Manage permissions in Terraform Cloud
As your Terraform usage grows, you may need to control which resources Terraform Cloud users can access. In this tutorial, you will create a team, assign it permissions for a workspace, and invite users to the team.
An organization owner can assign teams either fixed permission sets or custom permissions at the workspace or project level. We recommend following the principle of least privilege when possible and only giving teams access to the resources they need for their job function.
Note
Teams are available in Terraform Cloud Standard Edition. Refer to Terraform Cloud pricing for details.
Prerequisites
For this tutorial, you will need:
- A Terraform Cloud account.
- Organization owner permissions for a Standard edition Terraform Cloud organization.
Create a new team
The owners team is the default team of a Terraform Cloud organization. This team has every available permission in the organization, so it is important to create restricted team access before adding new members.
To add a new team, navigate to your organization Settings > Teams. Click Create a team.
Enter the name Dev-Team, then click Create.
The team settings page lets you configure broad organization-level permissions.
Leave these permissions blank. In the next section, you will assign workspace-level permissions, which grant more targeted access than organization-level permissions.
Assign workspace permissions
Navigate to the Projects & workspaces page and create a new CLI-driven workspace named dev-webapp in your organization's Default project.
Then, go to the dev-webapp workspace's Settings > Team Access page.
Click Add team and permissions.
Fixed permission sets let you easily set predefined collections of privileges for common job functions. You can also set custom permissions if you need to define more granular scope.
In the Team dropdown, select the Dev-Team. Then, select the Write permissions set. On the righthand side, the workspace displays the permissions in this fixed permission set. Click Assign permissions.
The Dev-Team now has Write permissions to this workspace, but the team does not yet have any members.
Invite a user to your organization and team
To collaborate with your team members in Terraform Cloud, you need to grant them access to the same Terraform Cloud organization. You can add users to an organization by inviting them using their email address. Even if your team member has not signed up for Terraform Cloud yet, they can still accept the invitation and create a new account.
Navigate to your Organization Settings > Users, then click Invite a user.
Enter the email address of the teammate you need to add and select Dev-Team from the Add to teams dropdown. Then, click Invite user.
Terraform Cloud will send the user an email invite that they must accept to join your organization. If the user does not yet have an account, Terraform Cloud will prompt them to create one and automatically add them to your organization and team.
Review team membership
Once your teammates accept their invitations, navigate to Organization Settings > Teams and select your Dev-Team. The Members section now lists the new team member.
You can manage team membership for users already in your organization from this page.
Next steps
In this tutorial, you created a new team in your organization, assigned the team workspace-specific privileges, and invited a new user to your Terraform Cloud organization and team. You also reviewed how to add existing organization users to teams.
Review the following resources to learn more about managing permissions and enabling your team in Terraform Cloud:
- Learn how to assign project-specific permissions to teams.
- Review the interaction of workspace, project, and organization-wide permissions in Terraform Cloud.
- Learn how to enable no-code Terraform provisioning for self-service workflows.
- Learn how to use short-lived dynamic provider credentials.