diff --git a/build/terraform b/build/terraform
index e9da75233dc1..612658c6ee17 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit e9da75233dc1c477f53b08cedcbcb24c41948898
+Subproject commit 612658c6ee17c83c4c52f93a0f06c9b5a3281852
diff --git a/build/terraform-beta b/build/terraform-beta
index 646b8a036a52..afd390276e22 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit 646b8a036a520c3f12c74dd214ab7b05e6f9a6db
+Subproject commit afd390276e22146699c12f06f82d0846c8154072
diff --git a/third_party/terraform/resources/resource_bigquery_dataset.go b/third_party/terraform/resources/resource_bigquery_dataset.go
index 098ee3ce4304..a8169aaf1b2f 100644
--- a/third_party/terraform/resources/resource_bigquery_dataset.go
+++ b/third_party/terraform/resources/resource_bigquery_dataset.go
@@ -6,7 +6,6 @@ import (
 	"regexp"
 
 	"github.com/hashicorp/terraform/helper/schema"
-	"github.com/hashicorp/terraform/helper/validation"
 	"google.golang.org/api/bigquery/v2"
 )
 
@@ -138,9 +137,8 @@ func resourceBigQueryDataset() *schema.Resource {
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"role": {
-							Type:         schema.TypeString,
-							Optional:     true,
-							ValidateFunc: validation.StringInSlice([]string{"OWNER", "WRITER", "READER"}, false),
+							Type:     schema.TypeString,
+							Optional: true,
 						},
 						"domain": {
 							Type:     schema.TypeString,
diff --git a/third_party/terraform/website/docs/r/bigquery_dataset.html.markdown b/third_party/terraform/website/docs/r/bigquery_dataset.html.markdown
index 56e8b5bd42b5..3c0f49176124 100644
--- a/third_party/terraform/website/docs/r/bigquery_dataset.html.markdown
+++ b/third_party/terraform/website/docs/r/bigquery_dataset.html.markdown
@@ -111,8 +111,11 @@ The `access` block supports the following fields (exactly one of `domain`,
 even though they are marked optional):
 
 * `role` - (Required unless `view` is set) Describes the rights granted to
-    the user specified by the other member of the access object. The following
-    string values are supported: `READER`, `WRITER`, `OWNER`.
+    the user specified by the other member of the access object. 
+    Primitive, Predefined and custom roles are supported.
+    Predefined roles that have equivalent primitive roles are swapped 
+    by the API to their Primitive counterparts, and will show a diff post-create. 
+    See [official docs](https://cloud.google.com/bigquery/docs/access-control).
 
 * `domain` - (Optional) A domain to grant access to.