Introduction
This guide describes how to use Terraform Enterprise audit logs to identify which user updated a workspace variable and when the update occurred.
For this guide, the example Terraform Enterprise instance has the following configuration:
- A user named stamatios
- An organization named myorg
- A workspace named myworkspace
- Two environment variables in the workspace:
  - TEST_VAR_ONE with value mytestvalue1
  - TEST_VAR_TWO with value mytestvalue2
Expected Outcome
You will be able to query the Terraform Enterprise container logs to find the audit log entry corresponding to a workspace variable update, identifying the user, timestamp, and other relevant details.
Prerequisites
- A Terraform Enterprise user account with access to the target workspace.
- SSH access to the Terraform Enterprise host.
Important Considerations
The Terraform Enterprise application runs in a container. If the container restarts, the logs from before the restart are lost. To ensure log persistence, consider configuring Terraform Enterprise Log Forwarding.
Procedure
To search for variable updates, you must first retrieve the workspace ID and the specific variable ID.
- Retrieve the Workspace ID
  Navigate to the workspace in the Terraform Enterprise UI. The URL will follow this format:
  https://<MY_TFE_FQDN>/app/<MY_ORG_NAME>/workspaces/<MY_WORKSPACE_NAME>
  From the workspace overview page, locate and copy the workspace ID.
- Retrieve the Variable ID
  Use the workspace ID from the previous step to construct the following API URL and open it in your browser. Replace <MY_TFE_FQDN> and <MY_WORKSPACE_ID> with your values.
  https://<MY_TFE_FQDN>/api/v2/workspaces/<MY_WORKSPACE_ID>/vars
  The browser will display a JSON response containing all variables for that workspace. You can use your browser's developer tools or a formatting tool to make the JSON more readable. Locate the variable you are investigating (e.g., TEST_VAR_ONE) and copy its id.
- Search the Audit Logs
  SSH into your Terraform Enterprise server and run the appropriate command for your installation type to search the container logs. Replace <container_name> and <VARIABLE_ID> with your values. The square brackets are escaped so that grep matches the literal [Audit Log] marker rather than treating it as a character class.
  - For Replicated and FDO Docker installations, run the following command.
    $ docker logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq
  - For FDO Podman installations, run the following command.
    $ podman logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq
  The command returns a JSON object containing the audit log entry for the variable update.
  Example Output:
  {
    "log": "[INFO] [df27c518-683e-46d7-8c40-158fe502aac7] [dd.service=atlas dd.trace_id=290909420650898818 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"update\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T08:58:00Z\",\"actor_ip\":\"10.10.10.10\"}",
    "component": "atlas"
  }
- Interpreting the Audit Log
  The nested JSON object within the log field contains the following key details:
  - "resource":"var": The resource type, which is var for a workspace variable.
  - "action":"update": The action performed.
  - "resource_id":"var-GruQqesZGD9aSSDV": The ID of the variable that was updated.
  - "organization":"myorg": The organization name.
  - "organization_id":"org-SdhN6LiwQAV5GGgv": The organization ID.
  - "actor":"stamatios": The username of the user who performed the action.
  - "timestamp":"2025-03-19T08:58:00Z": The timestamp of the action.
  - "actor_ip":"10.10.10.10": The IP address of the user who performed the action.
Finding Deleted Variables
If a variable was deleted, you will not be able to find its ID. In this case, you can modify the log search command to filter for the destroy action without specifying a variable ID.
$ podman logs terraform-enterprise-terraform-enterprise 2>&1 | grep '\[Audit Log\]' | grep destroy | jq
Example Output for a Deleted Variable:
{
"log": "[INFO] [7bac88af-fa37-4637-a8e6-5b6bf4a09887] [dd.service=atlas dd.trace_id=2097930286361476031 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"destroy\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T09:13:03Z\",\"actor_ip\":\"10.11.11.11\"}",
"component": "atlas"
}
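The two searches above (variable updates and deleted variables) as one parser, added here as an example and not part of the original guide. It matches the [Audit Log] marker as a literal string, decodes the nested JSON, and filters on exact field values, so a line that merely contains the word "update" elsewhere is not reported. The function names and sample lines are constructed for illustration; on a real host, pipe the output of docker logs <container_name> 2>&1 or podman logs <container_name> 2>&1 into the script.

```python
import json
import sys

MARKER = "[Audit Log] "  # literal marker from the example output; matched as a fixed string


def audit_events(lines):
    """Yield the nested audit record from every log line that carries one."""
    for line in lines:
        try:
            outer = json.loads(line)
            _, found, payload = outer["log"].partition(MARKER)
            event = json.loads(payload) if found else None
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # non-JSON line, no "log" string, or truncated payload
        if isinstance(event, dict):
            yield event


def variable_changes(lines, actions=("update", "destroy"), variable_id=None):
    """Return workspace-variable events whose action matches exactly, oldest first."""
    hits = [e for e in audit_events(lines)
            if e.get("resource") == "var" and e.get("action") in actions
            and (variable_id is None or e.get("resource_id") == variable_id)]
    return sorted(hits, key=lambda e: str(e.get("timestamp", "")))  # ISO 8601 UTC sorts as text


def _line(**event):
    """Build one constructed container log line in the shape shown in this guide."""
    return json.dumps({"log": "[INFO] [req-id] [ddsource=ruby] " + MARKER
                       + json.dumps(event), "component": "atlas"})


# Constructed sample input (not real logs); the last two entries must not be reported.
SAMPLE = [
    _line(resource="var", action="destroy", resource_id="var-GruQqesZGD9aSSDV",
          actor="stamatios", timestamp="2025-03-19T09:13:03Z", actor_ip="10.11.11.11"),
    _line(resource="var", action="update", resource_id="var-GruQqesZGD9aSSDV",
          actor="stamatios", timestamp="2025-03-19T08:58:00Z", actor_ip="10.10.10.10"),
    _line(resource="workspace", action="create", resource_id="ws-CONSTRUCTED",  # hypothetical non-var event
          actor="updater", timestamp="2025-03-19T08:00:00Z", actor_ip="10.10.10.10"),
    "startup banner that is not JSON",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for e in variable_changes(source):
        print(*(e.get(k) for k in ("timestamp", "action", "resource_id", "actor", "actor_ip")))
```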