How-to Find Out What User Performed an Action Within Terraform Enterprise (Audit Logs)

Avatar
Zachary Isom
  • Updated

Introduction

Terraform Enterprise (TFE) includes audit logs that capture operational actions, including the username of the user who performed the action. You can access these logs through two primary methods:

  • Configuring Log Forwarding to send logs to an external indexing system.
  • Manually viewing logs from the application container on the TFE server via SSH.

This guide details the manual procedure for viewing audit logs directly on the TFE server.

Prerequisites

  • SSH access to your Terraform Enterprise server instance.

Procedure

This procedure explains how to connect to your TFE server and search the container logs for audit events.

  1. Connect to your TFE server using SSH.
  2. Identify the correct application container name based on your TFE version.
    • v202205-1 and higher:tfe-atlas
    • v202204-1 and below:ptfe_atlas

  3. Use the docker logs command combined with grep to filter for audit log entries. Replace tfe-atlas with ptfe_atlas if you are using an older version.

    $ docker logs tfe-atlas 2>&1 | grep '[Audit Log]'

    Note: Container logs are ephemeral. You can only view audit events that have occurred since the last time the TFE application was started or restarted. When containers are restarted, their previous logs are removed.

Example: Find Which User Created a Workspace

To find the user who created a specific workspace, you can refine your search with the workspace ID.

  1. From the TFE UI, navigate to the workspace and go to Settings > General. The workspace ID is displayed at the top of the page (e.g., ws-3pqtYbYCfbVJnCh3).

  2. Execute the docker logs command again, adding the workspace ID to your grep filter. Replace WORKSPACE_ID with the actual ID.

    $ docker logs tfe-atlas 2>&1 | grep '[Audit Log].*WORKSPACE_ID'

  3. Review the output. The first event for a given workspace is typically the create action, which includes the actor field identifying the user.

    The following example output shows that the user testuser1 created the workspace.

    {
  "resource": "workspace",
  "action": "create",
  "resource_id": "ws-3pqtYbYCfbVJnCh3",
  "organization": "test-company",
  "organization_id": "org-71MgPitqbLXTxyz3",
  "actor": "testuser1",
  "timestamp": "2022-08-18T22:29:56Z",
  "actor_ip": "11.111.111.11"
}

Articles in this section

See more

Related articles