mh roles update

Author: max-ostapenko

infra/tf/masthead/main.tf

@@ -58,16 +58,12 @@ resource "google_project_iam_custom_role" "masthead_bq_meta_reader" {
   title       = "masthead_bq_meta_reader"
 }
 
-resource "google_project_iam_binding" "masthead_bq_meta_reader_binding" {
-  role    = google_project_iam_custom_role.masthead_bq_meta_reader.id
-  members = ["serviceAccount:masthead-data@masthead-prod.iam.gserviceaccount.com"]
-  project = var.project
-}
-
 resource "google_project_iam_member" "masthead_pubsub_subscriber_member" {
-  role    = "roles/pubsub.subscriber"
-  member  = "serviceAccount:masthead-data@masthead-prod.iam.gserviceaccount.com"
+  for_each = toset(["roles/bigquery.metadataViewer", "roles/bigquery.resourceViewer", "roles/pubsub.subscriber"])
+
   project = var.project
+  role    = each.value
+  member  = "serviceAccount:masthead-data@masthead-prod.iam.gserviceaccount.com"
 }
 
 # 4. Grant Masthead Service Account to quickly onboard from retrospective data