Audit Trails API

HCP Terraform retains 14 days of audit log information. The audit trails API exposes a stream of audit events, which describe changes to the application entities (workspaces, runs, etc.) that belong to an HCP Terraform organization. Unlike other APIs, the Audit Trails API does not use the JSON API specification.

Note: Audit trails are available in HCP Terraform Plus Edition. Refer to HCP Terraform pricing for details. The Audit Trails API is not available for Terraform Enterprise.

List an organization's audit events

GET /organization/audit-trail

Note: This endpoint cannot be accessed with a user token or team token. You must access it with an organization token.

Query Parameters

These are standard URL query parameters. Remember to percent-encode [ as %5B and ] as %5D if your tooling doesn't automatically encode URLs.

Parameter	Description
`since`	Optional. Returns only audit trails created after this date (UTC and in ISO8601 Format - YYYY-MM-DDTHH:MM:SS.SSSZ)
`page[number]`	Optional. If omitted, the endpoint will return the first page.
`page[size]`	Optional. If omitted, the endpoint will return 1000 audit events per page.

Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --request GET \
  "https://app.terraform.io/api/v2/organization/audit-trail?page[number]=1&since=2020-05-30T17:52:46.000Z"

Sample Response

{
  "data": [
    {
      "id": "ae66e491-db59-457c-8445-9c908ee726ae",
      "version": "0",
      "type": "Resource",
      "timestamp": "2020-06-30T17:52:46.000Z",
      "auth": {
        "accessor_id": "user-MaPuLxAXvtq2PWTH",
        "description": "pveverka",
        "type": "Client",
        "impersonator_id": null,
        "organization_id": "org-AGLwRmx1snv34Yts"
      },
      "request": {
        "id": "4df584d4-7e2a-01e6-6cc0-4adbefa020e6"
      },
      "resource": {
        "id": "at-sjt83qTw3GZatuPm",
        "type": "authentication_token",
        "action": "create",
        "meta": null
      }
    }
  ],
  "pagination": {
    "current_page": 1,
    "prev_page": null,
    "next_page": 2,
    "total_pages": 8,
    "total_count": 778
  }
}

Standard response fields

Every audit log event in the response array includes the following standard fields:

Key	Data Type or format	Description
`id`	UUID	The ID of this audit trail
`version`	number	The audit trail schema version
`type`	string	The type of audit trail (defaults to `Resource`)
`timestamp`	string	UTC ISO8601 DateTime (for example,`2020-06-16T20:26:58.000Z`)
`auth.accessor_id`	string	The ID of audited actor (for example, `user-V3R563qtJNcExAkN`)
`auth.description`	string	Username of audited actor
`auth.type`	string	Authentication type, is either `Client`, `Impersonated`, or `System`.
`auth.impersonator_id`	string	The ID of impersonating actor (if available)
`auth.organization_id`	string	The ID of organization (for example, `org-QpXoEnULx3r2r1CA`)
`request.id`	UUID	The ID for request (if available)
`resource.id`	string	The ID of resource (for example,`run-FwnENkvDnrpyFC7M`)
`resource.type`	string	Type of resource (for example, `run`)
`resource.action`	string	Action audited (for example, `applied`)
`resource.meta`	map	Key-value metadata about this audited event (defaults to `null`)

The following audit trail events only contain these standard fields:

Event	Action	Description
`agent`	`destroy`	Logged when an agent is destroyed.
`authentication_token`	`create`, `show`, `destroy`	Events related to authentication tokens.
`configuration_version`	`show`, `download`	Events related to configuration versions.
`notification_configuration`	`create`, `update`, `destroy`, `enable`	Events related to notification configurations.
`oauth_client`	`create`, `update`, `destroy`	Events related to OAuth clients.
`oauth_token`	`index`, `show`, `update`, `destroy`	Events related to OAuth tokens.
`organization`	`create`, `update`, `destroy`	Events related to organizations.
`organization_user`	`create`, `update`, `destroy`	Events related to organization users.
`policy`	`update`, `destroy`	Events related to policies.
`policy_check`	`override`	Events related to policy checks.
`policy_config`	`create`	Events related to policy configurations.
`policy_set`	`destroy`	Events related to policy sets.
`policy_version`	`create`	Events related to policy versions.
`project`	`create`, `update`, `destroy`	Events related to projects.
`registry_module`	`destroy`, `update`	Events related to registry modules.
`registry_provider`	`create`, `destroy`	Events related to registry providers.
`registry_provider_platform`	`create`, `destroy`	Events related to registry provider platforms.
`registry_provider_version`	`create`, `destroy`	Events related to registry provider versions.
`run`	`apply`, `cancel`, `force_cancel`, `discard`, `force_execute`, `create`	Events related to runs.
`run_trigger`	`create`, `destroy`	Events related to run triggers.
`saml_configuration`	`create`, `update`, `destroy`, `enable`, `disable`	Events related to SAML configurations.
`ssh_key`	`index`, `show`, `create`, `update`, `destroy`	Events related to SSH keys.
`stack`	`create`	Events related to creating stacks.
`state_version`	`index`, `show`, `create`, `soft_delete_backing_data`, `restore_backing_data`, `permanently_delete_backing_data`	Events related to state versions.
`task_stage`	`override`	Events related to an overriden task stage.
`user`	`index`	Events related to indexing users.
`var`	`index`, `show`, `create`, `update`, `destroy`	Events related to variables.
`vcs_repo`	`create`	Events related to creating a connection to a VCS repo.

