Commands
Available Commands​
Currently, the CLI supports the following commands:
- admin — Activate or deactivate admin mode.
- apply — Apply a Terraform run.
- caller-identity — Get the caller's identity.
- configure — Create or update a profile.
- destroy — Destroy workspace resources.
- gpg-key — Do operations on GPG keys.
- group — Do operations on groups.
- managed-identity — Do operations on a managed identity.
- managed-identity-access-rule — Do operations on a managed identity access rule.
- managed-identity-alias — Do operations on a managed identity alias.
- mcp — Start the Tharsis MCP server.
- membership — Do operations on namespace memberships.
- module — Do operations on a terraform module.
- plan — Create a speculative plan.
- resource-limit — Do operations on resource limits.
- role — Do operations on roles.
- run — Do operations on runs.
- runner-agent — Do operations on runner agents.
- service-account — Do operations on service accounts.
- sso — Log in to the OAuth2 provider and return an authentication token.
- state-version — Do operations on state versions.
- team — Do operations on teams.
- terraform-provider — Do operations on a terraform provider.
- terraform-provider-mirror — Mirror Terraform providers from any Terraform registry.
- tf-exec — Run terraform with Tharsis auth and workspace variables injected.
- user — Do operations on users.
- vcs-provider — Do operations on VCS providers.
- vcs-provider-link — Do operations on workspace VCS provider links.
- version — Get the CLI's version.
- workspace — Do operations on workspaces.
tharsis [command] or tharsis [command] -h will output the help menu for that specific command.
Commands and options may evolve between major versions. Options must come before any arguments.
Check the FAQ to see if there's already an answer.
- *Â Â required
- !  deprecated
- ... repeatable
Global Options​
disable-autocomplete​
Uninstall shell autocompletion.
enable-autocomplete​
Install shell autocompletion.
h, help​
Show help output.
log​
Set the verbosity of log output for debugging.
Values: debug, error, info, off, trace, warn
Default: off
Env: THARSIS_CLI_LOG
no-color​
Disable colored output.
Default: false
Env: NO_COLOR
p, profile​
Profile to use from the configuration file.
Default: default
Env: THARSIS_PROFILE
v, version​
Show the version information.
admin command​
Activate or deactivate admin mode.
Subcommands:
activate- Activate admin mode.deactivate- Deactivate admin mode.
Admin mode grants temporary elevated privileges to the currently authenticated user. Use activate to enable admin mode (defaults to 30 minutes, max 6 hours) and deactivate to disable it.
admin activate subcommand​
Activate admin mode.
Activates admin mode for the currently authenticated user. Admin mode grants elevated privileges for a limited duration.
If no duration is specified, the API defaults to 30 minutes. Maximum duration is 6 hours.
tharsis admin activate
tharsis admin activate -duration 2h
Options​
duration​
Duration for admin mode (e.g. 30m, 2h). Defaults to 30m, max 6h.
json​
Show final output as JSON.
admin deactivate subcommand​
Deactivate admin mode.
Deactivates admin mode for the currently authenticated user.
tharsis admin deactivate
apply command​
Apply a Terraform run.
Creates and applies a Terraform run. First creates a plan, then applies after approval. Supports run-scoped Terraform and environment variables.
Terraform variables may be passed in via supported options or from the environment with a 'TF_VAR_' prefix.
tharsis apply -directory-path "./terraform" trn:workspace:<workspace_path>
Options​
auto-approve​
Skip interactive approval of the plan.
Default: false
directory-path​
The path of the root module's directory.
Conflicts: module-source
env-var ...​
An environment variable as a key=value pair.
env-var-file ...​
The path to an environment variables file.
include-module-prereleases​
When module-version is empty or a constraint range, allow prerelease module versions to be selected as latest.
Default: false
input​
Ask for input for variables if not directly set.
Default: true
module-source​
Remote module source specification.
Conflicts: directory-path
module-version​
Remote module version number. Uses latest if empty.
refresh​
Whether to do the usual refresh step.
Default: true
refresh-only​
Whether to do ONLY a refresh operation.
Default: false
target ...​
The Terraform address of the resources to be acted upon.
terraform-version​
The Terraform CLI version to use for the run.
tf-var ...​
A terraform variable as a key=value pair.
tf-var-file ...​
The path to a .tfvars variables file.
caller-identity command​
Get the caller's identity.
Returns information about the authenticated caller (User or ServiceAccount).
tharsis caller-identity
Options​
json​
Show final output as JSON.
configure command​
Create or update a profile.
