feat: add org-level IAM setup and use ORG_ID in GCP cloud connectors

[amirbenun]

Adds organization-level IAM setup to the GCP cloud connectors deployment and renames the organization scope environment variable from ORGANIZATION_ID to ORG_ID for consistency. When ORG_ID is set, setup.sh now grants the deployment service account the roles/iam.securityAdmin role at the organization level (instead of roles/resourcemanager.organizationAdmin), and the README is updated to document the storage.admin role for Terraform state and the new variable name. This enables customers to deploy Elastic Cloud Connectors with organization-level monitoring using the recommended, least-privilege securityAdmin role.

[mergify]

This pull request does not have a backport label. Could you fix it @amirbenun? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[Copilot]

Pull request overview

This PR updates the GCP Infrastructure Manager “cloud connectors” deployment to support optional organization-scope deployments by introducing ORG_ID (renaming from ORGANIZATION_ID) and granting an org-level IAM role when that variable is provided.

Changes:

• Add an optional ORG_ID parameter to setup.sh and, when set, grant roles/iam.securityAdmin at the organization level.
• Update deploy.sh to pass ORG_ID through and use it to set scope=organizations and parent_id=<ORG_ID>.
• Update README documentation to reflect the ORG_ID rename and document roles/storage.admin for Terraform state.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
deploy/infrastructure-manager/gcp-cloud-connectors/setup.sh	Adds optional org-level IAM binding (securityAdmin) when ORG_ID is provided.
deploy/infrastructure-manager/gcp-cloud-connectors/deploy.sh	Switches org-scope env var usage to ORG_ID and passes it into setup + TF inputs.
deploy/infrastructure-manager/gcp-cloud-connectors/README.md	Updates deployment instructions and required permissions to match ORG_ID and new IAM role guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[amirbenun]

Testing steps:

0. GCP account with org level permissions
1. Deploy infra-manager scripts and use custom aws role - arn:aws:iam::548875586927:role/amir_cloudconnectors_globalrole.
2. Creating CSPM from dev tools with:

        "cloud_security_posture.findings": {
          "enabled": true,
          "vars": {
            "gcp.account_type": "organization-account",
            "gcp.organization_id": "229135500492",
            "gcp.credentials.type": "cloud_connectors",
            "gcp.credentials.service_account_email": "elastic-agent-sa-xxxxx@starry-descent-486215-b2.iam.gserviceaccount.com",
            "gcp.credentials.audience": "//iam.googleapis.com/projects/173086727153/locations/global/workloadIdentityPools/elastic-pool-xxxxx/providers/elastic-aws-provider-xxxxx",
            "gcp_credentials_cloud_connector_id": "amiramir-cc-id"
          }

3. Show findings dashboard