The following sections list the audit log events containing both the standard response schema and a specific payload for each action.

Data retention policy events

You can define data retention policies to help reduce object storage consumption.

Destroy

An HCP Terraform organization emits this event when it destroys a data retention policy(data_retention_policy). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`delete_older_than_n_days`	integer	The number of days to retain data before deletion. Must be greater than 0.
`organization`	string	The organization associated with the data retention policy.
`organization_id`	string	The ID of the organization associated with the data retention policy.

Project events

Projects let you organize your workspaces and scope access to workspace resources.

Add Team

An HCP Terraform organization emits this event when someone in your organization adds a team(add_team) to a project. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.
`permissions`	string	The permissions granted to the team.

Update Team Permissions

An HCP Terraform organization emits this event when someone in your organization updates the permissions(update_team_permissions) of a team on a project. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.
`permissions`	string	The updated permissions for the team.

Remove Team

An HCP Terraform organization emits this event when someone in your organization removes a team(remove_team) from a project. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.

Policy checks

Policy checks run Sentinel policies. Policy checks have a lifecycle that includes the following events:

Every policy check event in the response array includes the following standard fields:

Key	Data Type	Description
`comment`	`null` or string	The comment associated with the policy check.
`run.id`	string	The ID of the associated run.
`run.message`	string	The message associated with the run.
`workspace.id`	string	The ID of the associated workspace.
`workspace.name`	string	The name of the associated workspace.

Passed, soft failed, hard failed, and errored

Alongside the standard audit trail fields and standard policy check fields, certain policy check events include a result (includes_result) and return the following fields:

Key	Data Type	Description
`result`	[Policy Result]	An array of policy results.
`passed`	integer	Number of policy checks passed.
`total_failed`	integer	Total number of failed policy checks.
`hard_failed`	integer	Number of policy checks with hard failures.
`soft_failed`	integer	Number of policy checks with soft failures.
`advisory_failed`	integer	Number of policy checks with advisory failures.
`duration_ms`	integer	Duration of the policy check in milliseconds.
`sentinel`	string	The Sentinel policy associated with the check.

Overriden, canceled, and force canceled

Alongside the standard audit trail fields and standard policy check fields, certain event responses include the following fields:

Key	Data Type	Description
`actor`	string	The user who performed the action.

Policy evaluation

Policy evaluations run in the HCP Terraform agent in HCP Terraform's infrastructure. Policy evaluations have a lifecycle that includes the following events:

Every policy evaluation event in the response array includes the following standard fields:

Key	Data Type	Description
`comment`	`null` or string	The comment associated with policy evaluation.
`payload.workspace.id`	string	The ID of the associated workspace.
`payload.workspace.name`	string	The name of the associated workspace.
`payload.run.id`	string	The ID of the associated run.
`payload.run.message`	string	The message associated with the run.
`actor`	string	The policy owner.

Policy checks and policy evaluations serve the same purpose, but have different workflows for enforcing policies. For more information, refer to Differences between policy checks and policy evaluations.

Registry module events

HCP Terraform's private registry lets you share Terraform providers and Terraform modules across your organization.

Destroy version

An HCP Terraform organization emits this event when someone in your organization destroys a specific version of a registry module(destroy_version). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`version`	integer	The version number of the registry module to destroy.

Run task events

You can create HCP Terraform run tasks at an organization level to directly integrate third-party tools and services at certain stages in the HCP Terraform run lifecycle. You can use run tasks to validate Terraform configuration files, analyze execution plans before applying them, scan for security vulnerabilities, or perform other custom actions.

