use owner roles and required outside of owner

main.tf

@@ -72,6 +72,36 @@ resource "google_folder_iam_member" "folder_gh_owner" {
   member = "serviceAccount:${module.project.service_account_email}"
 }
 
+resource "google_folder_iam_member" "folder_gh_folder_viewer" {
+  folder = module.folder_gh.id
+  role   = "roles/resourcemanager.folderViewer"
+  member = "serviceAccount:${module.project.service_account_email}"
+}
+
+resource "google_folder_iam_member" "folder_gh_owner_owner" {
+  folder = module.folder_gh_owner.id
+  role   = "roles/owner"
+  member = "serviceAccount:${module.project.service_account_email}"
+}
+
+resource "google_folder_iam_member" "folder_gh_owner_folder_viewer" {
+  folder = module.folder_gh_owner.id
+  role   = "roles/resourcemanager.folderViewer"
+  member = "serviceAccount:${module.project.service_account_email}"
+}
+
+resource "google_folder_iam_member" "folder_gh_project_creator" {
+  folder = module.folder_gh.id
+  role   = "roles/resourcemanager.projectCreator"
+  member = "serviceAccount:${module.project.service_account_email}"
+}
+
+resource "google_project_iam_member" "project" {
+  project = module.project.project_id
+  role    = "roles/owner"
+  member  = "serviceAccount:${module.project.service_account_email}"
+}
+
 resource "google_billing_account_iam_member" "billing_account_iam_binding" {
   billing_account_id = var.gcp_billing_account_id
   role               = "roles/billing.user"