This optional module is used to create custom roles at organization or project level. The module supports creating custom rules optionally using predefined roles as a base, with additional permissions or excluded permissions.
Permissions that are unsupported from custom roles are automatically excluded.
module "custom-roles" {
source = "terraform-google-modules/iam/google//modules/custom_role_iam"
version = "~> 8.0"
target_level = "org"
target_id = "123456789"
role_id = "custom_role_id"
title = "Custom Role Unique Title"
description = "Custom Role Description"
base_roles = ["roles/iam.serviceAccountAdmin"]
permissions = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
members = ["user:user01@domain.com", "group:group01@domain.com"]
}module "custom-roles" {
source = "terraform-google-modules/iam/google//modules/custom_role_iam"
target_level = "project"
target_id = "project_id_123"
role_id = "custom_role_id"
title = "Custom Role Unique Title"
description = "Custom Role Description"
base_roles = ["roles/iam.serviceAccountAdmin"]
permissions = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
members = ["serviceAccount:member01@${var.target_id}.iam.gserviceaccount.com", "serviceAccount:member02@${var.target_id}.iam.gserviceaccount.com"]
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| base_roles | List of base predefined roles to use to compose custom role. Either base_roles or permissions must be set with some values | list(string) |
[] |
no |
| description | Description of Custom role. | string |
"" |
no |
| excluded_permissions | List of permissions to exclude from custom role. | list(string) |
[] |
no |
| members | List of members to be added to custom role. | list(string) |
[] |
no |
| permissions | IAM permissions assigned to Custom Role. Either base_roles or permissions must be set with some values | list(string) |
[] |
no |
| role_id | ID of the Custom Role. | string |
n/a | yes |
| stage | The current launch stage of the role. Defaults to GA. | string |
"GA" |
no |
| target_id | Variable for project or organization ID. | string |
n/a | yes |
| target_level | String variable to denote if custom role being created is at project or organization level. | string |
"project" |
no |
| title | Human-readable title of the Custom Role, defaults to role_id. | string |
"" |
no |
| Name | Description |
|---|---|
| custom_role_id | ID of the custom role created. |
| custom_role_name | Name of the custom role created in the format {{target_level}}/{{target_id}}/roles/{{role_id}}, for use as a reference in other resources such as IAM role bindings. |