generate-terraform-provider
generate-terraform-provider
Generate a Terraform provider from an OpenAPI specification using the Speakeasy CLI. This skill covers the full lifecycle: annotating your spec with entity metadata, mapping CRUD operations, generating the provider, configuring workflows, and publishing to the Terraform Registry.
Content Guides
| Topic | Guide |
|---|---|
| Advanced Customization | content/customization.md |
The customization guide covers entity mapping placement, multi-operation resources, async polling, property customization, plan modification, validation, and state upgraders.
When to Use
- Generating a new Terraform provider from an OpenAPI spec
- Annotating an OpenAPI spec with
x-speakeasy-entityandx-speakeasy-entity-operation - Mapping API operations to Terraform CRUD methods
- Understanding Terraform type inference from OpenAPI schemas
- Configuring
workflow.yamlfor Terraform provider generation - Publishing a provider to the Terraform Registry
- User says: "terraform provider", "generate terraform", "create terraform provider", "CRUD mapping", "x-speakeasy-entity", "terraform resource", "terraform registry"
Inputs
| Input | Required | Description |
|---|---|---|
| OpenAPI spec | Yes | OpenAPI 3.0 or 3.1 specification (local file, URL, or registry source) |
| Provider name | Yes | PascalCase name for the provider (e.g., Petstore) |
| Package name | Yes | Lowercase package identifier (e.g., petstore) |
| Entity annotations | Yes | x-speakeasy-entity on schemas, x-speakeasy-entity-operation on operations |
Outputs
| Output | Location |
|---|---|
| Workflow config | .speakeasy/workflow.yaml |
| Generation config | gen.yaml |
| Generated Go provider | Output directory (default: current dir) |
| Terraform examples | examples/ directory |
Prerequisites
- Speakeasy CLI installed and authenticated
- OpenAPI 3.0 or 3.1 specification with entity annotations
- Go installed (Terraform providers are written in Go)
- Authentication: Set
SPEAKEASY_API_KEYenv var or runspeakeasy auth login
export SPEAKEASY_API_KEY="<your-api-key>"
Run speakeasy auth login to authenticate interactively, or set the SPEAKEASY_API_KEY environment variable.
Command
First-time generation (quickstart)
speakeasy quickstart --skip-interactive --output console \
-s <spec-path> \
-t terraform \
-n <ProviderName> \
-p <package-name>
Regenerate after changes
speakeasy run --output console
Regenerate a specific target
speakeasy run -t <target-name> --output console
Entity Annotations
Before generating, annotate your OpenAPI spec with two extensions:
1. Mark schemas as entities
Add x-speakeasy-entity to component schemas that should become Terraform resources:
components:
schemas:
Pet:
x-speakeasy-entity: Pet
type: object
properties:
id:
type: string
readOnly: true
name:
type: string
price:
type: number
required:
- name
- price
2. Map operations to CRUD methods
Add x-speakeasy-entity-operation to each API operation:
paths:
/pets:
post:
x-speakeasy-entity-operation: Pet#create
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/Pet"
responses:
"200":
content:
application/json:
schema:
$ref: "#/components/schemas/Pet"
/pets/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
get:
x-speakeasy-entity-operation: Pet#read
responses:
"200":
content:
application/json:
schema:
$ref: "#/components/schemas/Pet"
put:
x-speakeasy-entity-operation: Pet#update
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/Pet"
responses:
"200":
content:
application/json:
schema:
$ref: "#/components/schemas/Pet"
delete:
x-speakeasy-entity-operation: Pet#delete
responses:
"204":
description: Deleted
CRUD Mapping Summary
| HTTP Method | Path | Annotation | Purpose |
|---|---|---|---|
POST |
/resource |
Entity#create |
Create a new resource |
GET |
/resource/{id} |
Entity#read |
Read a single resource |
PUT |
/resource/{id} |
Entity#update |
Update a resource |
DELETE |
/resource/{id} |
Entity#delete |
Delete a resource |
Data sources (list): For list endpoints (GET /resources), use a separate plural entity name with #read (e.g., Pets#read). Do NOT use #list -- it is not a valid operation type.
