Terraform
Project notification configurations API reference
Use the project notifications API endpoints to configure notifications for an entire project instead of setting them up for individual workspaces. Project notifications apply to every workspace in the project.
Overview
This topic describes how to use the following endpoints to manage project notifications using the API:
| Method | Endpoint | Description |
|---|---|---|
POST | /projects/:project_id/notification-configurations | Create a new notification configuration for a project |
GET | /projects/:project_id/notification-configurations | List all notification configurations for a project |
GET | /notification-configurations/:notification-configuration-id | Retrieve details of a specific notification configuration |
PATCH | /notification-configurations/:notification-configuration-id | Update an existing notification configuration |
POST | /notification-configurations/:notification-configuration-id/actions/verify | Send a verification request to test a notification configuration |
DELETE | /notification-configurations/:notification-configuration-id | Delete a notification configuration |
Project notification configurations use the same generic notification configuration as workspaces. After you create a project notification configuration, you can manage it with the generic show, update, verify, and delete endpoints documented on this page.
For workspace notification configurations, refer to Workspace notification configurations API reference. For team notification configurations, refer to Team notification configurations API reference.
Notification triggers
Project notifications support the same triggers as workspace notifications.
| Display name | Value | Description |
|---|---|---|
| Created | "run:created" | A run is created and enters the pending stage. |
| Planning | "run:planning" | A run acquires the lock and starts to execute. |
| Needs attention | "run:needs_attention" | A plan has changes and Terraform requires user input to continue. This input may include approving the plan or a policy override. |
| Applying | "run:applying" | A run enters the apply stage, where Terraform makes the infrastructure changes described in the plan. |
| Completed | "run:completed" | A run completes successfully. |
| Errored | "run:errored" | A run terminates early due to error or cancellation. |
| Drifted | "assessment:drifted" | HCP Terraform detected configuration drift. This option is only available if you enabled drift detection for the workspace. |
| Checks failed | "assessment:check_failure" | One or more continuous validation checks did not pass. This option is only available if you enabled drift detection for the workspace. |
| Health assessment failed | "assessment:failed" | A health assessment failed. This option is only available if you enable health assessments for the workspace. |
| Auto destroy reminder | "workspace:auto_destroy_reminder" | An automated workspace destroy run is imminent. |
| Auto destroy results | "workspace:auto_destroy_run_results" | HCP Terraform attempted an automated workspace destroy run. |
Notification payload
Project notifications use the same generic run notification payload as workspace run notifications.
Run notification payload
Run events include detailed information about a specific run, including the time it began and the associated workspace and organization. Generic notifications for run events contain the following information:
| Name | Type | Description |
|---|---|---|
payload_version | number | Always "1". |
notification_configuration_id | string | The ID of the configuration associated with this notification. |
run_url | string | URL used to access the run UI page. |
run_id | string | ID of the run which triggered this notification. |
run_message | string | The reason the run was queued. |
run_created_at | string | Timestamp of the run's creation. |
run_created_by | string | Username of the user who created the run. |
workspace_id | string | ID of the run's workspace. |
workspace_name | string | Human-readable name of the run's workspace. |
organization_name | string | Human-readable name of the run's organization. |
notifications | array | List of events which caused this notification to be sent, with each event represented by an object. |
notifications[].message | string | Human-readable reason for the notification. |
notifications[].trigger | string | Value of the trigger which caused the notification to be sent. |
notifications[].run_status | string | Status of the run at the time of notification. |
notifications[].run_updated_at | string | Timestamp of the run's update. |
notifications[].run_updated_by | string | Username of the user who caused the run to update. |
Sample payload
{
"payload_version": 1,
"notification_configuration_id": "nc-AeUQ2zfKZzW9TiGZ",
"run_url": "https://app.terraform.io/app/acme-org/my-workspace/runs/run-FwnENkvDnrpyFC7M",
"run_id": "run-FwnENkvDnrpyFC7M",
"run_message": "Add five new queue workers",
"run_created_at": "2019-01-25T18:34:00.000Z",
"run_created_by": "sample-user",
"workspace_id": "ws-XdeUVMWShTesDMME",
"workspace_name": "my-workspace",
"organization_name": "acme-org",
"notifications": [
{
"message": "Run Canceled",
"trigger": "run:errored",
"run_status": "canceled",
"run_updated_at": "2019-01-25T18:37:04.000Z",
"run_updated_by": "sample-user"
}
]
}
Notification authenticity
If a token is configured, HCP Terraform provides an HMAC signature on all "generic" notification requests, using the token as the key. This is sent in the X-TFE-Notification-Signature header. The digest algorithm used is SHA-512. Notification target servers should verify the source of the HTTP request by computing the HMAC of the request body using the same shared secret, and dropping any requests with invalid signatures.
