
Provider Configuration

Configure the OpenClaw Terraform provider.

Example Usage

Connect to a running OpenClaw gateway for live configuration:

provider "openclaw" {
  gateway_url = "ws://127.0.0.1:18789"
  token       = var.gateway_token
}

File Mode

Manage the config file directly without a running gateway:

provider "openclaw" {
  config_path = "~/.openclaw/openclaw.json"
}

Environment Variables Only

All provider attributes can be set via environment variables, allowing a zero-config provider block:

provider "openclaw" {}

export OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789"
export OPENCLAW_GATEWAY_TOKEN="your-secret-token"
terraform apply

Argument Reference

| Argument | Type | Description | Env Var | Default |
|---|---|---|---|---|
| gateway_url | String | WebSocket URL of the OpenClaw gateway. When set, the provider uses WebSocket mode. | OPENCLAW_GATEWAY_URL | -- |
| token | String, Sensitive | Authentication token for the gateway WebSocket API. | OPENCLAW_GATEWAY_TOKEN | -- |
| config_path | String | Path to the openclaw.json config file. Used when gateway_url is not set. | OPENCLAW_CONFIG_PATH | ~/.openclaw/openclaw.json |

Mode Selection

The provider automatically selects its transport mode:

  1. If gateway_url is set (or OPENCLAW_GATEWAY_URL), WebSocket mode is used. The provider connects to the gateway's WS RPC API and applies changes via config.patch.
  2. Otherwise, File mode is used. The provider reads and writes the JSON config file at config_path.

WebSocket Mode

  • Requires a running OpenClaw gateway
  • Changes are applied via the config.patch RPC
  • Config reloads happen according to the gateway's reload_mode setting
  • The openclaw_health data source is only available in this mode
  • Supports authentication via token

File Mode

  • No running gateway required
  • Reads and writes openclaw.json directly
  • Uses a mutex to safely handle parallel resource operations
  • The openclaw_health data source will return an error in this mode
  • Useful for pre-provisioning configs before deploying the gateway

Authentication

When the gateway has gateway.auth.mode set to "token", you must provide the matching token:

variable "gateway_token" {
  type      = string
  sensitive = true
}

provider "openclaw" {
  gateway_url = "ws://127.0.0.1:18789"
  token       = var.gateway_token
}

Or via environment variable:

export OPENCLAW_GATEWAY_TOKEN="your-secret-token"

If the gateway has no auth configured (auth.mode = "none"), the token argument can be omitted.
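
The mode-selection rule and the token setting described above can be checked before terraform apply. The shell functions below are an added example, not part of the OpenClaw provider: the function names are hypothetical, and the script sees only the environment-variable form of the settings, not values written in the provider block.

```shell
# Added example; function names are hypothetical. Only the OPENCLAW_* variables
# and the mode-selection rule come from the page.

# Transport mode the provider selects for a given gateway URL ("" = unset).
openclaw_mode() {
  if [ -n "$1" ]; then echo "websocket"; else echo "file"; fi
}

# Host part of a WebSocket URL; handles bracketed IPv6 literals.
openclaw_url_host() {
  rest="${1#*://}"   # drop the scheme
  rest="${rest%%/*}" # drop any path
  case "$rest" in
    \[*) rest="${rest#?}"; echo "${rest%%]*}" ;; # [::1]:18789 -> ::1
    *)   echo "${rest%%:*}" ;;                   # host:port   -> host
  esac
}

# Prints a one-line verdict; returns non-zero when a token would leave the
# machine over plain ws://. Only exact loopback names count as local.
openclaw_preflight() {
  url="$1"; token="$2"
  if [ "$(openclaw_mode "$url")" = "file" ]; then
    echo "ok: file mode, no gateway connection"; return 0
  fi
  case "$url" in
    ws://*) ;;
    *) echo "ok: scheme is not plain ws://"; return 0 ;;
  esac
  host="$(openclaw_url_host "$url")"
  case "$host" in
    127.0.0.1|localhost|::1) echo "ok: websocket on loopback"; return 0 ;;
  esac
  if [ -n "$token" ]; then
    echo "fail: token would cross the network unencrypted to $host"; return 1
  fi
  echo "warn: unencrypted gateway connection to $host"; return 0
}

# Usage in CI, before terraform apply:
#   openclaw_preflight "${OPENCLAW_GATEWAY_URL:-}" "${OPENCLAW_GATEWAY_TOKEN:-}" || exit 1
```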