Terraform Type Inference
Speakeasy infers Terraform schema types from the OpenAPI spec automatically:
| Rule | Condition | Terraform Attribute |
|---|---|---|
| Required | Property is required in CREATE request body |
Required: true |
| Optional | Property is not required in CREATE request body |
Optional: true |
| Computed | Property appears in response but not in CREATE request | Computed: true |
| ForceNew | Property exists in CREATE request but not in UPDATE request | ForceNew (forces resource recreation) |
| Enum validation | Property defined as enum | Validator added for runtime checks |
Every parameter needed for READ, UPDATE, or DELETE must either appear in the CREATE response or be required in the CREATE request.
Example
Full workflow: Petstore provider
# 1. Ensure your spec has entity annotations (see above)
# 2. Generate the provider
speakeasy quickstart --skip-interactive --output console \
-s ./openapi.yaml \
-t terraform \
-n Petstore \
-p petstore
# 3. Build and test
cd terraform-provider-petstore
go build ./...
go test ./...
# 4. After spec changes, regenerate
speakeasy run --output console
This produces a Terraform resource usable as:
resource "petstore_pet" "my_pet" {
name = "Buddy"
price = 1500
}
Workflow Configuration
Local spec
# .speakeasy/workflow.yaml
workflowVersion: 1.0.0
speakeasyVersion: latest
sources:
my-api:
inputs:
- location: ./openapi.yaml
targets:
my-provider:
target: terraform
source: my-api
Remote spec with overlays
For providers built against third-party APIs, fetch the spec remotely and apply local overlays:
# .speakeasy/workflow.yaml
workflowVersion: 1.0.0
speakeasyVersion: latest
sources:
vendor-api:
inputs:
- location: https://api.vendor.com/openapi.yaml
overlays:
- location: terraform_overlay.yaml
output: openapi.yaml
targets:
vendor-provider:
target: terraform
source: vendor-api
Use speakeasy overlay compare to track upstream API changes:
speakeasy overlay compare \
--before https://api.vendor.com/openapi.yaml \
--after terraform_overlay.yaml \
--out overlay-diff.yaml
Repository and Naming Conventions
Repository naming
Name the repository terraform-provider-XXX, where XXX is the provider type name. The provider type name should be lowercase alphanumeric ([a-z][a-z0-9]), though hyphens and underscores are permitted.
Entity naming
Use PascalCase for entity names so they translate correctly to Terraform's underscore naming:
| Entity Name | Terraform Resource |
|---|---|
Pet |
petstore_pet |
GatewayControlPlane |
konnect_gateway_control_plane |
MeshControlPlane |
konnect_mesh_control_plane |
For list data sources, use the plural PascalCase form (e.g., Pets).
Resource Importing
Generated providers support importing existing resources into Terraform state.
Simple keys
For resources with a single ID field:
terraform import petstore_pet.my_pet my_pet_id
Composite keys
For resources with multiple ID fields, pass a JSON-encoded object:
terraform import my_test_resource.my_example \
'{ "primary_key_one": "9cedad30-...", "primary_key_two": "e20c40a0-..." }'
Or use an import block:
import {
id = jsonencode({
primary_key_one: "9cedad30-..."
primary_key_two: "e20c40a0-..."
})
to = my_test_resource.my_example
}
Then generate configuration:
terraform plan -generate-config-out=generated.tf
Publishing to the Terraform Registry
Prerequisites
- Public repository named
terraform-provider-{name}(lowercase) - GPG signing key for release signing
- GoReleaser configuration
- Registration at registry.terraform.io
Step 1: Generate GPG Key
gpg --full-generate-key # Choose RSA, 4096 bits
gpg --armor --export-secret-keys YOUR_KEY_ID > private.key
gpg --armor --export YOUR_KEY_ID > public.key
Step 2: Configure Repository Secrets
Add to GitHub repository secrets:
terraform_gpg_secret_key- Private key contentterraform_gpg_passphrase- Key passphrase
Step 3: Add Release Workflow
# .github/workflows/release.yaml
name: Release
on:
push:
tags: ['v*']
permissions:
contents: write
jobs:
goreleaser:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'
- uses: crazy-max/ghaction-import-gpg@v5
id: import_gpg
with:
gpg_private_key: ${{ secrets.terraform_gpg_secret_key }}
passphrase: ${{ secrets.terraform_gpg_passphrase }}
- uses: goreleaser/goreleaser-action@v6
with:
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
Step 4: Register with Terraform Registry
- Go to registry.terraform.io
- Sign in with GitHub (org admin required)
- Publish → Provider → Select your repository
After registration, releases auto-publish when tags are pushed.
