Manage Permissions in Terraform Cloud
Note
This functionality is available in the Terraform Cloud Team tier and above, and in Terraform Enterprise. Organization owners can enable a 30-day free trial in their settings under "Plan & Billing".
As your Terraform usage grows, you may need to collaborate with more than five users in Terraform Cloud and control what each of them is allowed to do. In this tutorial, you will learn how to invite users, create teams, and assign specific workspace permissions to those teams.
Terraform Cloud teams can have read, plan, write, or admin permissions on individual workspaces. Organization owners grant permissions by grouping users into teams and giving each team only the level of access it needs on the workspaces it works in. HashiCorp recommends following the principle of least privilege when assigning access to workspaces: a team that only reviews plans does not need write access, and write access (which allows applies) should be limited to the workspaces that team actually operates.
For this tutorial, you will need:
- A Terraform Cloud account with the Team tier.
- Organization owner permissions in this account.
Create a new team
The default team in a Terraform Cloud organization is "owners". Every member of this team has full administrative rights over the organization, so create a restricted team first and add new members to it rather than to the owners team.
To add a new team, navigate to your organization Settings > Teams. Enter the name Dev-Team and choose "Create team" to save.
Leave all of the organization access settings (such as managing workspaces, policies, and VCS settings) unchecked for this new team. These are organization-wide privileges; with none of them granted, the team can only reach the workspaces you explicitly give it access to.
This team doesn't have access to any workspaces yet, so now you need to assign permissions.
Assign team permissions
To assign workspace permissions for a team, navigate to the Workspace page in Terraform Cloud.
Create a test workspace called dev-webapp so that you don't impact any real resources while following this example.
Click on the dev-webapp workspace and navigate to the Settings dropdown. From here, choose Team Access.
Choose "Add team and permissions."
Select the "Dev-Team."
Scroll down and assign Write permissions to your team. Write access lets team members queue plans and applies on this workspace, which is why you are granting it on a test workspace rather than one that manages production resources.
"Dev-Team" now has Write permissions on a single, explicitly named workspace, but it has no members who could run operations. You will need to add users to your organization.
Invite a user to your organization
Warning
The Terraform Cloud Team tier is charged on a per-user basis so adding new users to your organization incurs cost. For more information on plan features and cost, see the product pricing information.
To collaborate with your colleagues in Terraform Cloud, you need to grant them access to the same Terraform Cloud organization. You can add users to an organization by inviting them using their email address. Even if your team member has not signed up for Terraform Cloud yet, they can still accept the invitation and create a new account.
To start inviting team members, navigate to your organization's Settings, select Users, and click "Invite a User" to send an email invite.
Add a user to a team
Enter the email address of the teammate you need to add. From the "Add to teams" dropdown, choose Dev-Team. They will receive a Terraform Cloud invite to this email address and need to accept the invitation. If they do not have a Terraform Cloud account, when they accept the invitation, they will be taken to an account creation page and be automatically added to your organization.
Once your new team members accept their invitations, they will appear in the Members list of the Dev-Team settings.
Your Dev-Team members now have write permissions on the dev-webapp workspace, and nothing else in the organization.
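The same procedure can be expressed as Terraform configuration using the hashicorp/tfe provider, which makes the granted permissions reviewable in a plan and in version control. The configuration below is an added example and is not part of this tutorial; the organization name my-org and the two email addresses are assumed placeholder values, and the provider reads an owner-level API token from the TFE_TOKEN environment variable.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# The provider reads the API token from the TFE_TOKEN environment variable.
# Creating teams and granting workspace access require an organization
# owner token, so treat that token as a secret and do not commit it.
provider "tfe" {}

variable "organization" {
  description = "Terraform Cloud organization name (assumed placeholder)"
  type        = string
  default     = "my-org"
}

variable "dev_team_emails" {
  description = "Constructed example addresses to invite and add to Dev-Team"
  type        = set(string)
  default     = ["alice@example.com", "bob@example.com"]
}

# Team with every organization-level permission switched off (these default
# to false; they are spelled out so a reviewer can see the intent). The team
# therefore only has the workspace access granted explicitly below.
resource "tfe_team" "dev_team" {
  name         = "Dev-Team"
  organization = var.organization

  organization_access {
    manage_workspaces   = false
    manage_policies     = false
    manage_vcs_settings = false
  }
}

# Test workspace, so write access here cannot touch real resources.
resource "tfe_workspace" "dev_webapp" {
  name         = "dev-webapp"
  organization = var.organization
}

# Write access on exactly one workspace, rather than admin or org-wide rights.
resource "tfe_team_access" "dev_team_write" {
  access       = "write"
  team_id      = tfe_team.dev_team.id
  workspace_id = tfe_workspace.dev_webapp.id
}

# Invite each user to the organization (this sends the email invitation)...
resource "tfe_organization_membership" "dev" {
  for_each     = var.dev_team_emails
  organization = var.organization
  email        = each.value
}

# ...and place that membership in Dev-Team, never in the owners team.
resource "tfe_team_organization_member" "dev" {
  for_each                   = var.dev_team_emails
  team_id                    = tfe_team.dev_team.id
  organization_membership_id = tfe_organization_membership.dev[each.key].id
}
```

Run `terraform plan` before applying: the plan lists the team, the single `tfe_team_access` grant with `access = "write"`, and the memberships, so any attempt to widen access (for example changing `write` to `admin` or adding an `organization_access` flag) shows up as a reviewable diff.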
Next Steps
This example scenario walked you through creating teams, inviting and assigning users, and applying workspace level permissions to teams. You can find more information on Team management settings in the Terraform Docs.