ayrorg / infra

Common infrastructure as code repository.
Apache License 2.0

feat: add OAuth Config Editor role to developers #67

Closed braaar closed 1 year ago

braaar commented 1 year ago

This permission is required for setting up OAuth, which I would like to do.

ayrbot commented 1 year ago

:tropical_drink: preview on infra-core/prod

Pulumi report

```
Previewing update (prod):

@ previewing update....
@ previewing update....
  pulumi:pulumi:Stack infra-core-prod running
@ previewing update...................
  ayr-cloudrun-service tripletex-agent
  pulumi:providers:gcp google
  ayr-pubsub-service workspace-agent
  ayr-cloudrun-service workspace-agent-v2
  ayr-cloudrun-service workspace-agent
  ayr-cloudrun-service consumer-api
  ayr-cloudrun-service freshworks-agent
  ayr-cloudrun-service calendar-agent
  pulumi:providers:gcp console-google
  pulumi:providers:github main-github
  pulumi:providers:github github
  gcp:serviceAccount:Account freshworks-scheduler
  gcp:iam:WorkloadIdentityPool github-actions
  gcp:pubsub:Topic slack-logger
  gcp:serviceAccount:Account service-deploy
  github:index:ActionsSecret studio-project-id
  github:index:ActionsOrganizationSecret ayrbot-token
  github:index:ActionsSecret website-project-id
@ previewing update....
  gcp:organizations:Project apps-main-project
  gcp:logging:ProjectSink console-slack-logger
  gcp:cloudfunctions:CallbackFunction console-new-log-entry
  gcp:logging:ProjectSink console-slack-logger-v2
  gcp:iam:WorkloadIdentityPoolProvider github-actions
+ github:index:ActionsSecret freshworks-agent-service-service-account create
+ github:index:ActionsSecret workspace-agent-service-service-account create
  gcp:serviceAccount:IAMMember iam-service-freshworks-agent
  gcp:serviceAccount:IAMMember iam-service-token-freshworks-agent
  gcp:serviceAccount:IAMMember iam-service-workspace-agent
  gcp:serviceAccount:IAMMember iam-service-token-workspace-agent
  google-native:iam/v1:ServiceAccount workspace-agent
  google-native:iam/v1:ServiceAccount consumer-api
  google-native:iam/v1:ServiceAccount tripletex-agent
  google-native:iam/v1:ServiceAccount freshworks-agent
  google-native:bigquery/v2:Dataset console
  gcp:projects:Service serviceusage.googleapis.com
  gcp:projects:Service servicemanagement.googleapis.com
  gcp:projects:Service servicecontrol.googleapis.com
  gcp:projects:Service container.googleapis.com
  gcp:projects:Service compute.googleapis.com
  gcp:projects:Service dns.googleapis.com
  gcp:projects:Service cloudresourcemanager.googleapis.com
  gcp:projects:Service logging.googleapis.com
  gcp:projects:Service stackdriver.googleapis.com
  gcp:projects:Service monitoring.googleapis.com
  gcp:projects:Service cloudtrace.googleapis.com
  gcp:projects:Service clouderrorreporting.googleapis.com
  gcp:projects:Service clouddebugger.googleapis.com
  gcp:projects:Service cloudprofiler.googleapis.com
  gcp:projects:Service sqladmin.googleapis.com
  gcp:projects:Service cloudkms.googleapis.com
  gcp:projects:Service cloudfunctions.googleapis.com
  gcp:projects:Service run.googleapis.com
  gcp:projects:Service cloudbuild.googleapis.com
  gcp:projects:Service iam.googleapis.com
  gcp:projects:Service cloudbilling.googleapis.com
  gcp:projects:Service appengine.googleapis.com
  gcp:projects:Service secretmanager.googleapis.com
  gcp:organizations:Project ayr-console-project
  gcp:organizations:Project ayr-core-project
  gcp:organizations:Project ayr-onboarding-project
  gcp:organizations:Project website
  google-native:iam/v1:ServiceAccount workspace-agent-invoker
  gcp:pubsub:Topic workspace-agent
  github:index:ActionsSecret tripletex-agent-main-project-id
  gcp:projects:Service main-cloudprofiler.googleapis.com
  gcp:projects:Service main-clouddebugger.googleapis.com
  github:index:ActionsSecret workspace-agent-main-project-id
  gcp:projects:Service main-serviceusage.googleapis.com
