• Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Network Infrastructure Automation
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHubTerraform Cloud
Download

    Terraform Cloud and Enterprise

  • Overview
  • Plans and Features
  • Getting Started
    • API Docs template
    • Overview
    • Account
    • Agent Pools
    • Agent Tokens
    • Applies
    • Audit Trails
    • Comments
    • Configuration Versions
    • Cost Estimates
    • Feature Sets
    • Invoices
    • IP Ranges
    • Notification Configurations
    • OAuth Clients
    • OAuth Tokens
    • Organizations
    • Organization Memberships
    • Organization Tags
    • Organization Tokens
    • Plan Exports
    • Plans
    • Policies
    • Policy Checks
    • Policy Sets
    • Policy Set Parameters
      • Modules
      • Providers
      • Private Provider Versions and Platforms
      • GPG Keys
    • Runs
      • Run Tasks
      • Stages and Results
      • Custom Integration
    • Run Triggers
    • SSH Keys
    • State Versions
    • State Version Outputs
    • Subscriptions
    • Team Access
    • Team Membership
    • Team Tokens
    • Teams
    • User Tokens
    • Users
    • Variables
    • VCS Events
    • Workspaces
    • Workspace-Specific Variables
    • Workspace Resources
    • Variable Sets
      • Overview
      • Module Sharing
      • Organizations
      • Runs
      • Settings
      • Terraform Versions
      • Users
      • Workspaces
    • Changelog
    • Stability Policy
    • Overview
    • Creating Workspaces
    • Naming
    • Terraform Configurations
      • Overview
      • Managing Variables
      • Overview
      • VCS Connections
      • Access
      • Drift Detection
      • Notifications
      • SSH Keys for Modules
      • Run Triggers
      • Run Tasks
    • Terraform State
    • JSON Filtering
    • Remote Operations
    • Viewing and Managing Runs
    • Run States and Stages
    • Run Modes and Options
    • UI/VCS-driven Runs
    • API-driven Runs
    • CLI-driven Runs
    • The Run Environment
    • Installing Software
    • Users
    • Teams
    • Organizations
    • Permissions
    • Two-factor Authentication
    • API Tokens
      • Overview
      • Microsoft Azure AD
      • Okta
      • SAML
      • Linking a User Account
      • Testing
    • Overview
    • GitHub.com
    • GitHub.com (OAuth)
    • GitHub Enterprise
    • GitLab.com
    • GitLab EE and CE
    • Bitbucket Cloud
    • Bitbucket Server and Data Center
    • Azure DevOps Services
    • Azure DevOps Server
    • Troubleshooting
    • Overview
    • Adding Public Providers and Modules
    • Publishing Private Providers
    • Publishing Private Modules
    • Using Providers and Modules
    • Configuration Designer
  • Migrating to Terraform Cloud
    • Overview
    • Using Sentinel with Terraform 0.12
    • Manage Policies
    • Enforce and Override Policies
    • Mocking Terraform Sentinel Data
    • Working With JSON Result Data
      • Overview
      • tfconfig
      • tfconfig/v2
      • tfplan
      • tfplan/v2
      • tfstate
      • tfstate/v2
      • tfrun
    • Example Policies
    • Overview
    • AWS
    • GCP
    • Azure
      • Overview
      • Service Catalog
      • Admin Guide
      • Developer Reference
      • Example Customizations
      • V1 Setup Instructions
    • Splunk Integration
    • Kubernetes Integration
    • Run Tasks Integration
    • Overview
    • IP Ranges
    • Data Security
    • Security Model
    • Overview
    • Part 1: Overview of Our Recommended Workflow
    • Part 2: Evaluating Your Current Provisioning Practices
    • Part 3: How to Evolve Your Provisioning Practices
    • Part 3.1: From Manual Changes to Semi-Automation
    • Part 3.2: From Semi-Automation to Infrastructure as Code
    • Part 3.3: From Infrastructure as Code to Collaborative Infrastructure as Code
    • Part 3.4: Advanced Workflow Improvements

  • Terraform Cloud Agents

  • Terraform Enterprise Admin

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»Team Access API

Note: Team management is a paid feature, available as part of the Team upgrade package. Learn more about Terraform Cloud pricing here.

