Terraform backend service accounts should be able to create the google_logging_project_sink resource

Implementation Notes

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink

Additional Context

Also, note that the service account for the Terraform backend will need to be a manager in the group.
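One way to express the group described in this issue, as an added Terraform example that is not code from the osinfra-io repository: a Cloud Identity group for the backend service accounts, the backend service account added as both member and manager, and the group granted Project IAM Admin on the shared logging project so that sinks created by the backend can grant `roles/logging.bucketWriter` to the logging writer identity. The customer ID, group address, service account email and project ID are placeholder assumptions.

```hcl
# Added example (not the project's own code). Placeholder values are marked as such.

# Cloud Identity group that holds the Terraform backend service accounts.
resource "google_cloud_identity_group" "terraform_backend" {
  display_name = "Terraform Backend Service Accounts"
  parent       = "customers/C0PLACEHOLDER" # placeholder: Cloud Identity customer ID

  group_key {
    id = "terraform-backend@example.com" # placeholder: group email
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# The backend service account is both a MEMBER (so the IAM binding below
# applies to it) and a MANAGER (so it can add the backend accounts it creates).
resource "google_cloud_identity_group_membership" "terraform_backend_sa" {
  group = google_cloud_identity_group.terraform_backend.id

  preferred_member_key {
    id = "terraform-backend@example-project.iam.gserviceaccount.com" # placeholder
  }

  roles {
    name = "MEMBER"
  }

  roles {
    name = "MANAGER"
  }
}

# Grant the group Project IAM Admin on the shared logging project only.
# This is the permission the 403 in the issue is missing: without it the
# backend cannot grant roles/logging.bucketWriter to the sink's writer identity.
# Scope it to the logging project rather than the folder or organization.
resource "google_project_iam_member" "logging_project_iam_admin" {
  project = "shared-logs01-tf3521-sb" # logging project from the issue
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = "group:${google_cloud_identity_group.terraform_backend.group_key[0].id}"
}
```

Project IAM Admin lets every group member edit the logging project's IAM policy, so membership in the group should be limited to the backend service accounts and reviewed like any other high-privilege binding.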