Skip to main content
Updated May 10, 2026 Manages a custom IAM role. System roles (Owner, Admin, Operator, Member) are immutable and managed by the platform — they cannot be created, updated, or deleted via Terraform. The permissions attribute is a set; reordering does not produce a diff.

Example — account-scoped read-only

resource "raff_role" "auditor" {
  name        = "Auditor"
  slug        = "auditor"
  scope       = "account"
  description = "Read-only access for compliance reviews"

  permissions = [
    "account.audit.read",
    "billing.read",
    "members.read",
  ]
}

Example — project-scoped VM operator

resource "raff_role" "vm_operator" {
  name  = "VM Operator"
  slug  = "vm-operator"
  scope = "project"

  permissions = [
    "vm.read",
    "vm.power",
  ]
}

Argument reference

Required

ArgumentTypeDescription
namestringDisplay name. Updates rename in place
slugstringURL-safe identifier. ForceNew
scopestringaccount or project. ForceNew
permissionsset(string)Permission names. Browse via raff permission list --scope <scope>

Optional

ArgumentTypeDescription
descriptionstringFree-form description

Attribute reference (computed)

AttributeDescription
idRole UUID
is_systemtrue for system roles, false for custom
created_at / updated_atRFC3339 timestamps

Lifecycle

OperationBehavior
terraform apply (create)Creates the custom role
Change name, description, permissionsIn-place update
Change slug, scopeReplacement — destroy + recreate
terraform destroyDeletes the role. Members assigned to it must be reassigned first

Importing existing roles

terraform import raff_role.auditor <role-uuid>

Permissions

The API key managing roles needs role.create, role.manage, and role.delete at the account level. The system role Account Admin grants all of these.

Data sources

# Single role by UUID
data "raff_role" "owner" {
  id = "<role-uuid>"
}

# All roles, optionally filtered by scope
data "raff_roles" "account" {
  scope = "account"
}

raff_member

Account-scoped members get account-scoped roles.

raff_project_member

Project-scoped members get project-scoped roles.

CLI: raff permission list

Browse the permission catalog.
Last modified on May 11, 2026