Wocha Docs

Terraform Provider

Manage Wocha auth platform resources as infrastructure-as-code with the wocha/wocha Terraform provider.

The Wocha Terraform provider (wocha/wocha) lets you manage Wocha auth platform resources as infrastructure-as-code. It complements the wocha config pull/push CLI commands for teams that prefer Terraform workflows.

Status: The provider defines resource and data source schemas. CRUD operations are still being implemented — use wocha config pull/push for production config sync today.

Requirements

  • Terraform 1.0+
  • A Wocha Management API key with appropriate scopes

Provider configuration

main.tf
terraform {
  required_providers {
    wocha = {
      source  = "wocha/wocha"
      version = "~> 0.1"
    }
  }
}
 
provider "wocha" {
  api_key     = var.wocha_api_key
  tenant_slug = "acme"
  # base_url  = "https://api.internal.example.com/v1" # optional, self-hosted
}
ArgumentDescriptionDefault
api_keyManagement API key$WOCHA_API_KEY
tenant_slugWocha Cloud tenant slug$WOCHA_TENANT
base_urlManagement API base URL (self-hosted)$WOCHA_API_URL

For Wocha Cloud, the API URL resolves to https://{tenant_slug}.api.wocha.ai/v1 automatically.

Resources

ResourceDescription
wocha_applicationOAuth 2.0 / OIDC application
wocha_connectionSocial, enterprise SSO, or SCIM connection
wocha_organisationOrganisation in the tenant hierarchy
wocha_webhookWebhook subscription
greet_actionCustom Action (sandboxed JavaScript hook)
wocha_token_ruleDeclarative token claim rule
wocha_api_keyManagement API key (secret returned on create only)
greet_roleSpiceDB role definition

Example: OAuth application and webhook

resource "wocha_application" "web" {
  client_name                = "Acme Web App"
  client_uri                 = "https://app.example.com"
  grant_types                = ["authorization_code", "refresh_token"]
  response_types             = ["code"]
  redirect_uris              = ["https://app.example.com/callback"]
  scope                      = "openid profile email"
  token_endpoint_auth_method = "client_secret_basic"
}
 
resource "wocha_webhook" "events" {
  url    = "https://api.example.com/webhooks/wocha"
  events = ["user.created", "user.updated", "session.created"]
  active = true
}

Example: Organisation and social connection

resource "wocha_organisation" "engineering" {
  slug         = "engineering"
  display_name = "Engineering"
  metadata = {
    team = "platform"
  }
}
 
resource "wocha_connection" "google" {
  name     = "Google"
  type     = "social"
  provider = "google"
  config = {
    client_id     = var.google_client_id
    client_secret = var.google_client_secret
    enabled       = "true"
  }
}

Example: Token rule and API key

resource "wocha_token_rule" "org_claims" {
  name        = "org-claims"
  target      = "access_token"
  status      = "active"
  priority    = 10
  description = "Inject organisation context into access tokens"
 
  claims = [
    {
      claim_name   = "org_id"
      source_type  = "org_field"
      source_field = "id"
    },
  ]
}
 
resource "wocha_api_key" "ci" {
  name   = "ci-deploy"
  scopes = ["applications:read", "applications:write"]
}

Data sources

Data sourceDescription
wocha_userLook up a user by email or ID
wocha_organisationLook up an organisation by slug or ID
data "wocha_user" "admin" {
  email = "admin@example.com"
}
 
data "wocha_organisation" "engineering" {
  slug = wocha_organisation.engineering.slug
}

Local development

Build and install the provider for local Terraform testing:

cd tools/terraform-provider-wocha
go mod tidy
go build -o terraform-provider-wocha

Configure a Terraform CLI dev override in ~/.terraformrc:

provider_installation {
  dev_overrides {
    "wocha/wocha" = "/absolute/path/to/tools/terraform-provider-wocha"
  }
  direct {}
}

Run the example:

cd tools/terraform-provider-wocha/examples
terraform init
terraform plan

Terraform vs wocha config

WorkflowToolBest for
YAML-based syncwocha config pull/pushGitOps, review diffs in PRs
Terraform statewocha/wocha providerTeams already on Terraform

Both approaches target the same Management API resources.

Learn more

On this page