Beta Provider Pattern
For large APIs, maintain separate stable and beta providers:
- Stable:
terraform-provider-{name}with semver (x.y.z) - Beta:
terraform-provider-{name}-betawith0.xversioning
Users can install both simultaneously. When beta features mature, graduate them to the stable provider. To set up a beta provider, create a separate terraform-provider-{name}-beta repository with its own gen.yaml using 0.x versioning, and publish it alongside the stable provider.
Testing the Provider
Add Test Dependency
In .speakeasy/gen.yaml:
terraform:
additionalDependencies:
github.com/hashicorp/terraform-plugin-testing: v1.13.3
Acceptance Test Structure
// internal/provider/resource_test.go
func TestAccPet_Lifecycle(t *testing.T) {
t.Parallel()
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV6ProviderFactories: testAccProviders(),
Steps: []resource.TestStep{
{
Config: testAccPetConfig("Buddy", 1500),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("petstore_pet.test", "name", "Buddy"),
),
},
{
ResourceName: "petstore_pet.test",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
Running Tests
# Unit tests
go test -v ./...
# Acceptance tests (REQUIRES TF_ACC=1)
TF_ACC=1 go test -v ./internal/provider/... -timeout 30m
Note: Without TF_ACC=1, tests silently skip with PASS status.
What NOT to Do
- Do NOT use
#listas an operation type -- onlycreate,read,update,deleteare valid - Do NOT modify generated Go code directly -- changes are overwritten on regeneration. Use overlays or hooks instead
- Do NOT omit the CREATE response body -- Terraform needs the response to populate computed fields (e.g.,
id) - Do NOT skip
x-speakeasy-entityon schemas -- without it, Speakeasy cannot identify Terraform resources - Do NOT use camelCase or snake_case for entity names -- use PascalCase so Terraform underscore naming works
- Do NOT generate Terraform providers in monorepo mode -- HashiCorp requires a dedicated repository
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
invalid entity operation type: list |
Used #list instead of #read |
Change to Entity#read; list endpoints use a plural entity name |
| Resource missing fields after import | READ operation does not return all attributes | Ensure the GET endpoint returns the complete resource schema |
ForceNew on unexpected field |
Field exists in CREATE but not UPDATE request | Add the field to the UPDATE request body if it should be mutable |
| Provider fails to compile | Missing Go dependencies | Run go mod tidy in the provider directory |
| Computed field not populated | Field absent from CREATE response | Ensure the CREATE response returns the full resource including computed fields |
| Entity not appearing as resource | Missing x-speakeasy-entity annotation |
Add x-speakeasy-entity: EntityName to the component schema |
| Auth not working | Missing API key | Set SPEAKEASY_API_KEY env var or run speakeasy auth login |
Related Skills
start-new-sdk-project- Initial project setupmanage-openapi-overlays- Add entity annotations via overlaydiagnose-generation-failure- Troubleshoot generation errors
More from speakeasy-api/skills
writing-openapi-specs
Reference guide for OpenAPI specification best practices, naming conventions, and expressing complex REST API patterns like polymorphism, enums, file uploads, and server-sent events. Use when writing or improving OpenAPI specs to ensure they follow established conventions and generate quality SDKs.
77extract-openapi-from-code
Use when extracting or generating an OpenAPI spec from existing API code. Triggers on "extract OpenAPI", "code first", "generate spec from code", "FastAPI OpenAPI", "Spring Boot OpenAPI", "NestJS swagger", "Django OpenAPI", "Flask OpenAPI", "Rails swagger", "Laravel OpenAPI", "existing API code
69speakeasy-context
Speakeasy workflow: run 'agent context' FIRST, do task, run 'agent feedback' LAST. Triggers on speakeasy, SDK, OpenAPI.
51diagnose-generation-failure
Use when SDK generation failed or seeing errors. Triggers on "generation failed", "speakeasy run failed", "SDK build error", "workflow failed", "Step Failed", "why did generation fail
50manage-openapi-overlays
Use when creating, applying, or validating overlay files including x-speakeasy extensions. Covers overlay syntax, JSONPath targeting, retries, pagination, naming, grouping, open enums, global headers, custom security. Triggers on "create overlay", "apply overlay", "overlay file", "x-speakeasy", "add extension", "configure retries", "add pagination", "overlay for retries".
49customize-sdk-hooks
|
48