Sunday, 29 June 2025

RBAC in Terraform Enterprise

 

🔐 1. What is RBAC in Terraform Enterprise? 

RBAC lets you control who can do what by assigning roles (sets of permissions) to users or teams at the organization and workspace level. 

This helps enforce: 

  • Least privilege access 

  • Team-based responsibilities 

  • Secure multi-user collaboration 

 

🎯 2. Built-In Roles in Terraform Cloud / Enterprise 

Terraform has two RBAC levels: 

🔹 A. Organization-Level Roles 

These apply to the whole organization: 

Role             Permissions
Owner            Full control: manage teams, billing, settings
Member           Can view the org and join workspaces they are invited to
Billing Manager  View and manage billing settings

 

🔹 B. Workspace-Level Roles 

These control what users can do inside individual workspaces: 

Each role includes everything the role above it can do:

Role          Can View  Queue Plan  Apply  Manage Vars  Manage State  Manage Settings
Reader        ✓         -           -      -            -             -
Plan          ✓         ✓           -      -            -             -
Plan + Write  ✓         ✓           ✓      ✓            ✓             -
Admin         ✓         ✓           ✓      ✓            ✓             ✓

🔐 You assign these roles to teams, not individual users directly. 

 

👥 3. How to Create Users and Teams 

🔧 A. Add Users to the Organization 

  1. Go to your TFE/TFC web console.

  2. Navigate to Settings → Users.

  3. Click Invite User → enter email.

  4. Choose their organization role:

     • Owner

     • Member

     • Billing Manager

Once invited, users can join the org after accepting via email. 

 

🔧 B. Create Teams 

  1. Go to Settings → Teams.

  2. Click "New Team" → e.g., devops, security, data-platform.

  3. Add users to the team.

You now manage access per team instead of per user (best practice). 

 

🗃️ 4. Assign Team to Workspace & Role 

  1. Go to Workspaces → <workspace-name> → Settings → Access.

  2. Click "Add Team Access".

  3. Select the team (e.g., devops).

  4. Assign a role (Plan, Admin, Read, etc.).

Now members of that team can operate in that workspace with scoped access. 
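The clicks in sections 3 and 4 can also be scripted against the TFE/TFC v2 API, which is how you keep team membership and workspace access reviewable in version control. The following is an added example, not code from the original post: it assumes the documented JSON:API endpoints for teams, organization memberships and team-workspace access, a TFE_TOKEN that is allowed to manage teams, and the team and workspace IDs it uses are constructed placeholders. Granting "admin" is refused unless the caller opts in explicitly, so a copy-paste mistake cannot silently hand a team full control of a workspace.

```python
"""Script the team / workspace-access steps against the TFE/TFC v2 API.

Added example, not from the original post. Assumes the documented endpoints
  POST /api/v2/organizations/:org/teams
  POST /api/v2/organizations/:org/organization-memberships
  POST /api/v2/team-workspaces
and reads TFE_ADDR / TFE_TOKEN / TFE_ORG / TFE_WORKSPACE_ID from the
environment when run directly. IDs like "team-EXAMPLE" are placeholders.
"""
import json
import os
import urllib.request

# Fixed permission sets accepted by the team-workspaces endpoint.
FIXED_ACCESS = ("read", "plan", "write", "admin")


def team_payload(name):
    """JSON:API body for creating a team in an organization."""
    return {"data": {"type": "teams", "attributes": {"name": name}}}


def membership_payload(email, team_ids):
    """JSON:API body that invites a user and places them in the given teams."""
    return {
        "data": {
            "type": "organization-memberships",
            "attributes": {"email": email},
            "relationships": {
                "teams": {"data": [{"type": "teams", "id": t} for t in team_ids]}
            },
        }
    }


def team_access_payload(team_id, workspace_id, access, allow_admin=False):
    """JSON:API body granting a team a fixed permission set on one workspace.

    Unknown access levels are rejected, and "admin" requires allow_admin=True
    so that full control of a workspace is always an explicit decision.
    """
    if access not in FIXED_ACCESS:
        raise ValueError(f"unknown access level {access!r}; expected one of {FIXED_ACCESS}")
    if access == "admin" and not allow_admin:
        raise ValueError("admin access must be requested explicitly with allow_admin=True")
    return {
        "data": {
            "type": "team-workspaces",
            "attributes": {"access": access},
            "relationships": {
                "team": {"data": {"type": "teams", "id": team_id}},
                "workspace": {"data": {"type": "workspaces", "id": workspace_id}},
            },
        }
    }


def tfe_post(addr, token, path, payload):
    """POST a JSON:API payload with a bearer token and return the parsed reply."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}{path}",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/vnd.api+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    addr = os.environ.get("TFE_ADDR", "https://app.terraform.io")
    token = os.environ["TFE_TOKEN"]
    org = os.environ["TFE_ORG"]
    workspace_id = os.environ["TFE_WORKSPACE_ID"]  # the ws-... id from workspace settings

    # Create the "frontend" team, invite a developer into it, and give the
    # team plan-only access to one workspace (the scenario from the post).
    team = tfe_post(addr, token, f"/api/v2/organizations/{org}/teams", team_payload("frontend"))
    team_id = team["data"]["id"]
    tfe_post(addr, token, f"/api/v2/organizations/{org}/organization-memberships",
             membership_payload("dev@example.com", [team_id]))  # constructed address
    tfe_post(addr, token, "/api/v2/team-workspaces",
             team_access_payload(team_id, workspace_id, "plan"))
    print(f"team {team_id} granted 'plan' on workspace {workspace_id}")
```

The payload builders are pure functions, so they can be unit-tested and diffed in a pull request before anything touches the organization; only tfe_post talks to the server.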

 

🛠️ 5. Custom Roles (Terraform Enterprise Only) 

Terraform Enterprise (self-hosted) allows defining custom roles with very fine-grained permissions. 

Not available in Terraform Cloud (even paid tiers). 

Example Permissions You Can Include in a Custom Role: 

{
  "name": "Audit Viewer",
  "description": "Can only view plans and logs",
  "permissions": [
    "read-runs",
    "read-workspace-state-versions",
    "read-outputs"
  ]
}

Then use the TFE API or admin UI to assign this custom role to a team. 

 

🧠 Example Scenario: DevOps vs Developer Team 

Team      Workspaces      Role Assigned  Capability
devops    all workspaces  Admin          Full control
backend   app-backend     Plan + Write   Can plan/apply/manage vars
frontend  app-frontend    Plan           Can only trigger plan runs
security  all             Read           View-only access (audit only)
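To make the workspace role table from section 2 and this scenario concrete, here is an added example (not from the original post) that encodes the cumulative Read < Plan < Write < Admin permission sets, answers "may this team perform this action in this workspace?", and flags least-privilege issues in the scenario's assignments. The action names, the extra shared-network workspace and the two policy rules are constructed assumptions; the identifiers read/plan/write/admin are the fixed permission set names the API uses, so the post's "Reader" maps to read and "Plan + Write" maps to write.

```python
"""Effective workspace permissions and a least-privilege audit.

Added example, not from the original post. The role-to-action mapping follows
the cumulative model of the post's role table; action names, the extra
"shared-network" workspace and the audit rules are constructed for illustration.
"""

ACTIONS = ("view", "queue_plan", "apply", "manage_vars", "manage_state", "manage_settings")

# Each fixed permission set is a superset of the one before it.
ROLE_ACTIONS = {
    "read": {"view"},
    "plan": {"view", "queue_plan"},
    "write": {"view", "queue_plan", "apply", "manage_vars", "manage_state"},
    "admin": set(ACTIONS),
}
ROLE_ORDER = ("read", "plan", "write", "admin")

# The scenario table: (team, workspace selector, role). "*" means every workspace.
ASSIGNMENTS = [
    ("devops", "*", "admin"),
    ("backend", "app-backend", "write"),
    ("frontend", "app-frontend", "plan"),
    ("security", "*", "read"),
]
# Constructed workspace inventory for the audit.
WORKSPACES = ("app-backend", "app-frontend", "shared-network")


def effective_role(team, workspace, assignments=ASSIGNMENTS):
    """Highest fixed permission set a team holds on a workspace, or None."""
    best = None
    for t, ws, role in assignments:
        if t == team and ws in ("*", workspace):
            if best is None or ROLE_ORDER.index(role) > ROLE_ORDER.index(best):
                best = role
    return best


def can(team, workspace, action, assignments=ASSIGNMENTS):
    """Authorization decision: may this team perform the action in the workspace?"""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    role = effective_role(team, workspace, assignments)
    return role is not None and action in ROLE_ACTIONS[role]


def audit(assignments=ASSIGNMENTS, workspaces=WORKSPACES):
    """Return least-privilege findings for a set of assignments.

    Rule 1: admin granted through the "*" wildcard should be scoped to named
            workspaces so new workspaces do not inherit full control.
    Rule 2: a team that can apply in every workspace has an organization-wide
            blast radius and deserves review.
    """
    findings = []
    for team, ws, role in assignments:
        if role == "admin" and ws == "*":
            findings.append(f"{team}: admin on every workspace via '*'; scope admin to named workspaces")
    for team in sorted({t for t, _, _ in assignments}):
        if all(can(team, w, "apply", assignments) for w in workspaces):
            findings.append(f"{team}: can apply in all {len(workspaces)} workspaces; review blast radius")
    return findings


if __name__ == "__main__":
    for team, ws, action in [("frontend", "app-frontend", "apply"),
                             ("backend", "app-backend", "apply"),
                             ("security", "shared-network", "view")]:
        print(f"{team} {action} in {ws}: {'allowed' if can(team, ws, action) else 'denied'}")
    for finding in audit():
        print("FINDING:", finding)
```

Running it shows that the frontend team is denied apply on its own workspace while backend is allowed, and the audit reports the devops team twice: once for wildcard admin and once for being able to apply everywhere. Both are acceptable if that is a deliberate decision, but the script makes the exception visible instead of implicit.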

 

✅ Summary 

Feature               Terraform Cloud  Terraform Enterprise
Built-in Roles        ✓                ✓
Org-level RBAC        ✓                ✓
Workspace-level RBAC  ✓                ✓
Teams and Team Roles  ✓                ✓
Custom Roles          ✗                ✓
API for automation    ✓                ✓
