This page lists the IAM roles to be granted and APIs to be enabled in order to execute the Forseti Terraform module.
For this module to work, the Service Account must be granted the following roles:
On the organization:
roles/resourcemanager.organizationAdmin
roles/iam.securityReviewer
On the project:
roles/owner
roles/compute.instanceAdmin
roles/compute.networkViewer
roles/compute.securityAdmin
roles/iam.serviceAccountAdmin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/cloudsql.admin
On the host project (when using shared VPC):
roles/compute.securityAdmin
roles/compute.networkAdmin
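A pre-flight check for the role lists above, as an added example that is not part of the Forseti module or its documentation: it reads IAM policy documents in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`, and reports which of the listed roles the Service Account is missing at each level. The function names, the service account address and the sample policies are constructed for illustration; only direct, unconditional bindings are counted, so roles inherited from a parent resource or held through a group are not resolved.

```python
# Roles listed on this page, keyed by the level they are granted on.
REQUIRED = {
    "organization": ["roles/resourcemanager.organizationAdmin",
                     "roles/iam.securityReviewer"],
    "project": ["roles/owner", "roles/compute.instanceAdmin",
                "roles/compute.networkViewer", "roles/compute.securityAdmin",
                "roles/iam.serviceAccountAdmin",
                "roles/serviceusage.serviceUsageAdmin",
                "roles/iam.serviceAccountUser",
                "roles/storage.admin", "roles/cloudsql.admin"],
    "host_project": ["roles/compute.securityAdmin", "roles/compute.networkAdmin"],
}

def granted_roles(policy, member):
    """Roles bound to `member` unconditionally in one IAM policy document."""
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # a conditional grant may not apply at run time; skip it
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles

def missing_roles(policies, member):
    """For each level present in `policies`, list required roles not granted."""
    report = {}
    for level, policy in policies.items():
        have = granted_roles(policy, member)
        report[level] = [r for r in REQUIRED[level] if r not in have]
    return report

# Constructed sample input: hypothetical service account, no shared VPC.
SA = "serviceAccount:terraform@example-project.iam.gserviceaccount.com"
SAMPLE = {
    "organization": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": [SA]},
        {"role": "roles/iam.securityReviewer", "members": ["user:alice@example.com"]},
    ]},
    "project": {"bindings":
        [{"role": r, "members": [SA]} for r in REQUIRED["project"][:-2]]
        + [{"role": "roles/storage.admin", "members": [SA],
            "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}]},
}

if __name__ == "__main__":
    for level, roles in missing_roles(SAMPLE, SA).items():
        print(level, "missing:", roles or "none")
```

When using shared VPC, add the host project's policy under the `host_project` key so the two host-project roles are checked as well.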
For this module to work, you need the following APIs enabled on the Forseti project: