Resource Reference
All 14 managed resources. Each entry shows: HCL, the most important arguments, what's computed, and the immutable / sensitive fields.
Conventions used throughout:
- Required — must be set in HCL.
- Optional — has a default or is genuinely optional.
- Computed — never set in HCL; populated from the API after apply.
- Sensitive — masked in plan output and terraform output. Stored in state; protect your state.
- Immutable — changing forces destroy + recreate (RequiresReplace).
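A replace of an immutable field is easy to miss in a long plan. The following check is an added example, not part of the provider: it reads the JSON from `terraform show -json tfplan` and lists every agentcy_* resource the plan would destroy and recreate. The function name, the secret mapping (taken from the webhook and API key entries on this page) and the sample plan are constructed for illustration.

```python
"""Flag agentcy_* resources that a plan would destroy and recreate."""
import json

# Per the resource entries on this page, these types hand out a secret only at
# create time, so a replace also rotates the secret every consumer holds.
CREATE_TIME_SECRET = {"agentcy_webhook": "secret_token", "agentcy_api_key": "key"}


def find_replacements(plan: dict) -> list[dict]:
    """Return one finding per agentcy_* resource whose actions include both
    delete and create (how plan JSON encodes a replace)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if not rc.get("type", "").startswith("agentcy_"):
            continue
        if not {"delete", "create"} <= actions:
            continue
        # replace_paths lists the attribute paths that forced the replace.
        forced = [".".join(str(p) for p in path)
                  for path in change.get("replace_paths") or []]
        findings.append({
            "address": rc["address"],
            "forced_by": forced,
            "rotates": CREATE_TIME_SECRET.get(rc["type"]),
        })
    return findings


# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "agentcy_api_key.ci", "type": "agentcy_api_key",
   "change": {"actions": ["delete", "create"],
              "replace_paths": [["expires_in_days"]]}},
  {"address": "agentcy_realm.engineering", "type": "agentcy_realm",
   "change": {"actions": ["create", "delete"], "replace_paths": [["name"]]}},
  {"address": "agentcy_role.viewer", "type": "agentcy_role",
   "change": {"actions": ["update"]}}
]}
""")

if __name__ == "__main__":
    for f in find_replacements(SAMPLE_PLAN):
        note = f" (rotates {f['rotates']})" if f["rotates"] else ""
        print(f"REPLACE {f['address']} forced by {f['forced_by']}{note}")
```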
agentcy_source
Ingestion connector. The valid source_type values are listed by the connector catalog at GET /api/v1/sources/catalog, the source-side equivalent of the agentcy_agent_types data source.
hcl
resource "agentcy_source" "github" {
  source_type = "github_pat" # Required, immutable
  name = "main-monorepo" # Required
  config = jsonencode({ # Required, sensitive
    token = var.gh_token
    repositories = ["acme/monorepo"]
  })
  schedule = "0 */6 * * *" # Optional cron
  visibility = "organization" # Optional
  realm = "engineering" # Optional, defaults from source_type
}

| Argument | Notes |
|---|---|
| source_type | Required, immutable. One of github_pat, aws, gcp, vercel, csv, sql, mongodb, etc. |
| config | Required, sensitive. Per-type JSON object — see the connector docs. |
| schedule | Optional cron expression for auto-sync. Empty string disables. |
Computed: id, status, created_at.
agentcy_settings
Singleton — one per organization. Create and Update both PUT the desired state; Delete is a no-op.
hcl
resource "agentcy_settings" "this" {
  organization_name = "Acme"
  llm_provider = "openai"
  llm_model = "gpt-4o"
  llm_base_url = "https://api.openai.com/v1"
  embedding_model = "all-MiniLM-L6-v2"
  auto_embed_on_ingest = true
  approval_timeout_secs = 300
}
id is always org-settings.
agentcy_realm
Graph namespace. The default realm exists automatically and cannot be deleted.
hcl
resource "agentcy_realm" "engineering" {
  name = "engineering" # Required, immutable, lowercase a-z0-9-_, ≤100
  display_name = "Engineering Team"
  description = "Eng-only graph data"
  color = "#3b82f6"
}
agentcy_agent
Typed agent (enrichment, anomaly detection, relationship discovery, …).
hcl
resource "agentcy_agent" "enricher" {
  agent_type = "enrichment" # Required, immutable
  name = "team-enricher" # Required
  config = jsonencode({}) # Optional
  enabled = true # Optional, defaults true
}
Use the agentcy_agent_types data source for the catalog of valid agent_type values.
agentcy_webhook
Inbound webhook endpoint. The secret_token is plaintext only at create time and is recorded in state as a sensitive computed value.
hcl
resource "agentcy_webhook" "alerts" {
  name = "alerts-hook"
  description = "PagerDuty alerts"
  payload_template = "{ \"alert\": {{json .body}} }"
  system_prompt = "Triage incoming alerts and route to oncall."
}
output "alert_url" { value = agentcy_webhook.alerts.url }
# A single-line block may hold only one argument, so this output is multi-line.
output "alert_secret" {
  value = agentcy_webhook.alerts.secret_token
  sensitive = true
}
Computed: id, slug, secret_token, url, created_at.
To rotate the secret: destroy and recreate. There's no in-place rotation today.
agentcy_skill
Versioned, named, scope-tagged content blob agents can call.
hcl
resource "agentcy_skill" "summarize" {
  name = "Summarize PR"
  slug = "summarize-pr" # Required, immutable
  description = "Summarize a GitHub PR"
  version = "0.1.0"
  tags = ["github", "summary"]
  content = file("${path.module}/skills/summarize-pr.md")
  scope = "org" # Optional, immutable; "org" or "user"
}
agentcy_memory
Persistent memory entries.
hcl
resource "agentcy_memory" "house_style" {
  content = "Default response tone: concise, technical, no fluff."
  title = "House style"
  memory_type = "guideline"
  tags = ["style", "tone"]
  realm = "engineering" # Optional, immutable
}
The importance field (0.0–1.0) is intentionally not exposed in v1 — the backend stores it as 32-bit float, which round-trips with precision drift. Manage importance via the API directly.
agentcy_api_key
Programmatic API key. The plaintext key is returned only at create and is persisted in state as a sensitive computed value. Delete is a soft revoke (the row stays in the DB with active = false).
hcl
resource "agentcy_api_key" "ci" {
  name = "ci-pipeline"
  permissions = ["agent:manage", "source:manage"]
  source_ids = [agentcy_source.repo.id] # Optional scoping
  expires_in_days = 90 # Immutable; rotate by recreating
}
# A single-line block may hold only one argument, so this output is multi-line.
output "ci_key" {
  value = agentcy_api_key.ci.key
  sensitive = true
}
agentcy_task
Cron-scheduled task that runs an agent.
hcl
resource "agentcy_task" "morning_summary" {
  name = "morning-summary"
  cron_expression = "0 9 * * 1-5"
  timezone = "UTC"
  message_template = "Summarize yesterday's PRs."
  system_prompt = "Be concise."
  response_channel = "slack:#eng"
  source_ids = [agentcy_source.repo.id]
  is_active = true
  trigger_type = "schedule" # Optional, immutable. "schedule" (default) or "webhook".
}
For webhook tasks (trigger_type = "webhook"), webhook_slug and webhook_url are computed.
agentcy_role
RBAC role. Built-in roles (is_builtin = true) cannot be modified.
hcl
resource "agentcy_role" "viewer" {
  name = "viewer"
  description = "Read-only access"
  permissions = ["graph:read", "agent:manage"]
}
Use agentcy_permissions to discover valid permission strings.
agentcy_policy
Rego policy. Provide the body via rego_code (inline) or rego_file (path on the runner) — exactly one is required. The provider validates the Rego against the backend's /policies/policies/validate endpoint at plan time, so syntactic errors fail before apply.
hcl
resource "agentcy_policy" "business_hours" {
  name = "business-hours-only"
  package_path = "agentcy.business_hours"
  rego_code = <<-EOT
    package agentcy.business_hours
    default allow := true
    deny[msg] if {
      input.action == "write"
      hour := time.clock([time.now_ns(), "UTC"])[0]
      hour < 9
      msg := "Writes blocked before 09:00 UTC"
    }
  EOT
  enabled = true
}
# Or load from a file:
resource "agentcy_policy" "from_file" {
  name = "tenant-isolation"
  package_path = "agentcy.tenant_iso"
  rego_file = "${path.module}/policies/tenant_iso.rego"
}
agentcy_policy_source
Git-backed source for Rego policies.
hcl
resource "agentcy_policy_source" "shared" {
  name = "shared-policies"
  source_type = "git_repo" # Required, immutable. "git_repo" or "inline".
  git_url = "git@github.com:acme/shared-policies.git"
  git_branch = "main"
  git_path = "policies/"
  git_ssh_key = file("~/.ssh/agentcy-deploy") # Sensitive
  enabled = true
}
Sync is RPC, not declarative — invoke POST /api/v1/policies/sources/{id}/sync after apply.
agentcy_channel
Messaging channel record (Slack, WhatsApp, Telegram, …). The provider manages the row only — connection (QR scan, OAuth handshake) is completed via the UI/API after the resource is created.
hcl
resource "agentcy_channel" "telegram" {
  channel_type = "telegram" # Required, immutable
  display_name = "Acme Bot"
  system_prompt = "Reply concisely."
  source_ids = [agentcy_source.repo.id]
  response_mode = "agent" # "disabled", "enabled", or "agent"
  is_active = true
  filter_config = jsonencode({}) # Optional JSON
}
instance_name is server-derived from channel_type and any existing instances.
agentcy_gateway
External orchestration engine connection (OpenFang, future providers). Manages the connection record — does not boot the engine.
hcl
resource "agentcy_gateway" "openfang" {
  name = "primary"
  engine_type = "openfang"
  base_url = "http://openfang:4200"
  api_key = var.openfang_key # Sensitive
  is_default = true
  context = jsonencode({}) # Optional JSON passed on every dispatch
}
last_health_status is computed and updates after the API's health-check RPC.
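Several entries on this page mark an attribute as sensitive, and all of those values are written to state. The inventory below is an added example, not part of the provider: it walks the JSON from `terraform show -json` and reports which of those attributes a state actually holds, without returning the values. The function names and the sample state are constructed for illustration.

```python
"""List which agentcy_* secrets a Terraform state holds, without printing them."""
import json

# Sensitive attributes named in the resource entries on this page.
SENSITIVE_ATTRS = {
    "agentcy_source": ["config"],
    "agentcy_webhook": ["secret_token"],
    "agentcy_api_key": ["key"],
    "agentcy_policy_source": ["git_ssh_key"],
    "agentcy_gateway": ["api_key"],
}


def walk_modules(module: dict):
    """Yield every resource in a module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_modules(child)


def secrets_in_state(state: dict) -> list[tuple[str, str]]:
    """Return (resource address, attribute) for each secret stored in state."""
    root = state.get("values", {}).get("root_module", {})
    held = []
    for res in walk_modules(root):
        for attr in SENSITIVE_ATTRS.get(res.get("type"), []):
            # Presence is enough: the value itself is never returned or logged.
            if res.get("values", {}).get(attr) not in (None, ""):
                held.append((res["address"], attr))
    return sorted(held)


# Constructed sample in the shape of `terraform show -json`; values are placeholders.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "agentcy_webhook.alerts", "type": "agentcy_webhook",
     "values": {"name": "alerts-hook", "secret_token": "PLACEHOLDER"}}],
  "child_modules": [{"address": "module.ci", "resources": [
    {"address": "module.ci.agentcy_api_key.ci", "type": "agentcy_api_key",
     "values": {"name": "ci-pipeline", "key": "PLACEHOLDER"}},
    {"address": "module.ci.agentcy_policy_source.shared",
     "type": "agentcy_policy_source",
     "values": {"source_type": "inline", "git_ssh_key": null}}]}]
}}}
""")

if __name__ == "__main__":
    print(secrets_in_state(SAMPLE_STATE))
```

`terraform show -json` prints sensitive values in plaintext, so pipe its output into the check rather than writing it to disk.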