Sample Ruby code for verifying the HMAC:
token = SecureRandom.hex
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha512"), token, @request.body)
fail "Invalid HMAC" if hmac != @request.headers["X-TFE-Notification-Signature"]
Notification verification and delivery responses
When saving a configuration with enabled set to true, or when using the verify API, HCP Terraform sends a verification request to the configured URL. The response to this request is stored and available in the delivery-responses array of the notification-configuration resource.
Configurations cannot be enabled if the verification request fails. Success is defined as an HTTP response with status code of 2xx.
Configurations with destination_type email can only be verified manually, they do not require an HTTP response.
The most recent response is stored in the delivery-responses array.
Each delivery response has several fields:
| Name | Type | Description |
|---|---|---|
body | string | Response body (may be truncated). |
code | string | HTTP status code, e.g. 400. |
headers | object | All HTTP headers received, represented as an object with keys for each header name (lowercased) and an array of string values (most arrays will be size one). |
sent-at | date | The UTC timestamp when the notification was sent. |
successful | bool | Whether HCP Terraform considers this response to be successful. |
url | string | The URL to which the request was sent. |
Create a project notification configuration
If a notification configuration has no users assigned, HCP Terraform sends email notifications to all project members.
Use this endpoint to create a notification configuration to notify users.
POST /projects/:project_id/notification-configurations
| Parameter | Description |
|---|---|
:project_id | The ID of the project to create a configuration for. |
| Status | Response | Reason |
|---|---|---|
| 201 | JSON API document (type: "notification-configurations") | Successfully created a notification configuration |
| 400 | JSON API error object | Unable to complete verification request to destination URL |
| 404 | JSON API error object | Project not found, or user unauthorized to perform action |
| 422 | JSON API error object | Malformed request body (missing attributes, wrong types, etc.) |
Request body
This POST endpoint requires a JSON object with the following properties as a request payload. Properties without a default value are required.
If enabled is set to true, HCP Terraform sends a verification request before saving the configuration. If this request does not receive a response or the response is not successful (HTTP 2xx), the configuration will not be saved.
