Audit trails API reference
HCP Terraform retains 14 days of audit log information. The audit trails API exposes a stream of audit events, which describe changes to the application entities (workspaces, runs, etc.) that belong to an HCP Terraform organization. Unlike other APIs, the Audit Trails API does not use the JSON API specification.
Note: Audit trails are available in HCP Terraform Plus Edition. Refer to HCP Terraform pricing for details. The Audit Trails API is not available for Terraform Enterprise.
List an organization's audit events
GET /organization/audit-trail
Note: This endpoint cannot be accessed with a user token or team token. You must access it with an organization token.
Query Parameters
These are standard URL query parameters. Remember to percent-encode [
as %5B
and ]
as %5D
if your tooling doesn't automatically encode URLs.
Parameter | Description |
---|---|
since | Optional. Returns only audit trails created after this date (UTC and in ISO8601 Format - YYYY-MM-DDTHH:MM:SS.SSSZ) |
page[number] | Optional. If omitted, the endpoint will return the first page. |
page[size] | Optional. If omitted, the endpoint will return 1000 audit events per page. |
Sample Request
Sample Response
Standard response fields
Every audit log event in the response array includes the following standard fields:
Key | Data Type or format | Description |
---|---|---|
id | UUID | The ID of this audit trail |
version | number | The audit trail schema version |
type | string | The type of audit trail (defaults to Resource ) |
timestamp | string | UTC ISO8601 DateTime (for example,2020-06-16T20:26:58.000Z ) |
auth.accessor_id | string | The ID of audited actor (for example, user-V3R563qtJNcExAkN ) |
auth.description | string | Username of audited actor |
auth.type | string | Authentication type, is either Client , Impersonated , or System . |
auth.impersonator_id | string | The ID of impersonating actor (if available) |
auth.organization_id | string | The ID of organization (for example, org-QpXoEnULx3r2r1CA ) |
request.id | UUID | The ID for request (if available) |
resource.id | string | The ID of resource (for example,run-FwnENkvDnrpyFC7M ) |
resource.type | string | Type of resource (for example, run ) |
resource.action | string | Action audited (for example, applied ) |
resource.meta | map | Key-value metadata about this audited event (defaults to null ) |
The following audit trail events only contain these standard fields:
Event | Action | Description |
---|---|---|
agent | destroy | Logged when an agent is destroyed. |
authentication_token | create , show , destroy | Events related to authentication tokens. |
configuration_version | show , download | Events related to configuration versions. |
notification_configuration | create , update , destroy , enable | Events related to notification configurations. |
oauth_client | create , update , destroy | Events related to OAuth clients. |
oauth_token | index , show , update , destroy | Events related to OAuth tokens. |
organization | create , update , destroy | Events related to organizations. |
organization_user | create , update , destroy | Events related to organization users. |
policy | update , destroy | Events related to policies. |
policy_check | override | Events related to policy checks. |
policy_config | create | Events related to policy configurations. |
policy_set | destroy | Events related to policy sets. |
policy_version | create | Events related to policy versions. |
project | create , update , destroy | Events related to projects. |
registry_module | destroy , update | Events related to registry modules. |
registry_provider | create , destroy | Events related to registry providers. |
registry_provider_platform | create , destroy | Events related to registry provider platforms. |
registry_provider_version | create , destroy | Events related to registry provider versions. |
run | apply , cancel , force_cancel , discard , force_execute , create | Events related to runs. |
run_trigger | create , destroy | Events related to run triggers. |
saml_configuration | create , update , destroy , enable , disable | Events related to SAML configurations. |
ssh_key | index , show , create , update , destroy | Events related to SSH keys. |
stack | create | Events related to creating stacks. |
state_version | index , show , create , soft_delete_backing_data , restore_backing_data , permanently_delete_backing_data | Events related to state versions. |
task_stage | override | Events related to an overridden task stage. |
user | index | Events related to indexing users. |
var | index , show , create , update , destroy | Events related to variables. |
vcs_repo | create | Events related to creating a connection to a VCS repo. |
The following sections list the audit log events containing both the standard response schema and a specific payload for each action.
Data retention policy events
You can define data retention policies to help reduce object storage consumption.
Destroy
An HCP Terraform organization emits this event when it destroys a data retention policy(data_retention_policy
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
delete_older_than_n_days | integer | The number of days to retain data before deletion. Must be greater than 0. |
organization | string | The organization associated with the data retention policy. |
organization_id | string | The ID of the organization associated with the data retention policy. |
Project events
Projects let you organize your workspaces and scope access to workspace resources.
Add Team
An HCP Terraform organization emits this event when someone in your organization adds a team(add_team
) to a project. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |
permissions | string | The permissions granted to the team. |
Update Team Permissions
An HCP Terraform organization emits this event when someone in your organization updates the permissions(update_team_permissions
) of a team on a project. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |
permissions | string | The updated permissions for the team. |
Remove Team
An HCP Terraform organization emits this event when someone in your organization removes a team(remove_team
) from a project. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |
Policy checks
Policy checks run Sentinel policies. Policy checks have a lifecycle that includes the following events:
Every policy check event in the response array includes the following standard fields:
Key | Data Type | Description |
---|---|---|
comment | null or string | The comment associated with the policy check. |
run.id | string | The ID of the associated run. |
run.message | string | The message associated with the run. |
workspace.id | string | The ID of the associated workspace. |
workspace.name | string | The name of the associated workspace. |
Passed, soft failed, hard failed, and errored
Alongside the standard audit trail fields and standard policy check fields, certain policy check events include a result (includes_result
) and return the following fields:
Key | Data Type | Description |
---|---|---|
result | [Policy Result] | An array of policy results. |
passed | integer | Number of policy checks passed. |
total_failed | integer | Total number of failed policy checks. |
hard_failed | integer | Number of policy checks with hard failures. |
soft_failed | integer | Number of policy checks with soft failures. |
advisory_failed | integer | Number of policy checks with advisory failures. |
duration_ms | integer | Duration of the policy check in milliseconds. |
sentinel | string | The Sentinel policy associated with the check. |
Overridden, canceled, and force canceled
Alongside the standard audit trail fields and standard policy check fields, certain event responses include the following fields:
Key | Data Type | Description |
---|---|---|
actor | string | The user who performed the action. |
Policy evaluation
Policy evaluations run in the HCP Terraform agent in HCP Terraform's infrastructure. Policy evaluations have a lifecycle that includes the following events:
Every policy evaluation event in the response array includes the following standard fields:
Key | Data Type | Description |
---|---|---|
comment | null or string | The comment associated with policy evaluation. |
payload.workspace.id | string | The ID of the associated workspace. |
payload.workspace.name | string | The name of the associated workspace. |
payload.run.id | string | The ID of the associated run. |
payload.run.message | string | The message associated with the run. |
actor | string | The policy owner. |
Policy checks and policy evaluations serve the same purpose, but have different workflows for enforcing policies. For more information, refer to Differences between policy checks and policy evaluations.
Registry module events
HCP Terraform's private registry lets you share Terraform providers and Terraform modules across your organization.
Destroy version
An HCP Terraform organization emits this event when someone in your organization destroys a specific version of a registry module(destroy_version
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
version | integer | The version number of the registry module to destroy. |
Run task events
You can create HCP Terraform run tasks at an organization level to directly integrate third-party tools and services at certain stages in the HCP Terraform run lifecycle. You can use run tasks to validate Terraform configuration files, analyze execution plans before applying them, scan for security vulnerabilities, or perform other custom actions.