The team access APIs are used to associate a team to permissions on a workspace. A single team-workspace resource contains the relationship between the Team and Workspace, including the privileges the team has on the workspace.

Note: A team-workspace resource represents a team's local permissions on a specific workspace. Teams can also have organization-level permissions that grant access to workspaces, and Terraform Cloud uses whichever access level is higher. (For example: a team with the "manage workspaces" permission has admin access on all workspaces, even if their team-workspace on a particular workspace only grants read access.) For more information, see Managing Workspace Access.

Any member of an organization can view team access relative to their own team memberships, including secret teams of which they are a member. Organization owners and workspace admins can modify team access or view the full set of secret team accesses. The organization token and the owners team token can act as an owner on these endpoints. (More about permissions.)

»List Team Access to a Workspace

GET /team-workspaces

StatusResponseReason
200JSON API document (type: "team-workspaces")The request was successful
404JSON API error objectWorkspace not found or user unauthorized to perform action

»Query Parameters

These are standard URL query parameters; remember to percent-encode [ as %5B and ] as %5D if your tooling doesn't automatically encode URLs.

This endpoint supports pagination with standard URL query parameters. If neither pagination query parameters are provided, the endpoint will not be paginated and will return all results.

ParameterDescription
filter[workspace][id]Required. The workspace ID to list team access for. Obtain this from the workspace settings or the Show Workspace endpoint.
page[number]Optional.
page[size]Optional.

»Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  "https://app.terraform.io/api/v2/team-workspaces?filter%5Bworkspace%5D%5Bid%5D=ws-XGA52YVykdTgryTN"
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  "https://app.terraform.io/api/v2/team-workspaces?filter%5Bworkspace%5D%5Bid%5D=ws-XGA52YVykdTgryTN"

»Sample Response

{
  "data": [
    {
      "id": "tws-19iugLwoNgtWZbKP",
      "type": "team-workspaces",
      "attributes": {
        "access": "custom",
        "runs": "apply",
        "variables": "none",
        "state-versions": "none",
        "sentinel-mocks": "none",
        "workspace-locking": false,
        "run-tasks": false
      },
      "relationships": {
        "team": {
          "data": {
            "id": "team-DBycxkdQrGFf5zEM",
            "type": "teams"
          },
          "links": {
            "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
          }
        },
        "workspace": {
          "data": {
            "id": "ws-XGA52YVykdTgryTN",
            "type": "workspaces"
          },
          "links": {
            "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
          }
        }
      },
      "links": {
        "self": "/api/v2/team-workspaces/tws-19iugLwoNgtWZbKP"
      }
    }
  ]
}
{
  "data": [
    {
      "id": "tws-19iugLwoNgtWZbKP",
      "type": "team-workspaces",
      "attributes": {
        "access": "custom",
        "runs": "apply",
        "variables": "none",
        "state-versions": "none",
        "sentinel-mocks": "none",
        "workspace-locking": false,
        "run-tasks": false
      },
      "relationships": {
        "team": {
          "data": {
            "id": "team-DBycxkdQrGFf5zEM",
            "type": "teams"
          },
          "links": {
            "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
          }
        },
        "workspace": {
          "data": {
            "id": "ws-XGA52YVykdTgryTN",
            "type": "workspaces"
          },
          "links": {
            "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
          }
        }
      },
      "links": {
        "self": "/api/v2/team-workspaces/tws-19iugLwoNgtWZbKP"
      }
    }
  ]
}

»Show a Team Access relationship

GET /team-workspaces/:id

StatusResponseReason
200JSON API document (type: "team-workspaces")The request was successful
404JSON API error objectTeam access not found or user unauthorized to perform action
ParameterDescription
:idThe ID of the team/workspace relationship. Obtain this from the list team access action described above.

Note: As mentioned in Add Team Access to a Workspace and Update Team Access to a Workspace, several permission attributes are not editable unless access is set to custom. When access is read, plan, write, or admin, these attributes are read-only and reflect the implicit permissions granted to the current access level.

»Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  https://app.terraform.io/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  https://app.terraform.io/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8

»Sample Response

{
  "data": {
    "id": "tws-s68jV4FWCDwWvQq8",
    "type": "team-workspaces",
    "attributes": {
      "access": "write",
      "runs": "apply",
      "variables": "write",
      "state-versions": "write",
      "sentinel-mocks": "read",
      "workspace-locking": true,
      "run-tasks": false
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8"
    }
  }
}
{
  "data": {
    "id": "tws-s68jV4FWCDwWvQq8",
    "type": "team-workspaces",
    "attributes": {
      "access": "write",
      "runs": "apply",
      "variables": "write",
      "state-versions": "write",
      "sentinel-mocks": "read",
      "workspace-locking": true,
      "run-tasks": false
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8"
    }
  }
}

»Add Team Access to a Workspace

POST /team-workspaces

StatusResponseReason
200JSON API document (type: "team-workspaces")The request was successful
404JSON API error objectWorkspace or Team not found or user unauthorized to perform action
422JSON API error objectMalformed request body (missing attributes, wrong types, etc.)

»Request Body

This POST endpoint requires a JSON object with the following properties as a request payload.

Properties without a default value are required.

Key pathTypeDefaultDescription
data.typestringMust be "team-workspaces".
data.attributes.accessstringThe type of access to grant. Valid values are read, plan, write, admin, or custom.
data.attributes.runsstring"read"If access is custom, the permission to grant for the workspace's runs. Can only be used when access is custom. Valid values include read, plan, or apply.
data.attributes.variablesstring"none"If access is custom, the permission to grant for the workspace's variables. Can only be used when access is custom. Valid values include none, read, or write.
data.attributes.state-versionsstring"none"If access is custom, the permission to grant for the workspace's state versions. Can only be used when access is custom. Valid values include none, read-outputs, read, or write.
data.attributes.sentinel-mocksstring"none"If access is custom, the permission to grant for the workspace's Sentinel mocks. Can only be used when access is custom. Valid values include none, or read.
data.attributes.workspace-lockingbooleanfalseIf access is custom, the permission granting the ability to manually lock or unlock the workspace. Can only be used when access is custom.
data.attributes.run-tasksbooleanfalseIf access is custom, this permission allows the team to manage run tasks within the workspace.
data.relationships.workspace.data.typestringMust be workspaces.
data.relationships.workspace.data.idstringThe workspace ID to which the team is to be added.
data.relationships.team.data.typestringMust be teams.
data.relationships.team.data.idstringThe ID of the team to add to the workspace.

»Sample Payload

{
  "data": {
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "none",
      "state-versions": "read-outputs",
      "plan-outputs": "none",
      "sentinel-mocks": "read",
      "workspace-locking": false,
      "run-tasks": false
    },
    "relationships": {
      "workspace": {
        "data": {
          "type": "workspaces",
          "id": "ws-XGA52YVykdTgryTN"
        }
      },
      "team": {
        "data": {
          "type": "teams",
          "id": "team-DBycxkdQrGFf5zEM"
        }
      }
    },
    "type": "team-workspaces"
  }
}
{
  "data": {
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "none",
      "state-versions": "read-outputs",
      "plan-outputs": "none",
      "sentinel-mocks": "read",
      "workspace-locking": false,
      "run-tasks": false
    },
    "relationships": {
      "workspace": {
        "data": {
          "type": "workspaces",
          "id": "ws-XGA52YVykdTgryTN"
        }
      },
      "team": {
        "data": {
          "type": "teams",
          "id": "team-DBycxkdQrGFf5zEM"
        }
      }
    },
    "type": "team-workspaces"
  }
}

»Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request POST \
  --data @payload.json \
  https://app.terraform.io/api/v2/team-workspaces
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request POST \
  --data @payload.json \
  https://app.terraform.io/api/v2/team-workspaces

