Terraform
Terraform configures supported Keel control-plane resources as code. It is not used to execute, proxy, stream, or inspect AI requests.
Current provider surface
The current public Terraform provider supports:
| Type | Name | Purpose |
|---|---|---|
| Resource | keel_api_key | Manage project API keys for runtime callers. |
| Resource | keel_organization_member | Manage organization membership. |
| Data source | keel_permit | Read permit records for policy-as-code checks and governance gates. |
Workspaces, policy attachments, audit export configuration, provider-key management, budgets, and routing configuration are not part of the current public Terraform surface.
Install
```hcl
terraform {
  required_providers {
    keel = {
      source  = "keelapi/keel"
      version = "~> 1.0"
    }
  }
}

provider "keel" {
  base_url = "https://api.keelapi.com"
  api_key  = var.keel_api_key
}
```

You can also set KEEL_API_KEY in the environment.
API key resource
```hcl
resource "keel_api_key" "backend" {
  project_id = var.project_id
  name       = "backend-service"
}
```

Use project API keys for runtime callers. Provider credentials remain managed in Keel and are not exposed through this resource.
Organization member resource
```hcl
resource "keel_organization_member" "reviewer" {
  organization_id = var.organization_id
  email           = "reviewer@example.com"
  role            = "member"
}
```

Permit data source
```hcl
data "keel_permit" "recent_denial" {
  permit_id = var.permit_id
}
```

Use permit reads when Terraform or an external policy gate needs to assert that a specific governance decision exists before proceeding.
OPA gate pattern
The provider repo includes an OPA example that evaluates a Terraform plan JSON:
```sh
terraform show -json tfplan > plan.json
opa eval -d policy.rego -i plan.json 'data.policy.deny'
```

This is useful for checking whether a proposed infrastructure change has the required Keel governance evidence.
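An added example of a `policy.rego` that the command above could evaluate; it is not the OPA example from the provider repo and not Keel's own code. The role allowlist, the rule that API key changes need a declared `keel_permit` data source, and the provider local name `keel` in the root module are assumptions made for illustration.

```rego
package policy

import rego.v1

# Assumption: the only role this pipeline may grant through Terraform.
allowed_roles := {"member"}

# True when the root module configuration declares a keel_permit data source.
# This checks the declaration only, not the content of the permit record.
permit_declared if {
    some r in input.configuration.root_module.resources
    r.mode == "data"
    r.type == "keel_permit"
}

# Managed resources the plan will create or update (no-op, read and
# delete-only changes are skipped; a replace counts because it creates).
changing contains rc if {
    some rc in input.resource_changes
    rc.mode == "managed"
    some action in rc.change.actions
    action in {"create", "update"}
}

# API key changes must be accompanied by a permit read in the configuration.
deny contains msg if {
    some rc in changing
    rc.type == "keel_api_key"
    not permit_declared
    msg := sprintf("%s: API key change without a keel_permit data source", [rc.address])
}

# Membership changes may only grant roles from the allowlist.
# A role that is unknown at plan time is absent from change.after and not flagged.
deny contains msg if {
    some rc in changing
    rc.type == "keel_organization_member"
    role := rc.change.after.role
    not allowed_roles[role]
    msg := sprintf("%s: role %q is not in the allowed set", [rc.address, role])
}

# The provider api_key must come from a variable or KEEL_API_KEY, not a literal.
deny contains msg if {
    input.configuration.provider_config.keel.expressions.api_key.constant_value
    msg := "provider keel: api_key is a literal in configuration"
}
```

An empty `deny` set means the plan passes; a CI step can fail the pipeline whenever the set contains any message.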
Runtime integrations
For governed execution, use the runtime API or SDKs instead: