When granting permissions to a service account, the goal is to grant the least access possible in order to limit security exposure. This KB explains why read-only rights are not enough for a VCS service account in Terraform Cloud or Terraform Enterprise.
Is it possible to provide read-only rights to a VCS connection service account and manually create webhooks?
A VCS connection service account must have the rights needed to generate the webhooks required to communicate between the VCS and Terraform Cloud or Terraform Enterprise. It is not possible to manually create webhooks because the URL for each webhook is automatically generated and not known until workspace creation, module publish, etc.
It’s important to note that while the organization-level OAuth connection uses the user-provided callback URL, each workspace within Terraform Cloud and Terraform Enterprise that is connected to VCS creates a webhook on the repository it’s linked to. The additional callback URLs necessary to accomplish this are auto-generated.
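Because every VCS-connected workspace creates its own webhook with an auto-generated URL, a repository can accumulate several webhooks that all point at the same Terraform Cloud or Terraform Enterprise hostname. The following added example (not part of this KB or of HashiCorp's tooling) shows how a reviewer could audit a repository's webhook inventory: it groups webhooks by whether their URL belongs to the expected Terraform host, flags any that do not, and compares the count of active Terraform webhooks with the number of VCS-connected workspaces that should exist for that repository. The webhook record shape, the hostname `app.terraform.io`, and the sample entries are all assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: a webhook inventory for one repository as it might be
# returned by a VCS provider's API. Field names and values are assumptions.
SAMPLE_WEBHOOKS = [
    {"id": 101, "url": "https://app.terraform.io/webhooks/vcs/aaaa-1111", "active": True},
    {"id": 102, "url": "https://app.terraform.io/webhooks/vcs/bbbb-2222", "active": True},
    {"id": 103, "url": "https://ci.example.net/hooks/build", "active": True},
    {"id": 104, "url": "https://app.terraform.io/webhooks/vcs/cccc-3333", "active": False},
]


def classify_webhooks(webhooks, expected_host):
    """Split a webhook inventory into Terraform-managed, unexpected and inactive entries.

    A webhook is treated as Terraform-managed when its URL uses HTTPS and its
    host exactly matches the expected Terraform Cloud/Enterprise hostname
    (assumed: hostname comparison is enough to attribute the hook).
    Returns a dict of id lists keyed by category.
    """
    managed, unexpected, inactive = [], [], []
    for hook in webhooks:
        parsed = urlparse(hook["url"])
        is_terraform = parsed.scheme == "https" and parsed.hostname == expected_host
        if not hook.get("active", True):
            # Inactive hooks are reported separately: a disabled Terraform hook
            # means a workspace will silently stop receiving VCS events.
            inactive.append(hook["id"])
        elif is_terraform:
            managed.append(hook["id"])
        else:
            unexpected.append(hook["id"])
    return {"managed": managed, "unexpected": unexpected, "inactive": inactive}


def webhook_drift(webhooks, expected_host, expected_workspaces):
    """Compare active Terraform webhooks with the number of VCS-connected workspaces.

    Each VCS-connected workspace creates one webhook, so the count of active
    Terraform webhooks should equal the number of workspaces linked to the
    repository. A positive result means orphaned hooks (e.g. deleted workspaces
    whose hooks were never cleaned up); a negative result means a workspace is
    missing its hook. Zero means the inventory is consistent.
    """
    report = classify_webhooks(webhooks, expected_host)
    return len(report["managed"]) - expected_workspaces


if __name__ == "__main__":
    summary = classify_webhooks(SAMPLE_WEBHOOKS, "app.terraform.io")
    print("Terraform-managed webhooks:", summary["managed"])
    print("Unexpected webhooks (review these):", summary["unexpected"])
    print("Inactive webhooks:", summary["inactive"])
    # Assumed for the sample: two workspaces are linked to this repository.
    print("Drift vs. expected workspaces:", webhook_drift(SAMPLE_WEBHOOKS, "app.terraform.io", 2))
```

The hostname check deliberately requires an exact match on the configured Terraform Cloud or Terraform Enterprise host; a looser substring match would let a lookalike domain pass the audit.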
This information applies to both Terraform Cloud and Terraform Enterprise instances.