From ad47ff72a429e3a58478d3e7182262cb96e65a49 Mon Sep 17 00:00:00 2001
From: Joe Wilder
Date: Tue, 2 Sep 2025 16:55:47 +0000
Subject: [PATCH 1/2] fix(LINK-4116): do not require org level permissions for project level integrations
---
checks.tf | 3 +--
custom_roles.tf | 16 ----------------
examples/custom-vpc-network/README.md | 2 --
examples/custom-vpc-network/main.tf | 2 --
examples/project-level-multi-region/README.md | 2 --
examples/project-level-multi-region/main.tf | 2 --
examples/project-level-single-region/README.md | 1 -
examples/project-level-single-region/main.tf | 1 -
main.tf | 9 ---------
9 files changed, 1 insertion(+), 37 deletions(-)
diff --git a/checks.tf b/checks.tf
index 7beccb9..41c6e66 100644
--- a/checks.tf
+++ b/checks.tf
@@ -1,10 +1,9 @@
-// ensure that organization_id is not empty, even for project-level integrations
 check "non_empty_organization_id" {
 // There can be multiple reasons for an empty `organization_id`. One example is that the provider project resides
 // in a folder. In this case, google_project.selected[0].org_id will be empty whereas google_project.selected[0].folder_id
 // will be non-empty. We'd need to ask the user to provide the organization_id in such cases.
 assert {
- condition = local.organization_id != ""
+ condition = local.organization_id != "" && local.integration_type == "ORGANIZATION"
 error_message = "No `organization_id` is provided and we failed to derive one. Please provide `organization_id`."
 }
 }
diff --git a/custom_roles.tf b/custom_roles.tf
index 67e9dc0..63ec90c 100644
--- a/custom_roles.tf
+++ b/custom_roles.tf
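Review bot: The `&&` in the new `condition` of `check "non_empty_organization_id"` inverts the intent for project-level integrations: when `local.integration_type` is "PROJECT" the right-hand operand is false, so the assertion fails regardless of `organization_id` and the "No `organization_id` is provided" message is emitted for exactly the deployments this commit stops requiring an organization for (check assertions surface as warnings rather than errors, so apply still proceeds, but every project-level run would carry a misleading warning). The guard should be an implication — only organization-level integrations need a resolvable id — i.e. `condition = local.integration_type != "ORGANIZATION" || local.organization_id != ""`. Because the check no longer applies to every integration, the dropped header comment is worth restoring as `// organization_id must be resolvable for ORGANIZATION integrations; PROJECT integrations no longer need org-level access` and the message reworded to say that organization-level integrations require `organization_id`. This assumes `local.integration_type` carries the literal "ORGANIZATION"/"PROJECT" values that the removed count expressions in main.tf compare against; if it can differ in case, the comparison here should use the same normalised form.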
@@ -19,22 +19,6 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
 ]
 }
-// Scope : MONITORED_PROJECT
-// Use : Accessing Folders/Organizations for Resource Group v2
-// Role created at organization
-// Note this binding happens at the organization level because the custom role requires organization level permissions
-resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
- count = var.global && (var.integration_type == "PROJECT") ? 1 : 0
-
- org_id = local.organization_id
- role_id = replace("${var.prefix}-resource-group-${local.suffix}", "-", "_")
- title = "Lacework Agentless Workload Scanning Role for monitored project (Resource Group)"
- permissions = [
- "resourcemanager.folders.get",
- "resourcemanager.organizations.get",
- ]
- }
-
 //-----------------------------------------------------------------------------------
 // Scope : MONITORED_ORGANIZATION
diff --git a/examples/custom-vpc-network/README.md b/examples/custom-vpc-network/README.md
index b8a36a4..d921ec5 100644
--- a/examples/custom-vpc-network/README.md
+++ b/examples/custom-vpc-network/README.md
@@ -115,7 +115,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_" {
 project_filter_list = local.project_filter_list
- organization_id =
 global = true
 regional = true
@@ -132,7 +131,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_" {
 project_filter_list = local.project_filter_list
- organization_id =
 regional = true
 global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
diff --git a/examples/custom-vpc-network/main.tf b/examples/custom-vpc-network/main.tf
index e4aff21..ad5b9be 100644
--- a/examples/custom-vpc-network/main.tf
+++ b/examples/custom-vpc-network/main.tf
@@ -71,7 +71,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
 global = true
 regional = true
- organization_id = "1234567890"
 custom_vpc_subnet = google_compute_subnetwork.awls_subnet_1.id
 # example: passing an environment variable to the cloud run task
@@ -86,7 +85,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
 }
 regional = true
- organization_id = "1234567890"
 global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
diff --git a/examples/project-level-multi-region/README.md b/examples/project-level-multi-region/README.md
index 16edc50..7fcb75d 100644
--- a/examples/project-level-multi-region/README.md
+++ b/examples/project-level-multi-region/README.md
@@ -73,7 +73,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_" {
 global = true
 regional = true
- organization_id =
 lacework_integration_name = "agentless_from_terraform"
 }
@@ -86,7 +85,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_" {
 }
 regional = true
- organization_id =
 global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_
 }
 ```
diff --git a/examples/project-level-multi-region/main.tf b/examples/project-level-multi-region/main.tf
index aef7c19..1061c1e 100644
--- a/examples/project-level-multi-region/main.tf
+++ b/examples/project-level-multi-region/main.tf
@@ -28,7 +28,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
 global = true
 regional = true
- organization_id = "1234567890"
 lacework_integration_name = "agentless_from_terraform"
 }
@@ -41,7 +40,6 @@ module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
 }
 regional = true
- organization_id = "1234567890"
 global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
 }
diff --git a/examples/project-level-single-region/README.md b/examples/project-level-single-region/README.md
index dc583ea..6951c3c 100644
--- a/examples/project-level-single-region/README.md
+++ b/examples/project-level-single-region/README.md
@@ -54,7 +54,6 @@ module "lacework_gcp_agentless_scanning_project_single_region" {
 global = true
 regional = true
- organization_id =
 lacework_integration_name = "agentless_from_terraform"
 }
 ```
diff --git a/examples/project-level-single-region/main.tf b/examples/project-level-single-region/main.tf
index f810bc7..0b5e5dd 100644
--- a/examples/project-level-single-region/main.tf
+++ b/examples/project-level-single-region/main.tf
@@ -14,7 +14,6 @@ module "lacework_gcp_agentless_scanning_project_single_region" {
 global = true
 regional = true
- organization_id = "1234567890"
 lacework_integration_name = "agentless_from_terraform"
 }
diff --git a/main.tf b/main.tf
index 2665187..4253699 100644
--- a/main.tf
+++ b/main.tf
@@ -269,15 +269,6 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
 member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
 }
-// Orchestrate Service Account <-> Role Binding for Custom Role project-level resource group support
-resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
- count = var.global && (local.integration_type == "PROJECT") ? 1 : 0
-
- org_id = local.organization_id
- role = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
- member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
-}
-
 // Orchestrate Service Account <-> Role Binding for Custom Role created in Scanner Project
 resource "google_project_iam_member" "agentless_orchestrate" {
 count = var.global ? 1 : 0
From b6a8ef8a4fc2e2c6bcd9f4371cf5e1a886413556 Mon Sep 17 00:00:00 2001
From: Joe Wilder
Date: Tue, 2 Sep 2025 17:06:41 +0000
Subject: [PATCH 2/2] fix(LINK2-4116): update readme
---
README.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index c0baf8c..61e539d 100644
--- a/README.md
+++ b/README.md
@@ -37,9 +37,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | [google_cloud_run_v2_job.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job) | resource |
 | [google_cloud_scheduler_job.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
 | [google_organization_iam_custom_role.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
-| [google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
 | [google_organization_iam_member.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
-| [google_organization_iam_member.agentless_orchestrate_monitored_project_resource_group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_project_iam_custom_role.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.agentless_orchestrate_monitored_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.agentless_scan](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |