@rssnyder
Created June 18, 2025 17:11
Create a copy of the default Project Admin role
#
# Create a copy of a built-in role by copying its permissions and removing any that are not needed
#
# usage: tf apply -var org_id=default -var project_id=default -var scopes_to_remove='["iac_workspace_approve","idp_plugin_edit"]'
#
# Provider requirements: the Harness provider, resolved from the registry
# address "harness/harness".
# NOTE(review): no version constraint is declared, so the provider release in
# use is whatever the lock file or registry resolves to; consider pinning one.
terraform {
  required_providers {
    harness = {
      source = "harness/harness"
    }
  }
}
# Identifier of the Harness organization that owns the project.
variable "org_id" {
  type = string
}

# Identifier of the Harness project in which the custom role is created.
variable "project_id" {
  type = string
}

# Permission identifiers to leave out of the copied role, for example
# ["iac_workspace_approve", "idp_plugin_edit"]. Required; there is no default.
# An entry only has an effect if it exactly matches a permission string on the
# built-in role.
variable "scopes_to_remove" {
  type = list(string)
}
# Look up the organization by the identifier passed in var.org_id.
data "harness_platform_organization" "this" {
  identifier = var.org_id
}

# Look up the project inside that organization. The org id is taken from the
# organization lookup above rather than from var.org_id directly, so the
# organization must resolve before the project is read.
data "harness_platform_project" "this" {
  org_id     = data.harness_platform_organization.this.id
  identifier = var.project_id
}
# Read the role with identifier "_project_admin" at this project's scope.
# Its `permissions` attribute is the source list for the custom role.
data "harness_platform_roles" "project_admin" {
  org_id     = data.harness_platform_organization.this.id
  project_id = data.harness_platform_project.this.id
  identifier = "_project_admin"
}
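# Custom role: every permission of the "_project_admin" role read above,
# except those named in var.scopes_to_remove.
#
# This is a denylist. Whatever the source role carries when the plan runs, and
# is not named in var.scopes_to_remove, is granted to the copy. Review the
# planned `permissions` diff on each apply instead of assuming the set is fixed.
resource "harness_platform_roles" "custom_project_admin" {
  org_id     = data.harness_platform_organization.this.id
  project_id = data.harness_platform_project.this.id
  identifier = "custom_project_admin"
  name       = "Custom Project Admin"

  # Keep each source permission unless it is listed for removal.
  permissions = [
    for scope in data.harness_platform_roles.project_admin.permissions :
    scope if !contains(var.scopes_to_remove, scope)
  ]

  # Restrict the role to the project scope level.
  allowed_scope_levels = ["project"]

  lifecycle {
    # A misspelled or stale entry in var.scopes_to_remove matches nothing, so
    # the permission it was meant to drop would silently stay on the role.
    # Fail the plan instead. (lifecycle preconditions need Terraform 1.2+.)
    precondition {
      condition     = length(setsubtract(var.scopes_to_remove, data.harness_platform_roles.project_admin.permissions)) == 0
      error_message = "scopes_to_remove has entries that are not permissions of the _project_admin role: ${join(", ", tolist(setsubtract(var.scopes_to_remove, data.harness_platform_roles.project_admin.permissions)))}."
    }
  }
}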