  gcp:projects:Service main-servicemanagement.googleapis.com
  gcp:projects:Service main-servicecontrol.googleapis.com
  gcp:projects:Service main-container.googleapis.com
  gcp:projects:Service main-compute.googleapis.com
  gcp:projects:Service main-dns.googleapis.com
  gcp:projects:Service main-cloudresourcemanager.googleapis.com
  gcp:projects:Service main-logging.googleapis.com
  gcp:projects:Service main-stackdriver.googleapis.com
  gcp:projects:Service main-sqladmin.googleapis.com
  gcp:projects:Service main-cloudkms.googleapis.com
  gcp:projects:Service main-cloudfunctions.googleapis.com
  gcp:projects:Service main-run.googleapis.com
  gcp:projects:Service main-cloudbuild.googleapis.com
  gcp:projects:Service main-iam.googleapis.com
  gcp:projects:Service main-cloudbilling.googleapis.com
  gcp:projects:Service main-appengine.googleapis.com
  gcp:projects:Service main-secretmanager.googleapis.com
  gcp:projects:Service main-artifactregistry.googleapis.com
  github:index:ActionsSecret billing-api-main-project-id
  github:index:ActionsSecret calendar-agent-main-project-id
  github:index:ActionsSecret consumer-api-main-project-id
  gcp:projects:Service main-monitoring.googleapis.com
  gcp:projects:Service main-cloudtrace.googleapis.com
  gcp:projects:Service main-clouderrorreporting.googleapis.com
  github:index:ActionsSecret freshworks-agent-main-project-id
  gcp:pubsub:TopicIAMMember console-slack-log-sink-pubsub-publisher [diff: ~topic]
  gcp:cloudrun:Service workspace-agent-v2 [diff: ~template]
  gcp:pubsub:TopicIAMMember console-slack-log-sink-pubsub-publisher-v2 [diff: ~topic]
+ github:index:ActionsSecret freshworks-agent-identity-provider create
+ github:index:ActionsSecret workspace-agent-identity-provider create
  gcp:cloudrun:Service consumer-api
  google-native:bigquery/v2:Table console
  gcp:storage:Bucket console-new-log-entry
  gcp:cloudrun:Service tripletex-agent
  gcp:projects:Service ayr-console-cloudtrace.googleapis.com
  pulumi:providers:gcp onboarding-google
  gcp:projects:Service ayr-console-serviceusage.googleapis.com
  gcp:projects:Service ayr-console-servicemanagement.googleapis.com
  gcp:projects:Service ayr-console-servicecontrol.googleapis.com
  gcp:projects:Service ayr-console-container.googleapis.com
  gcp:projects:Service ayr-console-compute.googleapis.com
  gcp:projects:Service ayr-console-stackdriver.googleapis.com
  gcp:projects:Service ayr-console-monitoring.googleapis.com
  gcp:projects:Service ayr-console-dns.googleapis.com
  gcp:projects:Service ayr-console-cloudresourcemanager.googleapis.com
  gcp:projects:Service ayr-console-logging.googleapis.com
  gcp:projects:Service ayr-website-cloudresourcemanager.googleapis.com
  gcp:projects:Service ayr-website-serviceusage.googleapis.com
  gcp:projects:Service ayr-console-clouddebugger.googleapis.com
  gcp:projects:Service ayr-console-cloudprofiler.googleapis.com
  gcp:projects:Service ayr-console-sqladmin.googleapis.com
  gcp:projects:Service ayr-console-cloudkms.googleapis.com
  gcp:projects:Service ayr-console-cloudfunctions.googleapis.com
  gcp:projects:Service ayr-console-run.googleapis.com
  gcp:projects:Service ayr-console-cloudbuild.googleapis.com
  gcp:projects:Service ayr-console-iam.googleapis.com
  gcp:projects:Service ayr-console-cloudbilling.googleapis.com
  gcp:projects:Service ayr-console-containerregistry.googleapis.com
  gcp:projects:Service ayr-console-cloudscheduler.googleapis.com
  gcp:projects:Service ayr-console-bigquerydatatransfer.googleapis.com
  gcp:projects:Service ayr-console-clouderrorreporting.googleapis.com
  gcp:projects:Service ayr-console-artifactregistry.googleapis.com
  gcp:projects:Service ayr-website-cloudfunctions.googleapis.com
  google-native:iam/v1:ServiceAccount core-deploy-sa
  pulumi:providers:google-native core-google
  google-native:iam/v1:ServiceAccount onboarding-deploy-sa
  google-native:iam/v1:ServiceAccount console-deploy-sa
