Support conformance env lifecycle in GCP CI Cloud Build

Author: roger2hk

deployment/modules/gcp/cloudbuild/main.tf

@@ -90,6 +90,12 @@ resource "google_project_iam_member" "iam_service_account_open_id_token_creator"
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
+resource "google_project_iam_member" "iam_service_account_viewer" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountViewer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
 resource "google_project_iam_member" "iam_service_account_admin" {
   project = var.project_id
   role    = "roles/iam.serviceAccountAdmin"
@@ -110,18 +116,6 @@ resource "google_project_iam_member" "run_developer" {
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
-resource "google_project_iam_member" "iam_service_account_viewer" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountViewer"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_user" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountAdmin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
 resource "google_cloudbuild_trigger" "build_trigger" {
   name            = "build-docker-${var.docker_env}"
   service_account = google_service_account.cloudbuild_service_account.id