
HCP Terraform adds granular API access for audit trails

HCP Terraform no longer requires an organization-level token to reach the audit trails endpoint, streamlining permissions workflows and reducing risk.

Today we’d like to share the latest improvement to HCP Terraform’s permissions capabilities: read-only permission to the HCP Terraform audit trails endpoint. Available now in HCP Terraform, this new feature enables organization owners to generate a dedicated API key for least-privilege access to audit trails.

HCP Terraform audit trails let organization administrators quickly review the actions performed by members of their organization. Each entry records who performed the action, what the action was, and when it was performed. The trail also contains the evaluation results of compliance-related features such as policy enforcement and run tasks. When paired with the Splunk app, it provides near real-time visibility into key actions: you can quickly see which workspaces are generating the most frequent changes, which policies are being evaluated most often, and which users are most active.

In the past, HCP Terraform organization owners had to create an organization API token to grant access to the audit trail endpoint. Because that token carries far more permissions than audit access requires, users had to protect those credentials vigilantly.

The new audit token for HCP Terraform audit trails

The new audit token type simplifies privilege management within organizations by letting owners follow the principle of least privilege. The token grants read-only access to the HCP Terraform audit trail endpoint and nothing else. Token expiration gives organization owners control over the token's lifecycle, letting them specify when the audit token should expire. Owners can also regenerate the token at any time, which is particularly useful when token rotation is required following a security incident. Consumers of the audit trail therefore no longer need owner-level access or custody of the highly privileged organization API token.

Creating an audit token

To create an audit token, navigate to the API Tokens section within the Organization Settings page. Click the Generate an audit token button and configure the expiration settings as needed.

[Image: audit trails API read-only]
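The following is an added example, not HashiCorp's code, showing how a reviewer would consume the audit trail with the read-only audit token and produce the two views described above (most active users, most frequent changes). The endpoint path, the `since` and `page[...]` query parameters, the `pagination.next_page` key and the record layout follow the public HCP Terraform API documentation as I recall it and should be treated as assumptions; the sample records and the `TFE_AUDIT_TOKEN` variable name are constructed for this example.

```python
"""Fetch HCP Terraform audit trail records with the read-only audit token and
summarise who did what.  Endpoint path, query parameters, pagination key and
record layout are assumptions based on the public API docs; verify them."""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

AUDIT_URL = "https://app.terraform.io/api/v2/organization/audit-trail"  # assumed path


def fetch_audit_trail(token, since, page_size=100):
    """Yield records newer than `since` (ISO 8601), following pagination.
    `token` is the audit token: it can only read this endpoint, so a leak
    does not expose workspaces, state or variables."""
    page = 1
    while page is not None:
        query = urllib.parse.urlencode(
            {"since": since, "page[number]": page, "page[size]": page_size})
        req = urllib.request.Request(
            f"{AUDIT_URL}?{query}", headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        yield from body.get("data", [])
        page = body.get("pagination", {}).get("next_page")  # assumed key


def summarise(records):
    """Most active actors (auth.description, falling back to accessor_id)
    and most frequent changes (resource type:action)."""
    by_actor, by_change = Counter(), Counter()
    for rec in records:
        auth, res = rec["auth"], rec["resource"]
        by_actor[auth.get("description") or auth["accessor_id"]] += 1
        by_change[f"{res['type']}:{res['action']}"] += 1
    return by_actor, by_change


def _record(actor, rtype, action, ts):
    """Constructed sample record in the (assumed) documented layout."""
    return {"id": f"evt-{ts}", "type": "Resource", "timestamp": ts,
            "auth": {"accessor_id": f"user-{actor}", "description": actor,
                     "type": "Client", "impersonator_id": None},
            "resource": {"id": f"{rtype}-sample", "type": rtype, "action": action}}


SAMPLE = [_record("alice", "run", "create", "2024-05-01T10:00:00Z"),
          _record("alice", "workspace", "update", "2024-05-01T10:05:00Z"),
          _record("ci-bot", "run", "create", "2024-05-01T10:07:00Z"),
          _record("bob", "policy-set", "update", "2024-05-01T11:00:00Z")]

if __name__ == "__main__":  # TFE_AUDIT_TOKEN is a hypothetical variable name
    live = list(fetch_audit_trail(os.environ["TFE_AUDIT_TOKEN"], "2024-05-01T00:00:00Z"))
    for title, counts in zip(("actors", "changes"), summarise(live or SAMPLE)):
        print(title, counts.most_common(5))
```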

Getting started

This feature is now available in HCP Terraform. Please refer to Terraform’s API token documentation for details on how to get started.

If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.