  google-native:iam/v1:ServiceAccount reseller-admin-sa
  google-native:iam/v1:ServiceAccount console-slack-sa
  gcp:projects:Service ayr-website-servicecontrol.googleapis.com
  google-native:iam/v1:ServiceAccount onboarding-slack-sa
  gcp:projects:Service ayr-website-container.googleapis.com
  gcp:projects:Service ayr-website-cloudbuild.googleapis.com
  gcp:projects:Service ayr-website-compute.googleapis.com
  gcp:projects:Service ayr-website-logging.googleapis.com
  gcp:projects:Service ayr-website-stackdriver.googleapis.com
  gcp:projects:Service ayr-website-monitoring.googleapis.com
  gcp:projects:Service ayr-website-cloudtrace.googleapis.com
  gcp:projects:Service ayr-website-clouderrorreporting.googleapis.com
  gcp:projects:Service ayr-website-clouddebugger.googleapis.com
  gcp:projects:Service ayr-website-cloudprofiler.googleapis.com
+ github:index:ActionsSecret tripletex-agent-gcp-project create
  gcp:projects:Service ayr-website-iam.googleapis.com
  gcp:secretmanager:Secret reseller-sa-key
  google-native:cloudscheduler/v1:Job workspace-agent
+ github:index:ActionsSecret workspace-agent-gcp-project create
+ github:index:ActionsSecret consumer-api-gcp-project create
  github:index:ActionsSecret infra-core-cluster-core-gke-project-id
  github:index:ActionsSecret core-gcp-project
@ previewing update....
  pulumi:providers:gcp core-google
  github:index:ActionsSecret core-backoffice-gcp-project
  gcp:projects:Service ayr-website-servicemanagement.googleapis.com
  github:index:ActionsSecret onboarding-gcp-project
  gcp:storage:BucketObject console-new-log-entry [diff: ~__defaults,detectMd5hash,source]
  gcp:cloudrun:Service workspace-agent [diff: ~template]
  pulumi:providers:gcp main-gcp
  pulumi:providers:google-native main-google
  google-native:run/v1:ServiceIamPolicy workspace-agent-v2
  google-native:bigquery/v2:TableIamPolicy console
  google-native:run/v1:ServiceIamPolicy consumer-api
  gcp:cloudrun:DomainMapping consumer-api
  google-native:run/v1:ServiceIamPolicy tripletex-agent
  gcp:projects:Service onboard-iam.googleapis.com
  gcp:projects:Service onboard-appengine.googleapis.com
  gcp:pubsub:Topic onboarding-logger
  gcp:projects:Service onboard-cloudbuild.googleapis.com
  gcp:projects:Service onboard-cloudresourcemanager.googleapis.com
  gcp:projects:Service onboard-serviceusage.googleapis.com
  gcp:projects:Service onboard-servicemanagement.googleapis.com
  gcp:projects:Service onboard-servicecontrol.googleapis.com
  gcp:projects:Service onboard-container.googleapis.com
  gcp:projects:Service onboard-compute.googleapis.com
  gcp:projects:Service onboard-logging.googleapis.com
  gcp:projects:Service onboard-stackdriver.googleapis.com
  gcp:projects:Service onboard-monitoring.googleapis.com
  gcp:projects:Service onboard-cloudtrace.googleapis.com
  gcp:projects:Service onboard-clouderrorreporting.googleapis.com
  gcp:projects:Service onboard-clouddebugger.googleapis.com
  gcp:projects:Service onboard-cloudprofiler.googleapis.com
  gcp:projects:Service onboard-cloudfunctions.googleapis.com
  github:index:ActionsSecret studio-ayrbot-token
  github:index:ActionsSecret meraki-to-slack-notify-ayrbot-token
  github:index:ActionsSecret moment-workspace-scripts-ayrbot-token
  github:index:ActionsSecret calendar-agent-ayrbot-token
  github:index:ActionsSecret workspace-agent-ayrbot-token
  github:index:ActionsSecret support-tripletex-ayrbot-token
  github:index:ActionsSecret billing-api-ayrbot-token
  github:index:ActionsSecret freshworks-agent-ayrbot-token
  github:index:ActionsSecret timely-agent-ayrbot-token
  github:index:ActionsSecret sanity-ayrbot-token
  github:index:ActionsSecret moment-millnet-ayrbot-token
  github:index:ActionsSecret cloudiq-aws-invoice-ayrbot-token
  github:index:ActionsSecret core-ayrbot-token
  github:index:ActionsSecret backoffice-ayrbot-token
  github:index:ActionsSecret onboarding-ayrbot-token
  github:index:ActionsSecret tripletex-agent-ayrbot-token
  github:index:ActionsSecret consumer-api-ayrbot-token
  github:index:ActionsSecret cpanel-change-pw-ayrbot-token
  github:index:ActionsSecret also-sync-pricelist-ayrbot-token
  github:index:ActionsSecret ayr-oyatel-slack-ayrbot-token
  github:index:ActionsSecret pgadmin-ayrbot-token
  github:index:ActionsSecret docs-ayrbot-token
  github:index:ActionsSecret console-ayrbot-token
  gcp:artifactregistry:Repository docker-registry
  google-native:cloudresourcemanager/v1:ProjectIamPolicy onboarding-iam-policy
  gcp:serviceAccount:Key onboarding-deploy-sa-key
  google-native:storage/v1:BucketIamPolicy console-artifact-iam-policies
  google-native:cloudresourcemanager/v1:ProjectIamPolicy console-iam-policy
  gcp:serviceAccount:Key reseller-sa-key
  gcp:serviceAccount:Key console-deploy-sa-key
  google-native:secretmanager/v1:SecretIamPolicy reseller-sa-key-iam
  gcp:cloudfunctions:Function console-new-log-entry [diff: ~eventTrigger]
  gcp:projects:Service core-iap.googleapis.com
  gcp:serviceAccount:Account gke-service-account
  gcp:serviceAccount:Account docker-service-account
  google-native:iam/v1:ServiceAccount deploy-sa
  gcp:serviceAccount:Key core-deploy-sa-key
  gcp:iam:WorkloadIdentityPool core-github-actions
  gcp:projects:Service core-cloudbuild.googleapis.com
  gcp:projects:Service core-cloudresourcemanager.googleapis.com
  gcp:projects:Service core-serviceusage.googleapis.com
  gcp:projects:Service core-servicemanagement.googleapis.com
  gcp:projects:Service core-servicecontrol.googleapis.com
  gcp:projects:Service core-container.googleapis.com
  gcp:projects:Service core-compute.googleapis.com
  gcp:projects:Service core-logging.googleapis.com
  gcp:projects:Service core-stackdriver.googleapis.com
  gcp:projects:Service core-monitoring.googleapis.com
  gcp:projects:Service core-cloudtrace.googleapis.com
  gcp:projects:Service core-clouderrorreporting.googleapis.com
  gcp:projects:Service core-clouddebugger.googleapis.com
  gcp:projects:Service core-cloudprofiler.googleapis.com
  gcp:projects:Service core-cloudfunctions.googleapis.com
  gcp:projects:Service core-iam.googleapis.com
  gcp:projects:Service core-appengine.googleapis.com
  gcp:projects:Service core-secretmanager.googleapis.com
  gcp:projects:Service core-sqladmin.googleapis.com
  gcp:projects:Service core-storage.googleapis.com
  gcp:projects:Service core-cloudkms.googleapis.com
  gcp:artifactregistry:Repository main-artifact-registry
  google-native:run/v1:ServiceIamPolicy workspace-agent
  gcp:serviceAccount:Account container-service-account
  gcp:iam:WorkloadIdentityPool main-identity-pool
  google-native:compute/v1:Address ayr-core-address
  google-native:container/v1:Cluster main-cluster
  google-native:iam/v1:ServiceAccount calendar-agent
  gcp:cloudfunctions:CallbackFunction onboarding-new-log-entry
  gcp:logging:ProjectSink onboarding-slack-logger
  gcp:appengine:Application onboarding
  github:index:ActionsSecret workspace-agent-main-repo
  gcp:artifactregistry:RepositoryIamMember docker-registry-so@bjerk.io
  gcp:artifactregistry:RepositoryIamMember docker-registry-brage@bjerk.io
  gcp:artifactregistry:RepositoryIamMember docker-registry
  github:index:ActionsSecret onboarding-gcp-sa-key
  github:index:ActionsSecret freshworks-agent-main-repo
  github:index:ActionsSecret workspace-agent-gcp-sa-key
  github:index:ActionsSecret consumer-api-gcp-sa-key
  github:index:ActionsSecret tripletex-agent-gcp-sa-key
  gcp:serviceAccount:Key service-account-key
  gcp:cloudfunctions:FunctionIamMember console-new-log-entry-invoker [diff: ~cloudFunction]
  google-native:cloudresourcemanager/v1:ProjectIamPolicy project-iam-policy
  gcp:iam:WorkloadIdentityPoolProvider core-github-actions
  github:index:ActionsSecret infra-core-cluster-core-gke-docker-service-account
  github:index:ActionsSecret core-gcp-sa-key
  github:index:ActionsSecret core-backoffice-gcp-sa-key
@ previewing update....
