Configure the Provider
The provider requires only an API endpoint and an API key. Everything else is optional.
Provider block
```hcl
provider "agentcy" {
  endpoint = "https://api.tenant.example.com"
  api_key  = var.agentcy_api_key
}
```

| Argument | Required | Env | Description |
|---|---|---|---|
| endpoint | yes | AGENTCY_ENDPOINT | Tenant API base URL — no trailing slash, no /api/v1 suffix. |
| api_key | yes | AGENTCY_API_KEY | Bearer token. Generate via Settings → API Keys or POST /api/v1/api-keys. JWT bearer tokens also work. |
| org_id | no | AGENTCY_ORG_ID | Override the org. Inferred from the token when omitted. |
| insecure | no | AGENTCY_INSECURE=1 | Skip TLS verification (dev only). |
| user_agent | no | AGENTCY_USER_AGENT | Override the User-Agent — useful when running behind an audit-logging proxy. |

Any HCL value can come from an env var instead — useful for CI where you don't want secrets in tfvars files.
Cloud control-plane block (optional)
If your config touches both a tenant and the Agentcy Cloud control plane (e.g. provisioning a new tenant and then populating it), add a cloud block:
```hcl
provider "agentcy" {
  endpoint = "https://api.tenant.example.com"
  api_key  = var.agentcy_api_key

  cloud {
    endpoint = "https://cloud.agentcylabs.com"
    api_key  = var.cloud_api_key
  }
}
```

The cloud block is currently reserved for future agentcy_cloud_* resources. It's accepted today so configs written now won't need to change when those resources land.
Authenticating in CI
The recommended pattern: mint a long-lived API key scoped to exactly the resources you need, store it in your CI secret store, and read it via env:
```bash
export AGENTCY_ENDPOINT="https://api.tenant.example.com"
export AGENTCY_API_KEY="ak_..."
terraform plan
```

API keys can be scoped to specific connector sources via source_ids — useful when you want a CI key that can only manage the resources it provisioned.
State
State files contain sensitive values: connector credentials, webhook secrets, API key plaintext. Use a remote backend with at-rest encryption (S3 + KMS, GCS + CMEK, Terraform Cloud, etc.). Local state on a developer laptop is acceptable for prototyping but not for production.
The provider marks the following attributes sensitive = true so they don't print in plan output:
- agentcy_source.config
- agentcy_webhook.secret_token
- agentcy_api_key.key
- agentcy_gateway.api_key
- agentcy_policy_source.git_ssh_key
- the provider-level api_key
terraform output will refuse to print them unless you pass -raw and the output is itself marked sensitive.
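
Marking an attribute sensitive only changes how it is displayed; the value is still written to state, which is why the backend needs encryption. The check below is an added example, not the provider's own code: it walks a Terraform state document (format version 4) and reports which of the resource attributes listed above are stored with a value, returning addresses only and never the values. The sample state and its resource names are constructed for illustration.

```python
import json

# Sensitive resource attributes listed on this page: resource type -> attribute.
SENSITIVE_ATTRS = {
    "agentcy_source": "config",
    "agentcy_webhook": "secret_token",
    "agentcy_api_key": "key",
    "agentcy_gateway": "api_key",
    "agentcy_policy_source": "git_ssh_key",
}

def find_plaintext_secrets(state: dict) -> list[str]:
    """Return addresses of sensitive attributes that hold a value in state."""
    findings = []
    for res in state.get("resources", []):
        attr = SENSITIVE_ATTRS.get(res.get("type"))
        if attr is None or res.get("mode", "managed") != "managed":
            continue  # not a resource type from the list, or a data source
        for inst in res.get("instances", []):
            value = (inst.get("attributes") or {}).get(attr)
            if not value:  # null or empty: nothing secret stored here
                continue
            addr = f'{res["type"]}.{res["name"]}'
            if "index_key" in inst:  # count / for_each instances
                addr += f'[{json.dumps(inst["index_key"])}]'
            findings.append(f"{addr}.{attr}")
    return findings

# Constructed sample in state format version 4 (not real data).
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "agentcy_webhook", "name": "alerts",
         "instances": [{"attributes": {"secret_token": "constructed-token"}}]},
        {"mode": "managed", "type": "agentcy_api_key", "name": "ci",
         "instances": [
             {"index_key": "plan", "attributes": {"key": "constructed-key"}},
             {"index_key": "apply", "attributes": {"key": ""}},
         ]},
        {"mode": "managed", "type": "agentcy_source", "name": "docs",
         "instances": [{"attributes": {"config": None}}]},
    ],
}

if __name__ == "__main__":
    for address in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext in state:", address)
```

Running it against a local terraform.tfstate (loaded with json.load) shows what would be exposed if that file were committed or copied off the laptop.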
Logging
Set TF_LOG=DEBUG to see every API request the provider makes. Sensitive request body fields are redacted (the provider replaces values for keys named api_key, token, secret, or password with ***).