What is Terraform?
Terraform is an infrastructure-as-code tool that lets you define and manage IndyKite configurations in declarative configuration files. This guide helps you set up Terraform to create configurations in the IndyKite platform.
How do I install Terraform?
Mac
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
terraform --versionUbuntu
sudo apt update
brew install terraform
terraform -v
or
sudo apt install terraform -y
terraform -versionWhat credentials do I need?
You need Service Account credentials to use Terraform with IndyKite. Export them as environment variables:
Credentials: export INDYKITE_SERVICE_ACCOUNT_CREDENTIALS_FILE=lnk-to-the-service-account-credentials
Or export INDYKITE_SERVICE_ACCOUNT_CREDENTIALS=content-of-service-account-credentialsWhere do I get Service Account credentials?
- Create them in the IndyKite Hub at the Organization level
- See Credentials Guide for details
How do I structure my Terraform files?
Create a main.tf file in a directory. Each configuration requires:
- terraform block: Declares the IndyKite provider
- provider block: Configures the IndyKite provider
- resource/data blocks: Defines the resources to create or reference
How do I create a project environment?
This example creates the complete environment hierarchy: Project (ApplicationSpace), Application, Application Agent, and Credentials.
terraform {
required_providers {
indykite = {
source = "indykite/indykite"
version = 1.30.0 # or latest version
}
}
}
provider "indykite" {}
# call the indykite_customer datasource
data "indykite_customer" "customer1" {
name = "your-customer-name"
}
# call the indykite_application_space resource to create a new project
resource "indykite_application_space" "appspace1" {
customer_id = data.indykite_customer.customer.id
name = "project-name"
display_name = "Prject display name"
description = "Description of your project"
region = "us-east1"
ikg_size = "4GB"
replica_region = "us-west1"
}
# call the indykite_application_space resource to create a new project with your own DB
resource "indykite_application_space" "appspace2" {
customer_id = data.indykite_customer.customer.id
name = "terraform-pipeline-appspace2"
display_name = "Terraform appspace 2"
description = "Application space for terraform pipeline"
region = "europe-west1" # or us-east1
db_connection {
url = "neo4j+s://xxxxxxxx.databases.neo4j.io"
username = "testuser"
password = "testpass"
name = "testdb"
}
}
# call the indykite_application resource to create a new application
resource "indykite_application" "application1" {
app_space_id = indykite_application_space.appspace.id
name = "application-name"
display_name = "Application display name"
description = "Description of your application"
}
# call the indykite_application_agent to create a new application agent
resource "indykite_application_agent" "agent" {
application_id = indykite_application.application.id
name = "application-agent-name"
display_name = "Application agent display name"
description = "Description of your application agent"
}
# call the indykite_application_agent_credential to create a new application agent credential
resource "indykite_application_agent_credential" "with_public" {
app_agent_id = indykite_application_agent.agent.id
display_name = "Credential display name"
expire_time = "2026-12-31T12:34:56-01:00" #must be less than 2 years to generate a token
}What resources are created?
| Resource | Description |
|---|---|
indykite_application_space | Project container with its own IKG. Use ikg_size for managed IKG or db_connection for your own Neo4j. |
indykite_application | Application within the project |
indykite_application_agent | Agent identity for API authentication |
indykite_application_agent_credential | Token for the agent (expires in max 2 years) |
How do I create a KBAC policy?
KBAC policies define authorization rules. This example creates a policy that allows a Person to drive a Car they own.
terraform {
required_providers {
indykite = {
source = "indykite/indykite"
version = 1.30.0 # or latest version
}
}
}
provider "indykite" {}
resource "indykite_authorization_policy" "policy_drive_car" {
name = "terraform-pipeline-policy-drive-car"
display_name = "Terraform policy drive car"
description = "Policy for terraform pipeline"
json = jsonencode({
meta = {
policyVersion = "1.0-indykite"
},
subject = {
type = "Person"
},
actions = ["CAN_DRIVE"],
resource = {
type = "Car"
},
condition = {
cypher = "MATCH (subject:Person)-[:OWNS]->(resource:Car)"
}
})
location = indykite_application_space.appspace.id
status = "active"
}What are the key policy fields?
| Field | Description |
|---|---|
meta.policyVersion | Use 1.0-indykite for KBAC policies |
subject.type | Node type of the requesting entity (e.g., Person) |
actions | Array of action names (e.g., CAN_DRIVE, CAN_READ) |
resource.type | Node type of the resource being accessed (e.g., Car) |
condition.cypher | Graph pattern that must exist for access to be granted |
How do I create a CIQ policy and Knowledge Query?
CIQ (ContX IQ) policies use 1.0-ciq version and support read/write operations. This example uses _Application as the subject.
terraform {
required_providers {
indykite = {
source = "indykite/indykite"
version = 1.30.0 # or latest version
}
}
}
provider "indykite" {}
resource "indykite_authorization_policy" "policy_for_ciq" {
name = "terraform-pipeline-policy-for-ciq"
display_name = "Terraform policy for CIQ"
description = "Policy for CIQ in terraform pipeline"
json = jsonencode({
"meta": {
"policy_version": "1.0-ciq"
},
"subject": {
"type": "_Application"
},
"condition": {
"cypher": "MATCH (subject:_Application) MATCH (person:Person)-[r1:ACCEPTED]->(contract:Contract)-[r2:COVERS]->(vehicle:Vehicle)-[r3:HAS]->(ln:LicenseNumber)",
"filter": [
{
"operator": "AND",
"operands": [
{
"attribute": "person.property.email",
"operator": "=",
"value": "$person_email"
},
{
"attribute": "subject.external_id",
"operator": "=",
"value": "$_appId"
}
]
}
]
},
"allowed_reads":{
"nodes":["ln.property.number", "ln.property.transferrable"],
"relationships":[]
}
})
location = indykite_application_space.appspace.id
status = "active"
}
resource "indykite_knowledge_query" "create-query" {
name = "terraform-knowledge-query"
display_name = "Terraform knowledge-query"
description = "Knowledge query for terraform"
location = indykite_application_space.appspace.id
query = jsonencode({
"nodes" : ["ln.property.number"],
"relationships" : [],
"filter" : { "attribute" : "ln.property.number", "operator" : "=", "value" : "$ln_number" }
})
status = "active"
policy_id = indykite_authorization_policy.policy_for_ciq.id
}What is special about _Application as subject?
When using _Application as the subject type:
- The
$_appIdparameter is automatically populated with the Application’s external_id - No user access token is required for CIQ execution
- Useful for service-to-service authorization
What does the Knowledge Query define?
| Field | Description |
|---|---|
nodes | Node variables to return in results |
relationships | Relationship variables to return in results |
filter | Additional filters with partial parameters (prefixed with $) |
policy_id | Links the query to its authorization policy |
How do I execute Terraform?
Step 1: Initialize the working directory
Downloads the IndyKite provider and sets up the working directory.
terraform initStep 2: Preview the changes
Shows what Terraform will create, modify, or destroy without making changes.
terraform planStep 3: Apply the configuration
Creates or updates the resources in IndyKite.
terraform applyHow do I destroy resources?
To remove all resources defined in your configuration:
terraform destroyNext Steps
- Terraform provider documentation: IndyKite Terraform Provider
- External Data Resolver: Configure external API lookups
- Trust Score Profile: Assess data quality
- More Terraform examples: Terraform Configurations
- Full examples: Developer Hub Resources
- Credentials guide: Credentials Guide