
access_control

The access_control configuration provides a powerful and flexible way to manage who can perform various operations on your Terraform resources. By defining policies based on user roles, GitHub teams, and repository collaborators, you can ensure that only authorized individuals can trigger potentially impactful actions like applying changes to your infrastructure.

Default Configuration

access_control:
  apply_require_all_dirspace_access: true
  ci_config_update: ['*']
  enabled: true
  files: {}
  plan_require_all_dirspace_access: false
  policies:
    - apply: ['*']
      apply_autoapprove: []
      apply_force: []
      apply_with_superapproval: []
      plan: ['*']
      superapproval: []
      tag_query: ""
  terrateam_config_update: ['*']
  unlock: ['*']

Keys

Key (type): Description

apply_require_all_dirspace_access (boolean): If true, the user must have permission to all targeted dirspaces to trigger an apply operation. Default is true.
ci_config_update (array): Ruleset for which users can trigger a Terrateam operation on a pull request with a change to the Terrateam CI/CD configuration. Default is ['*'].
enabled (boolean): Set to true to enable access control. Default is true.
files (object): An object where the key is a file path and the value is a ruleset for which users can trigger a Terrateam operation on a pull request with a change to that file.
plan_require_all_dirspace_access (boolean): If true, the user must have permission to all targeted dirspaces to trigger a plan operation. Default is false.
policies (array): A list of policy objects that define access rules for various operations.
terrateam_config_update (array): Ruleset for which users can trigger a Terrateam operation on a pull request with a Terrateam configuration file change. Default is ['*'].
unlock (array): Ruleset for which users can trigger an unlock operation on a pull request. Default is ['*'].

Policies

Key (type): Description

apply (array): Users who can trigger an apply, including autoapply.
apply_autoapprove (array): Users who can trigger an apply auto-approve operation.
apply_force (array): Users who can trigger an apply-force operation.
apply_with_superapproval (array): Allows a user to trigger an apply operation if a user matching the superapproval list has approved the pull request.
plan (array): Users who can trigger a plan operation, including autoplan.
superapproval (array): Defines the list of users whose approvals are considered super approvals.
tag_query (string): See tag queries.

Rule Syntax

Syntax: Description

*: Matches anyone.
user:username: Matches a specific user.
team:teamname: Matches any user who is a member of the specified GitHub team.
role:rolename: Matches users with the specified repository role. Valid roles are read, triage, write, maintain, and admin.

GitHub team names must be specified using their slug, which can be retrieved using the GitHub CLI command gh api orgs/<ORG>/teams.

Examples

Here are a few examples of common access control configurations:

Allow Only SRE Team to Apply Changes

access_control:
  policies:
    - tag_query: ''
      plan: ['*']
      apply: ['team:sre']

Require Super Approval for Production Changes

access_control:
  policies:
    - tag_query: 'dir:production'
      apply: []
      apply_with_superapproval: ['*']
      superapproval: ['team:sre']
    - tag_query: ''
      plan: ['*']
      apply: ['*']
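To make the rule syntax from the Rule Syntax section and the super-approval flow in the example above concrete, here is an added Python model of how such a policy evaluates. It is an illustration written for this page, not Terrateam's own implementation: the User class, the first-matching-policy selection, and the simplified tag_query handling (only '' and 'dir:<path>') are assumptions made for the example, and the users are constructed.

```python
# Constructed illustration of the access_control rule syntax and the
# apply_with_superapproval flow. Added example, not Terrateam's own code;
# tag_query handling is simplified to '' and 'dir:<path>' (assumption).
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    teams: set = field(default_factory=set)  # GitHub team slugs
    role: str = "read"                        # repository role


VALID_ROLES = {"read", "triage", "write", "maintain", "admin"}


def rule_matches(rule: str, user: User) -> bool:
    """Evaluate one rule ('*', 'user:', 'team:', 'role:') against a user."""
    if rule == "*":
        return True
    kind, sep, name = rule.partition(":")
    if not sep:
        raise ValueError(f"unknown rule syntax: {rule!r}")
    if kind == "user":
        return user.login == name
    if kind == "team":
        return name in user.teams
    if kind == "role":
        if name not in VALID_ROLES:
            raise ValueError(f"invalid repository role: {name!r}")
        return user.role == name
    raise ValueError(f"unknown rule syntax: {rule!r}")


def any_match(ruleset, user):
    """A ruleset grants access when any one of its rules matches the user."""
    return any(rule_matches(r, user) for r in ruleset)


def policy_for(policies, dirspace):
    """Assumption for this example: the first policy whose tag_query matches
    the dirspace wins; '' matches everything, 'dir:<path>' matches that dir."""
    for policy in policies:
        query = policy.get("tag_query", "")
        if query == "" or (query.startswith("dir:") and dirspace == query[4:]):
            return policy
    return None


def can_apply(policies, dirspace, user, approvers):
    """Apply is permitted if the user matches `apply`, or matches
    `apply_with_superapproval` and some approver matches `superapproval`."""
    policy = policy_for(policies, dirspace)
    if policy is None:
        return False
    if any_match(policy.get("apply", []), user):
        return True
    if any_match(policy.get("apply_with_superapproval", []), user):
        super_rules = policy.get("superapproval", [])
        return any(any_match(super_rules, a) for a in approvers)
    return False


def apply_permitted(policies, dirspaces, user, approvers, require_all=True):
    """Models apply_require_all_dirspace_access: with require_all the user
    needs access to every targeted dirspace, otherwise to at least one."""
    decisions = [can_apply(policies, d, user, approvers) for d in dirspaces]
    return all(decisions) if require_all else any(decisions)


# The "Require Super Approval for Production Changes" policies from this page.
POLICIES = [
    {"tag_query": "dir:production", "apply": [],
     "apply_with_superapproval": ["*"], "superapproval": ["team:sre"]},
    {"tag_query": "", "plan": ["*"], "apply": ["*"]},
]

if __name__ == "__main__":
    # Constructed users: a developer and an SRE team member.
    dev = User("alice", teams={"developers"}, role="write")
    sre = User("bob", teams={"sre"}, role="admin")
    print(can_apply(POLICIES, "production", dev, approvers=[]))     # False
    print(can_apply(POLICIES, "production", dev, approvers=[sre]))  # True
    print(can_apply(POLICIES, "staging", dev, approvers=[]))        # True
```

The point to take from the model is that an empty `apply` list on the production policy closes the direct path entirely, so the only way a non-SRE user reaches an apply there is through an approval from someone matching `superapproval`; with `apply_require_all_dirspace_access` left at its default of true, a pull request touching both production and a non-production directory is blocked for that user until the super approval is in place.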

Allow Developers to Force Apply in Development Environment

access_control:
  policies:
    - tag_query: 'dir:development'
      apply_force: ['team:developers']

Allow Only SRE Team when CI Configuration has Changed

access_control:
  ci_config_update: ['team:sre']

Allow Only Repo Admins when a File is Changed

access_control:
  files:
    bin/script-that-handles-sensitive-things: ['role:admin']