Hi,
I am reading about the permissions in TF Cloud in the context of API tokens and I am a bit confused.
I understand that you should use an User API token for terraform CLI operations.
But with that API token and suitable client one can do destructive stuff in TF Cloud directly.
Then what permissions should I grant a team where a user is a member of so that this user can only be able to do terraform init/plan/apply from CLI?
Example situation:
I am provisioning in TF Cloud a user for a client of mine.
In TF Cloud I have private registry with plenty of modules and I set up the client’s infrastructure in a repo where these modules are extensively used.
Now for my client to be able to work with its infrastructure code he will need an API token.
So what kind of permissions should I grant the user I will make for that client so that he will be able to do his normal infra work from cli but not being able to change anything in my TF Cloud setup?
I assume there is a permission only for him to be able to get the modules with terraform get and init and go local from there?