Terraform Cloud API Token

Bridgecrew Policy ID: BC_GIT_47
Chekov Check ID: CKV_SECRET_47
Severity: LOW

Terraform Cloud API Token

Description

Terraform Cloud supports three distinct types of API tokens with varying levels of access: user, team, and organization. API tokens are displayed only once when they are created, and are obfuscated thereafter. If the token is lost, it must be regenerated.

User API Tokens

User tokens are the most flexible token type because they inherit permissions from the user they are associated with.

Team API Tokens

Team API tokens allow access to the workspaces that the team has access to, without being tied to any specific user. Each team can have one valid API token at a time, and any member of a team can generate or revoke that team's token. When a token is regenerated, the previous token immediately becomes invalid.

Organization API Tokens

Organization API tokens allow access to the organization-level settings and resources, without being tied to any specific team or user. To manage the API token for an organization, go to Organization settings > API Token and use the controls under the "Organization Tokens" header. Each organization can have one valid API token at a time. Only organization owners can generate or revoke an organization's token.

Fix - Buildtime

Terraform Cloud

DELETE /authentication-tokens/:id

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request DELETE \
  https://app.terraform.io/api/v2/authentication-tokens/at-6yEmxNAhaoQLH1Da