Terraform
Managing Access to Workspaces
Note: Team management is a paid feature, available as part of the Team upgrade package. Learn more about Terraform Cloud pricing here.
Terraform Cloud workspaces can only be accessed by users with the correct permissions. You can manage permissions for a workspace on a per-team basis.
Teams with admin access on a workspace can manage permissions for other teams on that workspace. Since newly created workspaces don't have any team permissions configured, the initial setup of a workspace's permissions requires the owners team or a team with permission to manage workspaces. (More about permissions.)
API: See the Team Access APIs.
Terraform: See the tfe
provider's tfe_team_access
resource.
Background
Terraform Cloud manages users' permissions to workspaces with teams.
- Workspace-level permissions can be granted to an individual team on a particular workspace. These permissions can be managed on the workspace by anyone with admin access to the workspace.
- In addition, some organization-level permissions can be granted to a team which apply to every workspace in the organization. For example, the manage workspaces only and manage all projects & workspaces permissions grant the workspace-level admin permission to every workspace in the organization. Organization-level permissions can only be managed by organization owners.
Managing Workspace Access Permissions
When a user creates a workspace, only the owners team, teams with the "Manage Workspaces" or the “Manage Projects & Workspaces” organization permission, and teams with the “Project Admin” project permission can access a workspace with full admin permissions. You cannot override these teams' permissions through the workspace's specific permissions.
To manage a team's access to a workspace, select "Team Access" from the workspace's "Settings" menu.
This screen displays all teams granted workspace-level permissions to the workspace. To add a team, select "Add team and permissions".
Terraform Cloud displays the teams you can grant workspace access to. Select a team to continue and configure that team's permissions.
There are four fixed permissions sets available for basic usage: Read, Plan, Write, and Admin.
To enable finer-grained selection of non-admin permissions, select "Customize permissions for this team". On this screen, you can select specific permissions to grant the team for the workspace.
For more information on permissions, see the documentation on Workspace Permissions.