access_control
The access_control configuration provides a powerful and flexible way to manage who can perform various operations on your Terraform resources. By defining policies based on user roles, GitHub teams, and repository collaborators, you can ensure that only authorized individuals can trigger potentially impactful actions like applying changes to your infrastructure.
Default Configuration
Keys
Key | Type | Description |
---|---|---|
apply_require_all_dirspace_access | boolean | If true, the user must have permission to all targeted dirspaces to trigger an apply operation. Default is true. |
ci_config_update | array | Ruleset for which users can trigger a Terrateam operation on a pull request with a change to the Terrateam CI/CD configuration. Default is ['*']. |
enabled | boolean | Set to true to enable access control. Default is true. |
files | object | An object where the key is a file path and the value is a ruleset for which users can trigger a Terrateam operation on a pull request with a change to the file. |
plan_require_all_dirspace_access | boolean | If true, the user must have permission to all targeted dirspaces to trigger a plan operation. Default is false. |
policies | array | A list of policy objects that define access rules for various operations. |
terrateam_config_update | array | Ruleset for which users can trigger a Terrateam operation on a pull request with a Terrateam configuration file change. Default is ['*']. |
unlock | array | Ruleset for which users can trigger an unlock operation on a pull request. Default is ['*']. |
Policies
Key | Type | Description |
---|---|---|
apply | array | Users who can trigger an apply, including autoapply. |
apply_autoapprove | array | Users who can trigger an apply auto-approve operation. |
apply_force | array | Users who can trigger an apply-force operation. |
apply_with_superapproval | array | Allows a user to trigger an apply operation if a user matching the superapproval list has approved the pull request. |
plan | array | Users who can trigger a plan operation, including autoplan. |
superapproval | array | Define a list of users whose approvals are considered super approvals. |
tag_query | string | See tag queries. |
Rule Syntax
Syntax | Description |
---|---|
* | Matches anyone. |
user:username | Matches a specific user. |
team:teamname | Matches any user who is a member of the specified GitHub team. |
role:rolename | Matches users with the specified repository role. Valid roles are read, triage, write, maintain, and admin. |
GitHub team names must be specified using their slug, which can be retrieved using the GitHub CLI command gh api orgs/<ORG>/teams.
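The following is an added example, not Terrateam's own code: a small Python audit that checks every rule in an already-parsed access_control mapping against the rule syntax above and reports rulesets that resolve to `*`, including top-level keys left at their documented default of ['*']. The function names, the SAMPLE data, and the choice of which policy rulesets to flag are assumptions made for this example.

```python
VALID_ROLES = {"read", "triage", "write", "maintain", "admin"}
# Top-level rulesets whose documented default is ['*'].
TOP_LEVEL = ("ci_config_update", "terrateam_config_update", "unlock")
# Policy rulesets where this review flags '*' (a choice made for the example).
SENSITIVE = ("apply", "apply_autoapprove", "apply_force",
             "apply_with_superapproval", "superapproval")

def rule_error(rule):
    """Return None if the rule matches the documented syntax, else a reason."""
    if rule == "*":
        return None
    kind, sep, name = rule.partition(":")
    if not sep or not name or name != name.strip():
        return "expected '*', user:NAME, team:SLUG or role:ROLE"
    if kind not in ("user", "team", "role"):
        return f"unknown rule type {kind!r}"
    if kind == "role" and name not in VALID_ROLES:
        return f"{name!r} is not a valid repository role"
    return None

def audit(access_control):
    """Return (path, message) findings for a parsed access_control mapping."""
    findings = []
    def check(path, rules, flag_wildcard):
        for rule in rules:
            err = rule_error(rule)
            if err:
                findings.append((path, f"invalid rule {rule!r}: {err}"))
            elif rule == "*" and flag_wildcard:
                findings.append((path, "'*' matches anyone"))
    if access_control.get("enabled", True) is False:
        findings.append(("enabled", "access control is disabled"))
    for key in TOP_LEVEL:
        # An omitted key falls back to the documented default of ['*'].
        check(key, access_control.get(key, ["*"]), True)
    for i, policy in enumerate(access_control.get("policies", [])):
        for key in SENSITIVE + ("plan",):
            check(f"policies[{i}].{key}", policy.get(key, []), key in SENSITIVE)
    return findings

# Constructed sample: parsed form of a hypothetical access_control block.
SAMPLE = {
    "terrateam_config_update": ["role:admin"],
    "unlock": ["team:sre"],
    "policies": [{"plan": ["*"], "apply": ["team:sre", "role:owner"],
                  "apply_force": ["*"]}],
}

if __name__ == "__main__":
    print(*(f"{p}: {m}" for p, m in audit(SAMPLE)), sep="\n")
```

On the sample, the audit reports the omitted ci_config_update key, the invalid role:owner rule, and the wildcard on apply_force.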
Examples
Here are a few examples of common access control configurations: