Learn
Reference
Examples
Learn
Reference
Examples

Configuration Reference

How you configure Terrantula depends on which side you're on:

Resolution order is consistent across the CLI: flag → environment variable → config file → built-in default. A --flag always wins; the config file is the persistent fallback you set once with terrantula login and terrantula use.

# All three configure the same thing; the flag wins this invocation.
terrantula --base-url https://api.example.com --token terr_xxx entities list
TERRANTULA_BASE_URL=https://api.example.com TERRANTULA_TOKEN=terr_xxx terrantula entities list
terrantula login --base-url https://api.example.com --token terr_xxx   # persists to the config file

CLI config file

The CLI persists credentials and current selections to ~/.config/terrantula/config.json. terrantula login writes the credentials; terrantula use <project-id> and the --org / --env selections write the current context. The file is created with 0600 permissions (owner read/write only).

{
  "baseUrl": "https://api.example.com",
  "token": "terr_xxxxxxxxxxxxxxxx",
  "currentOrg": "acme",
  "currentProject": "cattle-saas",
  "currentEnv": "default"
}
KeyTypeDefaultDescription
baseUrlstringAPI base URL the CLI/SDK connects to. Set by login --base-url.
tokenstringBearer API token (terr_…). Set by login. Stored in plaintext on disk at 0600 — see caveats.
currentOrgstringDefault org slug for org/project-scoped commands. Set by --org / overridden per-invocation.
currentProjectstringDefault project for project-scoped commands. Set by terrantula use <project-id>.
currentEnvstringdefaultDefault environment for env-scoped commands. Every project ships a default env.
NOTE

Local-first mode (terrantula dashboard) doesn't use baseUrl / token. It runs an embedded server backed by ~/.config/terrantula/local.db (SQLite) so the first-five-minutes onboarding works with zero pre-existing infrastructure. See the CLI Reference.

Global flags

These flags are accepted by every command and override the config file for that invocation.

FlagOverrides config keyDescription
--base-url <url>baseUrlAPI base URL.
--token <token>tokenAPI token (terr_…).
--org <id>currentOrgOrg slug for org/project-scoped commands.
--project <id>currentProjectProject ID for project-scoped commands.
--env <name>currentEnvEnvironment name for env-scoped commands. Defaults to default.
--jsonOutput raw JSON instead of pretty JSON. Use in scripts/CI.
--file [path]Path to a JSON/YAML file providing complex or bulk fields. Explicit flags override file values. Accepts ----separated multi-document blueprints.
TIP

For scripted/CI callers, prefer the environment variables over the config file — they let a Makefile or pipeline drive the CLI without a login step and without touching ~/.config.

CLI environment variables

Read by the CLI and SDK. Each maps to a flag or config key in the resolution chain above.

VariableMaps toDefaultDescription
TERRANTULA_BASE_URL--base-url / baseUrlAPI base URL. Required (via flag, env, or config) for any non-local command.
TERRANTULA_TOKEN--token / tokenBearer API token (terr_…).
TERRANTULA_ORG_ID--org / currentOrgOrg slug for org/project-scoped commands.
TERRANTULA_PROJECT_ID--project / currentProjectterrantula (import commands only)Project ID for project-scoped commands.
TERRANTULA_ENV_NAME--env / currentEnvdefaultEnvironment name for env-scoped commands.
TERRANTULA_DEBUGunsetWhen set (any value), prints extra error detail (stack traces) on failure.
NO_COLORunsetWhen set, disables ANSI color in CLI output (honors the NO_COLOR convention).
TERRANTULA_TFC_ALLOW_CUSTOM_HOSTunsetSet to 1 to allow import-terraform to read state from a non-app.terraform.io TFC/TFE host. A safety gate — off by default.
TERRANTULA_TFC_SUPPRESS_HOST_WARNINGunsetSet to 1 to silence the custom-host warning emitted by the TFC reader.
# Drive the CLI from CI with no login step:
export TERRANTULA_BASE_URL=https://api.example.com
export TERRANTULA_TOKEN=terr_xxxxxxxxxxxxxxxx
export TERRANTULA_ORG_ID=acme
export TERRANTULA_PROJECT_ID=cattle-saas
terrantula apply --file blueprint.yaml --json

Project API tokens

Tokens are how the CLI, SDK, and any integration authenticate. They are terr_-prefixed bearer tokens sent as Authorization: Bearer terr_…. Tokens are org-owned API keys scoped to one project; mint and revoke them under /orgs/:orgId/projects/:projectId/tokens (requires the tokens:manage permission — admin/owner).

# The raw token value is returned EXACTLY ONCE, at creation.
curl -X POST https://api.example.com/orgs/acme/projects/cattle-saas/tokens \
  -H "Authorization: Bearer terr_existing" \
  -H "Content-Type: application/json" \
  -d '{"name":"ci-deploy","role":"member","envName":"prod"}'
FieldTypeDefaultDescription
namestringHuman label for the token. Required.
roleowner | admin | member | viewermemberThe role the token authenticates as. Determines which permissions it has — see RBAC & Drift.
envNamestring— (all envs)Restricts the token to a single environment. Omit for project-wide access.
cellScopesstring[]— (all cells)Restricts the token to entities/relationships/action-runs in the listed cells. Omit for all-cells access.
expiresAtISO 8601 datetime— (no expiry)When the token stops working. Omit for a non-expiring token.
WARNING

The raw token value is returned once, at creation, and never again. Only the terr_prefix is stored (the value is SHA-256 hashed at rest), so a leaked token cannot be recovered from the database — you can only revoke and re-mint. Store the value in your secret manager immediately.

INFO

A token scoped to one org cannot authenticate against the same project name in a different org — token auth is scoped by both org and project. This is why --org (or TERRANTULA_ORG_ID) is required for project-scoped commands.

Environments

Every project ships a default environment. Environments isolate data and secret values: the same secret name (e.g. tfc-api-token) can hold a different value per env, and a value set in one env is decrypted only for runs in that env. Select the active env with --env, TERRANTULA_ENV_NAME, or the currentEnv config key. Tokens can be pinned to one env via envName.

See the Secret catalog kind for how secrets reference env-scoped values, and the How-To pocket for the environments recipe.

Server environment variables

Set these on the API server (and worker), not on the CLI. They are required to self-host. Never commit their values; mount them as secrets.

Required

VariableDescription
DATABASE_URLPostgres connection string the API and migrations run against, e.g. postgresql://user:pass@host:5432/terrantula.
ENCRYPTION_KEY32-byte hex key used to encrypt third-party credentials at rest (OIDC client secrets, etc.). Generate with openssl rand -hex 32.
BETTER_AUTH_SECRETSecret used by better-auth for session signing and for HS256-signing the GitHub App install-state JWTs. Must be ≥ 32 bytes.
API_BASE_URLThe public URL the API is reachable at. Required because action webhooks and repository_dispatch workflows call back to ${API_BASE_URL}/…/action-runs/<run>/callback. Unset blocks post-merge dispatch with a clear error rather than parking runs forever.

Optional / deployment

VariableDefaultDescription
TERRANTULA_DEPLOYMENTcloudoss or cloud. cloud mounts SSO, GitHub App, and (future) billing routes; oss runs the bare self-hostable server (those paths return 404). Self-hosters who don't need hosted integrations set oss.
PORT3000Port the server listens on.
QUEUE_DRIVERpgJob-queue backend. pg (Postgres-backed) for self-host; sqs is for AWS Lambda deployments only.
BETTER_AUTH_URLPublic base URL of the auth handler. Used for OAuth/SSO callback and invite-acceptance links.
TRUSTED_ORIGINSemptyComma-separated list of origins allowed for browser auth (CORS/CSRF).
TERRANTULA_UI_BASE_URLPublic URL of the proprietary hosted UI, used when building user-facing links.

GitHub App (cloud deployments)

Required only when TERRANTULA_DEPLOYMENT=cloud and you connect the GitHub App. See Triggers, GitHub App, Actions & Webhooks.

VariableDescription
GITHUB_APP_IDThe GitHub App's numeric ID.
GITHUB_APP_NAMEThe GitHub App's slug/name.
GITHUB_APP_PRIVATE_KEYThe App's PEM private key (PKCS#8). Mount as a multiline secret; never commit.
GITHUB_APP_WEBHOOK_SECRETHMAC secret used to verify inbound GitHub webhooks.
DANGER

DATABASE_URL, ENCRYPTION_KEY, BETTER_AUTH_SECRET, and GITHUB_APP_PRIVATE_KEY are secrets. Mount them from your secret manager; never commit them, log them, or print their values. Rotating ENCRYPTION_KEYrequires re-encrypting every stored credential — treat it as long-lived.

Bootstrap mode

On a fresh database with no tokens, the API runs in bootstrap mode: all requests are accepted without authentication so you can mint your first token. Creating any project token (POST /orgs/:orgId/projects/:projectId/tokens) closes bootstrap mode and turns on token enforcement for every subsequent request.

# Fresh DB: mint the first token while bootstrap mode is open.
curl -X POST https://api.example.com/orgs/terrantula/projects/terrantula/tokens \
  -H "Content-Type: application/json" \
  -d '{"name":"bootstrap","role":"owner"}'
WARNING

Bootstrap mode is open access. Mint your first token immediately on a fresh deployment, and never expose a tokenless server on a public network.

Secrets and storage

  • CLI token at rest. ~/.config/terrantula/config.json stores the token in plaintext at 0600. On a shared machine, prefer TERRANTULA_TOKEN (from your secret manager) over login.
  • Server credentials at rest. Third-party credentials (OIDC client secrets, catalog Secrets) are encrypted with ENCRYPTION_KEY. terr_ tokens are SHA-256 hashed — only the prefix is stored.
  • In logs. Terrantula logs only token prefixes (terr_xxxxxxxx…), never full values.

Related

ON THIS PAGE