Terraform Registry

The Speakeasy Generation GitHub Action can be configured to publish a generated Terraform provider. However, Terraform providers cannot be generated with Speakeasy while operating in monorepo mode. This requires a separate repository for the Terraform provider, and the repository must be named using the appropriate name format.

Use the following steps to publish a generated Terraform provider to the HashiCorp Terraform Registry.

1. Create a repository for the Terraform provider:

   • Name the repository terraform-provider-{NAME}, with the NAME containing lowercase letters.
   • Ensure it is a public repository.

2. Sign your Terraform provider releases with a signing key. Create and export a GNU Privacy Guard (GPG) signing key following the instructions in the GitHub guide to Generating a new GPG key . Generate your GPG key using either the Digital Signature Algorithm (DSA) or the Rivest–Shamir–Adleman (RSA) algorithm.

3. Take note of the following values:

   • The GPG private key.
   • The GPG passphrase.
   • The GPG public key.

4. Add the ASCII-armored public key to the Terraform repository.

5. Your GPG private key and GPG passphrase will be configured automatically when entered into the Speakeasy CLI. Ensure the following secrets are available to your repository:

   • The GPG private key, terraform_gpg_secret_key.
   • The GPG passphrase, terraform_gpg_passphrase.

6. The first time you create and publish a Terraform provider using the Speakeasy Generation GitHub Action, you need to manually add it to the Terraform Registry. Subsequent updates will be published automatically. To begin this process, follow the Terraform Registry instructions  and agree to the Terraform terms and conditions. Note that you will need to be an organizational admin to complete this step.

7. Add the following file to the .github/workflows directory to create releases for the Terraform provider using GoReleaser. If all the above steps are complete, the HashiCorp registry automatically picks up new changes.

   # Terraform Provider release workflow.
   name: Release
   
   # This GitHub Action creates a release when a tag that matches the pattern
   # "v*" (e.g. v0.1.0) is created.
   on:
     push:
       tags:
         - 'v*'
     workflow_dispatch:
   
   # Releases need permission to read and write the repository contents.
   # GitHub considers creating releases and uploading assets as writing content.
   permissions:
     contents: write
   
   jobs:
     goreleaser:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
           with:
             # Allow GoReleaser to access older tag information.
             fetch-depth: 0
         - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
           with:
             go-version-file: 'go.mod'
             cache: true
         - name: Import GPG key
           uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0
           id: import_gpg
           with:
             gpg_private_key: ${{ secrets.terraform_gpg_secret_key }}
             passphrase: ${{ secrets.terraform_gpg_passphrase }}
         - name: Run GoReleaser
           uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
           with:
             args: release --clean
           env:
             # GitHub sets the GITHUB_TOKEN secret automatically.
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

8. Finally, create a GoReleaser  file in the root of your repository:

   # Visit https://goreleaser.com for documentation on how to customize this
   # behavior.
   version: 2
   
   before:
     hooks:
       # This is just an example and not a requirement for building or publishing providers.
       - go mod tidy
   builds:
     - env:
         # GoReleaser does not work with CGO and could also complicate
         # usage by users in CI/CD systems, like Terraform Cloud, where
         # users are unable to install libraries.
         - CGO_ENABLED=0
       mod_timestamp: '{{ .CommitTimestamp }}'
       flags:
         - -trimpath
       ldflags:
         - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
       goos:
         - freebsd
         - windows
         - linux
         - darwin
       goarch:
         - amd64
         - '386'
         - arm
         - arm64
       ignore:
         - goos: darwin
           goarch: '386'
       binary: '{{ .ProjectName }}_v{{ .Version }}'
   archives:
     - format: zip
       name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
   checksum:
     extra_files:
       - glob: 'terraform-registry-manifest.json'
         name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
     name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
     algorithm: sha256
   signs:
     - artifacts: checksum
       args:
         # If you are using this in a GitHub Action or some other automated pipeline, you
         # need to pass the batch flag to indicate it's not interactive.
         - "--batch"
         - "--local-user"
         - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
         - "--output"
         - "${signature}"
         - "--detach-sign"
         - "${artifact}"
   release:
     extra_files:
       - glob: 'terraform-registry-manifest.json'
         name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
     # If you want to manually examine the release before it goes live, uncomment this line:
     # draft: true
   changelog:
     disable: true

Whenever you generate and merge a new PR for your Terraform provider, it will be automatically versioned and released to the HashiCorp Registry.