  gcp:cloudrun:Service freshworks-agent
  gcp:serviceAccount:IAMMember gke-iam-infra-core-cluster
  gcp:serviceAccount:IAMMember gke-iam-token-infra-core-cluster
  google-native:cloudresourcemanager/v1:ProjectIamPolicy core-iam-policy
~ google-native:cloudresourcemanager/v1:ProjectIamPolicy main-iam-policy update [diff: ]
  gcp:cloudrun:Service calendar-agent
  gcp:appengine:Application core
  gcp:storage:Bucket onboarding-new-log-entry
  gcp:secretmanager:SecretVersion reseller-sa-key
  gcp:serviceAccount:IAMMember core-iam-service-freshworks-agent
  gcp:serviceAccount:IAMMember core-iam-service-token-freshworks-agent
  gcp:artifactregistry:Repository core-docker-registry
  gcp:serviceAccount:IAMMember core-iam-service-tripletex-agent
  gcp:serviceAccount:IAMMember core-iam-service-token-tripletex-agent
  gcp:serviceAccount:IAMMember core-iam-service-workspace-agent
  google-native:pubsub/v1:Subscription workspace-agent
  gcp:serviceAccount:IAMMember core-iam-service-token-workspace-agent
  gcp:artifactregistry:RepositoryIamMember main-artifact-iam-so@bjerk.io
  gcp:artifactregistry:RepositoryIamMember main-artifact-registry
  gcp:artifactregistry:RepositoryIamMember main-artifact-iam-brage@bjerk.io
  github:index:ActionsSecret billing-api-core-artifact-registry
  github:index:ActionsSecret calendar-agent-core-artifact-registry
  gcp:iam:WorkloadIdentityPoolProvider main-identity-pool-provider
  github:index:ActionsSecret consumer-api-core-artifact-registry
  gcp:pubsub:TopicIAMMember onboarding-slack-log-sink-pubsub-publisher [diff: ~topic]
  github:index:ActionsSecret billing-api-main-service-account
  github:index:ActionsSecret freshworks-agent-core-artifact-registry
  github:index:ActionsSecret calendar-agent-main-service-account
  github:index:ActionsSecret tripletex-agent-core-artifact-registry
  github:index:ActionsSecret consumer-api-main-service-account
  github:index:ActionsSecret workspace-agent-core-artifact-registry
  github:index:ActionsSecret freshworks-agent-main-service-account
  github:index:ActionsSecret billing-api-main-artifact-repo
  github:index:ActionsSecret tripletex-agent-main-service-account
  github:index:ActionsSecret calendar-agent-main-artifact-repo
  github:index:ActionsSecret workspace-agent-main-service-account
  github:index:ActionsSecret consumer-api-main-artifact-repo
  gcp:serviceAccount:IAMMember core-iam-service-billing-api
  github:index:ActionsSecret freshworks-agent-main-artifact-repo
  gcp:serviceAccount:IAMMember core-iam-service-token-billing-api
  github:index:ActionsSecret tripletex-agent-main-artifact-repo
  gcp:serviceAccount:IAMMember core-iam-service-calendar-agent
  gcp:serviceAccount:IAMMember core-iam-service-token-calendar-agent
  github:index:ActionsSecret workspace-agent-main-artifact-repo
  gcp:serviceAccount:IAMMember core-iam-service-consumer-api
  pulumi:providers:gcp reseller-gcp-provider
  gcp:serviceAccount:IAMMember core-iam-service-token-consumer-api
  gcp:cloudscheduler:Job sync-companies
  gcp:cloudscheduler:Job report-dangling-companies
  google-native:run/v1:ServiceIamPolicy freshworks-agent
  github:index:ActionsSecret website-gcp-key
  github:index:ActionsSecret studio-gcp-key
  github:index:ActionsSecret infra-core-cluster-core-gke-identity-provider
