Terraform
Users
User accounts belong to individual people. Each user can be part of one or more teams, which are granted permissions on workspaces within an organization. A user can be a member of multiple organizations.
API
Use the Account API to get account details, update account information, and change your password.
Creating an Account
To use HCP Terraform or Enterprise, you must create an account through one of the following methods:
- Invitation Email: When a user sends you an invitation to join an existing HCP Terraform organization, the email includes a sign-up link. After you create an account, you can automatically join that organization and can begin using HCP Terraform.
- Sign-Up Page: Creating an account requires a username, an email address, and a password. For HCP Terraform, go to
https://app.terraform.io/public/signup/account
. For Terraform Enterprise, go tohttps://<TFE HOSTNAME>/public/signup/account
. After you create an account, you do not belong to any organizations. To begin using HCP Terraform, you can either create an organization or ask an organization owner to send you an invitation email to join their organization.
Joining Organizations and Teams
An organization owner or a user with Manage Membership permissions must invite you to join their organization and add you to one or more teams.
HCP Terraform sends user invitations by email. If the invited email address matches an existing HCP Terraform account, the invitee can join the organization with that account. Otherwise, they must create a new account and then join the organization.
Site Admin Permissions
On Terraform Enterprise instances, some user accounts have a special site admin permission that allows them to administer the entire instance.
Admin permissions are distinct from normal organization-level permissions, and they apply to a different set of UI controls and API endpoints. Admin users can administer any resource across the instance when using the site admin pages or the admin API, but they have normal user permissions when using an organization's standard UI controls and API endpoints. These normal user permissions are determined by team membership.
Refer to Administering Terraform Enterprise for more details.
Account Settings
To view your settings page, click your user icon and select Account settings. Your Profile page appears, showing your username, email address, and avatar.
Profile
Click Profile in the sidebar to view and edit the username and email address associated with your HCP Terraform account.
Important: HCP Terraform includes your username in URL paths to resources. If external systems make requests to these resources, you must update them before you change your username.
HCP Terraform uses Gravatar to display a user icon if you have associated one with your email address. Refer to the Gravatar documentation for details about changing your user icon.
Sessions
Click Sessions in the sidebar to view a list of sessions associated with your HCP Terraform account. You can revoke any sessions you do not recognize.
Organizations
Click Organizations in the sidebar to view a list of the organizations where you are a member. If you are on the owners team, the organization is marked with an OWNER badge.
To leave an organization, click the ellipses (...) next to the organization and select Leave organization. You do not need permission from the owners to leave an organization, but you cannot leave if you are the last member of the owners team. Either add a new owner and then leave, or delete the organization.
Password
Click Password in the sidebar to change your password.
Note: Password management is not available if your Terraform Enterprise instance uses SAML single sign on. Note: Passwords must be at least 10 characters in length, and you can use any type of character. Password management is not available if your Terraform Enterprise instance uses SAML single sign on.
Two-Factor Authentication
Click Two Factor Authentication in the sidebar to enable two-factor authentication. Two-factor authentication requires a TOTP-compliant application or an SMS-capable phone number. An organization can set policies that require two-factor authentication.
Refer to Two-Factor Authentication for details.
Tokens
Click Tokens in the sidebar to create, manage, and revoke API tokens. HCP Terraform has three kinds of API tokens: user, team, and organization. Users can be members of multiple organizations, so user tokens work with any organization where the associated user is a member. Refer to API Tokens for details.
API tokens are required for the following tasks:
- Authenticating with the HCP Terraform API. API calls require an
Authorization: Bearer <TOKEN>
HTTP header. - Authenticating with the HCP Terraform CLI integration or the
remote
backend. These require a token in the CLI configuration file or in the backend configuration. - Using private modules in command-line runs on local machines. This requires a token in the CLI configuration file.
Protect your tokens carefully because they contain the same permissions as your user account. For example, if you belong to a team with permission to read and write variables for a workspace, another user could use your API token to authenticate as your user account and also edit variables in that workspace. Refer to permissions for more details.
We recommend protecting your tokens by creating them with an expiration date and time. Refer to API Token Expiration for details.
Creating a Token
To create a new token:
- Click Create an API token. The Create API token box appears.
- Enter a Description that explains what the token is for and click Create API token.
- You can optionally enter the token's expiration date or time, or create a token that never expires. The UI displays a token's expiration date and time in your current time zone.
- Copy your token from the box and save it in a secure location. HCP Terraform only displays the token once, right after you create it. If you lose it, you must revoke the old token and create a new one.
Revoking a Token
To revoke a token, click the trash can next to it. That token will no longer be able to authenticate as your user account.
Note: HCP Terraform does not revoke a user API token's access to an organization when you remove the user from an SSO Identity Provider as the user may still be a member of the organization. To remove access to a user's API token, remove the user from the organization in the UI or with the Terraform Enterprise provider.
GitHub App OAuth Token
Click Tokens in the sidebar to manage your GitHub App token. This token lets you connect a workspaces to an available GitHub App installation.
Note: Only an HCP Terraform user can own a GitHub App token. Team and Organization API tokens are not able to own a GitHub App token.
A GitHub App token lets you:
- Connect workspaces, policy sets, and registry modules to a GitHub App installation with the HCP Terraform API and UI.
- View available GitHub App installations with the HCP Terraform API and UI.
After generating this token, you can use it to view information about your available installations for the Terraform Cloud GitHub App.
Creating a GitHub App token
To create a GitHub App token, click Create a GitHub App token. The GitHub App authorization pop-up window appears requesting authorization of the Terraform Cloud GitHub App.
Note: This does not grant HCP Terraform access to repositories.
Revoking the GitHub App token
To revoke the GitHub App token, click the ellipses button (...). The dropdown menu appears. Click the Delete Token option. This triggers a confirmation window to appear, which asks you to confirm that you want to revoke the token. Once confirmed, the token is revoked and you can no longer view GitHub App installations.