Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.rafftechnologies.com/llms.txt

Use this file to discover all available pages before exploring further.

Updated May 10, 2026 Creates a Raff API key. The plaintext secret is returned once on create and stored in the secret attribute (sensitive). Anyone with read access to your Terraform state can use the key — store state in a backend with strict access controls (S3 + KMS, Terraform Cloud, etc.) and never commit terraform.tfstate to git.

Example — minimal

resource "raff_api_key" "ci" {
  name = "ci-deploy"
}

Example — full

resource "raff_api_key" "ci" {
  name            = "ci-deploy"
  rate_limit_tier = "standard"             # or "high" (requires approval)
  expires_at      = "2026-12-31T23:59:59Z"  # RFC3339
  is_active       = true
}

# Use the secret to drive a downstream provider
provider "raff" {
  alias   = "ci"
  api_key = raff_api_key.ci.secret
}

Argument reference

Required

ArgumentTypeDescription
namestringDisplay name

Optional

ArgumentTypeDescription
rate_limit_tierstringstandard (default, 30 RPS) or high (100 RPS, requires support approval)
expires_atstringExpiration in RFC3339. Omit for never-expires
is_activeboolDefaults to true. Set to false to suspend without revoking

Attribute reference (computed)

AttributeDescription
idAPI key UUID
key_prefixFirst 13 characters of the key (e.g. raff_pub_17d70fcf)
secretSensitive. Full plaintext API key. Returned only on create — never re-fetchable
created_atRFC3339 timestamp

Lifecycle

OperationBehavior
terraform apply (create)Creates the key. secret is returned once and saved to state
Change name, rate_limit_tier, is_active, expires_atIn-place update
terraform destroyPermanently revokes the key
There is no managed re-fetch of secret after create. If you lose the secret, the only recovery is to revoke and recreate the key. Note: the provider does not yet expose regenerate as a resource action — use raff api-key regenerate when rotation is needed.

Importing existing keys

terraform import raff_api_key.ci <key-uuid>
After import, secret will be empty in state — the API key works, but Terraform cannot supply the secret to a downstream provider. Use the CLI to rotate and capture the new secret.

Permissions

The API key managing other API keys needs api_key.create, api_key.manage, and api_key.delete at the account level. The system role Account Admin grants all of these.

Data sources

# Single API key by UUID (no secret)
data "raff_api_key" "ci" {
  id = raff_api_key.ci.id
}

# All API keys (no secrets)
data "raff_api_keys" "all" {}

raff_role

Custom roles assigned to API keys via raff_member.

raff_member

Grant the key account-level access.

CLI: raff api-key

Imperative equivalent (incl. regenerate).
Last modified on May 11, 2026