apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: grafana-sa-k8s-logging-folder-viewer
spec:
  member: serviceAccount:grafana-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/logging.viewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: grafana-sa-k8s-logging-folder-view-accesor
spec:
  member: serviceAccount:grafana-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: ${tenants_gcp_folder_id}
  role: roles/logging.viewAccessor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: grafana-sa-k8s-logging-viewer
spec:
  member: serviceAccount:grafana-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/logging.viewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: grafana-sa-k8s-logging-view-accesor
spec:
  member: serviceAccount:grafana-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/logging.viewAccessor