Terraform provider for MCPG

The native terraform-provider-mcpg — typed MCPG custom resources with plan-time validation that mirrors the operator's admission webhook, so bad input fails locally before it reaches the cluster.

The native provider manages MCPG custom resources directly against the operator/CRD plane, adding what the module suite can't: it validates your resources at terraform plan using the same rules the operator's admission webhook enforces — so bad input fails locally, before it reaches the cluster.

Status: the provider ships the four core resources with plan-time validation and full CRUD. Fully-typed per-kind attribute schemas (today spec is JSON) and import / data-sources are on the roadmap.

Provider configuration

Auth mirrors the standard kubeconfig chain.

hcl

terraform {
  required_providers {
    mcpg = { source = "mcpg-dev/mcpg" }
  }
}

provider "mcpg" {
  kubeconfig = "~/.kube/config" # optional; falls back to KUBECONFIG / in-cluster
  context    = "prod"           # optional kubeconfig context
}

Argument	Type	Description
`kubeconfig`	string, optional	Path to a kubeconfig file.
`context`	string, optional	kubeconfig context to use.

Resources

All four resources share the same shape: a typed kind with a spec supplied as JSON (use jsonencode), validated at plan time. The provider applies them with server-side apply (field manager terraform-provider-mcpg).

Resource	Kind	Scope
`mcpg_gateway`	`MCPGGateway`	namespaced
`mcpg_plugin`	`MCPGPlugin`	cluster
`mcpg_plugin_set`	`MCPGPluginSet`	namespaced
`mcpg_revocation_list`	`MCPGRevocationList`	cluster

The full CRD set the operator reconciles is documented in the operator CRD reference.

Common attributes

Attribute	Type
`name`	string, required	resource name
`namespace`	string	required for namespaced kinds; ignored for cluster-scoped
`spec`	string, required	the CR spec as JSON (`jsonencode({...})`)
`id`	string, computed	`namespace/name` (or `name` for cluster-scoped)
`config_hash`	string, computed	the operator's `status.configHash`, when present (drift signal)

Example

hcl

resource "mcpg_gateway" "orders" {
  name      = "orders"
  namespace = "mcpg-system"
  spec = jsonencode({
    image    = { repository = "ghcr.io/mcpg-dev/gateway", tag = "v1.0.0-rc.17" }
    replicas = 2
    config   = { governance = { audit = { sinks = [{ kind = "dev.mcpg.builtin.audit.local-file" }] } } }
  })
}

resource "mcpg_revocation_list" "default" {
  name = "cluster-default"
  spec = jsonencode({
    version     = 1
    revocations = [{ artifactSha256 = "…64 hex…", reason = "compromised" }]
  })
}

The config block inside a gateway spec is the gateway's own AppConfig — see the configuration reference.

Plan-time validation

terraform plan runs the admission-mirror checks and fails with a clear error when input is invalid — no cluster round-trip needed. The rules:

gateway — image required; workloadIdentity exactly one of aws|gcp|azure|spiffe.
plugin — digest-pinned OR cosign identity; cosign certificateIdentityRegexp anchored with ^/$ and compiles; oidcIssuer set when cosign is present.
plugin-set — entries non-empty; entry ids unique.
revocation-list — version == 1; each artifactSha256 is 64 lowercase hex; no duplicates.

These validators are shared with the Pulumi CrossGuard pack and exercised by a cross-tool contract test, so all three surfaces stay aligned with admission.

Commands (Nx)

bash

nx run terraform-provider-mcpg:build   # go build ./...
nx run terraform-provider-mcpg:test    # go test ./...
nx run terraform-provider-mcpg:lint    # gofmt + go vet

Compatibility

Provider	Operator chart	CRD apiVersion	Terraform / OpenTofu
`0.x`	`0.1.x`	`v1alpha2`	≥ 1.7

A CRD apiVersion bump is a provider minor with a regenerated schema; a breaking CRD change is a major.

Module suite vs provider

	Module suite	Native provider
Language	HCL	HCL (provider in Go)
Plan-time validation	gateway boot	mirrors admission at plan
CR application	`kubectl_manifest`	typed resources + SSA
Best for	the 80% case, ship-first	strict shops wanting fail-fast plans

Both are fully supported; you can mix them.