»Sample Response

{
  "data": {
    "id": "tws-sezDAcCYWLnd3xz2",
    "type": "team-workspaces",
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "none",
      "state-versions": "read-outputs",
      "sentinel-mocks": "read",
      "workspace-locking": false,
      "run-tasks": false
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-sezDAcCYWLnd3xz2"
    }
  }
}
{
  "data": {
    "id": "tws-sezDAcCYWLnd3xz2",
    "type": "team-workspaces",
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "none",
      "state-versions": "read-outputs",
      "sentinel-mocks": "read",
      "workspace-locking": false,
      "run-tasks": false
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-sezDAcCYWLnd3xz2"
    }
  }
}

»Update Team Access to a Workspace

PATCH /team-workspaces/:id

StatusResponseReason
200JSON API document (type: "team-workspaces")The request was successful
404JSON API error objectTeam Access not found or user unauthorized to perform action
422JSON API error objectMalformed request body (missing attributes, wrong types, etc.)
ParameterDescription
:idThe ID of the team/workspace relationship. Obtain this from the list team access action described above.
data.attributes.accessstringThe type of access to grant. Valid values are read, plan, write, admin, or custom.
data.attributes.runsstring"read"If access is custom, the permission to grant for the workspace's runs. Can only be used when access is custom.
data.attributes.variablesstring"none"If access is custom, the permission to grant for the workspace's variables. Can only be used when access is custom.
data.attributes.state-versionsstring"none"If access is custom, the permission to grant for the workspace's state versions. Can only be used when access is custom.
data.attributes.sentinel-mocksstring"none"If access is custom, the permission to grant for the workspace's Sentinel mocks. Can only be used when access is custom.
data.attributes.workspace-lockingbooleanfalseIf access is custom, the permission granting the ability to manually lock or unlock the workspace. Can only be used when access is custom.
data.attributes.run-tasksbooleanfalseIf access is custom, this permission allows the team to manage run tasks within the workspace.

»Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request PATCH \
  --data @payload.json \
  https://app.terraform.io/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request PATCH \
  --data @payload.json \
  https://app.terraform.io/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8

»Sample Payload

{
  "data": {
    "attributes": {
      "access": "custom",
      "state-versions": "none"
    }
  }
}
{
  "data": {
    "attributes": {
      "access": "custom",
      "state-versions": "none"
    }
  }
}

»Sample Response

{
  "data": {
    "id": "tws-s68jV4FWCDwWvQq8",
    "type": "team-workspaces",
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "write",
      "state-versions": "none",
      "sentinel-mocks": "read",
      "workspace-locking": true,
      "run-tasks": true
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8"
    }
  }
}
{
  "data": {
    "id": "tws-s68jV4FWCDwWvQq8",
    "type": "team-workspaces",
    "attributes": {
      "access": "custom",
      "runs": "apply",
      "variables": "write",
      "state-versions": "none",
      "sentinel-mocks": "read",
      "workspace-locking": true,
      "run-tasks": true
    },
    "relationships": {
      "team": {
        "data": {
          "id": "team-DBycxkdQrGFf5zEM",
          "type": "teams"
        },
        "links": {
          "related": "/api/v2/teams/team-DBycxkdQrGFf5zEM"
        }
      },
      "workspace": {
        "data": {
          "id": "ws-XGA52YVykdTgryTN",
          "type": "workspaces"
        },
        "links": {
          "related": "/api/v2/organizations/my-organization/workspaces/my-workspace"
        }
      }
    },
    "links": {
      "self": "/api/v2/team-workspaces/tws-s68jV4FWCDwWvQq8"
    }
  }
}

»Remove Team Access to a Workspace

DELETE /team-workspaces/:id

StatusResponseReason
204The Team Access was successfully destroyed
404JSON API error objectTeam Access not found or user unauthorized to perform action
ParameterDescription
:idThe ID of the team/workspace relationship. Obtain this from the list team access action described above.

»Sample Request

$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request DELETE \
  https://app.terraform.io/api/v2/team-workspaces/tws-sezDAcCYWLnd3xz2
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request DELETE \
  https://app.terraform.io/api/v2/team-workspaces/tws-sezDAcCYWLnd3xz2
github logoEdit this page
  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager