
OpenFGA Store

Deploys an OpenFGA store — the top-level container for authorization models and relationship tuples. Each store provides isolated authorization data, making it suitable for separating environments, applications, or tenants. This component requires Terraform/Tofu as the provisioner; no Pulumi provider is available.

What Gets Created

When you deploy an OpenFgaStore resource, OpenMCF provisions:

  • OpenFGA Store — an openfga_store resource that creates a named store on the configured OpenFGA server

Prerequisites

  • OpenFGA server — a running OpenFGA instance (self-hosted or cloud-hosted)
  • OpenFGA credentials configured via environment variables: FGA_API_URL (required), plus either FGA_API_TOKEN for token-based auth or FGA_CLIENT_ID, FGA_CLIENT_SECRET, and FGA_API_TOKEN_ISSUER for client credentials auth
  • Terraform/Tofu — this component has no Pulumi provider; set the provisioner label to tofu
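
A preflight check for the credential variables listed above, written as an added example that is not part of OpenMCF or its documentation. The function name fga_auth_mode is hypothetical, and two rules in it are assumptions of this example rather than statements from the page: "either ... or" is read as exactly one auth mode, and plain http is accepted only for a loopback server.

```shell
#!/bin/sh
# Added example (not OpenMCF code): preflight check for the OpenFGA
# credential variables listed under Prerequisites.
# fga_auth_mode is a hypothetical helper name.
# Usage: fga_auth_mode >/dev/null && openmcf apply -f store.yaml

# Prints "token" or "client_credentials" and returns 0 when the environment
# is consistent; otherwise prints the reason on stderr and returns 1.
fga_auth_mode() {
    if [ -z "${FGA_API_URL:-}" ]; then
        echo "FGA_API_URL is required" >&2; return 1
    fi
    # Assumed policy: plain http is accepted only for a loopback server.
    case "$FGA_API_URL" in
        https://*) ;;
        http://*)
            hostport=${FGA_API_URL#http://}; hostport=${hostport%%/*}
            case "$hostport" in
                *@*) echo "FGA_API_URL must not embed credentials" >&2; return 1 ;;
                localhost|localhost:*|127.0.0.1|127.0.0.1:*) ;;
                *) echo "plain http to a non-loopback host exposes the credentials in transit" >&2
                   return 1 ;;
            esac ;;
        *) echo "FGA_API_URL must be an http:// or https:// URL" >&2; return 1 ;;
    esac
    # Count how many of the three client-credentials variables are non-empty.
    n=0
    for v in "${FGA_CLIENT_ID:-}" "${FGA_CLIENT_SECRET:-}" "${FGA_API_TOKEN_ISSUER:-}"; do
        if [ -n "$v" ]; then n=$((n + 1)); fi
    done
    unset v
    if [ -n "${FGA_API_TOKEN:-}" ] && [ "$n" -gt 0 ]; then
        # Assumption: "either ... or" on the page means exactly one mode.
        echo "token and client-credentials variables are both set; keep one mode" >&2
        return 1
    fi
    if [ -n "${FGA_API_TOKEN:-}" ]; then echo token; return 0; fi
    if [ "$n" -eq 3 ]; then echo client_credentials; return 0; fi
    if [ "$n" -eq 0 ]; then
        echo "no credentials set: need FGA_API_TOKEN or the three client-credentials variables" >&2
    else
        echo "client credentials incomplete: $n of 3 variables set" >&2
    fi
    return 1
}
```

The function never prints a credential value, so its output is safe to keep in CI logs.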

Quick Start

Create a file store.yaml:

apiVersion: openfga.openmcf.org/v1
kind: OpenFgaStore
metadata:
  name: my-store
  labels:
    openmcf.org/provisioner: tofu
spec:
  name: my-authorization-store

Deploy:

openmcf apply -f store.yaml

This creates a single OpenFGA store named my-authorization-store.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| name | string | Display name of the store on the OpenFGA server. The name identifies the store in the OpenFGA API. Immutable — changing it requires replacing the store. | Required |

Optional Fields

This component has no optional fields.

Examples

Development Store

A store for local development or CI environments:

apiVersion: openfga.openmcf.org/v1
kind: OpenFgaStore
metadata:
  name: dev-authz
  labels:
    openmcf.org/provisioner: tofu
spec:
  name: dev-authorization-store

Per-Application Store

Separate stores isolate authorization data between applications running in the same OpenFGA server:

apiVersion: openfga.openmcf.org/v1
kind: OpenFgaStore
metadata:
  name: billing-authz
  labels:
    openmcf.org/provisioner: tofu
spec:
  name: billing-service-authz

Production Store

A production environment store with a descriptive name reflecting its scope:

apiVersion: openfga.openmcf.org/v1
kind: OpenFgaStore
metadata:
  name: prod-authz
  labels:
    openmcf.org/provisioner: tofu
spec:
  name: production-authorization-store

Stack Outputs

After deployment, the following outputs are available in status.outputs:

| Output | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier of the OpenFGA store, required for creating authorization models and relationship tuples |
| name | string | Display name of the store as configured in spec.name |

Related Components

  • OpenFgaAuthorizationModel — defines the types, relations, and access rules within a store
  • OpenFgaRelationshipTuple — creates authorization data (who has what relation to which object) within a store
