Skip to content

Access Controls

Terrateam Configuration Terrateam behavior can be configured via a config.yml. This file is located in a directory named .terrateam at the root of your Terraform repository: .terrateam/config.yml.

See Configuration documentation for details.

Developers can Apply with Super Approvals

Allow any user to trigger an Apply operation only after a member of the SRE team has approved the pull request.

access_control:
policies:
- tag_query: ''
apply: []
superapproval: ['team:sre']
apply_with_superapproval: ['*']

Everyone can Plan but SRE can only Apply

Allow anyone to trigger a Plan operation but only allow members of the SRE team to trigger an Apply operation.

access_control:
policies:
- tag_query: ''
plan: ['*']
apply: ['team:sre']

Separate Controls per Directory

Define separate policies per directory.

dirs:
aws/qa:
tags: [aws, qa]
aws/production:
tags: [aws, production]
access_control:
policies:
- tag_query: aws qa
plan: ['*']
apply: ['*']
- tag_query: aws production
plan: ['*']
apply: ['team:sre']

Separate Controls per Workspace

Define separate policies per workspace.

dirs:
aws:
tags: [aws]
workspaces:
qa:
tags: [qa]
production:
tags: [production]
access_control:
policies:
- tag_query: aws qa
plan: ['*']
apply: ['*']
- tag_query: aws production
plan: ['*']
apply: ['team:sre']

SRE bypass Apply Requirements

Allow members of the SRE team to bypass Apply Requirements with Apply Force.

access_control:
policies:
- tag_query: ''
apply_force: ['team:sre']

SRE can only Unlock

Only members of the SRE team can trigger an Unlock operation.

access_control:
policies:
- tag_query: ''
unlock: ['team:sre']
We use cookies and similar technologies to provide certain features, enhance the user experience and deliver content that is relevant to your interests. Depending on their purpose, analysis and marketing cookies may be used in addition to technically necessary cookies. By clicking on "Agree and continue", you declare your consent to the use of the aforementioned cookies. Here you can make detailed settings or revoke your consent (in part if necessary) with effect for the future. For further information, please refer to our Privacy Policy .