Manage permissions in HCP Terraform
As your Terraform usage grows, you may need to control which resources HCP Terraform users can access. In this tutorial, you will create a team, assign it permissions for a workspace, and invite users to the team.
An organization owner can assign teams either fixed permission sets or custom permissions at the workspace or project level. We recommend following the principle of least privilege when possible and only giving teams access to the resources they need for their job function.
Note
Teams are available in HCP Terraform Standard Edition. Refer to HCP Terraform pricing for details.
Prerequisites
For this tutorial, you will need:
- An HCP Terraform account.
- Organization owner permissions for a Standard edition HCP Terraform organization.
Create a new team
The owners team is the default team of an HCP Terraform organization. This team has every available permission in the organization, so it is important to create a team with restricted access before adding new members.
To add a new team, navigate to your organization Settings > Teams. Click Create a team.
Enter the name Dev-Team, then click Create.
The team settings page lets you configure broad organization-level permissions.
Leave these permissions blank. In the next section, you will assign workspace-level permissions, which grant more targeted access than organization-level permissions.
Assign workspace permissions
Navigate to the Workspaces page and create a new CLI-driven workspace named dev-webapp in your organization's Default project.
Then, go to the dev-webapp workspace's Settings > Team Access page.
Click Add team and permissions.
Fixed permission sets let you easily set predefined collections of privileges for common job functions. You can also set custom permissions if you need to define more granular scope.
In the Team dropdown, select the Dev-Team. Then, select the Write permission set. On the right-hand side, the workspace displays the permissions included in this fixed permission set. Click Assign permissions.
The Dev-Team now has Write permissions to this workspace, but the team does not yet have any members.
Invite a user to your organization and team
To collaborate with your team members in HCP Terraform, you need to grant them access to the same HCP Terraform organization. You can add users to an organization by inviting them using their email address. Even if your team member has not signed up for HCP Terraform yet, they can still accept the invitation and create a new account.
Navigate to your Organization Settings > Users, then click Invite a user.
Enter the email address of the teammate you need to add and select Dev-Team from the Add to teams dropdown. Then, click Invite user.
HCP Terraform will send the user an email invite that they must accept to join your organization. If the user does not yet have an account, HCP Terraform will prompt them to create one and automatically add them to your organization and team.
Review team membership
Once your teammates accept their invitations, navigate to Organization Settings > Teams and select your Dev-Team. The Members section now lists the new team member.
You can manage team membership for users already in your organization from this page.
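The same least-privilege setup (team with no organization-level access, Write permission on a single workspace, invited user added to the team) expressed with the HashiCorp tfe provider, as an added example that is not part of the original tutorial. It assumes the provider authenticates with an organization-owner token through the TFE_TOKEN environment variable; the organization name and email address are placeholders.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Placeholder values (assumptions, not from the tutorial): replace with your
# organization name and the teammate's email address.
locals {
  organization = "example-org"
  invitee      = "teammate@example.com"
}

# Equivalent of Settings > Teams > Create a team. No organization_access block
# is set, so the team has no organization-level permissions (left blank above).
resource "tfe_team" "dev" {
  name         = "Dev-Team"
  organization = local.organization
}

# Equivalent of creating the CLI-driven workspace. Omitting project_id places
# the workspace in the organization's Default project.
resource "tfe_workspace" "dev_webapp" {
  name         = "dev-webapp"
  organization = local.organization
}

# Equivalent of Settings > Team Access > Add team and permissions with the
# fixed "Write" permission set, scoped to this single workspace only.
resource "tfe_team_access" "dev_write" {
  team_id      = tfe_team.dev.id
  workspace_id = tfe_workspace.dev_webapp.id
  access       = "write"
}

# Equivalent of Organization Settings > Users > Invite a user. The membership
# is created now; the invitee still has to accept the email invitation.
resource "tfe_organization_membership" "invitee" {
  organization = local.organization
  email        = local.invitee
}

# Equivalent of the "Add to teams" dropdown on the invitation form.
resource "tfe_team_organization_member" "invitee_dev" {
  team_id                    = tfe_team.dev.id
  organization_membership_id = tfe_organization_membership.invitee.id
}
```

Running terraform plan against this configuration shows the exact scope being granted before it is applied, so the access change can be reviewed like any other code change.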
Next steps
In this tutorial, you created a new team in your organization, assigned the team workspace-specific privileges, and invited a new user to your HCP Terraform organization and team. You also reviewed how to add existing organization users to teams.
Review the following resources to learn more about managing permissions and enabling your team in HCP Terraform:
- Learn how to assign project-specific permissions to teams.
- Review the interaction of workspace, project, and organization-wide permissions in HCP Terraform.
- Learn how to enable no-code Terraform provisioning for self-service workflows.
- Learn how to use short-lived dynamic provider credentials.