KodeKloud Notes

Welcome back! In this lab, you’ll learn how to implement role-based access control (RBAC) using Terraform Cloud Teams. By the end of this walkthrough, you will be able to:

Upgrade your Terraform Cloud plan to Team & Governance
Create and configure teams (org_admins, app_developers, managers)
Invite users and assign them to the correct teams
Grant workspace permissions across development, staging, and production

Let’s dive in.

1. Upgrade to Team & Governance Plan

Terraform Cloud’s free tier does not support teams. To enable Teams & Governance features:

Go to your Terraform Cloud organization.
Navigate to Organization Settings > Plan & billing.
Select Team & Governance and click Start free trial.

The image shows a KodeKloud lab interface for Terraform Cloud Teams, with instructions on activating the "Team and Governance" plan and a file explorer on the right.

The image shows a pricing plan page for a software service, detailing different subscription options including Free, Trial, Team, and Team & Governance plans. The sidebar highlights the "Plan & billing" section, and there's an arrow pointing to a "Free Trial Available" upgrade option.

Note

HashiCorp offers a 30-day trial for Team & Governance. Once activated, you can create and manage teams under Organization Settings > Teams.

2. Create Your Teams

Terraform Cloud ships with a default owners team. We’ll add three more:

Team	Org-Level Access	Purpose
org_admins	Full (policies, workspaces, VCS, SSO, billing)	Organization administrators
app_developers	None	Application development
managers	None	Oversight and read-only review

Steps to Add Teams

In Terraform Cloud, go to Organization Settings > Teams.
Click New Team, name it org_admins, and grant the permissions shown here:
Under Organization Access, enable all checkboxes for policies, workspaces, VCS, SSO, and billing:
Repeat to create:
- app_developers (no org-level access)
- managers (no org-level access)

Your organization now has four teams: owners, org_admins, app_developers, and managers.

3. Invite Users

Add teammates by sending invites via email:

Go to Organization Settings > Users and click Invite users.
Enter the email (e.g., [email protected]) and assign the app_developers team.
After Bryan accepts the email invitation, he’ll select your organization:
Confirm his membership under Users:

4. Configure Workspace Permissions

We’ll set up three workspaces—MyAppDev, MyAppStaging, and MyAppProd—with different roles for each team.

4.1. Development Workspace

Open MyAppDev > Settings > Team Access.
Assign:
- app_developers: plan (read + run)
- managers: read
Verify both teams appear with the correct roles:

4.2. Staging Workspace

Repeat the same steps for MyAppStaging:

app_developers: plan
managers: read

4.3. Production Workspace

For MyAppProd, assign read-only access to both teams:

app_developers: read
managers: read
Confirm on the Team Access page:

Workspace Permissions Overview

Workspace	app_developers	managers
Development	plan	read
Staging	plan	read
Production	read	read

Warning

Ensure you save permissions after each change. Unsaved changes will not apply to runs.

5. Verify as a Team Member

When Bryan logs in:

MyAppDev: he can view state, variables, settings, and queue new plans.
MyAppStaging: same plan/run capabilities.
MyAppProd: only read access—no Queue plan or settings controls.

The image shows a Terraform Cloud workspace dashboard for "devops-aws-myapp-dev," displaying details of the latest run, including resources, metrics, and settings options.

This confirms our RBAC setup is working as intended.

Summary

In this lab, you have:

Upgraded to the Team & Governance plan
Created org_admins, app_developers, and managers teams
Invited users and assigned them to the correct teams
Set workspace-level permissions for development, staging, and production

Your Terraform Cloud organization now follows a secure, role-based access model.

Lab Solution Teams