Introduction
When a workspace gets deleted it is possible to find out who deleted the workspace and at what time. This article will describe the steps to get this information.
Please note that the approaches currently differ for Terraform Cloud and Terraform Enterprise.
Solution for Terraform Cloud
Terraform Cloud retains 14 days of audit log information. These logs include information about workspaces that have been deleted. This information can be accessed through the Audit Trail API of Terraform Cloud. See here for more details.
Prerequisites:
- Make sure you have the jq tool installed
- Make sure you have an organization token available for use
- Having the workspace ID is useful for recognition, but not necessary
Example
- set your token
export TOKEN=<your organization token>
- Get all the workspaces that have been deleted since a certain date.
curl \
--header "Authorization: Bearer $TOKEN" \
--request GET \
"https://app.terraform.io/api/v2/organization/audit-trail?since=2022-06-24T17:52:46.000Z" | jq '[.data[] | select(.resource.action|test("destroy")) | select(.resource.type|test("workspace"))]'
- example output deleted workspace
{
"id": "9860030d-b6a3-4cdf-aad1-edababbc6a47",
"version": "0",
"type": "Resource",
"timestamp": "2022-06-27T09:58:51.000Z",
"auth": {
"accessor_id": "user-gH8emuYZYxTi5w7K",
"description": "patrickmunne",
"type": "Client",
"impersonator_id": null,
"organization_id": "org-Q9Ao32MNTMUtsxUs",
"organization_name": "patrickmunne"
},
"request": {
"id": "7308733e-ec44-45d7-fb48-3e6b443cfac5"
},
"resource": {
"id": "ws-P6jBfzaapo5sdegF",
"type": "workspace",
"action": "destroy",
"meta": null
}
}
- get details about the user (accessor_id) that deleted the workspace from the former output
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
"https://app.terraform.io/api/v2/users/<change_to_your_accessor_id>" | jq .data
- example output of user details
{
"id": "user-gH8emuYZYxTi5w7K",
"type": "users",
"attributes": {
"username": "patrickmunne",
"is-service-account": false,
...
...
...
}
Solution for Terraform Enterprise
At the moment the audit logs API isn't available for Terraform Enterprise like it is for Terraform Cloud. With Terraform Enterprise you can create a support bundle, which contains the log files needed to find details about a deleted workspace.
Prerequisites:
- Generate a Terraform Enterprise support bundle. See here for details.
Example
- unpack the support bundle
- Go into the unzipped directory on your command prompt
- find all the workspaces that have been deleted with the following command
grep '"action":"destroy"' primary/app/logs/*atlas.stdout | grep '"resource":"workspace"'
- example output
2022-06-28T13:22:12.817294337Z 2022-06-28 13:22:12 [INFO] [81a68968-4476-4f8f-ae34-9ddbea65de65] [Audit Log] {"resource":"workspace","action":"destroy","resource_id":"ws-es8ssXQuGVC9mZFg","organization":"test","organization_id":"org-DfvRy1SKJ5qydr19","actor":"admin","timestamp":"2022-06-28T13:22:12Z","actor_ip":"163.158.123.194"}
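The grep step above, as an added Python example that is not part of the original article: it parses the JSON payload of each `[Audit Log]` line instead of matching substrings, so it returns the actor, source IP and timestamp per deleted workspace and skips truncated lines. The function names and the sample lines are constructed for illustration; the line format is assumed to match the example output above.

```python
import json

AUDIT_MARKER = "[Audit Log] "

# Constructed sample lines in the format of the example output above;
# ids, actors and IPs are made up (IPs are from documentation ranges).
SAMPLE_LINES = [
    '2022-06-28T13:22:12.817Z 2022-06-28 13:22:12 [INFO] [req-1] [Audit Log] '
    '{"resource":"workspace","action":"destroy","resource_id":"ws-EXAMPLE1",'
    '"organization":"test","organization_id":"org-EXAMPLE","actor":"admin",'
    '"timestamp":"2022-06-28T13:22:12Z","actor_ip":"203.0.113.10"}',
    '2022-06-28T13:25:40.101Z 2022-06-28 13:25:40 [INFO] [req-2] [Audit Log] '
    '{"resource":"workspace","action":"create","resource_id":"ws-EXAMPLE2",'
    '"organization":"test","actor":"alice","timestamp":"2022-06-28T13:25:40Z"}',
    '2022-06-28T13:26:02.555Z 2022-06-28 13:26:02 [INFO] [req-3] Completed 200 OK',
    '2022-06-28T13:30:00.000Z 2022-06-28 13:30:00 [INFO] [req-4] [Audit Log] '
    '{"resource":"workspace","action":"destroy","resource_id":"ws-EXAM',  # truncated
]


def parse_audit_line(line):
    """Return the JSON payload after the [Audit Log] marker, or None."""
    _, marker, payload = line.partition(AUDIT_MARKER)
    if not marker:
        return None  # ordinary application log line
    try:
        event = json.loads(payload)
    except json.JSONDecodeError:
        return None  # line cut off, e.g. by log rotation
    return event if isinstance(event, dict) else None


def workspace_deletions(lines, workspace_id=None):
    """Return who deleted which workspace, when and from where."""
    found = []
    for line in lines:
        event = parse_audit_line(line)
        if (not event or event.get("resource") != "workspace"
                or event.get("action") != "destroy"):
            continue
        if workspace_id and event.get("resource_id") != workspace_id:
            continue
        found.append({k: event.get(k) for k in
                      ("timestamp", "resource_id", "actor", "actor_ip", "organization")})
    return found


if __name__ == "__main__":
    print(*workspace_deletions(SAMPLE_LINES), sep="\n")
```

To run it against an unpacked support bundle, pass the lines of the `primary/app/logs/*atlas.stdout` files to `workspace_deletions` in place of `SAMPLE_LINES`.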