Terraform Provider for Ory Network
Special Thanks
Shoutout to Jason Hernandez and the Materialize team for creating the initial version of this provider! Also see NOTICE.md
A Terraform provider for managing Ory Network resources using infrastructure-as-code.
Note: This provider is for Ory Network (the managed SaaS offering) only. It does not support self-hosted Ory deployments.
Migrating Deprecated ory_project_config Attributes
Many attributes in the ory_project_config resource have been renamed to follow the OpenAPI spec naming convention. The old names still work but will show deprecation warnings in Terraform output and will be removed in a future major version. Run ./scripts/migrate-deprecated-attrs.sh to see the full list of renames.
Examples of renamed attributes:
| Old Name | New Name |
|---|---|
| enable_password | selfservice_methods_password_enabled |
| login_ui_url | selfservice_flows_login_ui_url |
| oauth2_access_token_lifespan | oauth2_ttl_access_token |
| password_min_length | selfservice_methods_password_config_min_password_length |
| smtp_from_address | courier_smtp_from_address |
To migrate your .tf files automatically, run the provided migration script:
./scripts/migrate-deprecated-attrs.sh /path/to/your/terraform/configs
The script creates .bak backups of each modified file. After migrating, run terraform plan to verify no changes are detected.
For the full list of renamed attributes, see the project_config resource docs.
Requirements
- Terraform >= 1.0
- Go (see version in go.mod; for building from source)
- An Ory Network account
Installation
terraform {
  required_providers {
    ory = {
      source = "ory/ory"
    }
  }
}
Authentication
Ory Network uses two types of API keys:
| Key Type | Prefix | Purpose |
|---|---|---|
| Workspace API Key | ory_wak_... | Projects, organizations, workspace management |
| Project API Key | ory_pat_... | Identities, OAuth2 clients, relationships |
Set the credentials as environment variables:
export ORY_WORKSPACE_API_KEY="ory_wak_..."
export ORY_PROJECT_API_KEY="ory_pat_..."
export ORY_PROJECT_ID="your-project-uuid"
export ORY_PROJECT_SLUG="your-project-slug"
Or configure directly in the provider block:
provider "ory" {
  workspace_api_key = var.ory_workspace_key # or ORY_WORKSPACE_API_KEY env var
  project_api_key   = var.ory_project_key   # or ORY_PROJECT_API_KEY env var
  project_id        = var.ory_project_id    # or ORY_PROJECT_ID env var
  project_slug      = var.ory_project_slug  # or ORY_PROJECT_SLUG env var
}
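An added example, not part of the provider's own documentation: declarations for the variables the provider block above references, marking the two API keys sensitive and rejecting a key of the wrong type by its prefix. The variable names come from that block; the UUID pattern for the project ID is an assumption.

```hcl
# Added example: declarations for the variables referenced in the provider
# block above. Prefix checks assume the key formats from the key-type table.

variable "ory_workspace_key" {
  description = "Workspace API key: projects, organizations, workspace management."
  type        = string
  sensitive   = true # redacted in plan/apply output

  validation {
    condition     = can(regex("^ory_wak_", var.ory_workspace_key))
    error_message = "Expected a workspace API key (prefix ory_wak_), not a project API key."
  }
}

variable "ory_project_key" {
  description = "Project API key: identities, OAuth2 clients, relationships."
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^ory_pat_", var.ory_project_key))
    error_message = "Expected a project API key (prefix ory_pat_), not a workspace API key."
  }
}

variable "ory_project_id" {
  description = "Project UUID (not the slug)."
  type        = string

  validation {
    # Assumption: project IDs are canonical 8-4-4-4-12 hex UUIDs.
    condition = can(regex(
      "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
      lower(var.ory_project_id)
    ))
    error_message = "The project ID must be a UUID, not the project slug."
  }
}

variable "ory_project_slug" {
  description = "Project slug."
  type        = string
}
```

Supply the values through Terraform's TF_VAR_<name> environment variables (for example TF_VAR_ory_workspace_key) or a secrets manager rather than a committed .tfvars file.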
Quick Start
terraform {
  required_providers {
    ory = {
      source = "ory/ory"
    }
  }
}

provider "ory" {}

# Configure project settings
resource "ory_project_config" "main" {
  cors_enabled = true
  cors_origins = ["https://app.example.com"]
  # Renamed from the deprecated password_min_length (see the migration table)
  selfservice_methods_password_config_min_password_length = 10
  session_lifespan = "720h0m0s" # 30 days
}

# Add Google social login
resource "ory_social_provider" "google" {
  provider_id   = "google"
  provider_type = "google"
  client_id     = var.google_client_id
  client_secret = var.google_client_secret
  scope         = ["email", "profile"]
}

# Create a webhook for new registrations
resource "ory_action" "welcome_email" {
  flow        = "registration"
  timing      = "after"
  auth_method = "password"
  url         = "https://api.example.com/webhooks/welcome"
  method      = "POST"
}
For all available resources, data sources, and their attributes, see the Terraform Registry documentation or browse the examples/ directory.
Documentation
Documentation is auto-generated from templates in templates/ using tfplugindocs. Do NOT edit files in docs/ directly — they are overwritten by make format.
Contributing
See CONTRIBUTING.md for development setup, testing, and contribution guidelines.
License
Apache License, Version 2.0. See LICENSE.