In this quickstart, you'll learn how to configure a Grant Kit to automate access requests to yourself to approve or deny for a Null Resource.
A Null Resource acts as a do-nothing container, so we'll be effectively requesting and granting access to /dev/null. We're using a Null Resource so we can observe the end-to-end experience of what it's like to extend your existing Terraform setup from cloud infrastructure to access management. By using a Null Resource, we won't need additional dependencies to third-party systems.

Before you start

  1. 1.
    Make sure you have:

Step 1: Get the Abbey Starter Kit

Start by creating a new repository by copying the Abbey Starter Kit Quickstart template repository from
Step 1: Get the Abbey Starter Kit Quickstart
Create a new repository using the Repository Template.

Clone Your Starter Kit Repository

Clone your new repository using your preferred method.
For example:
Clone your repo

Step 2: Connect Your Starter Kit

Now that you have your new repository, you'll have to connect it to Abbey to be able to deploy your Starter Kit later.
To do this, go to the Abbey App and head over to the
Connections page ->
New Connection -> Fill in the name of your connector ->
Authenticate -> Create.

Step 3: Configure Your Starter Kit

Replace reviewers

In your file:
To find your Primary Identity, visit the Abbey App and click on your Profile Icon on the top right ->
Manage Account -> Look under Email addresses.
Find your Primary Identity on the Abbey App
Find your Primary Identity on the Abbey App.
What should it look like?
resource "abbey_grant_kit" "null_grant" {
workflow = {
steps = [
reviewers = {
one_of = ["[email protected]"]

Replace output.location

In your file:
  • Look for the location attribute. It'll be nested under output.
  • Replace the organization segment with your GitHub organization name.
  • Replace the repo segment with your repository name.
What should it look like?
resource "abbey_grant_kit" "null_grant" {
workflow = {
output = {
- location = "github://abbeylabs/starter-kit-quickstart/"
+ location = "github://{organization}/{repo}/"

Replace abbey_identity resource

In your file:
  • Look for the abbey_identity resource.
  • Look for the value attribute. It'll be nested under linked.abbey.
  • Replace the value with your Primary Identity.
What should it look like?
resource "abbey_identity" "user_1" {
linked = jsonencode({
abbey = [
type = "AuthId"


Find your API Key by going to the Developers page from your side navigation in the Abbey App.
Add this API Key as to your GitHub Repository Secret as ABBEY_TOKEN.
What should it look like?
If you cloned the Starter Kit to your Personal GitHub Account, you'll need to make sure your repository has the right permissions for GitHub Actions.
You can do this by going to your GitHub Repository's
Settings ->
Actions -> General -> Workflow permissions -> Click the "Read and write permissions" radio button -> Save.

Step 4: Deploy Your Starter Kit

To deploy, push to your main branch:
git push origin main
The deploy registers your resources with Abbey and effectively says "Hey Abbey, from this point forward, please manage permissions for these resources for me."
The starter kit uses a Abbey provided Terraform HTTP backend to persist state. Although this backend is secured with your Abbey API key, don't use this for production.
(Optional) Deploy without using CI
You can optionally deploy from your local machine without going through CI. To do this, you'll need to have Terraform installed. Once installed, you'll need to:
Initialize your Terraform configuration:
terraform init
(Optional) Plan your Terraform configuration:
You can optionally run terraform plan to get a sense of what changes would be made.
terraform plan
Before you deploy, make sure you push any changes to your repository. That way, Abbey has the latest changes when generating your Terraform output.
Deploy your Terraform configuration:
ABBEY_TOKEN=<your API key> terraform apply

Step 5: Automate Access Management

Congratulations! Abbey is now managing permissions to your Null Resource for you.
You can now log into the Abbey App, look under Resources, and send yourself a Request.
When you send a request, you'll see that a Pull Request was made. Normally Abbey will run any Workflow or Access Policies, but since we don't have any in this quickstart, the request will automatically get routed to you for an approve or deny decision.
Abbey strives to help you automate and secure access management without being intrusive.
To that end, this Pull Request contains native Terraform HCL code using the normal open source Terraform Null Provider library. It represents the permissions change. In this case, it's just a simple creation of a new Null Resource.
Now you can log into the Abbey App and approve or deny your Request. If you deny it, Abbey will close the corresponding Pull Request with a comment. If you approve, then Abbey will merge the Pull Request, in which your CI/CD system will materialize the changes using terraform apply.
Your CI/CD system should run terraform apply in the event of a push to your main branch.

Next Steps

To start automating and securing access to more interesting use cases, visit one of our Tutorials.
To learn more about Access Management as Code, start by visiting the Concepts.
  1. 1.
    Replace with your GitHub organization. name.
  2. 2.
    Replace with your GitHub repository name.