Google Cloud Custom IAM Role Generator

Helper module that generates an organization-level custom IAM role from a list of predefined roles, plus optional permissions to add and permissions to exclude.

Today, composing a custom role means hand-picking individual permissions. This module instead lets you build a custom role from predefined roles, which Google product teams maintain as their services change. The resulting custom role carries the union of the permissions of every predefined role you list, plus `additional_permissions`, minus `excluded_permissions`.

Because predefined roles gain (and occasionally lose) permissions over time, the custom role is only as current as the last apply. Re-run this module on a regular basis so the custom role keeps up with the predefined roles it was derived from, and review the plan each time: every permission added to a predefined role widens the grant held by anyone bound to the custom role. Note also that not every permission found in a predefined role can be used in a custom role; if Google lists a permission as unsupported for custom roles, the apply fails and the permission has to be dropped via `excluded_permissions`.

Compatibility

This module is meant for use with Terraform 0.13.

Usage

module "custom_role" {
  source      = "./custom-role-generator"
  org_id      = var.org_id
  role_id     = "Developer"
  title       = "Custom Developer Role"
  description = "Role for Developers"
  predefined_roles = [
    "roles/compute.instanceAdmin",
    "roles/bigquery.jobUser"
  ]
  additional_permissions = ["serviceusage.quotas.get"]
  excluded_permissions = ["compute.firewalls.create", "compute.firewalls.delete"]
}
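To show what the inputs above amount to, here is the same composition written directly against the google provider, with no module in between. This is an added illustration, not the module's source code: it uses the `google_iam_role` data source to read each predefined role's current permission list, the set functions to apply the additions and exclusions, and `google_organization_iam_custom_role` to create the role. The role and permission names are the ones from the Usage block.

```hcl
# Added example, not the module's own code. Reproduces the Usage block's
# inputs with plain provider resources so the composition is visible.

variable "org_id" {
  description = "Organization in which to create the custom role"
  type        = string
}

locals {
  predefined_roles       = ["roles/compute.instanceAdmin", "roles/bigquery.jobUser"]
  additional_permissions = ["serviceusage.quotas.get"]
  excluded_permissions   = ["compute.firewalls.create", "compute.firewalls.delete"]
}

# Read the current permission list of every predefined role. This is a data
# source, so each plan re-reads it; that is what makes periodic re-applies
# pick up permissions Google adds to or removes from these roles.
data "google_iam_role" "predefined" {
  for_each = toset(local.predefined_roles)
  name     = each.value
}

locals {
  # Union of all predefined-role permissions, plus the extras, minus the
  # exclusions. Exclusions that are not present in the union are ignored.
  composed_permissions = setsubtract(
    setunion(
      flatten([for r in data.google_iam_role.predefined : r.included_permissions]),
      local.additional_permissions,
    ),
    local.excluded_permissions,
  )
}

resource "google_organization_iam_custom_role" "developer" {
  org_id      = var.org_id
  role_id     = "Developer"
  title       = "Custom Developer Role"
  description = "Role for Developers"
  # sort() gives a stable order so plans only show real permission changes.
  permissions = sort(local.composed_permissions)
}

output "name" {
  # organizations/{org_id}/roles/Developer, usable in IAM bindings
  value = google_organization_iam_custom_role.developer.name
}
```

Running `terraform plan` after Google changes one of the predefined roles shows the exact permissions about to be added to or removed from the custom role, which is the review step that makes the regular re-run safe. If the apply is rejected because a permission inherited from a predefined role is not supported in custom roles, add it to `excluded_permissions` and re-apply.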

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| org_id | Organization in which to create the custom role | string | n/a | yes |
| role_id | Identifier for the custom role; becomes the last segment of `organizations/{{org_id}}/roles/{{role_id}}` | string | n/a | yes |
| title | Human-readable title for the custom role | string | n/a | yes |
| description | Human-readable description for the custom role | string | n/a | yes |
| predefined_roles | List of predefined roles whose permissions are combined (union), e.g. `["roles/bigquery.admin", "roles/pubsub.admin"]` | list | n/a | yes |
| additional_permissions | Additional permissions to include in the custom role, e.g. `["storage.objects.getIamPolicy"]` | list | `[]` | no |
| excluded_permissions | Permissions to remove from the composed set. WARNING: removing a permission that a service relies on may break functionality in unexpected ways | list | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| id | An identifier for the resource in the format `organizations/{{org_id}}/roles/{{role_id}}` |
| name | The name of the role in the format `organizations/{{org_id}}/roles/{{role_id}}`. Like `id`, this field can be used as a reference in other resources such as IAM role bindings |