Introduction
You want to find out when a workspace variable was updated and by whom.
This how-to guide uses Terraform Enterprise Audit Logs.
For this guide we have a Terraform Enterprise instance with:
- a user called stamatios
- an organization with name: myorg
- a workspace with name: myworkspace
- two environment variables in the workspace with name and value:
  - TEST_VAR_ONE: mytestvalue1
  - TEST_VAR_TWO: mytestvalue2
Prerequisites
- A Terraform Enterprise user with access to the workspace, and SSH access to the Terraform Enterprise host
Things to consider
The Terraform Enterprise application runs in a container. If the container restarts or crashes, the logs from before the restart or crash are gone. Consider using Terraform Enterprise Log Forwarding to keep the logs in a more persistent way.
Procedure
To search for the variable updates you need the workspace id and variable id.
Get the workspace id
- Navigate in TFE UI to the workspace or visit the URL below and
replace MY_TFE_FQDN, MY_ORG_NAME and MY_WORKSPACE_NAME with your values:
https://MY_TFE_FQDN/app/MY_ORG_NAME/workspaces/MY_WORKSPACE_NAME
- On the workspace overview page, capture the workspace id.
Get the variable id
- Use the workspace id captured in the previous step and visit the URL below,
replace MY_TFE_FQDN and MY_WORKSPACE_ID with your values:
https://MY_TFE_FQDN/api/v2/workspaces/MY_WORKSPACE_ID/vars
A page like this will appear (see below).
- Tick Pretty-print to get a readable JSON format
- The variable id for variable TEST_VAR_ONE
- The variable name (here TEST_VAR_ONE)
- The value of variable TEST_VAR_ONE
- Capture the variable id, here var-GruQqesZGD9aSSDV
If you have more than one variable, you can see the pattern repeating.
How to search in the Audit Logs for the variable update actions
- SSH into your TFE server
- Get the TFE container logs and use the grep command to filter the logs
- For Replicated and FDO Docker installations the command is
docker logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq
- For FDO Podman installation the command is
podman logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq
Example output:
{
"log": "2025-03-19 08:58:00 [INFO] [df27c518-683e-46d7-8c40-158fe502aac7] [dd.service=atlas dd.trace_id=290909420650898818 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"update\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T08:58:00Z\",\"actor_ip\":\"10.10.10.10\"}",
"component": "atlas"
}
Brief explanation of the output
{\"resource\":\"var\", | the resource the log line is for; here var means variable |
\"action\":\"update\", | the action that took place; here update means the variable name or value was updated |
\"resource_id\":\"var-GruQqesZGD9aSSDV\", | the resource id; here it is the variable id |
\"organization\":\"myorg\", | the organization name the resource belongs to |
\"organization_id\":\"org-SdhN6LiwQAV5GGgv\", | the organization id the resource belongs to |
\"actor\":\"stamatios\", | the user who performed the action |
\"timestamp\":\"2025-03-19T08:58:00Z\", | the timestamp of the action |
\"actor_ip\":\"10.10.10.10\"}", | the IP address of the user who performed the action |
What if my variable was deleted?
If you are looking for a deleted variable and you don't have the variable id, you can alter the logs command to filter for the destroy action and remove the variable id.
An example command looks like this:
podman logs terraform-enterprise-terraform-enterprise 2>&1 | grep '\[Audit Log\]' | grep destroy | jq
Example output:
{
"log": "2025-03-19 09:13:03 [INFO] [7bac88af-fa37-4637-a8e6-5b6bf4a09887] [dd.service=atlas dd.trace_id=2097930286361476031 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"destroy\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T09:13:03Z\",\"actor_ip\":\"10.11.11.11\"}",
"component": "atlas"
}
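An added example (not part of the original guide and not HashiCorp code): a Python filter for the same container log stream that parses the [Audit Log] JSON payload and matches on the resource, action and resource_id fields. Because grep destroy without a variable id matches destroy events for every resource type, the field match is what limits the result to variables. The sample lines, the workspace event and the ws-CONSTRUCTED id are constructed; the line shape follows the example output above.

```python
import json
import sys

MARKER = "[Audit Log] "

def parse_audit_line(line):
    """Return the audit event from one {"log": ..., "component": ...} line, or None."""
    line = line.strip()
    try:
        outer = json.loads(line)
        text = str(outer.get("log", "")) if isinstance(outer, dict) else line
    except json.JSONDecodeError:
        text = line  # assumption: tolerate lines that are not JSON-wrapped
    _, found, payload = text.partition(MARKER)
    try:
        event = json.loads(payload) if found else None
    except json.JSONDecodeError:
        return None  # truncated or malformed audit payload
    return event if isinstance(event, dict) else None

def variable_events(lines, actions=("update", "destroy"), variable_id=None):
    """Yield variable audit events, matching on exact field values."""
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event.get("resource") != "var":
            continue
        if event.get("action") not in actions:
            continue
        if variable_id and event.get("resource_id") != variable_id:
            continue
        yield event

def _sample(resource, action, resource_id, ts):
    event = {"resource": resource, "action": action, "resource_id": resource_id,
             "organization": "myorg", "actor": "stamatios", "timestamp": ts,
             "actor_ip": "10.10.10.10"}
    return json.dumps({"log": f"{ts} [INFO] {MARKER}{json.dumps(event)}", "component": "atlas"})

SAMPLE = [  # constructed input; ws-CONSTRUCTED is a placeholder id
    _sample("var", "update", "var-GruQqesZGD9aSSDV", "2025-03-19T08:58:00Z"),
    _sample("workspace", "destroy", "ws-CONSTRUCTED", "2025-03-19T09:05:00Z"),
    _sample("var", "destroy", "var-GruQqesZGD9aSSDV", "2025-03-19T09:13:03Z"),
    json.dumps({"log": "non-audit line mentioning update", "component": "atlas"}),
]

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    for e in variable_events(lines, variable_id=wanted):
        print(e.get("timestamp"), e.get("action"), e.get("resource_id"), e.get("actor"), e.get("actor_ip"))
```

Pipe the container logs in, for example docker logs <container_name> 2>&1 | python3 var_audit.py <VARIABLE_ID> (var_audit.py is an assumed file name); omit the id to list every variable update and destroy event.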
Additional Information
How-to Find Out What User Performed an Action Within Terraform Enterprise (Audit Logs)
Terraform Enterprise Audit Logs