The kubiya_inline_source resource allows you to define tools and workflows directly in your Terraform configuration. This is ideal for custom tools, quick prototypes, and workflows that don’t require a separate Git repository. For Git-based sources, use the kubiya_source resource instead.
Inline sources are perfect for custom automation that’s tightly coupled with your infrastructure configuration, enabling rapid prototyping and deployment-specific tools.

Container-First Architecture

Kubiya uses a container-first architecture where every tool is backed by a Docker image. This ensures:
  • Secure, isolated execution environments - Each tool runs in its own container
  • Predictable and reproducible results - Consistent execution across environments
  • Language-agnostic tool implementation - Support for any programming language
  • Easy integration with existing containerized workflows - Leverage existing Docker images

Prerequisites

Before using this resource, ensure you have:
  1. A Kubiya account with API access
  2. An API key (generated from Kubiya dashboard under Admin → Kubiya API Keys)
  3. Docker images accessible from your runner environment
  4. Understanding of tool and workflow structure in Kubiya

Quick Start

resource "kubiya_inline_source" "hello_tool" {
  name   = "hello-world-tool"
  runner = "kubiya-hosted"
  
  tools = jsonencode([
    {
      name        = "say-hello"
      description = "A simple greeting tool"
      type        = "docker"
      image       = "alpine:latest"
      content     = "echo 'Hello, World!'"
    }
  ])
}

resource "kubiya_agent" "basic_agent" {
  name         = "greeting-agent"
  runner       = "kubiya-hosted"
  description  = "Agent with hello world tool"
  instructions = "You are a friendly agent that can greet users."
  
  sources = [kubiya_inline_source.hello_tool.id]
}

Configuration Examples

Create automation workflows for deployment processes:
resource "kubiya_inline_source" "deployment_workflows" {
  name   = "deployment-automation"
  runner = "kubiya-hosted"
  
  workflows = jsonencode([
    {
      name        = "blue-green-deployment"
      description = "Blue-green deployment strategy"
      steps = [
        {
          name        = "validate-config"
          description = "Validate deployment configuration"
          executor = {
            type = "command"
            config = {
              command = "kubectl apply --dry-run=client -f deployment.yaml"
            }
          }
        },
        {
          name        = "deploy-green"
          description = "Deploy green environment"
          depends     = ["validate-config"]
          executor = {
            type = "command"
            config = {
              command = "kubectl apply -f green-deployment.yaml"
            }
          }
        },
        {
          name        = "health-check"
          description = "Check green environment health"
          depends     = ["deploy-green"]
          executor = {
            type = "command"
            config = {
              command = "kubectl wait --for=condition=ready pod -l version=green --timeout=300s"
            }
          }
          output = "HEALTH_STATUS"
        },
        {
          name        = "switch-traffic"
          description = "Switch traffic to green"
          depends     = ["health-check"]
          executor = {
            type = "command"
            config = {
              command = "kubectl patch service app -p '{\"spec\":{\"selector\":{\"version\":\"green\"}}}'"
            }
          }
        }
      ]
    }
  ])
}

resource "kubiya_agent" "deployment_agent" {
  name         = "deployment-orchestrator"
  runner       = "kubiya-hosted"
  description  = "Deployment automation agent"
  instructions = "You orchestrate deployments using blue-green strategy."
  
  sources = [kubiya_inline_source.deployment_workflows.id]
}

Advanced Configurations

Combine tools and workflows in one comprehensive source:
resource "kubiya_inline_source" "devops_toolkit" {
  name   = "complete-devops-toolkit"
  runner = "kubiya-hosted"
  
  tools = jsonencode([
    {
      name        = "k8s-diagnostics"
      description = "Kubernetes cluster diagnostics"
      type        = "docker"
      image       = "bitnami/kubectl:latest"
      content     = <<-BASH
        echo "=== Cluster Status ==="
        kubectl cluster-info
        echo ""
        echo "=== Node Status ==="
        kubectl get nodes
        echo ""
        echo "=== Pod Issues ==="
        kubectl get pods --all-namespaces | grep -v Running
      BASH
    },
    {
      name        = "docker-cleanup"
      description = "Clean up Docker resources"
      type        = "docker"
      image       = "docker:latest"
      content     = <<-BASH
        echo "Cleaning up Docker resources..."
        docker system prune -f
        docker image prune -a -f
        echo "Cleanup completed"
      BASH
    }
  ])
  
  workflows = jsonencode([
    {
      name        = "incident-response"
      description = "Automated incident response"
      steps = [
        {
          name = "diagnose"
          executor = {
            type = "tool"
            config = {
              tool_name = "k8s-diagnostics"
            }
          }
          output = "DIAGNOSIS"
        },
        {
          name    = "cleanup"
          depends = ["diagnose"]
          executor = {
            type = "tool"
            config = {
              tool_name = "docker-cleanup"
            }
          }
        },
        {
          name    = "notify"
          depends = ["cleanup"]
          executor = {
            type = "agent"
            config = {
              teammate_name = "slack-notifier"
              message       = "Incident resolved. Diagnosis: ${DIAGNOSIS}"
            }
          }
        }
      ]
    }
  ])
}

resource "kubiya_agent" "devops_agent" {
  name         = "devops-specialist"
  runner       = "kubiya-hosted"
  description  = "DevOps agent with tools and workflows"
  instructions = "You are a DevOps specialist with diagnostic tools and incident response workflows."
  
  sources = [kubiya_inline_source.devops_toolkit.id]
}
Create security scanning and compliance tools:
resource "kubiya_inline_source" "security_tools" {
  name   = "security-scanning-tools"
  runner = "kubiya-hosted"
  
  tools = jsonencode([
    {
      name        = "dependency-check"
      description = "Check for vulnerable dependencies"
      type        = "docker"
      image       = "owasp/dependency-check:latest"
      content     = <<-BASH
        dependency-check.sh \
          --scan /src \
          --format JSON \
          --out /tmp/report.json \
          --suppression /tmp/suppressions.xml
        
        cat /tmp/report.json | jq '.dependencies[] | select(.vulnerabilities != null)'
      BASH
    },
    {
      name        = "secrets-scan"
      description = "Scan for exposed secrets"
      type        = "docker"
      image       = "trufflesecurity/trufflehog:latest"
      content     = <<-BASH
        trufflehog filesystem /src \
          --json \
          --only-verified
      BASH
    }
  ])
  
  workflows = jsonencode([
    {
      name        = "security-audit"
      description = "Complete security audit"
      steps = [
        {
          name = "scan-dependencies"
          executor = {
            type = "tool"
            config = {
              tool_name = "dependency-check"
            }
          }
          output = "DEPENDENCY_REPORT"
        },
        {
          name = "scan-secrets"
          executor = {
            type = "tool"
            config = {
              tool_name = "secrets-scan"
            }
          }
          output = "SECRETS_REPORT"
        },
        {
          name    = "generate-report"
          depends = ["scan-dependencies", "scan-secrets"]
          executor = {
            type = "agent"
            config = {
              teammate_name = "security-reporter"
              message       = "Generate security report from: Dependencies: ${DEPENDENCY_REPORT}, Secrets: ${SECRETS_REPORT}"
            }
          }
        }
      ]
    }
  ])
}
Create database management and migration tools:
resource "kubiya_inline_source" "db_tools" {
  name   = "database-management-tools"
  runner = "kubiya-hosted"
  
  tools = jsonencode([
    {
      name        = "db-backup"
      description = "Backup PostgreSQL database"
      type        = "docker"
      image       = "postgres:15-alpine"
      content     = <<-BASH
        PGPASSWORD=${DB_PASSWORD} pg_dump \
          -h ${DB_HOST} \
          -U ${DB_USER} \
          -d ${DB_NAME} \
          > /backup/backup_$(date +%Y%m%d_%H%M%S).sql
        
        echo "Backup completed successfully"
      BASH
      args = [
        {
          name        = "DB_HOST"
          type        = "string"
          description = "Database host"
          required    = true
        },
        {
          name        = "DB_NAME"
          type        = "string"
          description = "Database name"
          required    = true
        },
        {
          name        = "DB_USER"
          type        = "string"
          description = "Database user"
          required    = true
        },
        {
          name        = "DB_PASSWORD"
          type        = "string"
          description = "Database password"
          required    = true
        }
      ]
    }
  ])
  
  workflows = jsonencode([
    {
      name        = "database-migration"
      description = "Database migration workflow"
      steps = [
        {
          name = "backup-current"
          executor = {
            type = "tool"
            config = {
              tool_name = "db-backup"
            }
          }
        },
        {
          name    = "run-migration"
          depends = ["backup-current"]
          executor = {
            type = "command"
            config = {
              command = "flyway migrate"
            }
          }
        },
        {
          name    = "verify-migration"
          depends = ["run-migration"]
          executor = {
            type = "command"
            config = {
              command = "flyway info"
            }
          }
        }
      ]
    }
  ])
}

Arguments Reference

Required Arguments

name
string
required
The name of the inline source. Must be unique within your organization.

Optional Arguments

runner
string
default:"kubiya-hosted"
The runner to use for executing tools and workflows from this source.
tools
string
JSON-encoded array of inline tool definitions. Each tool defines a containerized executable.
workflows
string
JSON-encoded array of workflow definitions. Each workflow defines a multi-step automation process.
dynamic_config
string
JSON-encoded configuration for dynamic parameters and source-level settings.

Tool Definition Structure

tools[].name
string
required
Unique identifier for the tool.
tools[].description
string
required
Human-readable description of what the tool does.
tools[].type
string
required
Execution type (usually “docker” for containerized tools).
tools[].image
string
required
Docker image to use for tool execution.
tools[].content
string
required
Command or script to execute within the container.
tools[].with_files
array
Optional files to create in the container before execution:
tools[].with_files[].destination
string
required
File path within the container where the file should be created.
tools[].with_files[].content
string
required
Content of the file to be created.
tools[].args
array
Optional arguments that the tool accepts:
tools[].args[].name
string
required
Name of the argument (used as environment variable).
tools[].args[].type
string
required
Type of the argument (e.g., “string”, “number”, “boolean”).
tools[].args[].description
string
required
Description of what the argument is used for.
tools[].args[].required
boolean
default:"false"
Whether the argument is required for tool execution.
tools[].args[].default
string
Default value for the argument if not provided.

Workflow Definition Structure

workflows[].name
string
required
Name identifier for the workflow.
workflows[].description
string
required
Description of the workflow’s purpose.
workflows[].steps
array
required
Array of workflow steps defining the execution sequence:
workflows[].steps[].name
string
required
Unique name for the step within the workflow.
workflows[].steps[].description
string
Optional description of what the step does.
workflows[].steps[].executor
object
required
Executor configuration defining how the step runs:
  • type: “tool”, “command”, or “agent”
  • config: Configuration specific to the executor type
workflows[].steps[].depends
array
Array of step names that must complete before this step runs.
workflows[].steps[].output
string
Variable name to store the step’s output for use in subsequent steps.

Attributes Reference

In addition to all arguments above, the following attributes are exported:
id
string
The unique identifier of the inline source.
type
string
The computed type of the source (always “inline”).

Import

Inline sources can be imported using their ID: 
terraform import kubiya_inline_source.example <inline-source-id>

Best Practices

Container Management

  • Use specific image tags rather than “latest” for reproducibility
  • Choose lightweight base images when possible (alpine, slim variants)
  • Consider resource requirements when selecting Docker images
  • Ensure images are accessible from your runner environment

Security

  • Never hardcode credentials in tool definitions; use Kubiya secrets
  • Use read-only file systems where possible
  • Implement proper input validation in tool scripts
  • Audit tool permissions and capabilities regularly

Development & Testing

  • Test tools and workflows in development before production use
  • Include error handling in tool scripts
  • Use echo statements and output variables for debugging workflows
  • Create focused, single-purpose tools that can be composed

Documentation & Maintenance

  • Include clear descriptions for tools and their parameters
  • Document expected inputs and outputs for each tool
  • Consider moving complex tools to Git repositories as they mature
  • Version control your Terraform configurations

Executor Types

Execute custom tools defined in the same source:
{
  "type": "tool",
  "config": {
    "tool_name": "my-custom-tool",
    "args": {
      "param1": "value1",
      "param2": "value2"
    }
  }
}

Compatibility

Requirements:
  • Kubiya Terraform Provider version >= 1.0.0
  • Terraform >= 1.0
  • Docker images must be accessible from the runner environment
  • Tools and workflows are defined inline, not from Git repositories
Important Considerations:
  • Inline sources must be created before agents can reference them
  • Large tool definitions may impact Terraform plan/apply performance
  • Complex tools should consider migration to Git-based sources
  • Container resource limits apply to tool execution

Troubleshooting

  • Verify Docker images are accessible from the runner environment
  • Check tool arguments and environment variable formatting
  • Ensure file paths in with_files are absolute and valid
  • Review container logs for execution errors
  • Validate step dependencies for circular references
  • Check output variable names match between steps
  • Ensure tool_name references match defined tool names
  • Verify executor configurations are properly formatted
  • Use jsonencode() function for complex structures
  • Validate JSON syntax with external tools if needed
  • Check for proper escaping of special characters
  • Ensure consistent indentation and formatting