terraform-example-foundation
Update permissions required for TFV
TFV has been using the CB default SA (not the Terraform SA), which did not have any additional permissions; however, as of v2021-04-07+ it looks like it needs Security Reviewer at the org level to pull the IAM policy, otherwise this error is thrown for 1-org:
Error: converting tfplan to CAI assets: adding resource changes to converter: adding resource create/update/no-op fetching asset: Error retrieving IAM policy for organization "ORG_ID": googleapi: Error 403: The caller does not have permission, forbidden
We should add Security Reviewer to the CB SA once confirmed via https://github.com/GoogleCloudPlatform/terraform-validator/issues/290
Longer term (v3) we may be looking at configuring custom SAs via the CB trigger.
As a workaround, manually add Security Reviewer to the CB SA ([email protected]) at the organization level. I have confirmed this workaround works in our environment.
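As an added check (not part of this issue or the project's code), the script below inspects an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports whether the Cloud Build SA holds the Security Reviewer binding TFV needs at the org level; the policy document and service-account emails are constructed samples.

```python
"""Verify that a Cloud Build SA holds the org-level role terraform-validator
(TFV) needs to fetch the organization IAM policy, before running TFV."""
import json

# Security Reviewer, the role TFV v2021-04-07+ needs at the organization level.
TFV_ORG_ROLE = "roles/iam.securityReviewer"

# Constructed sample policy: the CB SA only holds Viewer, another SA holds
# Security Reviewer. Emails and project are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:cb-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.securityReviewer",
     "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
""")


def members_with_role(policy: dict, role: str) -> set:
    """All members bound to `role`. Conditional bindings are skipped because
    they do not grant the role unconditionally, which is what TFV relies on."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            found.update(binding.get("members", []))
    return found


def missing_tfv_roles(policy: dict, sa_email: str) -> list:
    """Org-level roles the service account still lacks for TFV to read the policy."""
    member = f"serviceAccount:{sa_email}"
    return [r for r in (TFV_ORG_ROLE,) if member not in members_with_role(policy, r)]


def grant_command(org_id: str, sa_email: str, role: str) -> str:
    """The gcloud command that adds the missing binding (the workaround above)."""
    return (f"gcloud organizations add-iam-policy-binding {org_id} "
            f"--member=serviceAccount:{sa_email} --role={role}")


if __name__ == "__main__":
    sa = "cb-sa@example-project.iam.gserviceaccount.com"
    for role in missing_tfv_roles(SAMPLE_POLICY, sa):
        print("missing:", role)
        print(grant_command("ORG_ID", sa, role))
```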
Short term we can use GOOGLE_IMPERSONATE_SERVICE_ACCOUNT rather than granting the CB SA permissions. Long term we will be switching to a custom SA from the impersonation approach.
Using https://github.com/terraform-google-modules/terraform-google-bootstrap/releases/tag/v5.0.0 will allow support for v0.6.0+ of TFV with GOOGLE_IMPERSONATE_SERVICE_ACCOUNT support.
Since we have a workaround in place, @amandakarina will explore using a user-specified Cloud Build service account rather than SA impersonation, which will help us get rid of provider impersonation and solve the TFV auth issue.
Closing this since we now have a user-defined SA in the pipeline, and GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is used for local runs, which is respected by gcloud vet. @daniel-cit, lmk if this is still an issue.