GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0
208 stars, 52 forks

Notification creation must run after terraform script. #186

Closed daniel-cit closed 4 years ago

daniel-cit commented 4 years ago

The instructions for the creation of the notification need to be run after the Terraform script, otherwise we get an error because the service account was not created yet:

```shell
export PROJECT_ID=out-of-order-666666666
export SERVICE_ACCOUNT_EMAIL=automation-service-account@$PROJECT_ID.iam.gserviceaccount.com \
  ORGANIZATION_ID=

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
  --role='roles/securitycenter.notificationConfigEditor'
```

```
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.beta.organizations.add-iam-policy-binding) INVALID_ARGUMENT: Service account automation-service-account@out-of-order-666666666.iam.gserviceaccount.com does not exist.
```
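The ordering problem described in this issue (granting a role to a service account that Terraform has not created yet) can be made fail-safe by checking that the account is visible before the binding is attempted. The script below is an added example, not part of the security-response-automation repository or its documentation: it polls `gcloud iam service-accounts describe` until the account exists, then runs the same `add-iam-policy-binding` command from the issue. The variable names `PROJECT_ID`, `ORGANIZATION_ID` and `SERVICE_ACCOUNT_EMAIL` follow the issue; the retry count, delay and the `--run` flag are hypothetical knobs chosen for this example.

```shell
#!/bin/sh
# Added example (not the project's own code): grant the
# notificationConfigEditor role only once the Terraform-created service
# account is visible, instead of failing with "does not exist".
#
# Assumptions: gcloud is installed and authenticated; PROJECT_ID and
# ORGANIZATION_ID are exported as in the issue. SRA_RETRIES and
# SRA_RETRY_DELAY are hypothetical knobs for this script only.

RETRIES="${SRA_RETRIES:-10}"
DELAY="${SRA_RETRY_DELAY:-6}"

# Returns 0 when gcloud can describe the service account, 1 otherwise.
sa_exists() {
  gcloud iam service-accounts describe "$1" --project "$2" >/dev/null 2>&1
}

# Polls until the service account exists or the retry budget is spent.
# Covers both "terraform apply not run yet" and IAM propagation delay.
wait_for_sa() {
  email="$1"; project="$2"; n=0
  while [ "$n" -lt "$RETRIES" ]; do
    if sa_exists "$email" "$project"; then
      return 0
    fi
    n=$((n + 1))
    sleep "$DELAY"
  done
  echo "service account $email not found after $RETRIES attempts; run terraform first" >&2
  return 1
}

# Grants the role only after wait_for_sa succeeds; returns gcloud's status.
grant_notification_role() {
  email="$1"; project="$2"; org="$3"
  wait_for_sa "$email" "$project" || return 1
  gcloud organizations add-iam-policy-binding "$org" \
    --member="serviceAccount:$email" \
    --role='roles/securitycenter.notificationConfigEditor'
}

# Usage: PROJECT_ID=... ORGANIZATION_ID=... sh grant-notification-role.sh --run
if [ "${1:-}" = "--run" ]; then
  : "${PROJECT_ID:?set PROJECT_ID}" "${ORGANIZATION_ID:?set ORGANIZATION_ID}"
  SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT_EMAIL:-automation-service-account@$PROJECT_ID.iam.gserviceaccount.com}"
  grant_notification_role "$SERVICE_ACCOUNT_EMAIL" "$PROJECT_ID" "$ORGANIZATION_ID"
fi
```

Run it after `terraform apply` has finished; if the account never appears the script exits non-zero with a message pointing back at Terraform rather than the less helpful `INVALID_ARGUMENT` from the binding call.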