AuthzX Terraform Provider
Manage AuthzX applications, resources, subjects, roles, groups, and policies as infrastructure as code.
Published at registry.terraform.io/providers/authzx/authzx.
Requires Terraform 1.0+.
Install
```hcl
terraform {
  required_providers {
    authzx = {
      source  = "authzx/authzx"
      version = "~> 0.2"
    }
  }
}

provider "authzx" {
  # Credentials read from AUTHZX_CLIENT_ID / AUTHZX_CLIENT_SECRET env vars.
}
```

Run `terraform init` to download the provider.
Authentication
The provider uses the OAuth 2.0 Client Credentials flow. Create an OAuth client in the AuthzX console under Settings → API → OAuth Clients — client secrets are prefixed with azx_cs_.
The simplest setup is to export credentials as environment variables and leave the provider block empty:
```sh
export AUTHZX_CLIENT_ID=client_...
export AUTHZX_CLIENT_SECRET=azx_cs_...
terraform apply
```
Or set them explicitly in the provider block:
```hcl
provider "authzx" {
  client_id     = "client_..."
  client_secret = "azx_cs_..."
  # endpoint = "https://api.authzx.com" # optional, or AUTHZX_ENDPOINT env var
}
```
The provider exchanges credentials for a short-lived access token at startup and refreshes automatically before expiry.
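A literal `client_secret` in a `.tf` file travels wherever that file goes, including version control. The check below is an added example (not part of the AuthzX provider or its documentation) that scans Terraform source for `azx_cs_` values and for literal `client_secret` attributes inside `provider "authzx"` blocks; the secret body pattern and the sample values are assumptions, since the page documents only the prefix.

```python
import re

# Assumption: the page documents only the "azx_cs_" prefix. The body character
# set and minimum length used here are illustrative guesses.
SECRET_RE = re.compile(r"azx_cs_[A-Za-z0-9_-]{8,}")
PROVIDER_RE = re.compile(r'^\s*provider\s+"authzx"\s*\{')
LITERAL_RE = re.compile(r'\bclient_secret\s*=\s*"([^"]+)"')

def strip_comment(line):
    """Drop a # or // comment that starts outside a string (/* */ not handled)."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_string = not in_string
        elif not in_string and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line

def find_hardcoded_secrets(text):
    """Return (line_number, reason) findings for Terraform source text."""
    findings, in_provider, depth = [], False, 0
    for number, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        reason = "azx_cs_ secret literal" if SECRET_RE.search(line) else None
        if not in_provider and PROVIDER_RE.match(line):
            in_provider, depth = True, 0
        if in_provider:
            attr = LITERAL_RE.search(line)
            # "${...}" means the value is interpolated, not hardcoded.
            if reason is None and attr and "${" not in attr.group(1):
                reason = "literal client_secret in provider block"
            depth += line.count("{") - line.count("}")
            in_provider = depth > 0
        if reason:
            findings.append((number, reason))
    return findings

# Constructed sample input; the secret values are made up for this example.
SAMPLE = '''\
provider "authzx" {
  client_secret = "azx_cs_CONSTRUCTEDexample0001"
  # client_secret = "azx_cs_COMMENTEDOUT00001"
}
locals {
  leaked = "azx_cs_CONSTRUCTEDexample0002"
}
'''

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE))
```

An empty provider block, or one that reads `client_secret` from a variable, produces no findings.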
Quick example
```hcl
resource "authzx_application" "app" {
  name        = "Documents"
  description = "Document management app"
}

resource "authzx_resource_type" "document" {
  application_id = authzx_application.app.id
  name           = "document"
  actions        = ["read", "write", "delete", "share"]
}

resource "authzx_subject" "alice" {
  application_id = authzx_application.app.id
  name           = "Alice"
  type           = "user"
}

resource "authzx_role" "editor" {
  application_id = authzx_application.app.id
  name           = "editor"
  description    = "Can read and write documents"
}

resource "authzx_resource" "wiki" {
  application_id = authzx_application.app.id
  name           = "Engineering Wiki"
  type           = authzx_resource_type.document.id
}

resource "authzx_policy" "editors_can_edit" {
  application_id = authzx_application.app.id
  name           = "editors-can-edit"
  description    = "Editors can read and write the wiki"
  effect         = "ALLOW"
  priority       = 50
  resources = [
    {
      resource_id = authzx_resource.wiki.id
      actions     = ["read", "write"]
    },
  ]
}

resource "authzx_policy_assignment" "editors_can_edit" {
  policy_id   = authzx_policy.editors_can_edit.id
  entity_type = "role"
  entity_id   = authzx_role.editor.id
}

resource "authzx_role_assignment" "alice_editor" {
  subject_id = authzx_subject.alice.id
  role_id    = authzx_role.editor.id
}
```
Resources
| Resource | Description |
|---|---|
| `authzx_application` | Container for an authorization model. |
| `authzx_resource_type` | Resource type with a set of available actions. |
| `authzx_resource` | Instance of a resource type that policies reference. |
| `authzx_subject` | User, service, or device that can be granted access. |
| `authzx_role` | Named collection of policies for assigning to subjects or groups. |
| `authzx_group` | Tenant-wide collection of subjects for bulk role/policy assignment. |
| `authzx_policy` | ALLOW/DENY rule with priority and conditions. |
| `authzx_policy_assignment` | Attach a policy to a role, subject, or group. |
| `authzx_role_assignment` | Attach a role to a subject. |
Full per-resource documentation is available on the Terraform Registry provider page.
Import
All resources support import by ID:
```sh
terraform import authzx_application.app <application-id>
terraform import authzx_role.editor <role-id>
terraform import authzx_policy.my_policy <policy-id>
```
Assignments use composite IDs:
```sh
terraform import authzx_policy_assignment.x <entity_type>:<entity_id>:<policy_id>
terraform import authzx_role_assignment.y <subject_id>:<role_id>
```
Source
github.com/authzx/terraform-provider-authzx — MPL-2.0 licensed.