Describe the bug
When setting up CI/CD on GitHub Actions, the plan is run by a read-only service account through impersonation, usually a SA named like XXXX-prod-bootstrap-0r@XXXX-prod-iac-core-0.iam.gserviceaccount.com, while the apply is run by a more powerful service account, XXXX-prod-bootstrap-0@XXXX-prod-iac-core-0.iam.gserviceaccount.com.
When running the fast-pr job, you get the following error:
Error: Error when reading or editing LoggingOrganizationSettings "organizations/123456789012/settings": googleapi: Error 403: Permission 'logging.settings.get' denied on resource (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "logging.settings.get"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]

  with module.organization-logging.google_logging_organization_settings.default[0],
  on .terraform/modules/organization-logging/organization/logging.tf line 37, in resource "google_logging_organization_settings" "default":
  37: resource "google_logging_organization_settings" "default" {
After some debugging, we noticed that the apply SA has the Logging Admin role, which includes the logging.settings.get permission, while the plan SA has the Logs Viewer role, which lacks said permission.
Giving a Logging Admin permission to a read-only SA makes no sense, so perhaps we should add logging.settings.get to the organizationAdminViewer custom role?
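The two facts the report relies on (which role carries logging.settings.get, and whether the impersonated plan SA actually holds it on the organization) can be checked from a shell before touching any role definition. The script below is an added example for this issue, not code from the reporter or from the Fabric project. It assumes gcloud and curl are installed and the caller may impersonate the plan SA; the role ID organizationAdminViewer and the organization number 123456789012 are taken from the report and used only as illustrative arguments. The helper missing_permissions works offline on the semicolon-separated list that gcloud prints with --format='value(includedPermissions)', which is what the test exercises with a constructed list.

```shell
#!/usr/bin/env sh
# Added example (not part of the issue or the Fabric project): confirm which
# role includes logging.settings.get and what the plan SA can really do.
set -eu

# Offline helper. $1 is a semicolon-separated permission list, exactly as
# `gcloud iam roles describe ROLE --format='value(includedPermissions)'`
# prints it; the remaining arguments are the permissions the plan needs.
# Prints each required permission that is absent, one per line.
missing_permissions() {
  granted="$1"; shift
  for perm in "$@"; do
    case ";${granted};" in
      *";${perm};"*) ;;                 # granted by the role
      *) printf '%s\n' "$perm" ;;       # missing from the role
    esac
  done
}

# Online check 1: does a predefined or custom role include the permission?
#   role_missing roles/logging.viewer logging.settings.get
#   role_missing roles/logging.admin  logging.settings.get
#   role_missing organizationAdminViewer logging.settings.get --organization=123456789012
# Prints the permission if the role lacks it, nothing if the role has it.
role_missing() {
  role="$1"; perm="$2"; shift 2
  granted="$(gcloud iam roles describe "$role" "$@" \
              --format='value(includedPermissions)')"
  missing_permissions "$granted" "$perm"
}

# Online check 2: the plan SA's effective permissions on the organization,
# via organizations.testIamPermissions with an impersonated access token.
# The response lists only the permissions that are granted; anything you
# asked for that is absent from it is what the plan will be denied.
#   sa_test_permissions 123456789012 \
#     XXXX-prod-bootstrap-0r@XXXX-prod-iac-core-0.iam.gserviceaccount.com \
#     logging.settings.get logging.logs.list
sa_test_permissions() {
  org_id="$1"; sa="$2"; shift 2
  body="$(printf '"%s",' "$@")"
  body="${body%,}"                        # drop the trailing comma
  token="$(gcloud auth print-access-token --impersonate-service-account="$sa")"
  curl -sS -X POST \
    -H "Authorization: Bearer ${token}" \
    -H 'Content-Type: application/json' \
    -d "{\"permissions\": [${body}]}" \
    "https://cloudresourcemanager.googleapis.com/v1/organizations/${org_id}:testIamPermissions"
}
```

Run role_missing against the plan SA's role before and after editing the custom role: an empty result means the role now carries the permission. sa_test_permissions is the authoritative check, since it evaluates the SA's full effective policy on the organization rather than a single role, and it needs only the ability to impersonate the plan SA (roles/iam.serviceAccountTokenCreator on it), not any elevated rights of your own.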