Environment

Create Terraform configurations in the IndyKite platform

How to use the IndyKite Terraform provider to create configurations in the IndyKite platform.

This guide walks you through setting up an environment for creating Terraform configurations in the IndyKite platform.

Install Terraform

Mac:

# Add HashiCorp's Homebrew tap, then install Terraform from it.
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
# Confirm which release was installed (same output as `terraform --version`).
terraform version

Ubuntu:

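# Option 1: Homebrew on Linux (only works if Homebrew is already installed;
# `apt update` is not needed for this path).
brew install terraform
terraform -version

# Option 2: apt, from HashiCopp's own signed repository. Terraform is not in the
# stock Ubuntu archive, so `sudo apt install terraform` fails unless the repository
# is added first. The `signed-by` keyring limits that key to this repository only.
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Optional: compare the imported key's fingerprint with the one HashiCorp publishes
# before trusting packages from this repository.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt install terraform -y
terraform -version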

Credentials

Either export the path to the service account credentials file: export INDYKITE_SERVICE_ACCOUNT_CREDENTIALS_FILE=<path-to-the-service-account-credentials-file>
Or export the credentials content directly: export INDYKITE_SERVICE_ACCOUNT_CREDENTIALS=<content-of-service-account-credentials>

Files

Create a file named main.tf in a working directory.

Create the project environment: an Application Space (project), an Application, an Application Agent, and Application Agent Credentials.

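terraform {
  required_providers {
    indykite = {
      source  = "indykite/indykite"
      # Provider versions are strings in HCL; the unquoted form does not parse.
      # Pinning a version (or a range such as "~> 1.30") makes `terraform init`
      # resolve the same provider everywhere and record its checksums in
      # .terraform.lock.hcl.
      version = "1.30.0" # or latest version
    }
  }
}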

# No arguments: the provider takes its service account credentials from the
# INDYKITE_SERVICE_ACCOUNT_CREDENTIALS_FILE or INDYKITE_SERVICE_ACCOUNT_CREDENTIALS
# environment variable (see the Credentials section), so no secret is written here.
provider "indykite" {}

# Look up the existing customer by name. Its id is referenced by the application
# spaces below as data.indykite_customer.customer1.id (note the resource label
# "customer1", which the references must match).
data "indykite_customer" "customer1" {
  name = "your-customer-name"
}

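# Create a new project (application space) under the customer looked up above.
resource "indykite_application_space" "appspace1" {
  # The data source is labelled "customer1"; "customer" does not exist in this file.
  customer_id    = data.indykite_customer.customer1.id
  name           = "project-name"
  display_name   = "Project display name"
  description    = "Description of your project"
  region         = "us-east1"
  ikg_size       = "4GB"
  replica_region = "us-west1"
}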

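# Database password for appspace2. Declared sensitive so Terraform redacts it in
# plan/apply output; supply it via TF_VAR_db_password or a *.tfvars file that is
# not committed. Terraform still writes the value to state, so protect the state backend.
variable "db_password" {
  type      = string
  sensitive = true
}

# Create a new project (application space) backed by your own database.
resource "indykite_application_space" "appspace2" {
  # The data source is labelled "customer1"; "customer" does not exist in this file.
  customer_id  = data.indykite_customer.customer1.id
  name         = "terraform-pipeline-appspace2"
  display_name = "Terraform appspace 2"
  description  = "Application space for terraform pipeline"
  region       = "europe-west1" # or us-east1
  db_connection {
    url      = "neo4j+s://xxxxxxxx.databases.neo4j.io"
    username = "testuser"
    # Never a literal here: a password in main.tf ends up in version control.
    password = var.db_password
    name     = "testdb"
  }
}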

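# Create a new application inside the first application space.
resource "indykite_application" "application1" {
  # The space resource is labelled "appspace1"; "appspace" does not exist in this file.
  app_space_id = indykite_application_space.appspace1.id
  name         = "application-name"
  display_name = "Application display name"
  description  = "Description of your application"
}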

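# Create a new application agent for the application above.
resource "indykite_application_agent" "agent" {
  # The application resource is labelled "application1"; "application" does not exist in this file.
  application_id = indykite_application.application1.id
  name           = "application-agent-name"
  display_name   = "Application agent display name"
  description    = "Description of your application agent"
}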

# Create a credential for the application agent above.
# NOTE(review): the generated credential material is presumably exposed as a
# resource attribute and therefore held in Terraform state — confirm in the
# provider docs, and keep state in a protected backend accordingly.
resource "indykite_application_agent_credential" "with_public" {
  app_agent_id = indykite_application_agent.agent.id
  display_name = "Credential display name"
  # Fixed RFC 3339 expiry; it is not advanced on later applies, so plan to
  # rotate (re-create) the credential before this date.
  expire_time  = "2026-12-31T12:34:56-01:00" #must be less than 2 years to generate a token
}

Create KBAC policy

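terraform {
  required_providers {
    indykite = {
      source  = "indykite/indykite"
      # Provider versions are strings in HCL; the unquoted form does not parse.
      # Pinning makes `terraform init` record the provider's checksums in
      # .terraform.lock.hcl so every run verifies the same provider build.
      version = "1.30.0" # or latest version
    }
  }
}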

# No arguments: credentials come from the INDYKITE_SERVICE_ACCOUNT_CREDENTIALS_FILE
# or INDYKITE_SERVICE_ACCOUNT_CREDENTIALS environment variable (see Credentials).
provider "indykite" {}

# Authorization policy: a Person subject gets CAN_DRIVE on a Car resource only
# while the OWNS relationship in the condition below matches.
resource "indykite_authorization_policy" "policy_drive_car" {
  name         = "terraform-pipeline-policy-drive-car"
  display_name = "Terraform policy drive car"
  description  = "Policy for terraform pipeline"
  # Policy document; jsonencode serializes the HCL object as JSON.
  json = jsonencode({
    meta = {
      policyVersion = "1.0-indykite"
    },
    subject = {
      type = "Person"
    },
    actions = ["CAN_DRIVE"],
    resource = {
      type = "Car"
    },
    # Graph pattern that must match for the action to be allowed.
    condition = {
      cypher = "MATCH (subject:Person)-[:OWNS]->(resource:Car)"
    }
  })
  # NOTE(review): references an application space labelled "appspace", which this
  # listing does not declare (the environment listing labels its space "appspace1").
  # Point this at the right resource, or at a data source for an existing space,
  # otherwise `terraform plan` fails on the unknown reference.
  location = indykite_application_space.appspace.id
  status   = "active"
}

Create CIQ policy and Knowledge Query with _Application as a subject

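terraform {
  required_providers {
    indykite = {
      source  = "indykite/indykite"
      # Provider versions are strings in HCL; the unquoted form does not parse.
      # Pinning makes `terraform init` record the provider's checksums in
      # .terraform.lock.hcl so every run verifies the same provider build.
      version = "1.30.0" # or latest version
    }
  }
}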

# No arguments: credentials come from the INDYKITE_SERVICE_ACCOUNT_CREDENTIALS_FILE
# or INDYKITE_SERVICE_ACCOUNT_CREDENTIALS environment variable (see Credentials).
provider "indykite" {}

# CIQ policy with the calling application (_Application) as the subject. It lets
# the application read two LicenseNumber properties for the Person whose email
# matches, provided the application's external id also matches.
resource "indykite_authorization_policy" "policy_for_ciq" {
  name         = "terraform-pipeline-policy-for-ciq"
  display_name = "Terraform policy for CIQ"
  description  = "Policy for CIQ in terraform pipeline"
  # NOTE(review): expects an application space labelled "appspace" in this
  # configuration; the environment listing labels its space "appspace1".
  location     = indykite_application_space.appspace.id
  status       = "active"

  # Policy document written in HCL attribute syntax; jsonencode produces the same
  # JSON as the quoted-key form (key order in the object is not significant).
  json = jsonencode({
    meta = {
      policy_version = "1.0-ciq"
    }
    subject = {
      type = "_Application"
    }
    condition = {
      cypher = "MATCH (subject:_Application) MATCH (person:Person)-[r1:ACCEPTED]->(contract:Contract)-[r2:COVERS]->(vehicle:Vehicle)-[r3:HAS]->(ln:LicenseNumber)"
      # Both operands must hold. The "$person_email" and "$_appId" strings are
      # not literal values; the leading "$" presumably marks a parameter supplied
      # at evaluation time — verify against the CIQ policy documentation.
      filter = [
        {
          operator = "AND"
          operands = [
            {
              attribute = "person.property.email"
              operator  = "="
              value     = "$person_email"
            },
            {
              attribute = "subject.external_id"
              operator  = "="
              value     = "$_appId"
            },
          ]
        },
      ]
    }
    # Only these node properties may be read under this policy; no relationships.
    allowed_reads = {
      nodes         = ["ln.property.number", "ln.property.transferrable"]
      relationships = []
    }
  })
}


# Knowledge query bound to the CIQ policy above: reads ln.property.number for the
# node whose number equals the "$ln_number" parameter (see the filter).
resource "indykite_knowledge_query" "create-query" {
  name         = "terraform-knowledge-query"
  display_name = "Terraform knowledge-query"
  description  = "Knowledge query for terraform"
  status       = "active"
  # NOTE(review): expects an application space labelled "appspace" in this
  # configuration; the environment listing labels its space "appspace1".
  location     = indykite_application_space.appspace.id
  policy_id    = indykite_authorization_policy.policy_for_ciq.id

  # Query document in HCL attribute syntax; jsonencode yields the same JSON as
  # the quoted-key form.
  query = jsonencode({
    nodes         = ["ln.property.number"]
    relationships = []
    filter = {
      attribute = "ln.property.number"
      operator  = "="
      value     = "$ln_number"
    }
  })
}

Execute Terraform

Initialize a Terraform working directory:

# Downloads the provider pinned in required_providers and records its checksums
# in .terraform.lock.hcl; commit that file so later runs verify the same provider.
terraform init

Show what Terraform will do without making any changes:

# Dry run: renders the proposed changes for review; nothing is created yet.
terraform plan

Actually apply the changes to your infrastructure:

# Creates the resources after an interactive confirmation. The resulting state
# holds the resource ids and may hold credential attributes, so keep it in a
# protected backend rather than a shared or committed local file.
terraform apply