Google Cloud Platform Organization IAM Custom Role

This page shows how to write Terraform for a Cloud Platform Organization IAM Custom Role and how to write it securely.

google_organization_iam_custom_role (Terraform)

The Organization IAM Custom Role in Cloud Platform can be configured in Terraform with the resource name google_organization_iam_custom_role. The following sections describe two examples of how to use the resource and its parameters.

Example Usage from GitHub
# Example 1: role ID from a local value, permission list from a variable
resource "google_organization_iam_custom_role" "dev-biquery-role" {
  role_id     = local.role_id
  org_id      = var.organization_id
  title       = "Bigquery dev role"
  description = "A description"
  permissions = var.admin-permissions
}

# Example 2: every argument supplied through module variables
resource "google_organization_iam_custom_role" "custom-iam-role" {
  role_id     = var.role_id
  org_id      = var.org_id
  title       = var.title
  description = var.description
  permissions = var.permissions
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


Parameters

  • deleted optional computed - bool

The current deleted state of the role.

  • description optional - string

A human-readable description for the role.

  • id optional computed - string
  • name optional computed - string

The name of the role in the format organizations/[[org_id]]/roles/[[role_id]]. Like id, this field can be used as a reference in other resources such as IAM role bindings.

  • org_id required - string

The numeric ID of the organization in which you want to create a custom role.

  • permissions required - set of string

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • role_id required - string

The role id to use for this role.

  • stage optional - string

The current launch stage of the role. Defaults to GA.

  • title required - string

A human-readable title for the role.

Explanation in Terraform Registry

Allows management of a customized Cloud IAM organization role. For more information see the official documentation and API.

Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by Terraform, and new roles cannot share that name.
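The following configuration is an added example, not code from the GitHub sources cited on this page. It shows a least-privilege organization custom role whose permissions are enumerated explicitly, with the role ID validated against GCP's naming rule and a binding that references the role's name attribute; var.org_id, var.auditor_group and the role ID are assumed values.

```hcl
# Assumed inputs: var.org_id (numeric organization ID) and var.auditor_group
# (the principal that receives the role). Values are placeholders.
variable "org_id" {
  description = "Numeric organization ID (placeholder, set in terraform.tfvars)"
  type        = string
}

variable "auditor_group" {
  description = "Principal to bind, e.g. group:sec-audit@example.com (placeholder)"
  type        = string
}

variable "role_id" {
  type    = string
  default = "bigqueryReadOnlyAuditor"

  # GCP requires 3-64 characters drawn from letters, digits, '.' and '_'.
  # Remember the soft-delete caveat above: a role_id deleted in the last
  # 7-37 days cannot be reused, so pick a fresh ID rather than recycling one.
  validation {
    condition     = can(regex("^[a-zA-Z0-9_.]{3,64}$", var.role_id))
    error_message = "role_id must be 3-64 characters of letters, digits, '.' and '_'."
  }
}

resource "google_organization_iam_custom_role" "bq_read_auditor" {
  role_id     = var.role_id
  org_id      = var.org_id
  title       = "BigQuery read-only auditor"
  description = "Lists datasets and tables and reads metadata; no data reads, no jobs"
  stage       = "GA"

  # Custom roles take individual permission names only (no wildcards), so the
  # list is the whole grant; keep it minimal so plan diffs stay reviewable.
  permissions = [
    "bigquery.datasets.get",
    "bigquery.tables.get",
    "bigquery.tables.list",
    "resourcemanager.projects.get",
  ]
}

# Bind through the role's name attribute (organizations/ORG_ID/roles/ROLE_ID);
# this both uses the correct fully qualified role and orders the binding after
# the role is created.
resource "google_organization_iam_member" "bq_read_auditor_binding" {
  org_id = var.org_id
  role   = google_organization_iam_custom_role.bq_read_auditor.name
  member = var.auditor_group
}
```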

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to google_project, Google Cloud Platform has other resources that should be configured for security reasons. The following are examples of those resources and the precautions to take with them.



Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check that your .tf files cover them.

Frequently asked questions

What is Google Cloud Platform Organization IAM Custom Role?

Google Cloud Platform Organization IAM Custom Role is a resource for Cloud Platform of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Organization IAM Custom Role?

For Terraform, the brownjasonj/gcpprojectsetup and leylmordor/gcp-custom-iam source code examples are useful. See the Terraform Example section for further details.