Updated May 10, 2026
Manages a custom IAM role. System roles (Owner, Admin, Operator, Member) are immutable and managed by the platform — they cannot be created, updated, or deleted via Terraform.
The permissions attribute is a set; reordering does not produce a diff.
Example — account-scoped read-only
Example — project-scoped VM operator
Argument reference
Required
| Argument | Type | Description |
|---|---|---|
| name | string | Display name. Updates rename in place |
| slug | string | URL-safe identifier. ForceNew |
| scope | string | account or project. ForceNew |
| permissions | set(string) | Permission names. Browse via raff permission list --scope <scope> |
Optional
| Argument | Type | Description |
|---|---|---|
| description | string | Free-form description |
Attribute reference (computed)
| Attribute | Description |
|---|---|
| id | Role UUID |
| is_system | true for system roles, false for custom |
| created_at / updated_at | RFC3339 timestamps |
Lifecycle
| Operation | Behavior |
|---|---|
| terraform apply (create) | Creates the custom role |
| Change name, description, permissions | In-place update |
| Change slug, scope | Replacement — destroy + recreate |
| terraform destroy | Deletes the role. Members assigned to it must be reassigned first |
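
The lifecycle rules above can be checked in CI before an apply. The following is an added example, not code from this documentation or the provider: it reads plan output in `terraform show -json` format and flags role replacements caused by slug or scope changes, role deletions, and newly added permissions. The resource type `raff_role`, the resource addresses, and the `perm.*` permission names are assumptions or constructed sample values.

```python
import json

ROLE_TYPE = "raff_role"  # assumed resource type name; the page does not state it

# Constructed plan excerpt in `terraform show -json` format. "perm.*" names are
# placeholders; role.manage is one of the permissions named on this page.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "raff_role.readonly", "type": ROLE_TYPE, "change": {
        "actions": ["update"],
        "before": {"slug": "ro", "scope": "account",
                   "permissions": ["perm.a", "perm.b"]},
        "after": {"slug": "ro", "scope": "account",
                  "permissions": ["perm.b", "perm.a", "role.manage"]}}},
    {"address": "raff_role.vm_operator", "type": ROLE_TYPE, "change": {
        "actions": ["delete", "create"],
        "before": {"slug": "vm-op", "scope": "project", "permissions": ["perm.c"]},
        "after": {"slug": "vm-operator", "scope": "project", "permissions": ["perm.c"]}}},
]})


def review_role_changes(plan_json, role_type=ROLE_TYPE):
    """Return (address, kind, details) for role changes that need human review."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != role_type:
            continue
        change = rc["change"]
        actions = set(change["actions"])
        before = change.get("before") or {}
        after = change.get("after") or {}
        if {"create", "delete"} <= actions:
            # ForceNew: destroy + recreate; assigned members must be reassigned first
            forced = [k for k in ("slug", "scope") if before.get(k) != after.get(k)]
            findings.append((rc["address"], "replace", forced))
        elif "delete" in actions:
            findings.append((rc["address"], "delete", []))
        elif "update" in actions:
            # permissions is a set: compare membership, not list order
            added = set(after.get("permissions") or []) - set(before.get("permissions") or [])
            if added:
                findings.append((rc["address"], "permissions_added", sorted(added)))
    return findings


if __name__ == "__main__":
    for address, kind, details in review_role_changes(SAMPLE_PLAN):
        print(f"{address}: {kind} {details}")
```
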
Importing existing roles
Permissions
The API key managing roles needs role.create, role.manage, and role.delete at the account level. The system role Account Admin grants all of these.
Data sources
Related
raff_member
Account-scoped members get account-scoped roles.
raff_project_member
Project-scoped members get project-scoped roles.
CLI: raff permission list
Browse the permission catalog.