From cfe3ca0a588015e464a223c10c1d8eafce0303ae Mon Sep 17 00:00:00 2001
From: Jon Buckley
Date: Fri, 20 Mar 2026 15:42:58 -0400
Subject: [PATCH] feat(google_permissions): Allow roles/datastore.user for folder, nonprod, and prod roles

MZCLD-2439
---
 google_permissions/other_roles.tf | 45 +++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/google_permissions/other_roles.tf b/google_permissions/other_roles.tf
index e5f40407..21a2d7e1 100644
--- a/google_permissions/other_roles.tf
+++ b/google_permissions/other_roles.tf
@@ -6,6 +6,51 @@
 //
 */
 
+locals {
+ allowed_folder_roles = [
+ "roles/datastore.user",
+ ]
+ allowed_nonprod_roles = [
+ "roles/datastore.user",
+ ]
+ allowed_prod_roles = [
+ "roles/datastore.user",
+ ]
+}
+
+resource "google_folder_iam_binding" "developers_folder_roles" {
+ for_each = setunion(
+ local.allowed_folder_roles,
+ [for role in var.folder_roles : role if !var.admin_only],
+ )
+
+ folder = var.google_folder_id
+ role = each.value
+ members = module.developers_workgroup.members
+}
+
+resource "google_project_iam_binding" "developers_nonprod_roles" {
+ for_each = setunion(
+ local.allowed_nonprod_roles,
+ [for role in var.nonprod_roles : role if !var.admin_only && var.google_nonprod_project_id != ""],
+ )
+
+ project = var.google_nonprod_project_id
+ role = each.value
+ members = module.developers_workgroup.members
+}
+
+resource "google_project_iam_binding" "developers_prod_roles" {
+ for_each = setunion(
+ local.allowed_prod_roles,
+ [for role in var.prod_roles : role if !var.admin_only && var.google_prod_project_id != ""],
+ )
+
+ project = var.google_prod_project_id
+ role = each.value
+ members = module.developers_workgroup.members
+}
+
 resource "google_folder_iam_binding" "bq_job_user" {
 //
 // NOTE: this uses bq_data_viewer as well as the next resource block so that those we grant data viewer
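Review bot: The `!= ""` guards in `developers_nonprod_roles` and `developers_prod_roles` only filter the variable-supplied roles, so when `var.google_nonprod_project_id` (or the prod id) is empty the `setunion` still yields `roles/datastore.user` and Terraform tries to create a `google_project_iam_binding` with `project = ""`, which fails at plan/apply. The guard belongs on the whole set, e.g. `for_each = var.google_nonprod_project_id != "" ? setunion(local.allowed_nonprod_roles, [for role in var.nonprod_roles : role if !var.admin_only]) : toset([])`, with the same change on the prod resource. By the same token `admin_only` no longer excludes the developers workgroup from the `allowed_*` roles on the folder and both projects; if that is intentional (the title reads as "always grant"), a comment on the `locals` block such as `// Roles granted to developers unconditionally, regardless of admin_only` would stop the next reader from taking these locals for an allowlist that filters the variable roles. Note also that `*_iam_binding` is authoritative per role: any member of `roles/datastore.user` on the prod project granted elsewhere (service accounts, other modules) is removed on apply, and the developers workgroup now gets read/write on production Datastore/Firestore data, which is worth a deliberate sign-off.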