| Key path | Type | Default | Description |
|---|---|---|---|
data.type | string | Must be "notification-configuration". | |
data.attributes.destination-type | string | Type of notification payload to send. Valid values are "generic", "email", "slack" or "microsoft-teams". | |
data.attributes.enabled | bool | false | Disabled configurations will not send any notifications. |
data.attributes.name | string | Human-readable name for the configuration. | |
data.attributes.token | string or null | null | Optional write-only secure token, which can be used at the receiving server to verify request authenticity. See Notification Authenticity for more details. |
data.attributes.triggers | array | [] | Array of triggers for which this configuration will send notifications. See Notification Triggers for more details and a list of allowed values. |
data.attributes.url | string | HTTP or HTTPS URL to which notification requests will be made, only for configurations with "destination_type:" "slack", "microsoft-teams" or "generic" | |
data.attributes.email_all_members | bool | Email all project members, only for configurations with "destination_type:" "email". | |
data.relationships.users | array | Array of users part of the organization, only for configurations with "destination_type:" "email" |
Sample payload for generic notification configurations
{
"data": {
"type": "notification-configuration",
"attributes": {
"destination-type": "generic",
"enabled": true,
"name": "Webhook server test",
"url": "https://httpstat.us/200",
"triggers": [
"run:applying",
"run:completed",
"run:created",
"run:errored",
"run:needs_attention",
"run:planning"
]
}
}
}
Sample payload for email notification configurations
{
"data": {
"type": "notification-configurations",
"attributes": {
"destination-type": "email",
"enabled": true,
"name": "Email project members about workspace runs",
"triggers": [
"run:applying",
"run:completed",
"run:created",
"run:errored",
"run:needs_attention",
"run:planning"
]
},
"relationships": {
"users": {
"data": [{ "id": "organization-user-id", "type": "users" }]
}
}
}
}
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
--data @payload.json \
https://app.terraform.io/api/v2/projects/prj-ny19cRJJos5F5FQ5/notification-configurations
Sample response
{
"data": {
"id": "nc-AeUQ2zfKZzW9TiGZ",
"type": "notification-configurations",
"attributes": {
"enabled": true,
"name": "Webhook server test",
"url": "https://httpstat.us/200",
"destination-type": "generic",
"token": null,
"triggers": [
"run:applying",
"run:completed",
"run:created",
"run:errored",
"run:needs_attention",
"run:planning"
],
"delivery-responses": [
{
"url": "https://httpstat.us/200",
"body": "\"200 OK\"",
"code": "200",
"headers": {
"cache-control": ["private"],
"content-length": ["129"],
"content-type": ["application/json; charset=utf-8"],
"content-encoding": ["gzip"],
"vary": ["Accept-Encoding"],
"server": ["Microsoft-IIS/10.0"],
"x-aspnetmvc-version": ["5.1"],
"access-control-allow-origin": ["*"],
"x-aspnet-version": ["4.0.30319"],
"x-powered-by": ["ASP.NET"],
"set-cookie": ["ARRAffinity=77c477e3e649643e5771873e1a13179fb00983bc73c71e196bf25967fd453df9;Path=/;HttpOnly;Domain=httpstat.us"],
"date": ["Tue, 08 Jan 2024 21:34:37 GMT"]
},
"sent-at": "2024-01-08 21:34:37 UTC",
"successful": "true"
}
],
"created-at": "2024-01-08T21:32:14.125Z",
"updated-at": "2024-01-08T21:34:37.274Z"
},
"relationships": {
"subscribable": {
"data": {
"id": "prj-ny19cRJJos5F5FQ5",
"type": "projects"
}
}
},
"links": {
"self": "/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ"
}
}
}
List project notification configurations
Use this endpoint to list notification configurations for a project.
GET /projects/:project_id/notification-configurations
| Parameter | Description |
|---|---|
:project_id | The ID of the project to list configurations from. |
Query parameters
This endpoint supports pagination with standard URL query parameters. Remember to percent-encode [ as %5B and ] as %5D if your tooling doesn't automatically encode URLs.
