Skip to content

Latest commit

 

History

History
 
 

custom_role_iam

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

Module Custom Role IAM

This optional module is used to create custom roles at organization or project level. The module supports creating custom rules optionally using predefined roles as a base, with additional permissions or excluded permissions.

Permissions that are unsupported from custom roles are automatically excluded.

Usage - Custom Role at Organization Level

module "custom-roles" {
  source = "terraform-google-modules/iam/google//modules/custom_role_iam"

  target_level         = "org"
  target_id            = "123456789"
  role_id              = "custom_role_id"
  title                = "Custom Role Unique Title"
  description          = "Custom Role Description"
  base_roles           = ["roles/iam.serviceAccountAdmin"]
  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
  members              = ["user:[email protected]", "group:[email protected]"]
}

Usage - Custom Role at Project Level

module "custom-roles" {
  source = "terraform-google-modules/iam/google//modules/custom_role_iam"

  target_level         = "project"
  target_id            = "project_id_123"
  role_id              = "custom_role_id"
  title                = "Custom Role Unique Title"
  description          = "Custom Role Description"
  base_roles           = ["roles/iam.serviceAccountAdmin"]
  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
  members              = ["serviceAccount:member01@${var.target_id}.iam.gserviceaccount.com", "serviceAccount:member02@${var.target_id}.iam.gserviceaccount.com"]
}

Inputs

Name Description Type Default Required
base_roles List of base predefined roles to use to compose custom role. list(string) [] no
description Description of Custom role. string "" no
excluded_permissions List of permissions to exclude from custom role. list(string) [] no
members List of members to be added to custom role. list(string) n/a yes
permissions IAM permissions assigned to Custom Role. list(string) n/a yes
role_id ID of the Custom Role. string n/a yes
stage The current launch stage of the role. Defaults to GA. string "GA" no
target_id Variable for project or organization ID. string n/a yes
target_level String variable to denote if custom role being created is at project or organization level. string "project" no
title Human-readable title of the Custom Role, defaults to role_id. string "" no

Outputs

Name Description
custom_role_id ID of the custom role created.