diff --git a/.gitignore b/.gitignore
index cd75da4de..7a1f1d585 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ docs/cli-docs/
 
 # generated test 'actuals'
 kong2kic/testdata/**/*-actual.*
+kong2tf/testdata/**/*-actual.*
+kong2tf/terraform
diff --git a/cmd/file_kong2tf.go b/cmd/file_kong2tf.go
new file mode 100644
index 000000000..5fbae1c15
--- /dev/null
+++ b/cmd/file_kong2tf.go
@@ -0,0 +1,95 @@
+package cmd
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/kong/deck/kong2tf"
+	"github.com/kong/go-apiops/filebasics"
+	"github.com/kong/go-apiops/logbasics"
+	"github.com/kong/go-database-reconciler/pkg/file"
+	"github.com/spf13/cobra"
+)
+
+var (
+	cmdKong2TfInputFilename                    string
+	cmdKong2TfOutputFilename                   string
+	cmdKong2TfGenerateImportsForControlPlaneID string
+	cmdKong2TfIgnoreCredentialChanges          bool
+)
+
+// Executes the CLI command "kong2Tf"
+func executeKong2Tf(cmd *cobra.Command, _ []string) error {
+	_ = sendAnalytics("file-kong2Tf", "", modeLocal)
+	var (
+		result string
+		err    error
+	)
+
+	verbosity, _ := cmd.Flags().GetInt("verbose")
+	logbasics.Initialize(log.LstdFlags, verbosity)
+
+	logbasics.Info("Starting execution of executeKong2Tf")
+
+	inputContent, err := file.GetContentFromFiles([]string{cmdKong2TfInputFilename}, false)
+	if err != nil {
+		log.Printf("Error reading input file '%s'; %v", cmdKong2TfInputFilename, err)
+		return fmt.Errorf("failed reading input file '%s'; %w", cmdKong2TfInputFilename, err)
+	}
+	logbasics.Info("Successfully read input file '%s'", cmdKong2TfInputFilename)
+
+	logbasics.Info("Converting Kong configuration to Terraform")
+
+	var generateImportsForControlPlaneID *string
+	if cmdKong2TfGenerateImportsForControlPlaneID != "" {
+		generateImportsForControlPlaneID = &cmdKong2TfGenerateImportsForControlPlaneID
+	}
+	result, err = kong2tf.Convert(inputContent, generateImportsForControlPlaneID, cmdKong2TfIgnoreCredentialChanges)
+	if err != nil {
+		log.Printf("Error converting Kong configuration to Terraform; %v", err)
+		return fmt.Errorf("failed converting Kong configuration to Terraform; %w", err)
+	}
+	logbasics.Info("Successfully converted Kong configuration to Terraform")
+
+	logbasics.Info("Writing output to file '%s'", cmdKong2TfOutputFilename)
+	err = filebasics.WriteFile(cmdKong2TfOutputFilename, []byte(result))
+	if err != nil {
+		log.Printf("Error writing output to file '%s'; %v", cmdKong2TfOutputFilename, err)
+		return err
+	}
+	logbasics.Info("Successfully wrote output to file '%s'", cmdKong2TfOutputFilename)
+
+	logbasics.Info("Finished execution of executeKong2Tf")
+	return nil
+}
+
+//
+//
+// Define the CLI data for the kong2Tf command
+//
+//
+
+func newKong2TfCmd() *cobra.Command {
+	kong2TfCmd := &cobra.Command{
+		Use:   "kong2tf",
+		Short: "Convert Kong configuration files to Terraform resources",
+		Long: `Convert Kong configuration files to Terraform resources.
+		
+The kong2tf subcommand transforms Kong Gateway entities in deck format, 
+into Terraform resources.`,
+		RunE: executeKong2Tf,
+		Args: cobra.NoArgs,
+	}
+
+	kong2TfCmd.Flags().StringVarP(&cmdKong2TfInputFilename, "state", "s", "-",
+		"decK file to process. Use - to read from stdin.")
+	kong2TfCmd.Flags().StringVarP(&cmdKong2TfOutputFilename, "output-file", "o", "-",
+		"Output file to write. Use - to write to stdout.")
+	kong2TfCmd.Flags().StringVarP(&cmdKong2TfGenerateImportsForControlPlaneID,
+		"generate-imports-for-control-plane-id", "g", "", "Generate terraform import statements for the control plane ID.")
+	kong2TfCmd.Flags().BoolVar(&cmdKong2TfIgnoreCredentialChanges, "ignore-credential-changes", false,
+		"Enable flag to add a 'lifecycle' block to each consumer credential, "+
+			"that ignores any changes from local to remote state.")
+
+	return kong2TfCmd
+}
diff --git a/cmd/root.go b/cmd/root.go
index fee3bef69..6db964918 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -253,6 +253,7 @@ It can be used to export, import, or sync entities to Kong.`,
 		fileCmd.AddCommand(newConvertCmd(false))
 		fileCmd.AddCommand(newValidateCmd(false, false)) // file-based validation
 		fileCmd.AddCommand(newKong2KicCmd())
+		fileCmd.AddCommand(newKong2TfCmd())
 	}
 	return rootCmd
 }
diff --git a/go.mod b/go.mod
index 626632de5..9d92585ad 100644
--- a/go.mod
+++ b/go.mod
@@ -102,6 +102,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/hashstructure v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
diff --git a/go.sum b/go.sum
index 9b2a4448b..12b83d268 100644
--- a/go.sum
+++ b/go.sum
@@ -218,6 +218,8 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0=
+github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
diff --git a/kong2tf/builder.go b/kong2tf/builder.go
new file mode 100644
index 000000000..7f4666cb9
--- /dev/null
+++ b/kong2tf/builder.go
@@ -0,0 +1,51 @@
+package kong2tf
+
+import (
+	"github.com/kong/go-database-reconciler/pkg/file"
+)
+
+type ITerraformBuilder interface {
+	buildControlPlaneVar(*string)
+	buildServices(*file.Content, *string)
+	buildRoutes(*file.Content, *string)
+	buildGlobalPlugins(*file.Content, *string)
+	buildConsumers(*file.Content, *string, bool)
+	buildConsumerGroups(*file.Content, *string)
+	buildUpstreams(*file.Content, *string)
+	buildCACertificates(*file.Content, *string)
+	buildCertificates(*file.Content, *string)
+	buildVaults(*file.Content, *string)
+	getContent() string
+}
+
+func getTerraformBuilder() ITerraformBuilder {
+	return newDefaultTerraformBuilder()
+}
+
+type Director struct {
+	builder ITerraformBuilder
+}
+
+func newDirector(builder ITerraformBuilder) *Director {
+	return &Director{
+		builder: builder,
+	}
+}
+
+func (d *Director) builTerraformResources(
+	content *file.Content,
+	generateImportsForControlPlaneID *string,
+	ignoreCredentialChanges bool,
+) string {
+	d.builder.buildControlPlaneVar(generateImportsForControlPlaneID)
+	d.builder.buildGlobalPlugins(content, generateImportsForControlPlaneID)
+	d.builder.buildServices(content, generateImportsForControlPlaneID)
+	d.builder.buildUpstreams(content, generateImportsForControlPlaneID)
+	d.builder.buildRoutes(content, generateImportsForControlPlaneID)
+	d.builder.buildConsumers(content, generateImportsForControlPlaneID, ignoreCredentialChanges)
+	d.builder.buildConsumerGroups(content, generateImportsForControlPlaneID)
+	d.builder.buildCACertificates(content, generateImportsForControlPlaneID)
+	d.builder.buildCertificates(content, generateImportsForControlPlaneID)
+	d.builder.buildVaults(content, generateImportsForControlPlaneID)
+	return d.builder.getContent()
+}
diff --git a/kong2tf/builder_default_terraform.go b/kong2tf/builder_default_terraform.go
new file mode 100644
index 000000000..fb11d791f
--- /dev/null
+++ b/kong2tf/builder_default_terraform.go
@@ -0,0 +1,441 @@
+package kong2tf
+
+import (
+	"crypto/md5" //nolint:gosec
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/kong/go-database-reconciler/pkg/file"
+)
+
+type DefaultTerraformBuider struct {
+	content string
+}
+
+func newDefaultTerraformBuilder() *DefaultTerraformBuider {
+	return &DefaultTerraformBuider{}
+}
+
+// Generic function that takes type T and returns map[string]any using JSON marshalling
+func toMapAny(resource any) map[string]any {
+	resourceMap := make(map[string]interface{})
+	resourceJSON, err := json.Marshal(resource)
+	if err != nil {
+		log.Fatal(err, "Failed to marshal resource")
+		return resourceMap
+	}
+	err = json.Unmarshal(resourceJSON, &resourceMap)
+	if err != nil {
+		log.Fatal(err, "Failed to unmarshal resource")
+		return resourceMap
+	}
+	return resourceMap
+}
+
+func (b *DefaultTerraformBuider) buildControlPlaneVar(controlPlaneID *string) {
+	cpID := "YOUR_CONTROL_PLANE_ID"
+	if controlPlaneID != nil {
+		cpID = *controlPlaneID
+	}
+	b.content += fmt.Sprintf(`variable "control_plane_id" {
+  type = "string"
+  default = "%s"
+}`, cpID) + "\n\n"
+}
+
+func (b *DefaultTerraformBuider) buildServices(content *file.Content, controlPlaneID *string) {
+	for _, service := range content.Services {
+		parentResourceName := strings.ReplaceAll(*service.Name, "-", "_")
+		b.content += generateResource(
+			"gateway_service",
+			parentResourceName,
+			toMapAny(service),
+			map[string]string{},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": service.ID,
+				},
+			},
+			[]string{},
+		)
+
+		for _, route := range service.Routes {
+			resourceName := strings.ReplaceAll(*route.Name, "-", "_")
+			b.content += generateResource("gateway_route", resourceName, toMapAny(route), map[string]string{
+				"service": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": route.ID,
+				},
+			}, []string{})
+
+			for _, plugin := range route.Plugins {
+				pluginName := strings.ReplaceAll(*plugin.Name, "-", "_")
+				b.content += generateResource("gateway_plugin", pluginName, toMapAny(plugin), map[string]string{
+					"route": resourceName,
+				}, importConfig{
+					controlPlaneID: controlPlaneID,
+					importValues: map[string]*string{
+						"id": plugin.ID,
+					},
+				}, []string{})
+			}
+		}
+
+		for _, plugin := range service.Plugins {
+			resourceName := strings.ReplaceAll(*plugin.Name, "-", "_")
+			b.content += generateResource("gateway_plugin", resourceName, toMapAny(plugin), map[string]string{
+				"service": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": plugin.ID,
+				},
+			}, []string{})
+		}
+	}
+}
+
+func (b *DefaultTerraformBuider) buildRoutes(content *file.Content, controlPlaneID *string) {
+	for _, route := range content.Routes {
+		parentResourceName := strings.ReplaceAll(*route.Name, "-", "_")
+		parents := map[string]string{}
+		if route.Service != nil {
+			parents["service"] = strings.ReplaceAll(*route.Service.Name, "-", "_")
+		}
+		b.content += generateResource("gateway_route", parentResourceName, toMapAny(route), parents, importConfig{
+			controlPlaneID: controlPlaneID,
+			importValues: map[string]*string{
+				"id": route.ID,
+			},
+		}, []string{})
+
+		for _, plugin := range route.Plugins {
+			resourceName := strings.ReplaceAll(*plugin.Name, "-", "_")
+			b.content += generateResource("gateway_plugin", resourceName, toMapAny(plugin), map[string]string{
+				"route": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": plugin.ID,
+				},
+			}, []string{})
+		}
+	}
+}
+
+func (b *DefaultTerraformBuider) buildGlobalPlugins(content *file.Content, controlPlaneID *string) {
+	for _, globalPlugin := range content.Plugins {
+		resourceName := strings.ReplaceAll(*globalPlugin.Name, "-", "_")
+		b.content += generateResource(
+			"gateway_plugin",
+			resourceName,
+			toMapAny(globalPlugin),
+			map[string]string{},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": globalPlugin.ID,
+				},
+			},
+			[]string{},
+		)
+	}
+}
+
+func (b *DefaultTerraformBuider) buildConsumers(
+	content *file.Content,
+	controlPlaneID *string,
+	ignoreCredentialChanges bool,
+) {
+	for _, consumer := range content.Consumers {
+		parentResourceName := strings.ReplaceAll(*consumer.Username, "-", "_")
+		b.content += generateResource(
+			"gateway_consumer",
+			parentResourceName,
+			toMapAny(consumer),
+			map[string]string{},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": consumer.ID,
+				},
+			},
+			[]string{},
+		)
+
+		for _, cg := range consumer.Groups {
+			resourceName := strings.ReplaceAll(*cg.Name, "-", "_")
+
+			b.content += generateRelationship(
+				"gateway_consumer_group_member",
+				resourceName+"_"+parentResourceName,
+				map[string]string{
+					"consumer":       parentResourceName,
+					"consumer_group": resourceName,
+				},
+				toMapAny(consumer),
+				importConfig{
+					controlPlaneID: controlPlaneID,
+					importValues: map[string]*string{
+						"consumer_id":       consumer.ID,
+						"consumer_group_id": cg.ID,
+					},
+				},
+			)
+		}
+
+		for _, acl := range consumer.ACLGroups {
+			resourceName := "acl_" + strings.ReplaceAll(*acl.Group, "-", "_")
+			b.content += generateResource("gateway_acl", resourceName, toMapAny(acl), map[string]string{
+				"consumer_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          acl.ID,
+					"consumer_id": consumer.ID,
+				},
+			}, []string{})
+		}
+
+		for _, basicauth := range consumer.BasicAuths {
+			lifecycle := []string{}
+
+			if ignoreCredentialChanges {
+				lifecycle = []string{
+					"password",
+				}
+			}
+
+			resourceName := "basic_auth_" + strings.ReplaceAll(*basicauth.Username, "-", "_")
+			b.content += generateResource("gateway_basic_auth", resourceName, toMapAny(basicauth), map[string]string{
+				"consumer_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          basicauth.ID,
+					"consumer_id": consumer.ID,
+				},
+			}, lifecycle)
+		}
+
+		for _, keyauth := range consumer.KeyAuths {
+			resourceName := "key_auth_" + strings.ReplaceAll(*keyauth.Key, "-", "_")
+			b.content += generateResource("gateway_key_auth", resourceName, toMapAny(keyauth), map[string]string{
+				"consumer_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          keyauth.ID,
+					"consumer_id": consumer.ID,
+				},
+			}, []string{})
+		}
+
+		for _, jwt := range consumer.JWTAuths {
+			lifecycle := []string{}
+
+			if ignoreCredentialChanges {
+				lifecycle = []string{
+					"secret", "key",
+				}
+			}
+			resourceName := "jwt_" + strings.ReplaceAll(*jwt.Key, "-", "_")
+			b.content += generateResource("gateway_jwt", resourceName, toMapAny(jwt), map[string]string{
+				"consumer_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          jwt.ID,
+					"consumer_id": consumer.ID,
+				},
+			}, lifecycle)
+		}
+
+		for _, hmacauth := range consumer.HMACAuths {
+			resourceName := "hmac_auth_" + strings.ReplaceAll(*hmacauth.Username, "-", "_")
+			b.content += generateResource("gateway_hmac_auth", resourceName, toMapAny(hmacauth), map[string]string{
+				"consumer_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          hmacauth.ID,
+					"consumer_id": consumer.ID,
+				},
+			}, []string{})
+		}
+
+		for _, plugin := range consumer.Plugins {
+			pluginName := strings.ReplaceAll(*plugin.Name, "-", "_")
+			b.content += generateResource("gateway_plugin", pluginName, toMapAny(plugin), map[string]string{
+				"consumer": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": plugin.ID,
+				},
+			}, []string{})
+		}
+
+	}
+}
+
+func (b *DefaultTerraformBuider) buildConsumerGroups(content *file.Content, controlPlaneID *string) {
+	for _, cg := range content.ConsumerGroups {
+		parentResourceName := strings.ReplaceAll(*cg.Name, "-", "_")
+		parents := map[string]string{}
+		b.content += generateResource("gateway_consumer_group", parentResourceName, toMapAny(cg), parents, importConfig{
+			controlPlaneID: controlPlaneID,
+			importValues: map[string]*string{
+				"id": cg.ID,
+			},
+		}, []string{})
+
+		// We intentionally don't generate consumers here. Consumers is a FK reference, not a definition.
+		for _, consumer := range cg.Consumers {
+			resourceName := strings.ReplaceAll(*consumer.Username, "-", "_")
+
+			b.content += generateRelationship(
+				"gateway_consumer_group_member",
+				parentResourceName+"_"+resourceName,
+				map[string]string{
+					"consumer":       resourceName,
+					"consumer_group": parentResourceName,
+				},
+				toMapAny(consumer),
+				importConfig{
+					controlPlaneID: controlPlaneID,
+					importValues: map[string]*string{
+						"consumer_id":       consumer.ID,
+						"consumer_group_id": cg.ID,
+					},
+				},
+			)
+		}
+
+		for _, plugin := range cg.Plugins {
+			resourceName := strings.ReplaceAll(*plugin.Name, "-", "_")
+			b.content += generateResource("gateway_plugin", resourceName, toMapAny(plugin), map[string]string{
+				"consumer_group": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": plugin.ID,
+				},
+			}, []string{})
+		}
+	}
+}
+
+func (b *DefaultTerraformBuider) buildUpstreams(content *file.Content, controlPlaneID *string) {
+	for _, upstream := range content.Upstreams {
+		parentResourceName := strings.ReplaceAll(*upstream.Name, "-", "_")
+		parentResourceName = "upstream_" + strings.ReplaceAll(parentResourceName, ".", "_")
+		parents := map[string]string{}
+		b.content += generateResource("gateway_upstream", parentResourceName, toMapAny(upstream), parents, importConfig{
+			controlPlaneID: controlPlaneID,
+			importValues: map[string]*string{
+				"id": upstream.ID,
+			},
+		}, []string{})
+
+		for _, target := range upstream.Targets {
+			resourceName := strings.ReplaceAll(*target.Target.Target, ".", "_")
+			resourceName = "target_" + strings.ReplaceAll(resourceName, ":", "_")
+			b.content += generateResource("gateway_target", resourceName, toMapAny(target), map[string]string{
+				"upstream_id": parentResourceName,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id":          target.ID,
+					"upstream_id": upstream.ID,
+				},
+			}, []string{})
+		}
+	}
+}
+
+func (b *DefaultTerraformBuider) buildCACertificates(content *file.Content, controlPlaneID *string) {
+	idx := 0
+	for _, caCertificate := range content.CACertificates {
+		hashedCert := fmt.Sprintf("%x", md5.Sum([]byte(*caCertificate.Cert))) //nolint:gosec
+		resourceName := "ca_cert_" + hashedCert
+		idx++
+		b.content += generateResource(
+			"gateway_ca_certificate",
+			resourceName,
+			toMapAny(caCertificate),
+			map[string]string{},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": caCertificate.ID,
+				},
+			},
+			[]string{},
+		)
+	}
+}
+
+func (b *DefaultTerraformBuider) buildCertificates(content *file.Content, controlPlaneID *string) {
+	for _, certificate := range content.Certificates {
+		hashedCert := fmt.Sprintf("%x", md5.Sum([]byte(*certificate.Cert))) //nolint:gosec
+		resourceName := "cert_" + hashedCert
+		b.content += generateResource(
+			"gateway_certificate",
+			resourceName,
+			toMapAny(certificate),
+			map[string]string{},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": certificate.ID,
+				},
+			},
+			[]string{},
+		)
+
+		for _, sni := range certificate.SNIs {
+			resourceName := "sni_" + strings.ReplaceAll(*sni.Name, ".", "_")
+			b.content += generateResource("gateway_sni", resourceName, toMapAny(sni), map[string]string{
+				"certificate": "cert_" + hashedCert,
+			}, importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": sni.ID,
+				},
+			}, []string{})
+		}
+	}
+}
+
+func (b *DefaultTerraformBuider) buildVaults(content *file.Content, controlPlaneID *string) {
+	for _, vault := range content.Vaults {
+		parentResourceName := strings.ReplaceAll(*vault.Name, "-", "_")
+		parents := map[string]string{}
+		b.content += generateResourceWithCustomizations(
+			"gateway_vault",
+			parentResourceName,
+			toMapAny(vault),
+			parents,
+			map[string]string{
+				"config": "jsonencode",
+			},
+			importConfig{
+				controlPlaneID: controlPlaneID,
+				importValues: map[string]*string{
+					"id": vault.ID,
+				},
+			},
+			[]string{},
+		)
+	}
+}
+
+func (b *DefaultTerraformBuider) getContent() string {
+	return b.content
+}
diff --git a/kong2tf/generate_resource.go b/kong2tf/generate_resource.go
new file mode 100644
index 000000000..07295ee57
--- /dev/null
+++ b/kong2tf/generate_resource.go
@@ -0,0 +1,393 @@
+package kong2tf
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+)
+
+type importConfig struct {
+	controlPlaneID *string
+	importValues   map[string]*string
+}
+
+func generateResource(
+	entityType,
+	name string,
+	entity map[string]any,
+	parents map[string]string,
+	imports importConfig,
+	lifecycle []string,
+) string {
+	return generateResourceWithCustomizations(entityType, name, entity, parents, map[string]string{}, imports, lifecycle)
+}
+
+func generateResourceWithCustomizations(
+	entityType,
+	name string,
+	entity map[string]any,
+	parents map[string]string,
+	customizations map[string]string,
+	imports importConfig,
+	lifecycle []string,
+) string {
+	// Cache ID in case we need to use it for imports
+	entityID := ""
+	if entity["id"] != nil {
+		entityID = entity["id"].(string)
+	}
+
+	// Populate parents with foreign keys as needed
+	parentKeys := []string{"service", "route", "consumer", "upstream", "certificate", "consumer_group"}
+
+	// Populate parents with foreign keys as needed
+	for _, key := range parentKeys {
+		if entity[key] != nil {
+			// Switch on type of parent
+			switch entity[key].(type) {
+			case string:
+				parents[key] = entity[key].(string)
+			case map[string]interface{}:
+				parents[key] = entity[key].(map[string]interface{})["name"].(string)
+			default:
+				panic(fmt.Sprintf("Unknown type for parent %s", key))
+			}
+		}
+	}
+
+	// List of keys to remove
+	removeKeys := []string{
+		"id",
+	}
+
+	// Build a map of entity types to keys
+	entityTypeToKeys := map[string][]string{
+		"gateway_service": {"routes", "plugins"},
+		"gateway_route":   {"plugins", "service"},
+		"gateway_plugin":  {"service", "route", "consumer"},
+		"gateway_consumer": {
+			"groups", "acls", "basicauth_credentials", "keyauth_credentials",
+			"jwt_secrets", "hmacauth_credentials", "basicauth_credentials", "plugins",
+		},
+		"gateway_upstream":       {"targets"},
+		"gateway_consumer_group": {"consumers", "plugins"},
+		"gateway_certificate":    {"snis"},
+	}
+
+	if additionalKeys := entityTypeToKeys[entityType]; additionalKeys != nil {
+		removeKeys = append(removeKeys, additionalKeys...)
