
Access Controls

Terrateam Configuration

Terrateam behavior can be configured via a config.yml. This file is located in a directory named .terrateam at the root of your Terraform repository: .terrateam/config.yml.

See Configuration documentation for details.

Developers can Apply with Super Approvals

Allow any user to trigger an Apply operation only after a member of the SRE team has approved the pull request.

access_control:
  policies:
    - tag_query: ''
      apply: []
      superapproval: ['team:sre']
      apply_with_superapproval: ['*']

Everyone can Plan but only SRE can Apply

Allow anyone to trigger a Plan operation but only allow members of the SRE team to trigger an Apply operation.

access_control:
  policies:
    - tag_query: ''
      plan: ['*']
      apply: ['team:sre']

Separate Controls per Directory

Define separate policies per directory.

dirs:
  aws/qa:
    tags: [aws, qa]
  aws/production:
    tags: [aws, production]
access_control:
  policies:
    - tag_query: aws qa
      plan: ['*']
      apply: ['*']
    - tag_query: aws production
      plan: ['*']
      apply: ['team:sre']

Separate Controls per Workspace

Define separate policies per workspace.

dirs:
  aws:
    tags: [aws]
    workspaces:
      qa:
        tags: [qa]
      production:
        tags: [production]
access_control:
  policies:
    - tag_query: aws qa
      plan: ['*']
      apply: ['*']
    - tag_query: aws production
      plan: ['*']
      apply: ['team:sre']
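
The per-directory and per-workspace policies above can be audited mechanically. The following is an added example, not Terrateam's own code: it resolves each directory or workspace to a policy and flags production targets that anyone can Apply. It assumes a tag_query is a list of space-separated tags that must all be present, that an empty query matches everything, and that the first matching policy wins; the names targets, first_match and audit are hypothetical.

```python
# Added example: audit which access-control policy each directory/workspace resolves to.
# Assumptions (not from the page): a tag_query is space-separated tags that must all
# be present, '' matches everything, and the first matching policy wins.

# Constructed config mirroring the per-workspace example, written as a Python dict.
CONFIG = {
    "dirs": {"aws": {"tags": ["aws"], "workspaces": {
        "qa": {"tags": ["qa"]}, "production": {"tags": ["production"]}}}},
    "access_control": {"policies": [
        {"tag_query": "aws qa", "plan": ["*"], "apply": ["*"]},
        {"tag_query": "aws production", "plan": ["*"], "apply": ["team:sre"]},
    ]},
}

def targets(config):
    """Yield (name, tag set) for every directory or directory:workspace pair."""
    for path, d in config.get("dirs", {}).items():
        base = set(d.get("tags", []))
        workspaces = d.get("workspaces")
        if not workspaces:
            yield path, base
        else:
            for ws, w in workspaces.items():
                yield f"{path}:{ws}", base | set(w.get("tags", []))

def first_match(policies, tags):
    """Return the first policy whose query tags are all in `tags`, else None."""
    for policy in policies:
        if set(policy["tag_query"].split()) <= tags:
            return policy
    return None

def audit(config, sensitive_tag="production"):
    """Flag sensitive targets that match no policy or whose policy lets '*' Apply."""
    policies = config.get("access_control", {}).get("policies", [])
    findings = []
    for name, tags in targets(config):
        if sensitive_tag not in tags:
            continue
        policy = first_match(policies, tags)
        if policy is None:
            findings.append((name, "no policy matched"))
        # A policy that omits `apply` is reported conservatively as open.
        elif "*" in policy.get("apply", ["*"]):
            findings.append((name, f"apply open via tag_query {policy['tag_query']!r}"))
    return findings

if __name__ == "__main__":
    print(audit(CONFIG))  # no findings for the config above
```

Under the first-match assumption, a catch-all `tag_query: ''` policy with `apply: ['*']` placed ahead of the production policy makes the audit report `aws:production`.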

SRE can bypass Apply Requirements

Allow members of the SRE team to bypass Apply Requirements with Apply Force.

access_control:
  policies:
    - tag_query: ''
      apply_force: ['team:sre']

Only SRE can Unlock

Only members of the SRE team can trigger an Unlock operation.

access_control:
  policies:
    - tag_query: ''
      unlock: ['team:sre']