How-to Find Out What User Performed an Action Within Terraform Enterprise (Audit Logs)

Avatar
Zachary Isom
  • Updated

Introduction

Terraform Enterprise (TFE) emits audit logs together with its application logs. These audit log entries capture the username of the user that performed an operational action as the value for actor. There are two ways you can view these logs:

  • By having Log Forwarding configured with your log indexing system of choice, then filtering for log entries that contain the string [Audit Log]
  • By viewing the logged events of the ptfe_atlas or tfe-atlas container manually within your TFE server through SSH

Below are the steps to perform for viewing the audit logs manually within your TFE server through SSH:

Procedure

  1. SSH into your TFE server

  2. Use the grep tool against the log entries of the TFE application container the audit logs are contained within to only output the audit log entries: docker logs tfe-atlas 2>&1 | grep '\[Audit Log\]'
    • TFE installations that are version v202204-1 and below have the container named as ptfe_atlas
    • TFE installations that are version v202205-1 and higher have the container named as tfe-atlas
    • You will only be able to see the audit log events that have occurred since your TFE application last started. When the TFE application is restarted, the application containers are terminated, which causes the log associated to these containers to be wiped as well.

Example Scenario

Here's how to determine which user created a workspace:

  1. Through the TFE UI, go to Settings > General within the workspace in question to obtain that workspace's ID towards the top of that page
  2. Replace WORKSPACE_ID with the workspace's ID you obtained through the UI, then execute this command to view all the audit log events associated to the workspace: docker logs tfe-atlas 2>&1 | grep '\[Audit Log\].*WORKSPACE_ID' 
    • the first logged event would be an Audit Log event of the workspace being created, that would show the user as the value for actor within the event

Here's an example audit log entry below where the user testuser1 is shown to have created the workspace:

2022-08-18 22:29:56 [INFO] [ef3d94c1-4720-4ce1-afe7-4bbe64baba65] [Audit Log] {"resource":"workspace","action":"create","resource_id":"ws-3pqtYbYCfbVJnCh3","organization":"test-company","organization_id":"org-71MgPitqbLXTxyz3","actor":"testuser1","timestamp":"2022-08-18T22:29:56Z","actor_ip":"11.111.111.11"}

Articles in this section

See more

Related articles