+	}
+
+	// Remove keys that are not needed
+	for _, k := range removeKeys {
+		delete(entity, k)
+	}
+
+	if entityType == "gateway_plugin" {
+		entityType = fmt.Sprintf("%s_%s", entityType, name)
+		delete(entity, "name")
+	}
+
+	// We don't need to prefix SNIs with the Cert name
+	// Or routes with the service name
+	if entityType != "gateway_sni" && entityType != "gateway_route" {
+		for k := range parents {
+			name = fmt.Sprintf("%s_%s", strings.ReplaceAll(parents[k], "-", "_"), name)
+		}
+	}
+
+	s := fmt.Sprintf(`
+resource "konnect_%s" "%s" {
+%s
+
+%s  control_plane_id = var.control_plane_id%s
+}
+`,
+		entityType, name,
+		strings.TrimRight(output(entityType, entity, 1, true, "\n", customizations), "\n"),
+		generateParents(parents),
+		generateLifecycle(lifecycle))
+
+	// Generate imports
+	if imports.controlPlaneID != nil && entityID != "" {
+		entity["id"] = entityID
+		s += generateImports(entityType, name, imports.importValues, imports.controlPlaneID)
+	}
+
+	return strings.TrimSpace(s) + "\n\n"
+}
+
+func generateRelationship(
+	entityType string,
+	name string,
+	relations map[string]string,
+	_ map[string]any, // 'entity' when TODO is resolved
+	_ importConfig, // 'imports' when TODO is resolved
+) string {
+	// TODO: We don't support relationship importing in the provider yet
+	// entityID := entity["id"].(string)
+
+	s := fmt.Sprintf(`resource "konnect_%s" "%s" {`, entityType, name)
+
+	// Extract keys to iterate in a deterministic order
+	keys := make([]string, 0)
+	for k := range relations {
+		keys = append(keys, k)
+	}
+
+	sort.Strings(keys)
+
+	// Output each item in the relationship
+	for _, k := range keys {
+		s += fmt.Sprintf("\n"+`  %s_id = konnect_gateway_%s.%s.id`, k, k, relations[k])
+	}
+	s += "\n  control_plane_id = var.control_plane_id"
+	s += "\n}\n\n"
+
+	// TODO: We don't support relationship importing in the provider yet
+	/*
+		│ Error: Not Implemented
+		│
+		│ No available import state operation is available for resource gateway_consumer_group_member.
+	*/
+	//if imports.controlPlaneID != nil {
+	//	entity["id"] = entityID
+	//	s += generateImports(entityType, name, entity, imports.importValues, imports.controlPlaneID) + "\n\n"
+	//}
+
+	return s
+}
+
+func generateImports(
+	entityType string,
+	name string,
+	keysFromEntity map[string]*string,
+	cpID *string,
+) string {
+	if len(keysFromEntity) == 0 {
+		return ""
+	}
+
+	return fmt.Sprintf("\n"+`import {
+  to = konnect_%s.%s
+  id = "%s"
+}`, entityType, name, generateImportKeys(keysFromEntity, cpID))
+}
+
+func generateImportKeys(keys map[string]*string, cpID *string) string {
+	if len(keys) == 0 {
+		return ""
+	}
+
+	s := "{"
+	for k, val := range keys {
+		s += fmt.Sprintf(`\"%s\": \"%s\", `, k, *val)
+	}
+
+	s += fmt.Sprintf(`\"control_plane_id\": \"%s\", `, *cpID)
+
+	s = strings.TrimRight(s, ", ")
+
+	s += "}"
+
+	return s
+}
+
+func generateLifecycle(lifecycle []string) string {
+	if len(lifecycle) == 0 {
+		return ""
+	}
+
+	s := `
+  lifecycle {
+    ignore_changes = [`
+	for _, l := range lifecycle {
+		s += "\n      " + l + ","
+	}
+	s = strings.TrimRight(s, ",")
+
+	s += `
+    ]
+  }
+`
+
+	return s
+}
+
+func generateParents(parents map[string]string) string {
+	if len(parents) == 0 {
+		return ""
+	}
+
+	var result []string
+	for k, v := range parents {
+		v = strings.ReplaceAll(v, "-", "_")
+		// if parent ends with _id, use it as-is
+		if strings.HasSuffix(k, "_id") {
+			result = append(result, fmt.Sprintf(`  %s = konnect_gateway_%s.%s.id`, k, strings.TrimSuffix(k, "_id"), v)+"\n")
+			continue
+		}
+		result = append(result, fmt.Sprintf(`  %s = {
+    id = konnect_gateway_%s.%s.id
+  }`+"\n", k, k, v))
+	}
+
+	return strings.Join(result, "\n") + "\n"
+}
+
+// Output function that handles the dynamic data
+func output(
+	entityType string,
+	object map[string]interface{},
+	depth int,
+	isRoot bool,
+	eol string,
+	customizations map[string]string,
+) string {
+	var result []string
+
+	// Loop through object in order of keys
+	keys := make([]string, 0)
+	for k := range object {
+		keys = append(keys, k)
+	}
+
+	sort.Strings(keys)
+
+	// Move the most common keys to the front
+	var prioritizedKeys []string
+	for _, k := range []string{"enabled", "name", "username"} {
+		if _, exists := object[k]; exists {
+			prioritizedKeys = append(prioritizedKeys, k)
+		}
+	}
+
+	// Append the rest of the keys
+	for _, k := range keys {
+		if contains(prioritizedKeys, k) {
+			continue
+		}
+		if k != "name" && k != "enabled" {
+			prioritizedKeys = append(prioritizedKeys, k)
+		}
+	}
+	keys = prioritizedKeys
+
+	for _, k := range keys {
+		v := object[k]
+
+		// TODO: Remove this once deck dump doesn't export nil values
+		if v == nil {
+			continue
+		}
+
+		switch v := v.(type) {
+		case map[string]interface{}:
+			result = append(result, outputHash(entityType, k, v, depth, isRoot, eol, customizations))
+		case []interface{}:
+			result = append(result, outputList(entityType, k, v, depth))
+		default:
+			result = append(result, line(fmt.Sprintf("%s = %s", k, quote(v)), depth, eol))
+		}
+	}
+	return strings.Join(result, "")
+}
+
+// Handles rendering a map (hash) in Go
+func outputHash(
+	entityType string,
+	key string,
+	input map[string]interface{},
+	depth int,
+	isRoot bool,
+	eol string,
+	customizations map[string]string,
+) string {
+	s := ""
+	if !isRoot {
+		s += "\n"
+	}
+
+	custom := customizations[key]
+
+	if custom != "" {
+		s += line(fmt.Sprintf("%s = %s({", key, custom), depth, eol)
+	} else {
+		s += line(fmt.Sprintf("%s = {", key), depth, eol)
+	}
+
+	s += output(entityType, input, depth+1, true, eol, customizations)
+
+	if custom != "" {
+		s += line("})", depth, eol)
+	} else {
+		s += line("}", depth, eol)
+	}
+	return s
+}
+
+// Handles rendering a map within a list in Go
+func outputHashInList(entityType string, input map[string]interface{}, depth int) string {
+	s := "\n"
+	s += line("{", depth+1, "\n")
+	s += output(entityType, input, depth+2, false, "\n", map[string]string{})
+	s += line("},", depth+1, "\n")
+	return s
+}
+
+// Handles rendering a list (array) in Go
+func outputList(entityType string, key string, input []interface{}, depth int) string {
+	s := line(fmt.Sprintf("%s = [", key), depth, "")
+	for _, v := range input {
+		switch v := v.(type) {
+		case map[string]interface{}:
+			s += outputHashInList(entityType, v, depth)
+		default:
+			s += fmt.Sprintf("%s, ", quote(v))
+		}
+	}
+	s = strings.TrimRight(s, ", ")
+	s += endList(input, depth)
+	return s
+}
+
+// Ends a list rendering in Go
+func endList(input []interface{}, depth int) string {
+	lastLine := line("]", depth, "\n")
+	if _, ok := input[len(input)-1].(map[string]interface{}); ok {
+		return lastLine
+	}
+	return strings.TrimLeft(lastLine, " ")
+}
+
+// Formats a line with proper indentation and end-of-line characters
+func line(input string, depth int, eol string) string {
+	return strings.Repeat("  ", depth) + input + eol
+}
+
+// Properly quotes a value based on its type
+func quote(input interface{}) string {
+	switch v := input.(type) {
+	case nil:
+		return ""
+	case bool, int, float64:
+		return fmt.Sprintf("%v", v)
+	case string:
+		if strings.Contains(v, "\n") {
+			return fmt.Sprintf("<<EOF\n%s\nEOF", strings.TrimRight(v, "\n"))
+		}
+		return fmt.Sprintf("\"%s\"", strings.ReplaceAll(v, "\"", "\\\""))
+	default:
+		return fmt.Sprintf("\"%v\"", v)
+	}
+}
+
+// contains checks if a slice contains a specific element
+func contains(slice []string, item string) bool {
+	for _, v := range slice {
+		if v == item {
+			return true
+		}
+	}
+	return false
+}
diff --git a/kong2tf/generate_resource_test.go b/kong2tf/generate_resource_test.go
new file mode 100644
index 000000000..c5cf122d3
--- /dev/null
+++ b/kong2tf/generate_resource_test.go
@@ -0,0 +1,205 @@
+package kong2tf
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateComplexLayout(t *testing.T) {
