This optional module is used to create custom roles at organization or project level. The module supports creating custom rules optionally using predefined roles as a base, with additional permissions or excluded permissions.
Permissions that are unsupported from custom roles are automatically excluded.
module "custom-roles" {
source = "terraform-google-modules/iam/google//modules/custom_role_iam"
target_level = "org"
target_id = "123456789"
role_id = "custom_role_id"
title = "Custom Role Unique Title"
description = "Custom Role Description"
base_roles = ["roles/iam.serviceAccountAdmin"]
permissions = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
members = ["user:[email protected]", "group:[email protected]"]
}
module "custom-roles" {
source = "terraform-google-modules/iam/google//modules/custom_role_iam"
target_level = "project"
target_id = "project_id_123"
role_id = "custom_role_id"
title = "Custom Role Unique Title"
description = "Custom Role Description"
base_roles = ["roles/iam.serviceAccountAdmin"]
permissions = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
members = ["serviceAccount:member01@${var.target_id}.iam.gserviceaccount.com", "serviceAccount:member02@${var.target_id}.iam.gserviceaccount.com"]
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
base_roles | List of base predefined roles to use to compose custom role. | list(string) |
[] |
no |
description | Description of Custom role. | string |
"" |
no |
excluded_permissions | List of permissions to exclude from custom role. | list(string) |
[] |
no |
members | List of members to be added to custom role. | list(string) |
n/a | yes |
permissions | IAM permissions assigned to Custom Role. | list(string) |
n/a | yes |
role_id | ID of the Custom Role. | string |
n/a | yes |
stage | The current launch stage of the role. Defaults to GA. | string |
"GA" |
no |
target_id | Variable for project or organization ID. | string |
n/a | yes |
target_level | String variable to denote if custom role being created is at project or organization level. | string |
"project" |
no |
title | Human-readable title of the Custom Role, defaults to role_id. | string |
"" |
no |
Name | Description |
---|---|
custom_role_id | ID of the custom role created. |