Google Cloud Platform Project IAM Custom Role

google_project_iam_custom_role (Terraform)

The Project IAM Custom Role in Cloud Platform can be configured in Terraform with the resource name google_project_iam_custom_role. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

ONSdigital/veeam-terraform-modules

resource "google_project_iam_custom_role" "veeam-default" {
  role_id = "veeam_default"
  title   = "veeam-default"
  permissions = [
    "compute.disks.addResourcePolicies",
    "compute.disks.get",

Biarca/patrol-k8s-marketplace

resource "google_project_iam_custom_role" "patrol-operations-custom-role" {
  project     = var.project_id
  role_id     = var.ops_id
  permissions = var.ops_perm
  title       = "Patrol Operations Role"
  description = "A Custom Role for Patrol Operations"

intetunder-temp/terraform-modules

resource "google_project_iam_custom_role" "custom_roles_chd_encrypt" {
  project     = google_project.chd.project_id
  role_id     = "lvhpaykmsencrypt"
  title       = "Terraform Managed Encrypt"
  description = "Terraform Managed"
  permissions = ["cloudkms.cryptoKeyVersions.useToEncrypt"]

nekoshita/gcp-cloud-nat-example

resource "google_project_iam_custom_role" "my_custom_role" {
  role_id = "MyCustomRole"
  title   = "My Custom Role"

  permissions = [
    # VMインスタンスにSSH接続するのに必要な権限

yoshinori-hardy/gcp

resource "google_project_iam_custom_role" "storage-object-ro" {
  role_id     = "object_ro"
  title       = "Storage Object RO"
  description = "Allow read access to bucket objects"
  permissions = ["storage.objects.get", "storage.objects.list"]
}

Parameters

• deleted optional computed - bool

The current deleted state of the role.

• description optional - string

A human-readable description for the role.

• id optional computed - string
• name optional computed - string

The name of the role in the format projects/[[project]]/roles/[[role_id]]. Like id, this field can be used as a reference in other resources such as IAM role bindings.

• permissions required - set of string

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

• project optional computed - string

The project that the service account will be created in. Defaults to the provider project configuration.

• role_id required - string

The camel case role id to use for this role. Cannot contain - characters.

• stage optional - string

The current launch stage of the role. Defaults to GA.

• title required - string

A human-readable title for the role.

Explanation in Terraform Registry

Allows management of a customized Cloud IAM project role. For more information see the official documentation and API.

Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by Terraform, and new roles cannot share that name.

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to the google_project, Google Cloud Platform has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.