+	jsonInput := `{
+		"field1": "basic_string",
+		"field2": ["list", "of", "strings"],
+		"field3": {
+			"nested_field1": "nested_string",
+			"nested_field2": ["list", "of", "nested", "strings"],
+			"nested_field3": {
+				"nested_nested_field1": "nested_nested_string",
+				"nested_nested_field2": ["list", "of", "nested", "nested", "strings"],
+				"nested_nested_field3": {
+					"nested_nested_nested_field1": "nested_nested_nested_string"
+				}
+			}
+		}
+	}`
+
+	var entity map[string]any
+	err := json.Unmarshal([]byte(jsonInput), &entity)
+	require.NoError(t, err)
+
+	expected := `resource "konnect_entity_type" "some_service_name" {
+  field1 = "basic_string"
+  field2 = ["list", "of", "strings"]
+  field3 = {
+    nested_field1 = "nested_string"
+    nested_field2 = ["list", "of", "nested", "strings"]
+    nested_field3 = {
+      nested_nested_field1 = "nested_nested_string"
+      nested_nested_field2 = ["list", "of", "nested", "nested", "strings"]
+      nested_nested_field3 = {
+        nested_nested_nested_field1 = "nested_nested_nested_string"
+      }
+    }
+  }
+
+  service = {
+    id = konnect_gateway_service.some_service.id
+  }
+  control_plane_id = var.control_plane_id
+}
+`
+
+	result := generateResource("entity_type", "name", entity, map[string]string{
+		"service": "some_service",
+	}, importConfig{
+		controlPlaneID: new(string),
+		importValues:   map[string]*string{},
+	}, []string{})
+
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
+
+func TestGenerateResourceWithoutParent(t *testing.T) {
+	entity := map[string]any{
+		"field1": "value1",
+		"field2": "value2",
+	}
+	parents := map[string]string{}
+
+	expected := `resource "konnect_entity_type" "name" {
+	field1 = "value1"
+	field2 = "value2"
+
+	control_plane_id = var.control_plane_id
+}
+`
+
+	result := generateResource("entity_type", "name", entity, parents, importConfig{
+		controlPlaneID: new(string),
+		importValues:   map[string]*string{},
+	}, []string{})
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
+
+func TestGenerateResourceWithParent(t *testing.T) {
+	entity := map[string]any{
+		"field1": "value1",
+		"field2": "value2",
+	}
+	parents := map[string]string{
+		"parent1": "parent_value1",
+	}
+
+	expected := `resource "konnect_entity_type" "parent_value1_name" {
+	field1 = "value1"
+	field2 = "value2"
+
+	parent1 = {
+		id = konnect_gateway_parent1.parent_value1.id
+	}
+	control_plane_id = var.control_plane_id
+}
+`
+
+	result := generateResource("entity_type", "name", entity, parents, importConfig{
+		controlPlaneID: new(string),
+		importValues:   map[string]*string{},
+	}, []string{})
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
+
+func TestGenerateRelationship(t *testing.T) {
+	entity := map[string]any{
+		"field1": "value1",
+		"field2": "value2",
+	}
+
+	relations := map[string]string{
+		"relation1": "relation_value1",
+		"relation2": "relation_value2",
+	}
+
+	expected := `resource "konnect_entity_type" "name" {
+	relation1_id = konnect_gateway_relation1.relation_value1.id
+	relation2_id = konnect_gateway_relation2.relation_value2.id
+	control_plane_id = var.control_plane_id
+}
+`
+
+	result := generateRelationship("entity_type", "name", relations, entity, importConfig{
+		controlPlaneID: new(string),
+		importValues:   map[string]*string{},
+	})
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
+
+func TestLifecycle(t *testing.T) {
+	entity := map[string]any{
+		"field1": "value1",
+		"field2": "value2",
+	}
+
+	expected := `resource "konnect_entity_type" "name" {
+  field1 = "value1"
+  field2 = "value2"
+
+  control_plane_id = var.control_plane_id
+  lifecycle {
+    ignore_changes = [
+      ignore_this_one
+    ]
+  }
+
+}
+`
+
+	result := generateResource("entity_type", "name", entity, map[string]string{}, importConfig{
+		controlPlaneID: new(string),
+		importValues:   map[string]*string{},
+	}, []string{
+		"ignore_this_one",
+	})
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
+
+func TestImports(t *testing.T) {
+	jsonInput := `{
+		"id": "some_id",
+		"field1": "basic_string",
+		"field2": {
+			"nested": "subkey"
+		}
+	}`
+
+	var entity map[string]any
+	err := json.Unmarshal([]byte(jsonInput), &entity)
+	require.NoError(t, err)
+
+	expected := `resource "konnect_entity_type" "name" {
+  field1 = "basic_string"
+  field2 = {
+    nested = "subkey"
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
+import {
+  to = konnect_entity_type.name
+  id = "{\"id\": \"some_id\", \"field2_nested\": \"subkey\", \"control_plane_id\": \"abc-123\"}"
+}`
+
+	cpID := new(string)
+	*cpID = "abc-123"
+
+	result := generateResource("entity_type", "name", entity, map[string]string{}, importConfig{
+		controlPlaneID: cpID,
+		importValues: map[string]*string{
+			"id":            func() *string { s := "some_id"; return &s }(),
+			"field2_nested": func() *string { s := "subkey"; return &s }(),
+		},
+	}, []string{})
+	require.Equal(t, strings.Fields(expected), strings.Fields(result))
+}
diff --git a/kong2tf/kong2tf.go b/kong2tf/kong2tf.go
new file mode 100644
index 000000000..d0ec74b20
--- /dev/null
+++ b/kong2tf/kong2tf.go
@@ -0,0 +1,13 @@
+package kong2tf
+
+import "github.com/kong/go-database-reconciler/pkg/file"
+
+type TfConfig struct {
+	ControlPlaneID string
+}
+
+func Convert(inputContent *file.Content, generateImports *string, ignoreCredentialChanges bool) (string, error) {
+	builder := getTerraformBuilder()
+	director := newDirector(builder)
+	return director.builTerraformResources(inputContent, generateImports, ignoreCredentialChanges), nil
+}
diff --git a/kong2tf/kong2tf_test.go b/kong2tf/kong2tf_test.go
new file mode 100644
index 000000000..fe444a355
--- /dev/null
+++ b/kong2tf/kong2tf_test.go
@@ -0,0 +1,205 @@
+package kong2tf
+
+import (
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/kong/go-database-reconciler/pkg/file"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var baseLocation = "testdata/"
+
+func compareFileContent(t *testing.T, expectedFilename string, actualContent []byte) {
+	expected, err := os.ReadFile(baseLocation + expectedFilename)
+	if err != nil {
+		assert.Fail(t, err.Error())
+	}
+
+	actualFilename := baseLocation + strings.Replace(expectedFilename, "-expected.", "-actual.", 1)
+	os.WriteFile(actualFilename, actualContent, 0o600)
+
+	// compare the actual content with the expected content
+	// both should be the same terraform file
+	// ignore differences in whitespace and newlines
+	expectedFields := strings.Fields(string(expected))
+	actualFields := strings.Fields(string(actualContent))
+
+	require.Equal(t, expectedFields, actualFields)
+}
+
+func Test_convertKongGatewayToTerraformWithImports(t *testing.T) {
+	tests := []struct {
+		name           string
+		inputFilename  string
+		outputFilename string
+		wantErr        bool
+	}{
+		{
+			name:           "consumer-jwt",
+			inputFilename:  "consumer-jwt-input.yaml",
+			outputFilename: "consumer-jwt-output-with-imports-expected.tf",
+			wantErr:        false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			inputContent, err := file.GetContentFromFiles([]string{baseLocation + tt.inputFilename}, false)
+			if err != nil {
+				assert.Fail(t, err.Error())
+			}
+
+			cpID := new(string)
+			*cpID = "abc-123"
+			output, err := Convert(inputContent, cpID, true)
+
+			if err == nil {
+				compareFileContent(t, tt.outputFilename, []byte(output))
+			} else if (err != nil) != tt.wantErr {
+				t.Errorf("KongToTerraform error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func Test_convertKongGatewayToTerraform(t *testing.T) {
+	tests := []struct {
+		name           string
+		inputFilename  string
+		outputFilename string
+		wantErr        bool
+	}{
+		{
+			name:           "service",
+			inputFilename:  "service-input.yaml",
+			outputFilename: "service-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "route",
