Administration: Managing Accounts and Resources
Site administrators have access to all organizations, users, runs, and workspaces. This visibility is intended to provide access to management actions such as adding administrators, updating Terraform versions or adding custom Terraform bundles, suspending or deleting users, and creating or deleting organizations. It also allows for "impersonation" to aid in assisting regular users with issues in the Terraform Cloud application.
Terraform Enterprise presents each type of account or resource as a searchable list that you can access by clicking the name of the resource. You can search and filter by relevant attributes, and the UI offers pre-existing filters to show useful sets, such as site administrators (users) or Needs Attention (workspaces, runs).
To access the list of all users in the Terraform Enterprise instance, click Users.
Selecting a user from the list shows their detail page, which includes their status and any organizations they belong to. The detail page offers four actions: promoting to administrator, suspending, deleting, and impersonating. For users with active two-factor authentication (2FA), it also offers an administrative option to disable their 2FA in the event that a reset is needed.
Promoting a user to administrator adds them to the list of site administrators, which grants them access to this administrative area. Because admins have a very wide purview, if SMTP is configured, Terraform Enterprise also sends an email to the other site administrators notifying them that a user was added.
To promote a user, click Promote to admin on the user detail page.
Suspending a user retains their account, but does not allow them to access any Terraform Cloud resources. Deleting a user removes their account completely; they would have to create a new account in order to log in again.
Suspended users can be unsuspended at any time. Deleted users cannot be recovered.
To suspend a user, click Suspend user. To delete them, click Delete User in the "Delete User" section.
User impersonation allows Terraform Enterprise admins to access organization and workspace data and view runs. An administrator's direct access to these resources supports only urgent interventions like deletion or force-canceling; viewing and interacting with resources requires impersonation.
When impersonating a user, a reason is required and will be logged to the audit log. Any actions taken while impersonating will record both the impersonating admin and the impersonated user as the actor.
Impersonation can be performed from multiple places:
- From a user details admin page, click Impersonate.
- From an organization, workspace, or run details admin page, all of which include a drop-down list of organization owners to impersonate.
- When a site admin encounters a 404 error for a resource that they do not have standard user access to.
If a user has lost access to their 2FA device, a site admin can disable the configured 2FA and allow the user to log in using only their username and password or perform a standard password reset. If the user has active 2FA, a button labeled Disable 2FA appears next to the admin promotion button.
Be sure that the user's identity and the validity of their request have been verified according to appropriate security procedures before disabling their configured 2FA.
Note: If the user belongs to an organization that requires 2FA, upon login, they will be redirected to set it up again before they can view any other part of TFE.
The Organizations page lets you configure the organizations in your Terraform Enterprise instance. If there are multiple organizations, click each one in the admin list to view its details.
You can disable or delete organizations, as well as impersonate an owner to modify an organization's settings, profile, and workspaces. You can also control whether the organization can use beta Terraform versions in runs, set timeouts for plans and applies, and set a limit on the number of workspaces that an organization can contain.
Typically, all organizations on a Terraform Enterprise instance are granted "Premium" plan status to ensure access to all available features. However, it's also possible to set other statuses. An organization whose trial period has expired will be unable to make use of features in the Terraform Cloud application.
The administrative view of workspaces and runs provides limited detail (name, status, and IDs) to avoid exposing sensitive data when it isn't needed. Site administrators can view and investigate workspaces and runs more deeply by impersonating a user with full access to the desired resource. (See Impersonating a User above.)
A workspace can be administratively deleted, using the Delete this Workspace button on its details page, if it should not have been created or is presenting issues for the application.
A run can be administratively force-canceled if it becomes stuck or is presenting issues to the application. Runs can be force-canceled from the run list or the run details page. The run details page also offers the option to impersonate an organization owner for additional details on the run.
We recommend impersonating a user (if necessary) to view run details prior to force-canceling a run, to ensure that graceful cancellation was attempted, and that the run is no longer progressing.
Terraform Enterprise ships with a default list of Terraform versions. However, the addition of new versions after installation is the responsibility of site administrators.
To add a new version of Terraform, click Terraform Versions and then click Add Terraform Version. Provide the version number, Linux 64-bit download URL, and SHA256 checksum of the binary. Set the status to Beta to make the version available to site administrators, or Enabled to add it for everyone.
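Before entering the SHA256 checksum in the form, it can be checked against the file that was actually downloaded. The script below is an added example, not part of the original documentation or of HashiCorp's tooling; the function names, file names and stand-in file content are assumptions, and the checksum list is assumed to come from a source you already trust.

```shell
#!/usr/bin/env bash
# Added example: confirm a downloaded Terraform archive matches its entry in a
# SHA256SUMS-style list ("<hex>  <filename>" per line) before using the digest.

# Print the lowercase SHA256 hex digest of a file (sha256sum, else shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  fi
}

# verify_release FILE SUMS_FILE
# Prints the digest only when FILE's basename has exactly one entry in
# SUMS_FILE and that entry equals the locally computed digest.
# Exit codes: 0 match, 1 mismatch, 2 file missing, 3 no unique entry.
verify_release() {
  local file=$1 sums=$2 name expected actual
  name=$(basename "$file")
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  # Exact match on the filename field; tolerate the "*" binary-mode marker.
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)}
    f==n {h=tolower($1); c++} END {if (c==1) print h}' "$sums")
  if [ -z "$expected" ]; then
    echo "no unique checksum entry for $name" >&2
    return 3
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
  fi
  printf '%s\n' "$actual"
}

# Constructed demo: a stand-in file containing "abc", not a real release.
demo=$(mktemp -d)
printf 'abc' > "$demo/terraform_0.0.0_linux_amd64.zip"
printf '%s  %s\n' \
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" \
  "terraform_0.0.0_linux_amd64.zip" > "$demo/SHA256SUMS"
verify_release "$demo/terraform_0.0.0_linux_amd64.zip" "$demo/SHA256SUMS"
rm -rf "$demo"
```

A non-zero exit means the digest should not be entered: either the download differs from the listed release or the list has no single entry for that file name.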
Important: Terraform Enterprise ships with a default list of Terraform versions. Any modifications to these default Terraform versions will be overwritten. As such, it is recommended to create new Terraform versions instead of modifying the default Terraform versions.
The versions you add may be recent standard Terraform releases from HashiCorp, or custom Terraform versions. One common use for custom versions is to add a Terraform bundle that includes pre-installed providers commonly needed by the instance.
Versions of Terraform can also be modified by clicking them in the list. They can be set to disabled (unavailable for use) if no workspaces are currently using them. The list indicates how many workspaces are currently using a given version.