Subcommands:
Creates or updates a profile. If no options are specified, the command prompts for values.
tharsis configure \
-http-endpoint "https://api.tharsis.example.com" \
-profile "prod-example"
Options​
endpoint-url !​
The Tharsis HTTP API endpoint.
Deprecated: use -http-endpoint instead
http-endpoint​
The Tharsis HTTP API endpoint.
insecure-tls-skip-verify​
Allow TLS but disable verification of the gRPC server's certificate chain and hostname. Only use for testing as it could allow connecting to an impersonated server.
Default: false
profile​
The name of the profile to set.
configure delete subcommand​
Remove a profile.
Removes a profile and its stored credentials.
tharsis configure delete prod-example
configure list subcommand​
Show all profiles.
Displays all configured profiles and their endpoints.
tharsis configure list
destroy command​
Destroy workspace resources.
Destroys all resources in a workspace. Creates a destroy plan, then applies after approval.
Terraform variables may be passed in via supported options or from the environment with a 'TF_VAR_' prefix.
tharsis destroy -directory-path "./terraform" trn:workspace:<workspace_path>
Options​
auto-approve​
Skip interactive approval of the plan.
Default: false
directory-path​
The path of the root module's directory.
Conflicts: module-source
env-var ...​
An environment variable as a key=value pair.
env-var-file ...​
The path to an environment variables file.
include-module-prereleases​
When module-version is empty or a constraint range, allow prerelease module versions to be selected as latest.
Default: false
input​
Ask for input for variables if not directly set.
Default: true
module-source​
Remote module source specification.
Conflicts: directory-path
module-version​
Remote module version number. Uses latest if empty.
refresh​
Whether to do the usual refresh step.
Default: true
target ...​
The Terraform address of the resources to be acted upon.
terraform-version​
The Terraform CLI version to use for the run.
tf-var ...​
A terraform variable as a key=value pair.
tf-var-file ...​
The path to a .tfvars variables file.
gpg-key command​
Do operations on GPG keys.
Subcommands:
create- Create a new GPG key.delete- Delete a GPG key.get- Get a GPG key.list- Retrieve a paginated list of GPG keys.
GPG keys are used for module attestation verification. Use gpg-key commands to create, delete, list, and get GPG keys within a group hierarchy.
gpg-key create subcommand​
Create a new GPG key.
Creates a new GPG key within a group. GPG keys are used to verify Terraform module attestations. The key is used to sign or verify module versions.
tharsis gpg-key create \
-group-id "trn:group:<group_path>" \
-ascii-armor "-----BEGIN PGP PUBLIC KEY BLOCK-----..."
Options​
ascii-armor *​
ASCII-armored GPG public key.
group-id *​
Group ID or TRN where the GPG key will be created.
json​
Show final output as JSON.
gpg-key delete subcommand​
Delete a GPG key.
Permanently removes a GPG key. This action is irreversible. Any module attestations signed with this key can no longer be verified.
tharsis gpg-key delete <gpg_key_id>
gpg-key get subcommand​
Get a GPG key.
Retrieves details about a GPG key including its ASCII-armored public key, fingerprint, and associated group.
tharsis gpg-key get <gpg_key_id>
Options​
json​
Show final output as JSON.
gpg-key list subcommand​
Retrieve a paginated list of GPG keys.
Lists GPG keys scoped to a namespace. Use -include-inherited to also show keys from parent groups. Supports pagination and sorting.
tharsis gpg-key list -namespace-path "<group_path>" -include-inherited -json
Options​
cursor​
The cursor string for manual pagination.
include-inherited​
Include GPG keys inherited from parent groups.
Default: false
json​
Show final output as JSON.
limit​
Maximum number of result elements to return.
Default: 100
namespace-path *​
Namespace path to list GPG keys for.
sort-by​
Sort by this field.
Values: GROUP_LEVEL_ASC, GROUP_LEVEL_DESC, UPDATED_AT_ASC, UPDATED_AT_DESC
group command​
Do operations on groups.
Subcommands:
add-membership- Add a membership to a group.create- Create a new group.delete- Delete a group.delete-terraform-var- Delete a terraform variable from a group.get- Get a single group.get-membership- Get a group membership.get-terraform-var- Get a terraform variable for a group.list- Retrieve a paginated list of groups.list-environment-vars- List all environment variables in a group.list-memberships- Retrieve a list of group memberships.list-terraform-vars- List all terraform variables in a group.migrate- Migrate a group to a new parent or to top-level.remove-membership- Remove a group membership.set-environment-vars- Set environment variables for a group.set-terraform-var- Set a terraform variable for a group.set-terraform-vars- Set terraform variables for a group.update- Update a group.update-membership- Update a group membership.
