Vengtoo Terraform Provider
Manage Vengtoo namespaces, resource types, resources, subjects, roles, groups, and policies as infrastructure as code.
Published at registry.terraform.io/providers/vengtoo/vengtoo.
Requires Terraform 1.0+.
Install
terraform {
required_providers {
vengtoo = {
source = "vengtoo/vengtoo"
version = "~> 0.2"
}
}
}
provider "vengtoo" {
# Credentials read from VENGTOO_CLIENT_ID / VENGTOO_CLIENT_SECRET env vars.
}
Run terraform init to download the provider.
Authentication
The provider uses the OAuth 2.0 Client Credentials flow. Create an OAuth client in the Vengtoo Console under Settings → API Access, open the OAuth Clients tab — client secrets are prefixed with azx_cs_.
The simplest setup is to export credentials as environment variables and leave the provider block empty:
export VENGTOO_CLIENT_ID=client_...
export VENGTOO_CLIENT_SECRET=azx_cs_...
terraform apply
Or set them explicitly in the provider block:
provider "vengtoo" {
client_id = "client_..."
client_secret = "azx_cs_..."
# endpoint = "https://api.vengtoo.com" # optional, or VENGTOO_ENDPOINT env var
}
The provider exchanges credentials for a short-lived access token at startup and refreshes automatically before expiry.
Quick example
resource "vengtoo_resource_type" "document" {
name = "document"
description = "Company documents and wikis"
actions = ["read", "write", "delete", "share"]
}
resource "vengtoo_subject" "alice" {
name = "Alice"
type = "user"
external_id = "alice-uuid-from-your-db"
description = "Alice from the engineering team"
}
resource "vengtoo_role" "editor" {
name = "editor"
description = "Can read and write documents"
}
resource "vengtoo_resource" "wiki" {
name = "Engineering Wiki"
external_id = "engineering-wiki-001"
type = vengtoo_resource_type.document.id
}
resource "vengtoo_policy" "editors_can_edit" {
name = "editors-can-edit"
description = "Editors can read and write the wiki"
effect = "ALLOW"
priority = 50
resources = [
{
resource_id = vengtoo_resource.wiki.id
actions = ["read", "write"]
},
]
}
resource "vengtoo_policy_assignment" "editors_can_edit" {
policy_id = vengtoo_policy.editors_can_edit.id
entity_type = "role"
entity_id = vengtoo_role.editor.id
}
resource "vengtoo_role_assignment" "alice_editor" {
subject_id = vengtoo_subject.alice.id
role_id = vengtoo_role.editor.id
}
After terraform apply, verify Alice can read the wiki:
curl -s -X POST https://api.vengtoo.com/access/v1/evaluation \
-H "Authorization: Bearer $VENGTOO_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"subject": { "external_id": "alice-uuid-from-your-db", "type": "user" },
"action": { "name": "read" },
"resource": { "external_id": "engineering-wiki-001", "type": "document" }
}'
# → {"decision": true}
Resources
Full documentation for every resource is on the Terraform Registry provider page.
Import
All resources support import by ID:
terraform import vengtoo_namespace.app <application-id>
terraform import vengtoo_role.editor <role-id>
terraform import vengtoo_policy.my_policy <policy-id>
Assignments use composite IDs:
terraform import vengtoo_policy_assignment.x <entity_type>:<entity_id>:<policy_id>
terraform import vengtoo_role_assignment.y <subject_id>:<role_id>
Source
github.com/vengtoo/terraform-provider-vengtoo — MPL-2.0 licensed.