GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0

Remove CFs "roles-viewer" #156

Closed ghost closed 4 years ago

ghost commented 4 years ago

Remove the viewer roles from the CFs' Terraform configuration:

```hcl
# Required to retrieve ancestry for projects within this folder.
resource "google_folder_iam_member" "roles-viewer" {
  count = length(var.folder-ids)

  folder = "folders/${var.folder-ids[count.index]}"
  role   = "roles/viewer"
  member = "serviceAccount:${var.setup.automation-service-account}"
}
```

Then test each CF to check whether or not this role is suitable.
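As an added check for after the binding is removed (example code, not from the issue or the project): a small Python audit that reads each folder's IAM policy and reports any folder that still grants roles/viewer to the automation service account. The policies below are constructed sample JSON in the shape that `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json` prints, and the service account name is an assumption.

```python
"""Check folder IAM policies for a leftover roles/viewer grant (offline)."""
import json

# Hypothetical automation service account (assumed, not from the issue).
AUTOMATION_SA = "serviceAccount:sra-automation@example-project.iam.gserviceaccount.com"
ROLE = "roles/viewer"

# Constructed sample policies keyed by folder id, shaped like the JSON that
# `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`
# prints. Folder 1 still carries the grant; folders 2 and 3 do not.
SAMPLE_POLICIES = {
    "123456789012": json.dumps({
        "bindings": [
            {"role": "roles/viewer",
             "members": ["user:alice@example.com", AUTOMATION_SA]},
        ],
        "etag": "BwXyz=",
    }),
    "234567890123": json.dumps({
        "bindings": [
            {"role": "roles/viewer", "members": ["group:sec@example.com"]},
            {"role": "roles/logging.viewer", "members": [AUTOMATION_SA]},
        ],
        "etag": "BwAbc=",
    }),
    "345678901234": json.dumps({"etag": "BwEmpty="}),  # no bindings at all
}


def members_with_role(policy_json: str, role: str) -> set:
    """Every member bound to `role`, conditional bindings included."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def folders_still_granting(policies: dict, member: str, role: str = ROLE) -> list:
    """Sorted folder ids where `member` still holds `role`."""
    return sorted(fid for fid, pol in policies.items()
                  if member in members_with_role(pol, role))


if __name__ == "__main__":
    for fid in folders_still_granting(SAMPLE_POLICIES, AUTOMATION_SA):
        print(f"folders/{fid}: {AUTOMATION_SA} still has {ROLE}")
```

To run it against real folders, replace the sample dict with the output of the gcloud command for each id in `var.folder-ids`.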