Create

An HCP Terraform organization emits this event when someone in your organization creates a task. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_name`	string	The name of the task.
`task_category`	string	The task's category
`task_url`	string	The task's URL.
`task_enabled`	boolean	Indicates whether the task is enabled or not.
`task_hmac_key_present`	boolean	Specifies if an HMAC key is present for the task.

Destroy

An HCP Terraform organization emits this event when someone in your organization destroys a task. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_name`	string	The name of the task to be destroyed.
`task_category`	string	The category of the task to be destroyed.
`task_url`	string	The URL associated with the task to be destroyed.
`task_enabled`	boolean	Indicates whether the task to be destroyed is enabled.
`task_hmac_key_present`	boolean	Specifies if an HMAC key is present for the task to be destroyed.

Update

An HCP Terraform organization emits this event when someone in your organization updates a task. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_name`	string	The name of the task to be updated.
`task_category`	string	The updated category of the task.
`task_url`	string	The updated URL associated with the task.
`task_enabled`	boolean	Indicates whether the task is enabled after the update.
`task_hmac_key_present`	boolean	Specifies if an HMAC key is present for the updated task.
`task_hmac_key_changed`	boolean	Indicates whether the HMAC key for the task has changed during the update.

Callback

An HCP Terraform organization emits this event when a run task result's (task_result) callback action occurs. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_result_status`	string	The status of the task result.
`task_result_url`	string	The URL associated with the task result.
`task_result_message`	string	A message associated with the task result.
`workspace`	string	The workspace related to the task result.
`workspace_id`	string	The ID of the workspace related to the task result.
`run_id`	string	The ID of the run associated with the task result.
`run_created_at`	date (iso8601)	The timestamp when the run was created.
`run_created_by`	string	The user who created the run.
`run_message`	string	The message associated with the run.
`run_is_speculative`	boolean	Indicates whether the run is speculative or not.
`workspace_task_id`	string	The ID of the workspace task associated with the result.
`workspace_task_stage`	string	The stage of the workspace task.
`workspace_task_enforcement`	string	The enforcement level of the workspace task.
`organization_task`	string	The organization task related to the task result.
`organization_task_id`	string	The ID of the organization task related to the result.
`organization_task_url`	string	The URL associated with the organization task.

Create a workspace's run task

An HCP Terraform organization emits this event when someone in your organization associates a new run task with a workspace (workspace_task). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_enforcement_level`	string	The task's enforcement level.
`task_stage`	string	The stage of the task.
`workspace`	string	The workspace associated with the task.
`workspace_id`	string	The ID of the workspace.
`organization_task`	string	The organization's task.
`organization_task_id`	string	The ID of the organization's task.

Update a workspace's run task

An HCP Terraform organization emits this event when someone in your organization updates a workspace's associated run task (workspace_task). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_enforcement_level`	string	The task's enforcement level.
`task_stage`	string	The stage of the task.
`workspace`	string	The workspace associated with the task.
`workspace_id`	string	The ID of the workspace.
`organization_task`	string	The organization's task.
`organization_task_id`	string	The ID of the organization's task.

Destroy a workspace's run task

An HCP Terraform organization emits this event when someone in your organization destroys a workspace's associated run task (workspace_task). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`task_enforcement_level`	string	The task's enforcement level.
`task_stage`	string	The stage of the task.
`workspace`	string	The workspace associated with the task.
`workspace_id`	string	The ID of the workspace.
`organization_task`	string	The organization's task.
`organization_task_id`	string	The ID of the organization's task.

Team events

Teams are groups of HCP Terraform users within an organization.

Add Member

An HCP Terraform organization emits this event when someone in your organization adds a member(add_member) to a team. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`user`	string	The user being added to the team.

Remove Member

An HCP Terraform organization emits this event when someone in your organization removes a member(remove_member) from a team. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`user`	string	The user being removed from the team.

Workspace comment events

Workspace comments allow users to leave feedback or record decisions about a run.

Create

An HCP Terraform organization emits this event when someone in your organization creates a comment on a workspace(workspace_comment). Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`resource`	string	The resource associated with the comment.

Workspace events

HCP Terraform manages infrastructure collections with workspaces.

Add Team

An HCP Terraform organization emits this event when someone in your organization adds a team(add_team) to a workspace. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.
`permissions`	string	The permissions granted to the team.

Update Team Permissions

An HCP Terraform organization emits this event when someone in your organization updates the permissions(update_team_permissions) of a team on a workspace. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.
`permissions`	string	The updated permissions for the team.

Remove Team

An HCP Terraform organization emits this event when someone in your organization removes a team(remove_team) from a workspace. Alongside the standard audit trail fields, this event response includes the following fields:

Key	Data Type	Description
`team`	string	The name or identifier of the team.