Organizations are a shared space for one or more teams to collaborate on workspaces.
In addition to the Terraform Cloud UI, you can use the following methods to manage organizations:
Terraform Cloud displays your current organization in the bottom left of the sidebar. To select an organization:
- Click the current organization name to view a list of all the organizations where you are a member.
- Click an organization to select it. Terraform Cloud displays list of workspaces within that organization.
You can leave an organization from your user account settings. Refer to User Settings: Organizations for details.
On Terraform Enterprise, administrators can restrict your ability to create organizations. Refer to Administration: General Settings for details.
On Terraform Cloud, any user can create a new organization. If you do not belong to any organizations, Terraform Cloud prompts you to create one the first time you log in. To create an organization:
- Click the current organization name and select Create new organization. The Create a new organization page appears.
- Enter a unique Organization name Organization names can include numbers, letters, underscores (
_), and hyphens (
- Provide an Email address to receive notifications about the organization.
- Click Create organization.
Terraform Cloud shows the new organization and prompts you to create a new workspace. You can also invite other users to join the organization.
To view and manage an organization's settings, click Settings.
The contents of the organization settings depends on your permissions within the organization. All users can review the organization's contact email, view the membership of any teams they belong to, and view the organization's authentication policy. Organization owners can view and manage the entire list of organization settings. Refer to Organization Permissions for details.
You may be able to manage the following organization permissions.
Review the organization name and contact email. Organization owners can choose to change the organization name, contact email, and the default execution mode, or delete the organization. When an organization owner updates the default execution mode, all workspaces configured to inherit this value will be affected.
Organization owners can also choose whether workspace administrators can delete workspaces that are managing resources. Deleting a workspace with resources under management introduces risk because Terraform can no longer track or manage the infrastructure. The workspace's users must manually delete any remaining resources or import them into another Terraform workspace.
Warning: Deleting or renaming an organization can be very disruptive. We strongly recommend against deleting or renaming organizations with active members.
To rename an organization that manages infrastructure:
- Alert all members of the organization about the name change.
- Cancel in progress and pending runs or wait for them to finish. Terraform Cloud cannot change the name of an organization with runs in progress.
- Lock all workspaces to ensure that no new runs will start before you change the name.
- Rename the organization.
- Update all components using the Terraform Cloud API to the new organization name. This includes Terraform's
cloudblock CLI integration, the
tfeTerraform provider, and any external API integrations.
- Unlock workspaces and resume normal operations.
Review the organization's plan and any invoices for previous plan payments. Organization owners can also upgrade to one of Terraform Cloud's paid plans, downgrade to a free plan, or begin a free trial of paid features.
Review a list of tags for all resources across the organization. When you delete a tag from this page, Terraform Cloud removes it from all resources.
All users in an organization can access the Teams page, which displays a list of teams within the organization. This excludes secret teams where you are not a member. You can also view team membership and manage team API tokens.
Organization owners can also create and delete teams, and manage team API tokens. Both owners and users with Manage Membership permissions can manage the membership of teams. Remember that users must accept an invitation to the organization before you can add them to teams.
Organization owners and users with Manage Membership permissions can invite Terraform Cloud users into the organization, cancel invitations, and remove existing members.
The list of users is separated into one tab for active users and one tab for invited users who have not yet accepted their invitations. For active users, the list includes usernames, email addresses, avatar icons, two-factor authentication status, and current team memberships. Use the Search by username or email field to filter these lists.
User invitations are always sent by email; you cannot invite someone using their Terraform Cloud username. To invite a user to an organization:
- Click Invite a user. The invite a user box appears.
- Enter the user's email address and optionally add them to one or more teams. If the user accepts the invitation, Terraform Cloud will be automatically add them to the specified teams.
All permissions in Terraform Cloud are managed through teams. Users can join an organization without belonging to any teams, but they cannot use Teraform Cloud features until they belong to a team. Refer to permissions for details.
View all of the available variable sets and their variables. Users with
read and write variables permissions can also create variable sets and assign them to one or more workspaces.