Groups are containers for organizing workspaces hierarchically. They can be nested and inherit variables and managed identities to children. Use group commands to create, update, delete groups, set Terraform and environment variables, manage memberships, and migrate groups between parents.
group add-membership subcommand​
Add a membership to a group.
Grants a user, service account, or team access to a group. Exactly one identity flag must be specified.
tharsis group add-membership \
-role-id "trn:role:<role_name>" \
-user-id "trn:user:<username>" \
trn:group:<group_path>
Options​
json​
Show final output as JSON.
role !​
The role for the membership.
Deprecated: use -role-id
role-id​
The role ID for the membership.
service-account-id​
The service account ID for the membership.
Conflicts: user-id, team-id, username, team-name
team-id​
The team ID for the membership.
Conflicts: user-id, service-account-id, username, team-name
team-name !​
The team name for the membership.
Deprecated: use -team-id
Conflicts: user-id, service-account-id, team-id, username
user-id​
The user ID for the membership.
Conflicts: service-account-id, team-id, username, team-name
username !​
The username for the membership.
Deprecated: use -user-id
Conflicts: user-id, service-account-id, team-id, team-name
group create subcommand​
Create a new group.
Creates a new group under a parent group with an optional description. Use -parents to automatically create any missing intermediate groups specified by -parent-group-id.
tharsis group create \
-parent-group-id "trn:group:<group_path>" \
-description "Operations group" \
<name>
tharsis group create -parents \
-parent-group-id "trn:group:xyz/team-a/dev" \
api
Options​
description​
Description for the new group.
if-not-exists​
Do not error if the group already exists; return the existing group instead.
Default: false
json​
Show final output as JSON.
parent-group-id​
Parent group ID.
parents​
Create missing intermediate groups specified by -parent-group-id.
Default: false
group delete subcommand​
Delete a group.
Permanently removes a group. Use -force to delete even if resources are deployed.
tharsis group delete \
-force \
trn:group:<group_path>
Options​
force, f​
Force delete the group.
version​
Optimistic locking version. Usually not required.
group delete-terraform-var subcommand​
Delete a terraform variable from a group.
Removes a Terraform variable from a group.
tharsis group delete-terraform-var \
-key "region" \
trn:group:<group_path>
Options​
key *​
Variable key.
version​
Optimistic locking version. Usually not required.
group get subcommand​
Get a single group.
Retrieves details about a group by ID or path.
tharsis group get \
-json \
trn:tharsis:group:<group_path>
Options​
json​
Show final output as JSON.
group get-membership subcommand​
Get a group membership.
Retrieves details about a specific group membership.
tharsis group get-membership \
-user-id "trn:user:<username>" \
trn:group:<group_path>
Options​
json​
Show final output as JSON.
service-account-id​
Service account ID to find the group membership for.
Conflicts: user-id, team-id, username, team-name
team-id​
Team ID to find the group membership for.
Conflicts: user-id, service-account-id, username, team-name
team-name !​
Team name to find the group membership for.
Deprecated: use -team-id
Conflicts: user-id, service-account-id, team-id, username
user-id​
User ID to find the group membership for.
Conflicts: service-account-id, team-id, username, team-name
username !​
Username to find the group membership for.
Deprecated: use -user-id
Conflicts: user-id, service-account-id, team-id, team-name
group get-terraform-var subcommand​
Get a terraform variable for a group.
Retrieves a Terraform variable from a group.
tharsis group get-terraform-var \
-key "region" \
trn:group:<group_path>
Options​
json​
Show final output as JSON.
key *​
Variable key.
show-sensitive​
Show the actual value of sensitive variables (requires appropriate permissions).
Default: false
group list subcommand​
Retrieve a paginated list of groups.
Lists groups with pagination, filtering, and sorting.
tharsis group list \
-parent-id "trn:group:<parent_group_path>" \
-sort-by "FULL_PATH_ASC" \
-limit 5 \
-json
Options​
cursor​
The cursor string for manual pagination.
json​
Show final output as JSON.
limit​
Maximum number of result elements to return.
Default: 100
parent-id​
Filter to only direct sub-groups of this parent group.
parent-path !​
Filter to only direct sub-groups of this parent group.
Deprecated: use -parent-id
search​
Filter to only groups containing this substring in their path.
sort-by​
Sort by this field.
Values: FULL_PATH_ASC, FULL_PATH_DESC, GROUP_LEVEL_ASC, GROUP_LEVEL_DESC, UPDATED_AT_ASC, UPDATED_AT_DESC
Conflicts: sort-order