  gcp:cloudscheduler:Job delete-unknown-companies
  github:index:ActionsSecret workspace-agent-core-identity-provider
  gcp:storage:BucketObject onboarding-new-log-entry [diff: ~__defaults,detectMd5hash,source]
  gcp:artifactregistry:RepositoryIamMember core-docker-registry-so@bjerk.io
  gcp:artifactregistry:RepositoryIamMember core-docker-registry-brage@bjerk.io
  gcp:artifactregistry:RepositoryIamMember core-docker-registry
  gcp:cloudrun:DomainMapping calendar-agent
  google-native:run/v1:ServiceIamPolicy calendar-agent
  github:index:ActionsSecret billing-api-core-identity-provider
  github:index:ActionsSecret calendar-agent-core-identity-provider
  github:index:ActionsSecret consumer-api-core-identity-provider
  github:index:ActionsSecret freshworks-agent-core-identity-provider
  github:index:ActionsSecret tripletex-agent-core-identity-provider
  gcp:pubsub:Subscription partner-watch-workspace-agent
  gcp:pubsub:Subscription partner-watch-workspace-agent-v2
  gcp:cloudfunctions:Function onboarding-new-log-entry [diff: ~eventTrigger]
  pulumi:providers:kubernetes k8s-provider
  gcp:cloudfunctions:FunctionIamMember onboarding-new-log-entry-invoker [diff: ~cloudFunction]
  kubernetes:helm.sh/v3:Chart postgres-operator-ui
  kubernetes:helm.sh/v3:Chart caddy-ingress
  kubernetes:helm.sh/v3:Chart postgres-operator
  kubernetes:core/v1:Namespace caddy-system
@ previewing update....
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRole postgres-operator-ui
  kubernetes:apps/v1:Deployment default/postgres-operator-ui
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRoleBinding postgres-operator-ui
  kubernetes:core/v1:ServiceAccount default/postgres-operator-ui
@ previewing update....
  kubernetes:core/v1:Service default/postgres-operator-ui
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRole caddy-system/caddy-ingress-controller-role
  kubernetes:apps/v1:Deployment caddy-system/caddy-ingress-caddy-ingress-controller
  kubernetes:core/v1:ServiceAccount caddy-system/caddy-ingress-controller
  kubernetes:core/v1:ConfigMap caddy-system/caddy-ingress-controller-configmap
  kubernetes:core/v1:Service caddy-system/caddy-ingress-caddy-ingress-controller
  kubernetes:policy/v1:PodDisruptionBudget caddy-system/caddy-ingress-caddy-ingress-controller
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRoleBinding caddy-system/caddy-ingress-controller-role-binding
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRole postgres-pod
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRoleBinding postgres-operator
  kubernetes:core/v1:ServiceAccount default/postgres-operator
  kubernetes:core/v1:Service default/postgres-operator
  kubernetes:apiextensions.k8s.io/v1:CustomResourceDefinition postgresqls.acid.zalan.do
  kubernetes:apiextensions.k8s.io/v1:CustomResourceDefinition operatorconfigurations.acid.zalan.do
  kubernetes:apps/v1:Deployment default/postgres-operator
  kubernetes:acid.zalan.do/v1:OperatorConfiguration default/postgres-operator
  kubernetes:apiextensions.k8s.io/v1:CustomResourceDefinition postgresteams.acid.zalan.do
  kubernetes:rbac.authorization.k8s.io/v1:ClusterRole postgres-operator
  pulumi:pulumi:Stack infra-core-prod

Resources:
    + 7 to create
    ~ 1 to update
    8 changes. 363 unchanged
```