HCP Terraform adds granular API access for audit trails
HCP Terraform removes the need to rely on organization-level permissions for access to the audit trails endpoint, streamlining permissions workflows and reducing risk.
Today we’d like to share the latest improvement to HCP Terraform’s permissions capabilities: read-only permission to the HCP Terraform audit trails endpoint. Available now in HCP Terraform, this new feature enables organization owners to generate a dedicated API key for least-privilege access to audit trails.
HCP Terraform audit trails let organization administrators quickly review the actions performed by members of their organization. Each entry records who performed the action, what the action was, and when it was performed. The trail also contains the evaluation results of compliance-related features such as policy enforcement and run tasks. When paired with the Splunk app, it provides near real-time visibility into key actions: you can quickly see which workspaces are generating the most frequent changes, which policies are being evaluated most often, and which users are most active.
In the past, within HCP Terraform, organization owners were required to create an organization API token to grant access to the audit trail endpoint. However, the excessive permissions associated with this token meant users had to vigilantly protect these credentials.
» The new audit token for HCP Terraform audit trails
The new audit token type simplifies privilege management within organizations by letting owners follow the principle of least privilege. The token grants read-only access to the HCP Terraform audit trail endpoint and nothing else. Because the token carries an expiration, organization owners control its entire lifecycle and can specify exactly when it should expire. Owners can also regenerate the token on demand, which is particularly useful when token rotation is required after a security incident. As a result, consumers of the audit trail no longer need owner-level access or the highly privileged organization API token.
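The two passages above describe what the audit trail contains and how the read-only audit token is meant to be consumed. The following Python script is an added example, not HashiCorp code and not from the original post: it reads the audit token from an environment variable (never from source), fetches the audit trail, and produces the kind of summaries the post mentions (most active users, workspaces with the most run creations, a per-action breakdown), plus a simple watchlist for token-related events. The endpoint path, the `since`/`page[...]` query parameters, the top-level `pagination` object and the record layout (`auth.accessor_id`, `resource.type`, `resource.action`, `resource.meta.workspace_id`) are assumptions based on the public audit-trail API documentation as the author of this example recalls it; the sample events and every identifier in them are constructed placeholders, and the watchlist is an example policy, not a HashiCorp recommendation.

```python
"""Fetch and summarize HCP Terraform audit trail records with a read-only audit token.

Added example; endpoint, parameters and record layout are assumptions, and the
sample events below are constructed placeholders, not real audit data.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

# Assumed endpoint and parameter names (check the current HCP Terraform API docs).
AUDIT_TRAIL_URL = "https://app.terraform.io/api/v2/organization/audit-trail"

# Example watchlist: resource types/actions a defender may want to review first.
SENSITIVE_TYPES = {"organization_token", "team_token", "user_token"}
SENSITIVE_ACTIONS = {"delete", "destroy"}

# Constructed sample records mirroring the assumed audit-trail record layout.
SAMPLE_EVENTS = [
    {"id": "evt-0001", "type": "Resource", "timestamp": "2024-05-01T10:00:00Z",
     "auth": {"accessor_id": "user-alice", "type": "Client", "impersonator_id": None},
     "resource": {"id": "run-0001", "type": "run", "action": "create", "meta": {"workspace_id": "ws-prod"}}},
    {"id": "evt-0002", "type": "Resource", "timestamp": "2024-05-01T10:05:00Z",
     "auth": {"accessor_id": "user-alice", "type": "Client", "impersonator_id": None},
     "resource": {"id": "run-0002", "type": "run", "action": "create", "meta": {"workspace_id": "ws-prod"}}},
    {"id": "evt-0003", "type": "Resource", "timestamp": "2024-05-01T10:07:00Z",
     "auth": {"accessor_id": "user-bob", "type": "Client", "impersonator_id": None},
     "resource": {"id": "run-0003", "type": "run", "action": "create", "meta": {"workspace_id": "ws-dev"}}},
    {"id": "evt-0004", "type": "Resource", "timestamp": "2024-05-01T10:08:00Z",
     "auth": {"accessor_id": "user-alice", "type": "Client", "impersonator_id": None},
     "resource": {"id": "polchk-0001", "type": "policy_check", "action": "create", "meta": {"workspace_id": "ws-prod"}}},
    {"id": "evt-0005", "type": "Resource", "timestamp": "2024-05-01T10:09:00Z",
     "auth": {"accessor_id": "user-carol", "type": "Client", "impersonator_id": None},
     "resource": {"id": "at-0001", "type": "organization_token", "action": "create", "meta": {}}},
    {"id": "evt-0006", "type": "Resource", "timestamp": "2024-05-01T10:12:00Z",
     "auth": {"accessor_id": "user-bob", "type": "Client", "impersonator_id": None},
     "resource": {"id": "run-0003", "type": "run", "action": "apply", "meta": {"workspace_id": "ws-dev"}}},
]


def fetch_audit_trail(token, since=None, page_size=100):
    """Page through the audit trail using only the read-only audit token (network call)."""
    events, page = [], 1
    while True:
        params = {"page[number]": page, "page[size]": page_size}
        if since:
            params["since"] = since  # assumed RFC3339 timestamp filter
        req = urllib.request.Request(
            AUDIT_TRAIL_URL + "?" + urllib.parse.urlencode(params),
            headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.api+json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        events.extend(body.get("data", []))
        # Assumed pagination block; stop when the API reports no further page.
        pagination = body.get("pagination") or body.get("meta", {}).get("pagination", {})
        if not pagination.get("next_page"):
            return events
        page = pagination["next_page"]


def summarize(events):
    """Count activity per user, run creations per workspace and events per type/action."""
    users = Counter(e["auth"]["accessor_id"] for e in events)
    runs_per_workspace = Counter(
        e["resource"].get("meta", {}).get("workspace_id", "unknown")
        for e in events
        if e["resource"]["type"] == "run" and e["resource"]["action"] == "create"
    )
    actions = Counter(f'{e["resource"]["type"]}/{e["resource"]["action"]}' for e in events)
    return {"users": users, "runs_per_workspace": runs_per_workspace, "actions": actions}


def flag_sensitive(events):
    """Return ids of events matching the example watchlist, for manual review."""
    return [
        e["id"] for e in events
        if e["resource"]["type"] in SENSITIVE_TYPES or e["resource"]["action"] in SENSITIVE_ACTIONS
    ]


if __name__ == "__main__":
    # Hypothetical variable name; the token itself must never be committed to source.
    token = os.environ.get("HCP_TF_AUDIT_TOKEN")
    events = fetch_audit_trail(token) if token else SAMPLE_EVENTS
    summary = summarize(events)
    print("most active users:", summary["users"].most_common(3))
    print("run creations per workspace:", summary["runs_per_workspace"].most_common(3))
    print("events by type/action:", dict(summary["actions"]))
    print("events to review:", flag_sensitive(events))
```

Because the audit token is read-only, the script can run from a scheduled job or a SIEM collector without holding owner-level credentials; if the token leaks, the blast radius is limited to reading audit data, and rotating it does not disturb any other organization token.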
» Creating an audit token
To create an audit token, navigate to the API Tokens section within the Organization Settings page. Click the Generate an audit token button and configure the expiration settings as needed.

» Getting started
This feature is now available in HCP Terraform. Please refer to Terraform’s API token documentation for details on how to get started.
If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.