| Parameter | Description |
|---|---|
page[number] | Optional. If omitted, the endpoint will return the first page. |
page[size] | Optional. If omitted, the endpoint will return 20 notification configurations per page. |
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/projects/prj-ny19cRJJos5F5FQ5/notification-configurations
Sample response
{
"data": [
{
"id": "nc-W6VGEi8A7Cfoaf4K",
"type": "notification-configurations",
"attributes": {
"enabled": false,
"name": "Slack: #devops",
"url": "https://hooks.slack.com/services/T00000000/BC012345/0PWCpQmYyD4bTTRYZ53q4w",
"destination-type": "slack",
"token": null,
"triggers": [
"run:errored",
"run:needs_attention"
],
"delivery-responses": [],
"created-at": "2019-01-08T21:34:28.367Z",
"updated-at": "2019-01-08T21:34:28.367Z"
},
"relationships": {
"subscribable": {
"data": {
"id": "prj-ny19cRJJos5F5FQ5",
"type": "projects"
}
}
},
"links": {
"self": "/api/v2/notification-configurations/nc-W6VGEi8A7Cfoaf4K"
}
},
{
"id": "nc-AeUQ2zfKZzW9TiGZ",
"type": "notification-configurations",
"attributes": {
"enabled": true,
"name": "Webhook server test",
"url": "https://httpstat.us/200",
"destination-type": "generic",
"token": null,
"triggers": [
"run:applying",
"run:completed",
"run:created",
"run:errored",
"run:needs_attention",
"run:planning"
],
"delivery-responses": [
{
"url": "https://httpstat.us/200",
"body": "\"200 OK\"",
"code": "200",
"headers": {
"cache-control": ["private"],
"content-length": ["129"],
"content-type": ["application/json; charset=utf-8"],
"content-encoding": ["gzip"],
"vary": ["Accept-Encoding"],
"server": ["Microsoft-IIS/10.0"],
"x-aspnetmvc-version": ["5.1"],
"access-control-allow-origin": ["*"],
"x-aspnet-version": ["4.0.30319"],
"x-powered-by": ["ASP.NET"],
"set-cookie": ["ARRAffinity=77c477e3e649643e5771873e1a13179fb00983bc73c71e196bf25967fd453df9;Path=/;HttpOnly;Domain=httpstat.us"],
"date": ["Tue, 08 Jan 2019 21:34:37 GMT"]
},
"sent-at": "2019-01-08 21:34:37 UTC",
"successful": "true"
}
],
"created-at": "2019-01-08T21:32:14.125Z",
"updated-at": "2019-01-08T21:34:37.274Z"
},
"relationships": {
"subscribable": {
"data": {
"id": "prj-ny19cRJJos5F5FQ5",
"type": "projects"
}
}
},
"links": {
"self": "/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ"
}
}
]
}
Show a project notification configuration
GET /notification-configurations/:notification-configuration-id
Use this endpoint to read an existing project notification configuration after you know its notification configuration ID.
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ
Successful responses return a JSON API document with type: "notification-configurations". In the response, relationships.subscribable.data references the project with type: "projects".
Update a project notification configuration
PATCH /notification-configurations/:notification-configuration-id
If the enabled attribute is true, updating the configuration causes HCP Terraform to send a verification request. If a response is received, it is stored and returned in the delivery-responses attribute.
Request body
| Key path | Type | Default | Description |
|---|---|---|---|
data.type | string | (previous value) | Must be "notification-configuration". |
data.attributes.enabled | bool | (previous value) | Disabled configurations will not send any notifications. |
data.attributes.name | string | (previous value) | User-readable name for the configuration. |
data.attributes.token | string | (previous value) | Optional write-only secure token. |
data.attributes.triggers | array | (previous value) | Array of triggers for sending notifications. |
data.attributes.url | string | (previous value) | HTTP or HTTPS URL to which notification requests will be made for generic, slack, or microsoft-teams destinations. |
data.relationships.users | array | Array of users in the organization, only for configurations with "destination_type:" "email". |
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ
Successful responses return a JSON API document with type: "notification-configurations" and relationships.subscribable.data.type set to "projects".
Verify a project notification configuration
POST /notification-configurations/:notification-configuration-id/actions/verify
This causes HCP Terraform to send a verification request for the specified configuration.
| Status | Response | Reason |
|---|---|---|
| 200 | JSON API document (type: "notification-configurations") | Successfully verified the notification configuration |
| 400 | JSON API error object | Unable to complete verification request to destination URL |
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://app.terraform.io/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ/actions/verify
Delete a project notification configuration
DELETE /notification-configurations/:notification-configuration-id
| Status | Response | Reason |
|---|---|---|
| 204 | None | Successfully deleted the notification configuration |
| 404 | JSON API error object | Notification configuration not found, or user unauthorized to perform action |
Sample request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request DELETE \
https://app.terraform.io/api/v2/notification-configurations/nc-AeUQ2zfKZzW9TiGZ