Skip to main content

Terraform Cloud Actions

Port's Terraform Cloud Action can trigger a Terraform Cloud run using a customer provided input and port_payload.

Port Kafka Architecture

The steps shown in the image above are as follows:

  1. Port publishes an invoked Action message containing the pipeline details to a topic;
  2. A secure topic (ORG_ID.runs) holds all the action invocations;
  3. Port's execution agent pulls the new trigger event from your Kafka topic, and triggers your Terraform Cloud run.


  • Helm must be installed to use the chart. Please refer to Helm's documentation for further details on the installation;
  • The connection credentials to Kafka are provided to you by Port;
  • If you want to trigger a Terraform Cloud run, you need to have a Terraform Cloud User token or Team token.

Note: Terraform Cloud run endpoint cannot be accessed with organization tokens. You must access it with a user token or team token.

Further steps

Triggering example

Create the following blueprint, action and mapping to trigger a Terraform Cloud run.

"identifier": "terraform_cloud_workspace",
"title": "Terraform Cloud Workspace",
"icon": "Terraform",
"schema": {
"properties": {
"workspace_id": {
"title": "Workspace Id",
"type": "string"
"required": ["workspace_id"]
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
"identifier": "trigger_tf_run",
"title": "Trigger TF Cloud run",
"icon": "Terraform",
"userInputs": {
"properties": {},
"required": [],
"order": []
"invocationMethod": {
"type": "WEBHOOK",
"agent": true,
"synchronized": false,
"method": "POST",
"url": ""
"trigger": "DAY-2",
"requiredApproval": false
Mapping - (Should be saved as a file named invocations.json)

To read more about the controlThePayload configuration, please refer to the Control the payload documentation.

"enabled": ".action == \"trigger_tf_run\"",
"headers": {
"Authorization": "\"Bearer \" + env.TF_TOKEN",
"Content-Type": "\"application/vnd.api+json\""
"body": {
"data": {
"attributes": {
"is-destroy": false,
"message": "\"Triggered via Port\"",
"variables": " | to_entries | map({key: .key, value: .value})"
"type": "\"runs\"",
"relationships": {
"workspace": {
"data": {
"type": "\"workspaces\"",
"id": ""
"report": {
"status": "if .response.statusCode == 201 then \"SUCCESS\" else \"FAILURE\" end",
"link": "\"\" + + \"/workspaces/\" + + \"/runs/\" +",
"externalRunId": ""


  1. Add Port's Helm repo by using the following command:
helm repo add port-labs

If you already added this repo earlier, run helm repo update to retrieve the latest versions of the charts. You can then run helm search repo port-labs to see the charts.

  1. Create a JSON file named invocations.json with the mapping above.

  2. Install the port-agent chart by using the following command after filling in the required values:

helm install my-port-agent port-labs/port-agent \
--create-namespace --namespace port-agent \
--set-file controlThePayloadConfig=./invocations.json \
--set env.normal.PORT_ORG_ID=YOUR_ORG_ID \