This topic provides reference information for the following endpoints:
/admin/general-settings
/admin/data-retention-policy-settings
/admin/cost-estimation-settings
/admin/saml-settings
/admin/smtp-settings
/admin/twilio-settings
/admin/customization-settings
/admin/oidc-settings
Terraform Enterprise Only: The admin API is exclusive to Terraform Enterprise, and can only be used by the admins and operators who install and maintain their organization's Terraform Enterprise instance.
GET /api/v2/admin/general-settings
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/general-settings
Sample Response
{
"data": {
"id": "general",
"type": "general-settings",
"attributes": {
"limit-user-organization-creation": true,
"api-rate-limiting-enabled": true,
"api-rate-limit": 30,
"plan-timeout": "2h",
"apply-timeout": "24h",
"send-passing-statuses-for-untriggered-speculative-plans": false,
"allow-speculative-plans-on-pull-requests-from-forks": false,
"default-remote-state-access": true
}
}
}
PATCH /api/v2/admin/general-settings
This PATCH endpoint requires a JSON object with the following properties as a request payload.
| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.allow-speculative-plans-on-pull-requests-from-forks | bool | false | When set to false, speculative plans are not run on pull requests from forks of a repository. It is currently supported for the following VCS providers: GitHub.com, GitHub.com (OAuth), GitHub Enterprise, Bitbucket Cloud, Azure DevOps Server, Azure DevOps Services. To learn more about this setting, refer to the documentation. |
| data.attributes.api-rate-limit | integer | 30 | The number of allowable API requests per second for any client. This value cannot be less than 30. To learn more about API Rate Limiting, refer to the rate limiting documentation. |
| data.attributes.api-rate-limiting-enabled | bool | true | Whether or not rate limiting is enabled for API requests. To learn more about API Rate Limiting, refer to the rate limiting documentation. |
| data.attributes.default-remote-state-access | bool | true | Determines the default value for the global-remote-state attribute on new workspaces. For more details, refer to Administration: General Settings and Workspaces API: Create a Workspace. |
| data.attributes.limit-user-organization-creation | bool | true | When set to true, limits the ability to create organizations to users with the site-admin permission only. |
| data.attributes.send-passing-statuses-for-untriggered-speculative-plans | bool | false | When set to true, workspaces automatically send passing commit statuses for any pull requests that don't affect their tracked files. |
| data.attributes.plan-timeout | string | 2h | Default maximum run time for Terraform plans. Can be overridden on a per-organization basis. Specify a duration with a decimal number and a unit suffix. |
| data.attributes.apply-timeout | string | 24h | Default maximum run time for Terraform applies. Can be overridden on a per-organization basis. Specify a duration with a decimal number and a unit suffix. |
| data.attributes.terraform-build-worker-plan-timeout | string | 2h | Deprecated. Please use data.attributes.plan-timeout instead. |
| data.attributes.terraform-build-worker-apply-timeout | string | 24h | Deprecated. Please use data.attributes.apply-timeout instead. |

Sample Payload
{
"data": {
"attributes": {
"limit-user-organization-creation": true,
"api-rate-limiting-enabled": true,
"api-rate-limit": 50,
"plan-timeout": "2h",
"apply-timeout": "24h"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/general-settings
Sample Response
{
"data": {
"id": "general",
"type": "general-settings",
"attributes": {
"limit-user-organization-creation": true,
"api-rate-limiting-enabled": true,
"api-rate-limit": 50,
"send-passing-statuses-for-untriggered-speculative-plans": false,
"allow-speculative-plans-on-pull-requests-from-forks": false,
"plan-timeout": "2h",
"apply-timeout": "24h",
"default-remote-state-access": true
}
}
}
GET /api/v2/admin/data-retention-policy-settings
This endpoint returns the global data retention policy for all organizations. When a global data retention policy is not set, organizations retain all backing data by default. Read more about admin data retention policy settings.
Admin settings only support the data-retention-policy-delete-olders policy type.
Refer to Data Retention Policy API for details.
POST /api/v2/admin/data-retention-policy-settings
This endpoint creates a default data retention policy for all organizations on the site. When a global data retention policy is not set, organizations retain all backing data by default. Read more about admin data retention policy settings.
Admin settings only support the data-retention-policy-delete-olders policy type.
Refer to Data Retention Policy API for details.
DELETE /api/v2/admin/data-retention-policy-settings
This endpoint removes the data retention policy set at the site admin level. When a data retention policy is not set for the site admin, organizations retain all backing data by default.
Read more about admin data retention policy settings.
See Data Retention Policy API for details.
GET /api/v2/admin/cost-estimation-settings
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/cost-estimation-settings
Sample Response
{
"data": {
"id": "cost-estimation",
"type": "cost-estimation-settings",
"attributes": {
"enabled": true,
"aws-access-key-id": "AKIAIOSFODNN7EXAMPLE",
"aws-secret-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"gcp-credentials": "{\"private_key\":\"-----BEGIN PRIVATE KEY-----\\n....=\\n-----END PRIVATE KEY-----\",\"private_key_id\":\"some_id\",...}",
"azure-client-id": "9b516fe8-415s-9119-bab0-EXAMPLEID1",
"azure-client-secret": "9b516fe8-415s-9119-bab0-EXAMPLESEC1",
"azure-subscription-id": "9b516fe8-415s-9119-bab0-EXAMPLEID2",
"azure-tenant-id": "9b516fe8-415s-9119-bab0-EXAMPLEID3"
}
}
}
PATCH /api/v2/admin/cost-estimation-settings
This PATCH endpoint requires a JSON object with the following properties as a request payload.
If data.attributes.enabled is set to true, there must be at least one set of credentials populated with valid values. For example, either both aws-access-key-id and aws-secret-key must be set, or gcp-credentials must be set.
See SAML Configuration for more details on attribute values.

| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.enabled | bool | false | Allows organizations to opt-in to the Cost Estimation feature. |
| data.attributes.aws-access-key-id | string | | An AWS Access Key ID that the Cost Estimation feature will use to authorize to AWS's Pricing API. |
| data.attributes.aws-secret-key | string | | An AWS Secret Key that the Cost Estimation feature will use to authorize to AWS's Pricing API. |
| data.attributes.gcp-credentials | string | | A JSON string containing GCP credentials that the Cost Estimation feature will use to authorize to the Google Cloud Platform's Pricing API. This must be the contents of a valid JSON key that is downloaded when creating a Service Account in GCP. |
| data.attributes.azure-client-id | string | | An Azure Client ID that the Cost Estimation feature will use to authorize to Azure's RateCard API. |
| data.attributes.azure-client-secret | string | | An Azure Client Secret that the Cost Estimation feature will use to authorize to Azure's RateCard API. |
| data.attributes.azure-subscription-id | string | | An Azure Subscription ID that the Cost Estimation feature will use to authorize to Azure's RateCard API. |
| data.attributes.azure-tenant-id | string | | An Azure Tenant ID that the Cost Estimation feature will use to authorize to Azure's RateCard API. |

Sample Payload
{
"data": {
"attributes": {
"enabled": true,
"aws-access-key-id": "AKIAIOSFODNN7EXAMPLE",
"aws-secret-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"gcp-credentials": "{\"private_key\":\"-----BEGIN PRIVATE KEY-----\\n....=\\n-----END PRIVATE KEY-----\",\"private_key_id\":\"some_id\",...}",
"azure-client-id": "9b516fe8-415s-9119-bab0-EXAMPLEID1",
"azure-client-secret": "9b516fe8-415s-9119-bab0-EXAMPLESEC1",
"azure-subscription-id": "9b516fe8-415s-9119-bab0-EXAMPLEID2",
"azure-tenant-id": "9b516fe8-415s-9119-bab0-EXAMPLEID3"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/cost-estimation-settings
Sample Response
{
"data": {
"id": "cost-estimation",
"type": "cost-estimation-settings",
"attributes": {
"enabled": true,
"aws-access-key-id": "AKIAIOSFODNN7EXAMPLE",
"aws-secret-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"gcp-credentials": "{\"private_key\":\"-----BEGIN PRIVATE KEY-----\\n....=\\n-----END PRIVATE KEY-----\",\"private_key_id\":\"some_id\",...}",
"azure-client-id": "9b516fe8-415s-9119-bab0-EXAMPLEID1",
"azure-client-secret": "9b516fe8-415s-9119-bab0-EXAMPLESEC1",
"azure-subscription-id": "9b516fe8-415s-9119-bab0-EXAMPLEID2",
"azure-tenant-id": "9b516fe8-415s-9119-bab0-EXAMPLEID3"
}
}
}
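The cost-estimation sample responses above return aws-secret-key, azure-client-secret and gcp-credentials in the response body, so any tooling that stores or logs these documents needs to mask them first. The following is an added example, not HashiCorp code: the helper names, the mask string and the choice of which attributes count as secrets are assumptions, and the sample input is constructed.

```python
import copy
import json

# Secret-bearing attribute names, taken from the sample payloads on this page.
# Treating exactly these as secrets is this example's assumption.
SECRET_ATTRIBUTES = {
    "aws-secret-key",        # cost-estimation-settings
    "azure-client-secret",   # cost-estimation-settings
    "password",              # smtp-settings (request payload)
    "auth-token",            # twilio-settings (request payload)
}
MASK = "[REDACTED]"


def _redact_gcp(value):
    """Mask key material inside the gcp-credentials JSON string."""
    try:
        creds = json.loads(value)
    except (TypeError, ValueError):
        return MASK  # not parseable: fail closed and mask the whole string
    if not isinstance(creds, dict):
        return MASK
    if "private_key" in creds:
        creds["private_key"] = MASK
    return json.dumps(creds, sort_keys=True)


def redact_settings(document):
    """Return a copy of a settings request or response that is safe to log."""
    safe = copy.deepcopy(document)
    attrs = safe.get("data", {}).get("attributes", {})
    for name, value in attrs.items():
        if value is None or value == "":
            continue  # keep unset values visible as unset
        if name in SECRET_ATTRIBUTES:
            attrs[name] = MASK
        elif name == "gcp-credentials":
            attrs[name] = _redact_gcp(value)
    return safe


# Constructed sample in the shape of the cost-estimation response above.
SAMPLE_RESPONSE = {
    "data": {
        "id": "cost-estimation",
        "type": "cost-estimation-settings",
        "attributes": {
            "enabled": True,
            "aws-access-key-id": "AKIAIOSFODNN7EXAMPLE",
            "aws-secret-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "gcp-credentials": json.dumps(
                {"private_key": "constructed-key-material", "private_key_id": "some_id"}
            ),
            "azure-client-id": "9b516fe8-415s-9119-bab0-EXAMPLEID1",
            "azure-client-secret": "9b516fe8-415s-9119-bab0-EXAMPLESEC1",
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(redact_settings(SAMPLE_RESPONSE), indent=2))
```

Identifiers such as aws-access-key-id and private_key_id are left readable so a stored copy can still be matched to the credential it refers to.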
GET /api/v2/admin/saml-settings
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/saml-settings
Sample Response
{
"data": {
"id": "saml",
"type": "saml-settings",
"attributes": {
"enabled": true,
"debug": false,
"old-idp-cert": null,
"idp-cert": "SAMPLE-CERTIFICATE",
"slo-endpoint-url": "https://example.com/slo",
"sso-endpoint-url": "https://example.com/sso",
"attr-username": "Username",
"attr-groups": "MemberOf",
"attr-site-admin": "SiteAdmin",
"site-admin-role": "site-admins",
"sso-api-token-session-timeout": 1209600,
"acs-consumer-url": "https://example.com/users/saml/auth",
"metadata-url": "https://example.com/users/saml/metadata"
}
}
}
PATCH /api/v2/admin/saml-settings
This PATCH endpoint requires a JSON object with the following properties as a request payload.
If data.attributes.enabled is set to true, all remaining attributes must have valid values. You can omit attributes if they have a default value, or if a value was set by a previous update. Omitted attributes keep their previous values.
See SAML Configuration for more details on attribute values.

| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.enabled | bool | false | Allows SAML to be used. If true, all remaining attributes must have valid values. |
| data.attributes.debug | bool | false | Enables a SAML debug dialog that allows an admin to see the SAMLResponse XML and processed values during login. |
| data.attributes.idp-cert | string | | Identity Provider Certificate specifies the PEM encoded X.509 Certificate as provided by the IdP configuration. |
| data.attributes.slo-endpoint-url | string | | Single Log Out URL specifies the HTTPS endpoint on your IdP for single logout requests. This value is provided by the IdP configuration. |
| data.attributes.sso-endpoint-url | string | | Single Sign On URL specifies the HTTPS endpoint on your IdP for single sign-on requests. This value is provided by the IdP configuration. |
| data.attributes.attr-username | string | "Username" | Username Attribute Name specifies the name of the SAML attribute that determines the user's username. |
| data.attributes.attr-groups | string | "MemberOf" | Team Attribute Name specifies the name of the SAML attribute that determines team membership. |
| data.attributes.attr-site-admin | string | "SiteAdmin" | Specifies the role for site admin access. Overrides the "Site Admin Role" method. |
| data.attributes.site-admin-role | string | "site-admins" | Specifies the role for site admin access, provided in the list of roles sent in the Team Attribute Name attribute. |
| data.attributes.sso-api-token-session-timeout | integer | 1209600 | Specifies the Single Sign On session timeout in seconds. Defaults to 14 days. |

Sample Payload
{
"data": {
"attributes": {
"enabled": true,
"debug": false,
"idp-cert": "NEW-CERTIFICATE",
"slo-endpoint-url": "https://example.com/slo",
"sso-endpoint-url": "https://example.com/sso",
"attr-username": "Username",
"attr-groups": "MemberOf",
"attr-site-admin": "SiteAdmin",
"site-admin-role": "site-admins",
"sso-api-token-session-timeout": 1209600
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/saml-settings
Sample Response
{
"data": {
"id": "saml",
"type": "saml-settings",
"attributes": {
"enabled": true,
"debug": false,
"old-idp-cert": "SAMPLE-CERTIFICATE",
"idp-cert": "NEW-CERTIFICATE",
"slo-endpoint-url": "https://example.com/slo",
"sso-endpoint-url": "https://example.com/sso",
"attr-username": "Username",
"attr-groups": "MemberOf",
"attr-site-admin": "SiteAdmin",
"site-admin-role": "site-admins",
"sso-api-token-session-timeout": 1209600,
"acs-consumer-url": "https://example.com/users/saml/auth",
"metadata-url": "https://example.com/users/saml/metadata"
}
}
}
POST /api/v2/admin/saml-settings/actions/revoke-old-certificate
When reconfiguring the IdP certificate, Terraform Enterprise will retain the old IdP certificate to allow for a rotation period. This POST endpoint will revoke the older IdP certificate when the new IdP certificate is known to be functioning correctly.
See SAML Configuration for more details.
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://app.terraform.io/api/v2/admin/saml-settings/actions/revoke-old-certificate
Sample Response
{
"data": {
"id": "saml",
"type": "saml-settings",
"attributes": {
"enabled": true,
"debug": false,
"old-idp-cert": null,
"idp-cert": "NEW-CERTIFICATE",
"slo-endpoint-url": "https://example.com/slo",
"sso-endpoint-url": "https://example.com/sso",
"attr-username": "Username",
"attr-groups": "MemberOf",
"attr-site-admin": "SiteAdmin",
"site-admin-role": "site-admins",
"sso-api-token-session-timeout": 1209600,
"acs-consumer-url": "https://example.com/users/saml/auth",
"metadata-url": "https://example.com/users/saml/metadata"
}
}
}
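The three saml-settings sample responses above (GET, after PATCH, after revoke-old-certificate) trace one certificate rotation through the old-idp-cert and idp-cert attributes. The following added example, which is not HashiCorp code, classifies a response into a rotation state and reports leftovers worth closing out; the function names, state labels and finding texts are assumptions, and the inputs are constructed from the page's samples.

```python
from urllib.parse import urlsplit

REVOKE_ACTION = "POST /api/v2/admin/saml-settings/actions/revoke-old-certificate"


def _norm(pem):
    """Ignore line wrapping and surrounding whitespace when comparing PEM text."""
    return "".join(pem.split()) if pem else None


def rotation_state(attrs, new_cert):
    """Classify where an IdP certificate rotation stands.

    attrs is data.attributes from a saml-settings response; new_cert is the
    certificate the operator intends to be the only one configured.
    """
    if not attrs.get("enabled"):
        return "saml-disabled"
    if _norm(attrs.get("idp-cert")) != _norm(new_cert):
        return "new-cert-not-installed"  # PATCH idp-cert first
    if attrs.get("old-idp-cert"):
        return "old-cert-retained"       # rotation period still open
    return "complete"


def saml_findings(attrs, new_cert):
    """List settings that should be followed up after a rotation."""
    state = rotation_state(attrs, new_cert)
    if state == "saml-disabled":
        return []
    findings = []
    if state == "new-cert-not-installed":
        findings.append("idp-cert is not the expected certificate")
    elif state == "old-cert-retained":
        findings.append(
            "old-idp-cert is still retained; once login with the new "
            "certificate is confirmed, call " + REVOKE_ACTION
        )
    if attrs.get("debug"):
        findings.append("debug is true: SAMLResponse XML is shown during login")
    for key in ("sso-endpoint-url", "slo-endpoint-url"):
        if urlsplit(attrs.get(key) or "").scheme != "https":
            findings.append(key + " is not an HTTPS URL")
    return findings


# Constructed inputs: data.attributes from the three sample responses on this
# page, reduced to the fields checked here.
COMMON = {
    "enabled": True,
    "debug": False,
    "slo-endpoint-url": "https://example.com/slo",
    "sso-endpoint-url": "https://example.com/sso",
}
BEFORE_PATCH = {**COMMON, "old-idp-cert": None, "idp-cert": "SAMPLE-CERTIFICATE"}
AFTER_PATCH = {**COMMON, "old-idp-cert": "SAMPLE-CERTIFICATE", "idp-cert": "NEW-CERTIFICATE"}
AFTER_REVOKE = {**COMMON, "old-idp-cert": None, "idp-cert": "NEW-CERTIFICATE"}

if __name__ == "__main__":
    for label, attrs in (("before", BEFORE_PATCH), ("patched", AFTER_PATCH), ("revoked", AFTER_REVOKE)):
        print(label, rotation_state(attrs, "NEW-CERTIFICATE"), saml_findings(attrs, "NEW-CERTIFICATE"))
```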
GET /api/v2/admin/smtp-settings
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/smtp-settings
Sample Response
{
"data": {
"id": "smtp",
"type": "smtp-settings",
"attributes": {
"enabled": true,
"host": "example.com",
"port": 25,
"sender": "sample_user@example.com",
"auth": "login",
"username": "sample_user"
}
}
}
PATCH /api/v2/admin/smtp-settings
When a request to this endpoint is submitted, a test message will be sent to the specified test-email-address. If the test message delivery fails, the API will return an error code indicating the reason for the failure.
This PATCH endpoint requires a JSON object with the following properties as a request payload.
If data.attributes.enabled is set to true, all remaining attributes must have valid values. You can omit attributes if they have a default value, or if a value was set by a previous update. Omitted attributes keep their previous values.

| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.enabled | bool | false | Allows SMTP to be used. If true, all remaining attributes must have valid values. |
| data.attributes.host | string | | The host address of the SMTP server. |
| data.attributes.port | integer | | The port of the SMTP server. |
| data.attributes.sender | string | | The desired sender address. |
| data.attributes.auth | string | "none" | The authentication type. Valid values are "none", "plain", and "login". |
| data.attributes.username | string | | The username used to authenticate to the SMTP server. Only required if data.attributes.auth is set to "login" or "plain". |
| data.attributes.password | string | | The password used to authenticate to the SMTP server. Only required if data.attributes.auth is set to "login" or "plain". |
| data.attributes.test-email-address | string | | The email address to send a test message to. Not persisted and only used during testing. |

Sample Payload
{
"data": {
"attributes": {
"enabled": true,
"host": "example.com",
"port": 25,
"sender": "sample_user@example.com",
"auth": "login",
"username": "sample_user",
"password": "sample_password",
"test-email-address": "test@example.com"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/smtp-settings
Sample Response
{
"data": {
"id": "smtp",
"type": "smtp-settings",
"attributes": {
"enabled": true,
"host": "example.com",
"port": 25,
"sender": "sample_user@example.com",
"auth": "login",
"username": "sample_user"
}
}
}
GET /api/v2/admin/twilio-settings
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/twilio-settings
Sample Response
{
"data": {
"id": "twilio",
"type": "twilio-settings",
"attributes": {
"enabled": true,
"account-sid": "12345abcd",
"from-number": "555-555-5555"
}
}
}
PATCH /api/v2/admin/twilio-settings
This PATCH endpoint requires a JSON object with the following properties as a request payload.
If data.attributes.enabled is set to true, all remaining attributes must have valid values. You can omit attributes if they have a default value, or if a value was set by a previous update. Omitted attributes keep their previous values.

| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.enabled | bool | false | Allows Twilio to be used. If true, all remaining attributes must have valid values. |
| data.attributes.account-sid | string | | The Twilio account id. |
| data.attributes.auth-token | string | | The Twilio authentication token. |
| data.attributes.from-number | string | | The Twilio registered phone number that will be used to send the message. |

Sample Payload
{
"data": {
"attributes": {
"enabled": true,
"account-sid": "12345abcd",
"auth-token": "sample_token",
"from-number": "555-555-5555"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/twilio-settings
Sample Response
{
"data": {
"id": "twilio",
"type": "twilio-settings",
"attributes": {
"enabled": true,
"account-sid": "12345abcd",
"from-number": "555-555-5555"
}
}
}
POST /api/v2/admin/twilio-settings/verify
Uses the test-number attribute to send a test SMS when Twilio is enabled.
This POST endpoint requires a JSON object with the following properties as a request payload.

| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.test-number | string | | The target phone number for the test SMS. Not persisted and only used during testing. |

Sample Payload
{
"data": {
"attributes": {
"test-number": "555-555-0000"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
--data @payload.json \
https://app.terraform.io/api/v2/admin/twilio-settings/verify
GET /api/v2/admin/customization-settings
This API endpoint is available in Terraform Enterprise as of version 202003-1.
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/admin/customization-settings
Sample Response
Note that the support-email-address attribute in the following example returns support@hashicorp.com, which is not a functional email address. If you need assistance, visit the HashiCorp support page and open a ticket.
{
"data": {
"id": "customization",
"type": "customization-settings",
"attributes": {
"support-email-address": "support@hashicorp.com",
"login-help": "",
"footer": "",
"error": "",
"new-user": ""
}
}
}
PATCH /api/v2/admin/customization-settings
This PATCH endpoint requires a JSON object with the following properties as a request payload.
| Key path | Type | Default | Description |
| --- | --- | --- | --- |
| data.attributes.support-email-address | string | "support@hashicorp.com" | The deprecated support address for outgoing emails. Note that the default value is a non-functional address. If you need assistance, visit the HashiCorp support page and open a ticket. |
| data.attributes.login-help | string | "" | The login help text presented to users on the login page. |
| data.attributes.footer | string | "" | Custom footer content that is added to the application. |
| data.attributes.error | string | "" | Error instruction content that is presented to users upon unexpected errors. |
| data.attributes.new-user | string | "" | New user instructions that are presented when the user is not yet attached to an organization. |

Sample Payload
In the following example, the support-email-address attribute specifies support@hashicorp.com, which is not a functional email address. If you need assistance, visit the HashiCorp support page and open a ticket.
{
"data": {
"attributes": {
"support-email-address": "support@hashicorp.com",
"login-help": "<div>Login Help</div>",
"footer": "<p>Custom Footer Content</p>",
"error": "<em>Custom Error Instructions</em>",
"new-user": "New user? <a href=\"#\">Click Here</a>"
}
}
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/admin/customization-settings
Sample Response
In the following example, the support-email-address attribute specifies support@hashicorp.com, which is not a functional address. If you need assistance, visit the HashiCorp support page and open a ticket.
{
"data": {
"id": "customization",
"type": "customization-settings",
"attributes": {
"support-email-address": "support@hashicorp.com",
"login-help": "\u003cdiv\u003eLogin Help\u003c/div\u003e",
"footer": "\u003cp\u003eCustom Footer Content\u003c/p\u003e",
"error": "\u003cem\u003eCustom Error Instructions\u003c/em\u003e",
"new-user": "New user? \u003ca href=\"#\"\u003eClick Here\u003c/a\u003e"
}
}
}
POST /api/v2/admin/oidc-settings/actions/rotate-key
This endpoint rotates the OIDC signing key used for signing tokens issued for dynamic provider credentials. This key automatically rotates every 90 days; hitting this endpoint resets this timer. Hitting this endpoint has no effect on the next trim time. This endpoint should only be used if a leak of the key is suspected.

| Status | Response | Reason |
| --- | --- | --- |
| 204 | none | Successfully rotated key |
| 422 | JSON API error object | Malformed request body (missing attributes, wrong types, etc.) |

Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://app.terraform.io/api/v2/admin/oidc-settings/actions/rotate-key
POST /api/v2/admin/oidc-settings/actions/trim-key
This endpoint trims the OIDC signing key used for signing tokens issued for dynamic provider credentials. This key automatically trims old versions 30 days after the last rotation; hitting this endpoint resets this timer. Hitting this endpoint has no effect on the next rotation time. This endpoint should only be used after rotating the key if a leak of the key is suspected.

| Status | Response | Reason |
| --- | --- | --- |
| 204 | none | Successfully trimmed key |
| 422 | JSON API error object | Malformed request body (missing attributes, wrong types, etc.) |

Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://app.terraform.io/api/v2/admin/oidc-settings/actions/trim-key