Variable sets let you reuse the same variables across multiple workspaces in the organization. For example, you could define a variable set of provider credentials and automatically apply it to several workspaces, rather than manually defining credential variables in each. Changes to variable sets instantly apply to all appropriate workspaces, saving time and reducing errors from manual updates.
Terraform Cloud can perform automatic health assessments in a workspace to assess whether its real infrastructure matches the requirements defined in its Terraform configuration. Health assessments include the following types of evaluations:
- Drift detection determines whether your real-world infrastructure matches your Terraform configuration. Drift detection requires Terraform version 0.15.4+.
- Continuous validation determines whether custom conditions in the workspace’s configuration continue to pass after Terraform provisions the infrastructure. Continuous validation requires Terraform version 1.3.0+.
You can enforce health assessments for all eligible workspaces or let each workspace opt in to health assessments through workspace settings. Refer to Health in the workspaces documentation for more details.
Enable and disable the cost estimation feature for all workspaces.
Policies let you define and enforce rules for Terraform runs. You can write them using either the Sentinel or Open Policy Agent (OPA) policy-as-code frameworks and then group them into policy sets that you can apply to workspaces in your organization. To create policies and policy sets, you must have permission to manage policies.
Create groups of policies and enforce those policy sets globally or on specific projects and workspaces. You can create policy sets through the Terraform API, by connecting a VCS repository containing policies, or directly in Terraform Cloud. To create policies and policy sets, you must have permission to manage policies.
Refer to Managing Policy Sets for details.
Manage the run tasks that you can add to workspaces within the organization. Run tasks let you integrate third-party tools and services at specific stages in the Terraform Cloud run lifecycle.
Create and manage Terraform Cloud agent pools. Terraform Cloud Agents let Terraform Cloud communicate with isolated, private, or on-premises infrastructure. This is useful for on-premises infrastructure types such as vSphere, Nutanix, OpenStack, enterprise networking providers, and infrastructure within a protected enclave.
Organization owners can set up a special Organization API Token that is not associated with a specific user or team.
Organization owners can determine when users must reauthenticate and require two-factor authentication for all members of the organization.
Manage SSH keys for cloning Git-based modules during Terraform runs. This does not include keys to access a connected VCS provider.
Organization owners can set up an SSO provider for the organization.
Note: This feature is in beta.
Review the event logs for GitLab.com connections.
Data retention policies are exclusive to Terraform Enterprise, and not available in Terraform Cloud. Learn more about Terraform Enterprise.
An organization owner can set or override the following data retention policies:
- Admin default policy
- Do not auto-delete
- Auto-delete data
Setting the data retention policy to Admin default policy disables the other data retention policy settings.
By default, the Do not auto-delete option is enabled for an organization. This option directs Terraform Enterprise to retain data associated with configuration and state versions, but organization owners can define configurable data retention policies that allow Terraform to soft delete the backing data associated with configuration versions and state versions. Soft deleting refers to marking a data object for garbage collection so that Terraform can delete the object after a set number of days.
Once an object is soft deleted, any attempts to read the object will fail. Until the garbage collection process begins, you can restore soft deleted objects using the APIs described in the configuration version documentation and the state version documentation. Terraform permanently deletes the archivist storage after the garbage collection grace period elapses.
The organization policy is the default policy applied to all workspaces, but members of individual workspaces can set overriding policies for their workspaces that take precedence over the organization policy.
Terraform Cloud paid features are available as a free trial. When a free trial has expired, the organization displays a banner reading TRIAL EXPIRED — Upgrade Required.
Organizations with expired trials return to the feature set of a free organization, but they retain any data created as part of paid features. Specifically, Terraform Cloud disables the following features:
- Teams other than
ownersand locks users who do not belong to the
ownersteam out of the organization. Terraform Cloud preserves team membership and permissions and re-enables them after you upgrade the organization.
- Sentinel policy checks. Terraform Cloud preserves existing policies and policy sets and re-enables them after you upgrade the organization.
- Cost estimation.