Terraform Registry
The Speakeasy Generation GitHub Action can be configured to publish a generated Terraform provider. However, Terraform provider generation with Speakeasy is not supported while operating in monorepo mode. A separate repository for the Terraform provider is required and must be named using the appropriate name format.
Use the following steps to publish a generated Terraform provider to the HashiCorp Terraform Registry.
-
Create a repository for the Terraform provider:
- Name the repository
terraform-provider-{NAME}
, with theNAME
containing lowercase letters. - Ensure it is a public repository.
- Name the repository
-
Sign your Terraform provider releases with a signing key. Create and export a GNU Privacy Guard (GPG) signing key following the instructions in the GitHub guide to Generating a new GPG key (opens in a new tab). Generate your GPG key using either the Digital Signature Algorithm (DSA) or the Rivest–Shamir–Adleman (RSA) algorithm.
-
Take note of the following values:
- The GPG private key.
- The GPG passphrase.
- The GPG public key.
-
Add the ASCII-armored public key to the Terraform repository.
-
The GPG private key and GPG passphrase are configured automatically when entered into the Speakeasy CLI. Ensure the following secrets are available to the repository:
- The GPG private key,
terraform_gpg_secret_key
. - The GPG passphrase,
terraform_gpg_passphrase
.
- The GPG private key,
-
The first time a Terraform provider is created and published using the Speakeasy Generation GitHub Action, it must be manually added to the Terraform Registry. Subsequent updates will be published automatically. To begin this process, follow the Terraform Registry instructions (opens in a new tab) and agree to the Terraform terms and conditions. Note that organizational admin privileges are required to complete this step.
-
Add the following file to your
.github/workflows
directory to indicate create releases for your Terraform provider using GoReleaser. If all the above steps have been completed, the HashiCorp registry will automatically pick up new changes.terraform_publish.yaml# Terraform Provider release workflow.name: Release# This GitHub Action creates a release when a tag that matches the pattern# "v*" (e.g. v0.1.0) is created.on:push:tags:- 'v*'workflow_dispatch:# Releases need permission to read and write the repository contents.# GitHub considers creating releases and uploading assets as writing content.permissions:contents: writejobs:goreleaser:runs-on: ubuntu-lateststeps:- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2with:# Allow GoReleaser to access older tag information.fetch-depth: 0- uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0with:go-version-file: 'go.mod'cache: true- name: Import GPG keyuses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0id: import_gpgwith:gpg_private_key: ${{ secrets.terraform_gpg_secret_key }}passphrase: ${{ secrets.terraform_gpg_passphrase }}- name: Run GoReleaseruses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0with:args: release --cleanenv:# GitHub sets the GITHUB_TOKEN secret automatically.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} -
Finally, create a GoReleaser (opens in a new tab) file in the root of your repository:
.goreleaser.yml# Visit https://goreleaser.com for documentation on how to customize this# behavior.version: 2before:hooks:# This is just an example and not a requirement for building or publishing providers.- go mod tidybuilds:- env:# GoReleaser does not work with CGO and could also complicate# usage by users in CI/CD systems, like Terraform Cloud, where# users are unable to install libraries.- CGO_ENABLED=0mod_timestamp: '{{ .CommitTimestamp }}'flags:- -trimpathldflags:- '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'goos:- freebsd- windows- linux- darwingoarch:- amd64- '386'- arm- arm64ignore:- goos: darwingoarch: '386'binary: '{{ .ProjectName }}_v{{ .Version }}'archives:- format: zipname_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'checksum:extra_files:- glob: 'terraform-registry-manifest.json'name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'algorithm: sha256signs:- artifacts: checksumargs:# If you are using this in a GitHub Action or some other automated pipeline, you# need to pass the batch flag to indicate it's not interactive.- "--batch"- "--local-user"- "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key- "--output"- "${signature}"- "--detach-sign"- "${artifact}"release:extra_files:- glob: 'terraform-registry-manifest.json'name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'# If you want to manually examine the release before it goes live, uncomment this line:# draft: truechangelog:disable: true
Whenever you generate and merge a new PR for your Terraform provider, it will be automatically versioned and released to the HashiCorp Registry.