HCP Terraform adds granular API access for audit trails
HCP Terraform eliminates the need to rely on organization permissions to the audit trails endpoint, streamlining permissions workflows and reducing risk.
Today we’d like to share the latest improvement to HCP Terraform’s permissions capabilities: read-only permission to the HCP Terraform audit trails endpoint. Available now in HCP Terraform, this new feature lets organization owners generate a dedicated API token for least-privilege access to audit trails.
HCP Terraform audit trails let organization administrators quickly review the actions performed by members of their organization. Each entry records who performed the action, what the action was, and when it was performed, and the trail also contains the evaluation results of compliance-related features such as policy enforcement and run tasks. Paired with the Splunk app, it provides near real-time visibility into key actions: you can quickly see which workspaces are generating the most frequent changes, which policies are being evaluated most often, and which users are most active.
Previously, HCP Terraform organization owners had to create an organization API token to grant access to the audit trail endpoint. Because that token carries far broader permissions than reading audit data requires, the credential had to be guarded carefully.
» The new audit token for HCP Terraform audit trails
The new audit token type simplifies privilege management by letting organization owners follow the principle of least privilege: the token grants only read-only access to the HCP Terraform audit trail endpoint. Owners set an expiration on the token, giving them control over its entire lifecycle. The token can also be regenerated at any time, which matters when rotation is required after a security incident. Together, these changes remove the need for whoever consumes audit data to hold owner-level access or to handle the highly privileged organization API token.
» Creating an audit token
To create an audit token, navigate to the API Tokens section within the Organization Settings page. Click the Generate an audit token button and configure the expiration settings as needed.
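As an added example (not HashiCorp's code or anything from the post), the following Python script reads the audit trail with the audit token and computes the per-user and per-workspace summaries described above, flagging impersonated actions along the way. The endpoint URL, query parameters and event field names are assumptions taken from the HCP Terraform audit-trails API documentation, and the sample events are constructed.

```python
import json
import urllib.request
from collections import Counter

# Endpoint, query parameters and event field names are assumptions taken from the
# HCP Terraform audit-trails API documentation; the post itself does not show them.
AUDIT_TRAIL_URL = "https://app.terraform.io/api/v2/organization/audit-trail"

def fetch_audit_events(audit_token, since=None, page_size=100):
    """Fetch all pages of audit-trail events, authenticating with the read-only audit token."""
    events, page = [], 1
    while page:
        query = f"?page[number]={page}&page[size]={page_size}"
        if since:  # RFC3339 timestamp: only events after the last poll
            query += f"&since={since}"
        req = urllib.request.Request(AUDIT_TRAIL_URL + query,
                                     headers={"Authorization": f"Bearer {audit_token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        events.extend(body.get("data", []))
        page = body.get("pagination", {}).get("next_page")  # None on the last page
    return events

def summarize(events):
    """Tally events by actor, resource type and action, and count impersonated actions."""
    summary = {"actors": Counter(), "resources": Counter(), "actions": Counter(), "impersonated": 0}
    for ev in events:
        auth, res = ev.get("auth", {}), ev.get("resource", {})
        summary["actors"][auth.get("description", "unknown")] += 1
        summary["resources"][res.get("type", "unknown")] += 1
        summary["actions"][f"{res.get('type')}.{res.get('action')}"] += 1
        if auth.get("impersonator_id"):  # action taken on behalf of another principal
            summary["impersonated"] += 1
    return summary

# Constructed sample events in the shape of the API's "data" array (not real audit data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "type": "Resource", "timestamp": "2024-01-10T10:00:00.000Z",
     "auth": {"accessor_id": "user-aaa", "description": "alice", "impersonator_id": None},
     "resource": {"id": "ws-prod", "type": "workspace", "action": "update"}},
    {"id": "evt-2", "type": "Resource", "timestamp": "2024-01-10T10:05:00.000Z",
     "auth": {"accessor_id": "user-bbb", "description": "bob", "impersonator_id": "user-admin"},
     "resource": {"id": "run-1", "type": "run", "action": "apply"}},
    {"id": "evt-3", "type": "Resource", "timestamp": "2024-01-10T10:07:00.000Z",
     "auth": {"accessor_id": "user-aaa", "description": "alice", "impersonator_id": None},
     "resource": {"id": "ws-prod", "type": "workspace", "action": "update"}},
]
```

Run `summarize(fetch_audit_events(token, since=last_poll))` on a schedule to keep an incremental view without ever exposing an organization token to the collector.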
» Getting started
This feature is now available in HCP Terraform. Please refer to Terraform’s API token documentation for details on how to get started.
If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.