Introduction

You want to find out when a workspace variable was updated and by whom.
In this how to guide we will utilize Terraform Enterprise Audit Logs.

For this guide we have a Terraform Enterprise instance with

• a user called stamatios
• an organization with name: myorg
• a workspace with name: myworkspace
• two environment variables in the workspace with name and value:
  • TEST_VAR_ONE : mytestvalue1
  • TEST_VAR_TWO: mytestvalue2 

Prerequisites

• Terraform Enterprise user with access to the workspace and ssh access to Terraform Enterprise host

Things to consider

Terraform Enterprise application is running on a container. If the container restart or crash the logs before the restart or crash are gone. Consider to use Terraform Enterprise Log Forwarding to keep the logs on a more persistent way. 

Procedure

To search for the variable updates you need the workspace id and variable id.

Get the workspace id

• Navigate in TFE UI to the workspace or visit the URL below and
  replace MY_TFE_FQDN, MY_ORG_NAME and MY_WORKSPACE_NAME with your values:

https://MY_TFE_FQDN/app/MY_ORG_NAME/workspaces/MY_WORKSPACE_NAME

• On workspace overview capture the workspace id:

Get the variable id

• Use the workspace id captured in the previous step and visit the URL below,
  replace MY_TFE_FQDN and MY_WORKSPACE_ID with your values:
  https://MY_TFE_FQDN/api/v2/workspaces/MY_WORKSPACE_ID/vars

A page like this will appear (see below).

1. Tick Pretty-print to get a readable json format
2. The variable id for variable TEST_VAR_ONE
3. The variable name (here TEST_VAR_ONE)
4. The value of variable TEST_VAR_ONE

• Capture the variable id, here is var-GruQqesZGD9aSSDV

If you have more than one variables you can see the pattern repeating.

How to search in the Audit Logs for the variable update actions

• SSH into your TFE server
• Get the TFE container logs and use the grep command to filter the logs
  • For Replicated and FDO Docker installations the command is
    

    docker logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq

  • For FDO Podman installation the command is
    

    podman logs <container_name> 2>&1 | grep '\[Audit Log\].*<VARIABLE_ID>' | grep update | jq

Example output:

{
"log": "2025-03-19 08:58:00 [INFO] [df27c518-683e-46d7-8c40-158fe502aac7] [dd.service=atlas dd.trace_id=290909420650898818 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"update\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T08:58:00Z\",\"actor_ip\":\"10.10.10.10\"}",
"component": "atlas"
}

Brief explanation of the output

What if my variable was deleted?

If you are looking for a deleted variable and you don't have the variable id, you can alter the logs command to filter for destroy action and remove the variable id.
An example command looks like this:

podman logs terraform-enterprise-terraform-enterprise 2>&1 | grep '\[Audit Log\]' | grep destroy | jq

Example output:

{
"log": "2025-03-19 09:13:03 [INFO] [7bac88af-fa37-4637-a8e6-5b6bf4a09887] [dd.service=atlas dd.trace_id=2097930286361476031 dd.span_id=0 ddsource=ruby] [Audit Log] {\"resource\":\"var\",\"action\":\"destroy\",\"resource_id\":\"var-GruQqesZGD9aSSDV\",\"organization\":\"myorg\",\"organization_id\":\"org-SdhN6LiwQAV5GGgv\",\"actor\":\"stamatios\",\"timestamp\":\"2025-03-19T09:13:03Z\",\"actor_ip\":\"10.11.11.11\"}",
"component": "atlas"
}

Additional Information

How-to Find Out What User Performed an Action Within Terraform Enterprise (Audit Logs)

Terraform Enterprise Logging

Terraform Enterprise Audit Logs