Create
An HCP Terraform organization emits this event when someone in your organization creates a task. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_name | string | The name of the task. |
task_category | string | The task's category |
task_url | string | The task's URL. |
task_enabled | boolean | Indicates whether the task is enabled or not. |
task_hmac_key_present | boolean | Specifies if an HMAC key is present for the task. |
Destroy
An HCP Terraform organization emits this event when someone in your organization destroys a task. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_name | string | The name of the task to be destroyed. |
task_category | string | The category of the task to be destroyed. |
task_url | string | The URL associated with the task to be destroyed. |
task_enabled | boolean | Indicates whether the task to be destroyed is enabled. |
task_hmac_key_present | boolean | Specifies if an HMAC key is present for the task to be destroyed. |
Update
An HCP Terraform organization emits this event when someone in your organization updates a task. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_name | string | The name of the task to be updated. |
task_category | string | The updated category of the task. |
task_url | string | The updated URL associated with the task. |
task_enabled | boolean | Indicates whether the task is enabled after the update. |
task_hmac_key_present | boolean | Specifies if an HMAC key is present for the updated task. |
task_hmac_key_changed | boolean | Indicates whether the HMAC key for the task has changed during the update. |
Callback
An HCP Terraform organization emits this event when a run task result's (task_result
) callback action occurs. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_result_status | string | The status of the task result. |
task_result_url | string | The URL associated with the task result. |
task_result_message | string | A message associated with the task result. |
workspace | string | The workspace related to the task result. |
workspace_id | string | The ID of the workspace related to the task result. |
run_id | string | The ID of the run associated with the task result. |
run_created_at | date (iso8601) | The timestamp when the run was created. |
run_created_by | string | The user who created the run. |
run_message | string | The message associated with the run. |
run_is_speculative | boolean | Indicates whether the run is speculative or not. |
workspace_task_id | string | The ID of the workspace task associated with the result. |
workspace_task_stage | string | The stage of the workspace task. |
workspace_task_enforcement | string | The enforcement level of the workspace task. |
organization_task | string | The organization task related to the task result. |
organization_task_id | string | The ID of the organization task related to the result. |
organization_task_url | string | The URL associated with the organization task. |
Create a workspace's run task
An HCP Terraform organization emits this event when someone in your organization associates a new run task with a workspace (workspace_task
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_enforcement_level | string | The task's enforcement level. |
task_stage | string | The stage of the task. |
workspace | string | The workspace associated with the task. |
workspace_id | string | The ID of the workspace. |
organization_task | string | The organization's task. |
organization_task_id | string | The ID of the organization's task. |
Update a workspace's run task
An HCP Terraform organization emits this event when someone in your organization updates a workspace's associated run task (workspace_task
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_enforcement_level | string | The task's enforcement level. |
task_stage | string | The stage of the task. |
workspace | string | The workspace associated with the task. |
workspace_id | string | The ID of the workspace. |
organization_task | string | The organization's task. |
organization_task_id | string | The ID of the organization's task. |
Destroy a workspace's run task
An HCP Terraform organization emits this event when someone in your organization destroys a workspace's associated run task (workspace_task
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
task_enforcement_level | string | The task's enforcement level. |
task_stage | string | The stage of the task. |
workspace | string | The workspace associated with the task. |
workspace_id | string | The ID of the workspace. |
organization_task | string | The organization's task. |
organization_task_id | string | The ID of the organization's task. |
Team events
Teams are groups of HCP Terraform users within an organization.
Add Member
An HCP Terraform organization emits this event when someone in your organization adds a member(add_member
) to a team. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
user | string | The user being added to the team. |
Remove Member
An HCP Terraform organization emits this event when someone in your organization removes a member(remove_member
) from a team. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
user | string | The user being removed from the team. |
Workspace comment events
Workspace comments allow users to leave feedback or record decisions about a run.
Create
An HCP Terraform organization emits this event when someone in your organization creates a comment on a workspace(workspace_comment
). Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
resource | string | The resource associated with the comment. |
Workspace events
HCP Terraform manages infrastructure collections with workspaces.
Add Team
An HCP Terraform organization emits this event when someone in your organization adds a team(add_team
) to a workspace. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |
permissions | string | The permissions granted to the team. |
Update Team Permissions
An HCP Terraform organization emits this event when someone in your organization updates the permissions(update_team_permissions
) of a team on a workspace. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |
permissions | string | The updated permissions for the team. |
Remove Team
An HCP Terraform organization emits this event when someone in your organization removes a team(remove_team
) from a workspace. Alongside the standard audit trail fields, this event response includes the following fields:
Key | Data Type | Description |
---|---|---|
team | string | The name or identifier of the team. |