+			inputFilename:  "route-input.yaml",
+			outputFilename: "route-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "ca-certificate",
+			inputFilename:  "ca-certificate-input.yaml",
+			outputFilename: "ca-certificate-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "certificate",
+			inputFilename:  "certificate-sni-input.yaml",
+			outputFilename: "certificate-sni-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-acl",
+			inputFilename:  "consumer-acl-input.yaml",
+			outputFilename: "consumer-acl-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-basic-auth",
+			inputFilename:  "consumer-basic-auth-input.yaml",
+			outputFilename: "consumer-basic-auth-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-hmac-auth",
+			inputFilename:  "consumer-hmac-auth-input.yaml",
+			outputFilename: "consumer-hmac-auth-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-jwt",
+			inputFilename:  "consumer-jwt-input.yaml",
+			outputFilename: "consumer-jwt-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-key-auth",
+			inputFilename:  "consumer-key-auth-input.yaml",
+			outputFilename: "consumer-key-auth-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-no-auth",
+			inputFilename:  "consumer-no-auth-input.yaml",
+			outputFilename: "consumer-no-auth-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-group",
+			inputFilename:  "consumer-group-input.yaml",
+			outputFilename: "consumer-group-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-group-plugin",
+			inputFilename:  "consumer-group-plugin-input.yaml",
+			outputFilename: "consumer-group-plugin-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "consumer-plugin",
+			inputFilename:  "consumer-plugin-input.yaml",
+			outputFilename: "consumer-plugin-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "global-plugin-oidc",
+			inputFilename:  "global-plugin-oidc-input.yaml",
+			outputFilename: "global-plugin-oidc-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "global-plugin-rate-limiting",
+			inputFilename:  "global-plugin-rate-limiting-input.yaml",
+			outputFilename: "global-plugin-rate-limiting-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "route-plugin",
+			inputFilename:  "route-plugin-input.yaml",
+			outputFilename: "route-plugin-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "service-plugin",
+			inputFilename:  "service-plugin-input.yaml",
+			outputFilename: "service-plugin-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "upstream",
+			inputFilename:  "upstream-target-input.yaml",
+			outputFilename: "upstream-target-output-expected.tf",
+			wantErr:        false,
+		},
+		{
+			name:           "vault",
+			inputFilename:  "vault-input.yaml",
+			outputFilename: "vault-output-expected.tf",
+			wantErr:        false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			inputContent, err := file.GetContentFromFiles([]string{baseLocation + tt.inputFilename}, false)
+			if err != nil {
+				assert.Fail(t, err.Error())
+			}
+
+			output, err := Convert(inputContent, nil, false)
+
+			if err == nil {
+				compareFileContent(t, tt.outputFilename, []byte(output))
+			} else if (err != nil) != tt.wantErr {
+				t.Errorf("KongToTerraform error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
diff --git a/kong2tf/testdata/ca-certificate-input.yaml b/kong2tf/testdata/ca-certificate-input.yaml
new file mode 100644
index 000000000..af4f06520
--- /dev/null
+++ b/kong2tf/testdata/ca-certificate-input.yaml
@@ -0,0 +1,16 @@
+ca_certificates:
+- cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIBfDCCASKgAwIBAgIRAJqcZC1VSvSQLMN1+7yAeswwCgYIKoZIzj0EAwIwHDEa
+    MBgGA1UEAxMRRGVtbyBLb25nIFJvb3QgQ0EwHhcNMjIwNjEzMTMzNzMzWhcNMjcw
+    NjEzMTkzNzMzWjAcMRowGAYDVQQDExFEZW1vIEtvbmcgUm9vdCBDQTBZMBMGByqG
+    SM49AgEGCCqGSM49AwEHA0IABOGR89IyhreSHRAi6wp9a5DBIDp4YYSdWzuEdlNx
+    7pX1G4T7x68xUXJZXRUPFyT8Xzn5KwCJm8RVT+nAhrsUx6SjRTBDMA4GA1UdDwEB
+    /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQ9CUiOPhjp7KD2
+    ScRDxX4IzDOrNzAKBggqhkjOPQQDAgNIADBFAiEAw6Dov0c0L++1W9VufAfSMdNR
+    PSDfPU0MiUiG59/VIBICIEFn/6c5eQc3hUUBL74/RmNT2b1zxBmp7RiPXJAnAAwJ
+    -----END CERTIFICATE-----
+  cert_digest: f1baffe9fe9cf8497e38a4271d67fab44423678b7e7c0f677a50f37c113d81b5
+  id: 8ccca140-aff4-411d-8e1c-fcfb3f932a8e
+  tags:
+  - root-ca
\ No newline at end of file
diff --git a/kong2tf/testdata/ca-certificate-output-expected.tf b/kong2tf/testdata/ca-certificate-output-expected.tf
new file mode 100644
index 000000000..90d22b371
--- /dev/null
+++ b/kong2tf/testdata/ca-certificate-output-expected.tf
@@ -0,0 +1,24 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_ca_certificate" "ca_cert_236f23c811e37d144f92767e6c845006" {
+  cert = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIBfDCCASKgAwIBAgIRAJqcZC1VSvSQLMN1+7yAeswwCgYIKoZIzj0EAwIwHDEa
+MBgGA1UEAxMRRGVtbyBLb25nIFJvb3QgQ0EwHhcNMjIwNjEzMTMzNzMzWhcNMjcw
+NjEzMTkzNzMzWjAcMRowGAYDVQQDExFEZW1vIEtvbmcgUm9vdCBDQTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABOGR89IyhreSHRAi6wp9a5DBIDp4YYSdWzuEdlNx
+7pX1G4T7x68xUXJZXRUPFyT8Xzn5KwCJm8RVT+nAhrsUx6SjRTBDMA4GA1UdDwEB
+/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQ9CUiOPhjp7KD2
+ScRDxX4IzDOrNzAKBggqhkjOPQQDAgNIADBFAiEAw6Dov0c0L++1W9VufAfSMdNR
+PSDfPU0MiUiG59/VIBICIEFn/6c5eQc3hUUBL74/RmNT2b1zxBmp7RiPXJAnAAwJ
+-----END CERTIFICATE-----
+EOF
+  cert_digest = "f1baffe9fe9cf8497e38a4271d67fab44423678b7e7c0f677a50f37c113d81b5"
+  tags = ["root-ca"]
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/certificate-sni-input.yaml b/kong2tf/testdata/certificate-sni-input.yaml
new file mode 100644
index 000000000..68c999347
--- /dev/null
+++ b/kong2tf/testdata/certificate-sni-input.yaml
@@ -0,0 +1,60 @@
+certificates:
+- cert: |-
+    -----BEGIN CERTIFICATE-----
+    MIIECTCCAvGgAwIBAgIUAusYGP9BwoLFFAJdB/jY6eUzUyAwDQYJKoZIhvcNAQEL
+    BQAwgZIxCzAJBgNVBAYTAlVLMRIwEAYDVQQIDAlIYW1wc2hpcmUxEjAQBgNVBAcM
+    CUFsZGVyc2hvdDEQMA4GA1UECgwHS29uZyBVSzEQMA4GA1UECwwHU3VwcG9ydDEY
+    MBYGA1UEAwwPU3VwcG9ydCBSb290IENBMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29u
+    Z2hxLmNvbTAeFw0yMTAxMTUxMTE5NDNaFw0yMjA1MzAxMTE5NDNaMIGRMQswCQYD
+    VQQGEwJVSzESMBAGA1UECAwJSGFtcHNoaXJlMRIwEAYDVQQHDAlBbGRlcnNob3Qx
+    EDAOBgNVBAoMB0tvbmcgVUsxEDAOBgNVBAsMB1N1cHBvcnQxFzAVBgNVBAMMDnBy
+    b3h5LmtvbmcubGFuMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29uZ2hxLmNvbTCCASIw
+    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUbKiqoCK1BTNk/7l42n6ukyTEu
+    eLyB23e/90PzT/oz8wZzgwTodzbFAS2VtFr1EKqFzor0DrXp9CLnebOdiAR3I6LD
+    /WY/x0KW3lx3F35fGiUOSLPTH8zeiDTMx11CcKDxesA+M2/s5q0igkOQ4z4w3voz
+    m5a52IcQTSA8K5knNU1qUZBLpc+khxFcaheEK1jsISJJhcdizZBfGdk8S1vpyj5F
+    uCZ7oaRvNA6imHjSJwpgo36zd84TgrIgVj9R4QtJysWy/X+bbaKUiKBWwAtd4+DT
+    EP90l/ny9szu2fijk4/6k1ntXufGTyvM+J0/qJ13e99TVYOVanITnpTO+6cCAwEA
+    AaNWMFQwHwYDVR0jBBgwFoAUdskpf0wJRQxjtzQFZciWmUfl2bcwCQYDVR0TBAIw
+    ADALBgNVHQ8EBAMCBPAwGQYDVR0RBBIwEIIOcHJveHkua29uZy5sYW4wDQYJKoZI
+    hvcNAQELBQADggEBAJVrTWQRQzNtypa9OXFYADm8Fay1VMop3BY2kh0tfYgQEJ/4
+    pJUj6CaszQZ/Aix6LaPnXFcoPCDqqv00mgju86PMamr/zA9USXk8eTmzJkp5RklS
+    GdqiXboqESiQVvaNz3kdW7wgNz4FwaGCzkEi/dcc2LdtzLpWizx+TlxMMqjonUUM
+    ovZgZo+OlhWRsDVT/qy5SFtA0vlVNtdBr2egXb1H7J8UDC+fax/iKa7+fBUHZOO9
+    Fk9U8bxgfQ+jPIVVL8CfAtR68Sos7NpWH0S2emqZRnQvf0MSNdkTQKWn4qR9sckj
+    Ewxs5FbrMmgCOgwk1PtgRmdP3RME0HwK/B03saQ=
+    -----END CERTIFICATE-----
+  id: 507cc555-5b92-496d-9e89-bfc78dfcddbe
+  key: |-
+    -----BEGIN PRIVATE KEY-----
+    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCVGyoqqAitQUzZ
+    P+5eNp+rpMkxLni8gdt3v/dD80/6M/MGc4ME6Hc2xQEtlbRa9RCqhc6K9A616fQi
+    53mznYgEdyOiw/1mP8dClt5cdxd+XxolDkiz0x/M3og0zMddQnCg8XrAPjNv7Oat
+    IoJDkOM+MN76M5uWudiHEE0gPCuZJzVNalGQS6XPpIcRXGoXhCtY7CEiSYXHYs2Q
+    XxnZPEtb6co+Rbgme6GkbzQOoph40icKYKN+s3fOE4KyIFY/UeELScrFsv1/m22i
+    lIigVsALXePg0xD/dJf58vbM7tn4o5OP+pNZ7V7nxk8rzPidP6idd3vfU1WDlWpy
+    E56UzvunAgMBAAECggEAcq7lHNAHdHLgT8yrY41x/AwPryNGO/9JNW7SGVKAdjoU
+    tyaLZHAEmXynLk+R28/YFMA8H4Yd9m9OlrYhVjRZFM4p+5vxP/7YHPB7cPUsfcda
+    DZxR8PX25JVYf/vtb16V0ERLnKd62qCEwC/lr2A2WHQwXJLrHeAtmZzBJYUCJ5Xj
+    Dv1ZhyFjknswaV0vGXe6njTI6CzMQDTGysoagpCCo7RWgzjLREg2BGWd2UQpY4AW
+    nYAP4QNt82UMQbgIqsEMj64mzS9Q+o1P84J1naSP5sCI22LeFRp6iezZc+D8EH/5
+    RNONGSNWl3g6bsvN1VywYwjWn+waD3XAjXUu+peUgQKBgQDDu1QP28oSMKivHdfo
+    kQ1HrTNBRc9eWeAMZFuIbbPLN8rdEibpOm3DwTqithnahqS0NLOsBnXNtuLw1Qr/
+    zmOzn0yDO5XG8dlKr9vqWeBLdcRydLJBZwqEzWf4JwwwgfK3rItRaIbnAxnGUTS5
+    SrrhNfBAIGS9jx5X2kvLC7hFQQKBgQDDBIrpLTIjRDloWZcu03z9Bhb8jQCyGb5C
+    4MYs+duCnQIdNq/+maPspJzbVmF4b6S1zIPweI3fMvMeqRTbuf+drpElst1buFTO
+    P0UMMn4V+4qGIOOkIy5JIKwR8sJD9tNDUPtxuDEotTB9IyWx6pdmCFz5v/bggDCu
+    reoqflL+5wKBgQCDvb+L2QS+j4/KJk0flRoaJ2K7SVCVEesyjA3r2uLMImZhvAkC
+    rDgbLSDZSbZHFp8fR+WzILoD11gSf2Ki4PjMeqkWH3HlcP0vPwTHTO0h/UdXPmKI
+    kOFMl7CmHyoeMCj9JZ60EaXTMYwUpq3VFY6JbTOjBeqoh/8FZMHlDaNewQKBgCHg
+    ECEg8KyflTlDFrfTlMp+3E9STuShBCOp18LIRBEUJOHeNgQLvCXHElgnURcSjZHm
+    zKRgzIQQ3Zpd1Hm2fWhuglgCEeF0y4ZoBx5vRueaoh1aaTCBy/B39GvJt2UG4vu2
+    fXbrf96KWrnh+RJGpbXbjgr0BXZJzisJmrt25gPRAoGBAI3c+INpQXwrE+LBzCPu
+    LwIVvkm5NpeIlKQtDNrqG1QvUhqyZ2/Xitc4FyiccW7WHxkGKGZyj7GbmpqEOnyY
+    iVku0LSftZgycet2uMdp0HaVAgi5S6aVf5yN0U/8R5ToxcbuEfqwrBIyRgse8lx3
+    NNSvLxPAempmiFPSk9AtobYV
+    -----END PRIVATE KEY-----
+  snis:
+  - name: proxy.kong.lan
+  tags:
+  - proxy.kong.lan
\ No newline at end of file
diff --git a/kong2tf/testdata/certificate-sni-output-expected.tf b/kong2tf/testdata/certificate-sni-output-expected.tf
new file mode 100644
index 000000000..28bc8f451
--- /dev/null
+++ b/kong2tf/testdata/certificate-sni-output-expected.tf
@@ -0,0 +1,77 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_certificate" "cert_724715fca2416fb3c8f215f45d07fd43" {
+  cert = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIUAusYGP9BwoLFFAJdB/jY6eUzUyAwDQYJKoZIhvcNAQEL
+BQAwgZIxCzAJBgNVBAYTAlVLMRIwEAYDVQQIDAlIYW1wc2hpcmUxEjAQBgNVBAcM
+CUFsZGVyc2hvdDEQMA4GA1UECgwHS29uZyBVSzEQMA4GA1UECwwHU3VwcG9ydDEY
+MBYGA1UEAwwPU3VwcG9ydCBSb290IENBMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29u
+Z2hxLmNvbTAeFw0yMTAxMTUxMTE5NDNaFw0yMjA1MzAxMTE5NDNaMIGRMQswCQYD
+VQQGEwJVSzESMBAGA1UECAwJSGFtcHNoaXJlMRIwEAYDVQQHDAlBbGRlcnNob3Qx
+EDAOBgNVBAoMB0tvbmcgVUsxEDAOBgNVBAsMB1N1cHBvcnQxFzAVBgNVBAMMDnBy
+b3h5LmtvbmcubGFuMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29uZ2hxLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUbKiqoCK1BTNk/7l42n6ukyTEu
+eLyB23e/90PzT/oz8wZzgwTodzbFAS2VtFr1EKqFzor0DrXp9CLnebOdiAR3I6LD
+/WY/x0KW3lx3F35fGiUOSLPTH8zeiDTMx11CcKDxesA+M2/s5q0igkOQ4z4w3voz
+m5a52IcQTSA8K5knNU1qUZBLpc+khxFcaheEK1jsISJJhcdizZBfGdk8S1vpyj5F
+uCZ7oaRvNA6imHjSJwpgo36zd84TgrIgVj9R4QtJysWy/X+bbaKUiKBWwAtd4+DT
+EP90l/ny9szu2fijk4/6k1ntXufGTyvM+J0/qJ13e99TVYOVanITnpTO+6cCAwEA
+AaNWMFQwHwYDVR0jBBgwFoAUdskpf0wJRQxjtzQFZciWmUfl2bcwCQYDVR0TBAIw
+ADALBgNVHQ8EBAMCBPAwGQYDVR0RBBIwEIIOcHJveHkua29uZy5sYW4wDQYJKoZI
+hvcNAQELBQADggEBAJVrTWQRQzNtypa9OXFYADm8Fay1VMop3BY2kh0tfYgQEJ/4
+pJUj6CaszQZ/Aix6LaPnXFcoPCDqqv00mgju86PMamr/zA9USXk8eTmzJkp5RklS
+GdqiXboqESiQVvaNz3kdW7wgNz4FwaGCzkEi/dcc2LdtzLpWizx+TlxMMqjonUUM
+ovZgZo+OlhWRsDVT/qy5SFtA0vlVNtdBr2egXb1H7J8UDC+fax/iKa7+fBUHZOO9
+Fk9U8bxgfQ+jPIVVL8CfAtR68Sos7NpWH0S2emqZRnQvf0MSNdkTQKWn4qR9sckj
+Ewxs5FbrMmgCOgwk1PtgRmdP3RME0HwK/B03saQ=
+-----END CERTIFICATE-----
+EOF
+  key = <<EOF
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCVGyoqqAitQUzZ
+P+5eNp+rpMkxLni8gdt3v/dD80/6M/MGc4ME6Hc2xQEtlbRa9RCqhc6K9A616fQi
+53mznYgEdyOiw/1mP8dClt5cdxd+XxolDkiz0x/M3og0zMddQnCg8XrAPjNv7Oat
+IoJDkOM+MN76M5uWudiHEE0gPCuZJzVNalGQS6XPpIcRXGoXhCtY7CEiSYXHYs2Q
+XxnZPEtb6co+Rbgme6GkbzQOoph40icKYKN+s3fOE4KyIFY/UeELScrFsv1/m22i
+lIigVsALXePg0xD/dJf58vbM7tn4o5OP+pNZ7V7nxk8rzPidP6idd3vfU1WDlWpy
+E56UzvunAgMBAAECggEAcq7lHNAHdHLgT8yrY41x/AwPryNGO/9JNW7SGVKAdjoU
+tyaLZHAEmXynLk+R28/YFMA8H4Yd9m9OlrYhVjRZFM4p+5vxP/7YHPB7cPUsfcda
+DZxR8PX25JVYf/vtb16V0ERLnKd62qCEwC/lr2A2WHQwXJLrHeAtmZzBJYUCJ5Xj
+Dv1ZhyFjknswaV0vGXe6njTI6CzMQDTGysoagpCCo7RWgzjLREg2BGWd2UQpY4AW
+nYAP4QNt82UMQbgIqsEMj64mzS9Q+o1P84J1naSP5sCI22LeFRp6iezZc+D8EH/5
+RNONGSNWl3g6bsvN1VywYwjWn+waD3XAjXUu+peUgQKBgQDDu1QP28oSMKivHdfo
+kQ1HrTNBRc9eWeAMZFuIbbPLN8rdEibpOm3DwTqithnahqS0NLOsBnXNtuLw1Qr/
+zmOzn0yDO5XG8dlKr9vqWeBLdcRydLJBZwqEzWf4JwwwgfK3rItRaIbnAxnGUTS5
+SrrhNfBAIGS9jx5X2kvLC7hFQQKBgQDDBIrpLTIjRDloWZcu03z9Bhb8jQCyGb5C
+4MYs+duCnQIdNq/+maPspJzbVmF4b6S1zIPweI3fMvMeqRTbuf+drpElst1buFTO
+P0UMMn4V+4qGIOOkIy5JIKwR8sJD9tNDUPtxuDEotTB9IyWx6pdmCFz5v/bggDCu
+reoqflL+5wKBgQCDvb+L2QS+j4/KJk0flRoaJ2K7SVCVEesyjA3r2uLMImZhvAkC
+rDgbLSDZSbZHFp8fR+WzILoD11gSf2Ki4PjMeqkWH3HlcP0vPwTHTO0h/UdXPmKI
+kOFMl7CmHyoeMCj9JZ60EaXTMYwUpq3VFY6JbTOjBeqoh/8FZMHlDaNewQKBgCHg
+ECEg8KyflTlDFrfTlMp+3E9STuShBCOp18LIRBEUJOHeNgQLvCXHElgnURcSjZHm
+zKRgzIQQ3Zpd1Hm2fWhuglgCEeF0y4ZoBx5vRueaoh1aaTCBy/B39GvJt2UG4vu2
+fXbrf96KWrnh+RJGpbXbjgr0BXZJzisJmrt25gPRAoGBAI3c+INpQXwrE+LBzCPu
+LwIVvkm5NpeIlKQtDNrqG1QvUhqyZ2/Xitc4FyiccW7WHxkGKGZyj7GbmpqEOnyY
+iVku0LSftZgycet2uMdp0HaVAgi5S6aVf5yN0U/8R5ToxcbuEfqwrBIyRgse8lx3
+NNSvLxPAempmiFPSk9AtobYV
+-----END PRIVATE KEY-----
+EOF
+  tags = ["proxy.kong.lan"]
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_sni" "sni_proxy_kong_lan" {
+  name = "proxy.kong.lan"
+
+  certificate = {
+    id = konnect_gateway_certificate.cert_724715fca2416fb3c8f215f45d07fd43.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-acl-input.yaml b/kong2tf/testdata/consumer-acl-input.yaml
new file mode 100644
index 000000000..67fd7d240
--- /dev/null
+++ b/kong2tf/testdata/consumer-acl-input.yaml
@@ -0,0 +1,6 @@
+consumers:
+  - username: example-user
+    acls:
+      - group: demo_group
+        tags:
+          - internal
diff --git a/kong2tf/testdata/consumer-acl-output-expected.tf b/kong2tf/testdata/consumer-acl-output-expected.tf
new file mode 100644
index 000000000..daee55d7b
--- /dev/null
+++ b/kong2tf/testdata/consumer-acl-output-expected.tf
@@ -0,0 +1,20 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_acl" "example_user_acl_demo_group" {
+  group = "demo_group"
+  tags = ["internal"]
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-basic-auth-input.yaml b/kong2tf/testdata/consumer-basic-auth-input.yaml
new file mode 100644
index 000000000..fbf968557
--- /dev/null
+++ b/kong2tf/testdata/consumer-basic-auth-input.yaml
@@ -0,0 +1,7 @@
+consumers:
+  - username: example-user
+    basicauth_credentials:
+      - username: my_basic_user
+        password: my_basic_password
+        tags:
+          - internal
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-basic-auth-output-expected.tf b/kong2tf/testdata/consumer-basic-auth-output-expected.tf
new file mode 100644
index 000000000..c46d19c61
--- /dev/null
+++ b/kong2tf/testdata/consumer-basic-auth-output-expected.tf
@@ -0,0 +1,21 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_basic_auth" "example_user_basic_auth_my_basic_user" {
+  username = "my_basic_user"
+  password = "my_basic_password"
+  tags = ["internal"]
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-group-input.yaml b/kong2tf/testdata/consumer-group-input.yaml
new file mode 100644
index 000000000..82b380da8
--- /dev/null
+++ b/kong2tf/testdata/consumer-group-input.yaml
@@ -0,0 +1,4 @@
+consumer_groups:
+  - name: example-consumer-group
+    consumers:
+      - username: example-user
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-group-output-expected.tf b/kong2tf/testdata/consumer-group-output-expected.tf
new file mode 100644
index 000000000..7d4ceca0e
--- /dev/null
+++ b/kong2tf/testdata/consumer-group-output-expected.tf
@@ -0,0 +1,17 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer_group" "example_consumer_group" {
+  name = "example-consumer-group"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_consumer_group_member" "example_consumer_group_example_user" {
+  consumer_id = konnect_gateway_consumer.example_user.id
+  consumer_group_id = konnect_gateway_consumer_group.example_consumer_group.id
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-group-plugin-input.yaml b/kong2tf/testdata/consumer-group-plugin-input.yaml
new file mode 100644
index 000000000..6dfd167e2
--- /dev/null
+++ b/kong2tf/testdata/consumer-group-plugin-input.yaml
@@ -0,0 +1,16 @@
+consumer_groups:
+  - name: example-consumer-group
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
+          window_type: sliding
+          retry_after_jitter_max: 0
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-group-plugin-output-expected.tf b/kong2tf/testdata/consumer-group-plugin-output-expected.tf
new file mode 100644
index 000000000..7a8b82d2d
--- /dev/null
+++ b/kong2tf/testdata/consumer-group-plugin-output-expected.tf
@@ -0,0 +1,31 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer_group" "example_consumer_group" {
+  name = "example-consumer-group"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_plugin_rate_limiting_advanced" "example_consumer_group_rate_limiting_advanced" {
+  config = {
+    hide_client_headers = false
+    identifier = "consumer"
+    limit = [5]
+    namespace = "example_namespace"
+    retry_after_jitter_max = 0
+    strategy = "local"
+    sync_rate = -1
+    window_size = [30]
+    window_type = "sliding"
+  }
+
+  consumer_group = {
+    id = konnect_gateway_consumer_group.example_consumer_group.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-hmac-auth-input.yaml b/kong2tf/testdata/consumer-hmac-auth-input.yaml
new file mode 100644
index 000000000..e0c6b5a31
--- /dev/null
+++ b/kong2tf/testdata/consumer-hmac-auth-input.yaml
@@ -0,0 +1,5 @@
+consumers:
+  - username: example-user
+    hmacauth_credentials:
+      - username: example-user
+        secret: just-a-secret
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-hmac-auth-output-expected.tf b/kong2tf/testdata/consumer-hmac-auth-output-expected.tf
new file mode 100644
index 000000000..24675be71
--- /dev/null
+++ b/kong2tf/testdata/consumer-hmac-auth-output-expected.tf
@@ -0,0 +1,20 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_hmac_auth" "example_user_hmac_auth_example_user" {
+  username = "example-user"
+  secret = "just-a-secret"
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-jwt-input.yaml b/kong2tf/testdata/consumer-jwt-input.yaml
new file mode 100644
index 000000000..5e75fb42a
--- /dev/null
+++ b/kong2tf/testdata/consumer-jwt-input.yaml
@@ -0,0 +1,8 @@
+consumers:
+  - username: example-user
+    jwt_secrets:
+      - key: my_jwt_secret
+        algorithm: HS256
+        secret: my_secret_key
+        tags:
+          - internal
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-jwt-output-expected.tf b/kong2tf/testdata/consumer-jwt-output-expected.tf
new file mode 100644
index 000000000..b126ce540
--- /dev/null
+++ b/kong2tf/testdata/consumer-jwt-output-expected.tf
@@ -0,0 +1,22 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_jwt" "example_user_jwt_my_jwt_secret" {
+  algorithm = "HS256"
+  key = "my_jwt_secret"
+  secret = "my_secret_key"
+  tags = ["internal"]
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-jwt-output-with-imports-expected.tf b/kong2tf/testdata/consumer-jwt-output-with-imports-expected.tf
new file mode 100644
index 000000000..698018209
--- /dev/null
+++ b/kong2tf/testdata/consumer-jwt-output-with-imports-expected.tf
@@ -0,0 +1,29 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "abc-123"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_jwt" "example_user_jwt_my_jwt_secret" {
+  algorithm = "HS256"
+  key = "my_jwt_secret"
+  secret = "my_secret_key"
+  tags = ["internal"]
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+  lifecycle {
+    ignore_changes = [
+      secret,
+      key
+    ]
+  }
+
+}
+
diff --git a/kong2tf/testdata/consumer-key-auth-input.yaml b/kong2tf/testdata/consumer-key-auth-input.yaml
new file mode 100644
index 000000000..4b7f9ea67
--- /dev/null
+++ b/kong2tf/testdata/consumer-key-auth-input.yaml
@@ -0,0 +1,6 @@
+consumers:
+  - username: example-user
+    keyauth_credentials:
+      - key: my_api_key
+        tags:
+          - internal
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-key-auth-output-expected.tf b/kong2tf/testdata/consumer-key-auth-output-expected.tf
new file mode 100644
index 000000000..753478f3c
--- /dev/null
+++ b/kong2tf/testdata/consumer-key-auth-output-expected.tf
@@ -0,0 +1,20 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_key_auth" "example_user_key_auth_my_api_key" {
+  key = "my_api_key"
+  tags = ["internal"]
+
+  consumer_id = konnect_gateway_consumer.example_user.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-no-auth-input.yaml b/kong2tf/testdata/consumer-no-auth-input.yaml
new file mode 100644
index 000000000..d738ea282
--- /dev/null
+++ b/kong2tf/testdata/consumer-no-auth-input.yaml
@@ -0,0 +1,5 @@
+consumers:
+  - username: example-user
+    custom_id: "1234567890"
+    tags:
+      - internal
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-no-auth-output-expected.tf b/kong2tf/testdata/consumer-no-auth-output-expected.tf
new file mode 100644
index 000000000..d218747a3
--- /dev/null
+++ b/kong2tf/testdata/consumer-no-auth-output-expected.tf
@@ -0,0 +1,13 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+  custom_id = "1234567890"
+  tags = ["internal"]
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/consumer-plugin-input.yaml b/kong2tf/testdata/consumer-plugin-input.yaml
new file mode 100644
index 000000000..04c160a67
--- /dev/null
+++ b/kong2tf/testdata/consumer-plugin-input.yaml
@@ -0,0 +1,14 @@
+consumers:
+  - username: example-user
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
\ No newline at end of file
diff --git a/kong2tf/testdata/consumer-plugin-output-expected.tf b/kong2tf/testdata/consumer-plugin-output-expected.tf
new file mode 100644
index 000000000..0650f0cad
--- /dev/null
+++ b/kong2tf/testdata/consumer-plugin-output-expected.tf
@@ -0,0 +1,29 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_consumer" "example_user" {
+  username = "example-user"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_plugin_rate_limiting_advanced" "example_user_rate_limiting_advanced" {
+  config = {
+    hide_client_headers = false
+    identifier = "consumer"
+    limit = [5]
+    namespace = "example_namespace"
+    strategy = "local"
+    sync_rate = -1
+    window_size = [30]
+  }
+
+  consumer = {
+    id = konnect_gateway_consumer.example_user.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/global-plugin-oidc-input.yaml b/kong2tf/testdata/global-plugin-oidc-input.yaml
new file mode 100644
index 000000000..de3a90503
--- /dev/null
+++ b/kong2tf/testdata/global-plugin-oidc-input.yaml
@@ -0,0 +1,14 @@
+plugins:
+  - name: openid-connect
+    enabled: true
+    config:
+      auth_methods:
+        - authorization_code
+        - session
+      issuer: http://example.org
+      client_id:
+        - "<client-id>"
+      client_secret:
+        - "<client-secret>"
+      session_secret: "<session-secret>"
+      response_mode: form_post
diff --git a/kong2tf/testdata/global-plugin-oidc-output-expected.tf b/kong2tf/testdata/global-plugin-oidc-output-expected.tf
new file mode 100644
index 000000000..0b402b1f4
--- /dev/null
+++ b/kong2tf/testdata/global-plugin-oidc-output-expected.tf
@@ -0,0 +1,19 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_plugin_openid_connect" "openid_connect" {
+  enabled = true
+  config = {
+    auth_methods = ["authorization_code", "session"]
+    client_id = ["<client-id>"]
+    client_secret = ["<client-secret>"]
+    issuer = "http://example.org"
+    response_mode = "form_post"
+    session_secret = "<session-secret>"
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/global-plugin-rate-limiting-input.yaml b/kong2tf/testdata/global-plugin-rate-limiting-input.yaml
new file mode 100644
index 000000000..121a06a1e
--- /dev/null
+++ b/kong2tf/testdata/global-plugin-rate-limiting-input.yaml
@@ -0,0 +1,7 @@
+plugins:
+  - name: rate-limiting
+    enabled: false
+    config:
+      second: 5
+      hour: 10000
+      policy: local
diff --git a/kong2tf/testdata/global-plugin-rate-limiting-output-expected.tf b/kong2tf/testdata/global-plugin-rate-limiting-output-expected.tf
new file mode 100644
index 000000000..5a19a1acb
--- /dev/null
+++ b/kong2tf/testdata/global-plugin-rate-limiting-output-expected.tf
@@ -0,0 +1,16 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_plugin_rate_limiting" "rate_limiting" {
+  enabled = false
+  config = {
+    hour = 10000
+    policy = "local"
+    second = 5
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/input.yaml b/kong2tf/testdata/input.yaml
new file mode 100644
index 000000000..4e5421e74
--- /dev/null
+++ b/kong2tf/testdata/input.yaml
@@ -0,0 +1,517 @@
+vaults:
+- config:
+    prefix: MY_SECRET_
+  description: ENV vault for secrets
+  name: env
+  prefix: my-env-vault
+  tags:
+    - env-vault
+ca_certificates:
+- cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIBfDCCASKgAwIBAgIRAJqcZC1VSvSQLMN1+7yAeswwCgYIKoZIzj0EAwIwHDEa
+    MBgGA1UEAxMRRGVtbyBLb25nIFJvb3QgQ0EwHhcNMjIwNjEzMTMzNzMzWhcNMjcw
+    NjEzMTkzNzMzWjAcMRowGAYDVQQDExFEZW1vIEtvbmcgUm9vdCBDQTBZMBMGByqG
+    SM49AgEGCCqGSM49AwEHA0IABOGR89IyhreSHRAi6wp9a5DBIDp4YYSdWzuEdlNx
+    7pX1G4T7x68xUXJZXRUPFyT8Xzn5KwCJm8RVT+nAhrsUx6SjRTBDMA4GA1UdDwEB
+    /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQ9CUiOPhjp7KD2
+    ScRDxX4IzDOrNzAKBggqhkjOPQQDAgNIADBFAiEAw6Dov0c0L++1W9VufAfSMdNR
+    PSDfPU0MiUiG59/VIBICIEFn/6c5eQc3hUUBL74/RmNT2b1zxBmp7RiPXJAnAAwJ
+    -----END CERTIFICATE-----
+  cert_digest: f1baffe9fe9cf8497e38a4271d67fab44423678b7e7c0f677a50f37c113d81b5
+  id: 8ccca140-aff4-411d-8e1c-fcfb3f932a8e
+  tags:
+  - root-ca
+- cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIBqTCCAVCgAwIBAgIQb5LqGa9gS3+Mc2ntWfSoJjAKBggqhkjOPQQDAjAcMRow
+    GAYDVQQDExFEZW1vIEtvbmcgUm9vdCBDQTAeFw0yMjA2MTMxMzM5MTVaFw0yMzA2
+    MTMxOTM5MTVaMCoxKDAmBgNVBAMTH0RlbW8gS29uZyBSb290IEludGVybWVkaWF0
+    ZTEgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQImvnSuvXkGy88lvx8a7of
+    e0MEMRI2siVvybvWXNpeXXlixgaq7weJ7pewf3HywfO68Va6kn8ehWh7s0D7SLHM
+    o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4E
+    FgQUhuxCKmCSvZWf95+iZ+Wsz9DJJVMwHwYDVR0jBBgwFoAUPQlIjj4Y6eyg9knE
+    Q8V+CMwzqzcwCgYIKoZIzj0EAwIDRwAwRAIgNZ+JPA1OqF5DsPapAZ2YsUOgIpn3
+    ZbQuYKCAV0SD4EcCIFnfA5rWrc1AgtUw5inJQqJQRNgoPuC14vACqI48BiRl
+    -----END CERTIFICATE-----
+  cert_digest: dbef7ed285fb292e24f84ffba93c48d92fa322387d85469c460c655abedd5308
+  id: 2e5f8ad1-21ca-47f5-8af7-899486e82731
+  tags:
+  - intermediate_ca1
+- cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIBujCCAV+gAwIBAgIRAMkGpj7WZf+2RFE/q7ZhejEwCgYIKoZIzj0EAwIwKjEo
+    MCYGA1UEAxMfRGVtbyBLb25nIFJvb3QgSW50ZXJtZWRpYXRlMSBDQTAeFw0yMjA2
+    MTMxMzQwNTFaFw0yMjEyMTMwNDQwNTFaMCoxKDAmBgNVBAMTH0RlbW8gS29uZyBS
+    b290IEludGVybWVkaWF0ZTIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQB
+    my/zhZ3F2HvHFqtQzuD3lXX8SeYakxiBQvaGkGSLKD67N3vh7iC2rTSdj/vAs8ws
+    Y9X+mXzS6GDKC8PbSX6xo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgw
+    BgEB/wIBADAdBgNVHQ4EFgQURwCm53YPStZoAMfnVyknH4IgZa4wHwYDVR0jBBgw
+    FoAUhuxCKmCSvZWf95+iZ+Wsz9DJJVMwCgYIKoZIzj0EAwIDSQAwRgIhAN1pkUKc
+    azM4PiXOnkILB2KBDIF4XpHf+4ThDMODzXP8AiEA45KXA3qMrRPQV1oBfWZ3hLgX
+    gxUhveuHBXMWnzUbn6U=
+    -----END CERTIFICATE-----
+  cert_digest: 45b2b6dd9d4102955b1b1e4b540e677f140521462ed4f22fa5a713863ca84600
+  id: cab2565d-fed6-4a07-b25c-bab76fdfe071
+  tags:
+  - intermediate_ca2
+certificates:
+- cert: |-
+    -----BEGIN CERTIFICATE-----
+    MIIECTCCAvGgAwIBAgIUAusYGP9BwoLFFAJdB/jY6eUzUyAwDQYJKoZIhvcNAQEL
+    BQAwgZIxCzAJBgNVBAYTAlVLMRIwEAYDVQQIDAlIYW1wc2hpcmUxEjAQBgNVBAcM
+    CUFsZGVyc2hvdDEQMA4GA1UECgwHS29uZyBVSzEQMA4GA1UECwwHU3VwcG9ydDEY
+    MBYGA1UEAwwPU3VwcG9ydCBSb290IENBMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29u
+    Z2hxLmNvbTAeFw0yMTAxMTUxMTE5NDNaFw0yMjA1MzAxMTE5NDNaMIGRMQswCQYD
+    VQQGEwJVSzESMBAGA1UECAwJSGFtcHNoaXJlMRIwEAYDVQQHDAlBbGRlcnNob3Qx
+    EDAOBgNVBAoMB0tvbmcgVUsxEDAOBgNVBAsMB1N1cHBvcnQxFzAVBgNVBAMMDnBy
+    b3h5LmtvbmcubGFuMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29uZ2hxLmNvbTCCASIw
+    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUbKiqoCK1BTNk/7l42n6ukyTEu
+    eLyB23e/90PzT/oz8wZzgwTodzbFAS2VtFr1EKqFzor0DrXp9CLnebOdiAR3I6LD
+    /WY/x0KW3lx3F35fGiUOSLPTH8zeiDTMx11CcKDxesA+M2/s5q0igkOQ4z4w3voz
+    m5a52IcQTSA8K5knNU1qUZBLpc+khxFcaheEK1jsISJJhcdizZBfGdk8S1vpyj5F
+    uCZ7oaRvNA6imHjSJwpgo36zd84TgrIgVj9R4QtJysWy/X+bbaKUiKBWwAtd4+DT
+    EP90l/ny9szu2fijk4/6k1ntXufGTyvM+J0/qJ13e99TVYOVanITnpTO+6cCAwEA
+    AaNWMFQwHwYDVR0jBBgwFoAUdskpf0wJRQxjtzQFZciWmUfl2bcwCQYDVR0TBAIw
+    ADALBgNVHQ8EBAMCBPAwGQYDVR0RBBIwEIIOcHJveHkua29uZy5sYW4wDQYJKoZI
+    hvcNAQELBQADggEBAJVrTWQRQzNtypa9OXFYADm8Fay1VMop3BY2kh0tfYgQEJ/4
+    pJUj6CaszQZ/Aix6LaPnXFcoPCDqqv00mgju86PMamr/zA9USXk8eTmzJkp5RklS
+    GdqiXboqESiQVvaNz3kdW7wgNz4FwaGCzkEi/dcc2LdtzLpWizx+TlxMMqjonUUM
+    ovZgZo+OlhWRsDVT/qy5SFtA0vlVNtdBr2egXb1H7J8UDC+fax/iKa7+fBUHZOO9
+    Fk9U8bxgfQ+jPIVVL8CfAtR68Sos7NpWH0S2emqZRnQvf0MSNdkTQKWn4qR9sckj
+    Ewxs5FbrMmgCOgwk1PtgRmdP3RME0HwK/B03saQ=
+    -----END CERTIFICATE-----
+  id: 507cc555-5b92-496d-9e89-bfc78dfcddbe
+  key: |-
+    -----BEGIN PRIVATE KEY-----
+    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCVGyoqqAitQUzZ
+    P+5eNp+rpMkxLni8gdt3v/dD80/6M/MGc4ME6Hc2xQEtlbRa9RCqhc6K9A616fQi
+    53mznYgEdyOiw/1mP8dClt5cdxd+XxolDkiz0x/M3og0zMddQnCg8XrAPjNv7Oat
+    IoJDkOM+MN76M5uWudiHEE0gPCuZJzVNalGQS6XPpIcRXGoXhCtY7CEiSYXHYs2Q
+    XxnZPEtb6co+Rbgme6GkbzQOoph40icKYKN+s3fOE4KyIFY/UeELScrFsv1/m22i
+    lIigVsALXePg0xD/dJf58vbM7tn4o5OP+pNZ7V7nxk8rzPidP6idd3vfU1WDlWpy
+    E56UzvunAgMBAAECggEAcq7lHNAHdHLgT8yrY41x/AwPryNGO/9JNW7SGVKAdjoU
+    tyaLZHAEmXynLk+R28/YFMA8H4Yd9m9OlrYhVjRZFM4p+5vxP/7YHPB7cPUsfcda
+    DZxR8PX25JVYf/vtb16V0ERLnKd62qCEwC/lr2A2WHQwXJLrHeAtmZzBJYUCJ5Xj
+    Dv1ZhyFjknswaV0vGXe6njTI6CzMQDTGysoagpCCo7RWgzjLREg2BGWd2UQpY4AW
+    nYAP4QNt82UMQbgIqsEMj64mzS9Q+o1P84J1naSP5sCI22LeFRp6iezZc+D8EH/5
+    RNONGSNWl3g6bsvN1VywYwjWn+waD3XAjXUu+peUgQKBgQDDu1QP28oSMKivHdfo
+    kQ1HrTNBRc9eWeAMZFuIbbPLN8rdEibpOm3DwTqithnahqS0NLOsBnXNtuLw1Qr/
+    zmOzn0yDO5XG8dlKr9vqWeBLdcRydLJBZwqEzWf4JwwwgfK3rItRaIbnAxnGUTS5
+    SrrhNfBAIGS9jx5X2kvLC7hFQQKBgQDDBIrpLTIjRDloWZcu03z9Bhb8jQCyGb5C
+    4MYs+duCnQIdNq/+maPspJzbVmF4b6S1zIPweI3fMvMeqRTbuf+drpElst1buFTO
+    P0UMMn4V+4qGIOOkIy5JIKwR8sJD9tNDUPtxuDEotTB9IyWx6pdmCFz5v/bggDCu
+    reoqflL+5wKBgQCDvb+L2QS+j4/KJk0flRoaJ2K7SVCVEesyjA3r2uLMImZhvAkC
+    rDgbLSDZSbZHFp8fR+WzILoD11gSf2Ki4PjMeqkWH3HlcP0vPwTHTO0h/UdXPmKI
+    kOFMl7CmHyoeMCj9JZ60EaXTMYwUpq3VFY6JbTOjBeqoh/8FZMHlDaNewQKBgCHg
+    ECEg8KyflTlDFrfTlMp+3E9STuShBCOp18LIRBEUJOHeNgQLvCXHElgnURcSjZHm
+    zKRgzIQQ3Zpd1Hm2fWhuglgCEeF0y4ZoBx5vRueaoh1aaTCBy/B39GvJt2UG4vu2
+    fXbrf96KWrnh+RJGpbXbjgr0BXZJzisJmrt25gPRAoGBAI3c+INpQXwrE+LBzCPu
+    LwIVvkm5NpeIlKQtDNrqG1QvUhqyZ2/Xitc4FyiccW7WHxkGKGZyj7GbmpqEOnyY
+    iVku0LSftZgycet2uMdp0HaVAgi5S6aVf5yN0U/8R5ToxcbuEfqwrBIyRgse8lx3
+    NNSvLxPAempmiFPSk9AtobYV
+    -----END PRIVATE KEY-----
+  snis:
+  - name: proxy.kong.lan
+  tags:
+  - proxy.kong.lan
+- cert: |-
+    -----BEGIN CERTIFICATE-----
+    MIIFeDCCBGCgAwIBAgIUAusYGP9BwoLFFAJdB/jY6eUzUyQwDQYJKoZIhvcNAQEL
+    BQAwgZIxCzAJBgNVBAYTAlVLMRIwEAYDVQQIDAlIYW1wc2hpcmUxEjAQBgNVBAcM
+    CUFsZGVyc2hvdDEQMA4GA1UECgwHS29uZyBVSzEQMA4GA1UECwwHU3VwcG9ydDEY
+    MBYGA1UEAwwPU3VwcG9ydCBSb290IENBMR0wGwYJKoZIhvcNAQkBFg5zdHVAa29u
+    Z2hxLmNvbTAeFw0yMTAxMjAxNTA0NDVaFw0yMjAxMjAxNTA0NDVaMIGQMQswCQYD
+    VQQGEwJVSzESMBAGA1UECAwJSGFtcHNoaXJlMRIwEAYDVQQHDAlBbGRlcnNob3Qx
+    EDAOBgNVBAoMB0tvbmcgVUsxEDAOBgNVBAsMB1N1cHBvcnQxFjAUBgNVBAMMDW10
+    bHMtY29uc3VtZXIxHTAbBgkqhkiG9w0BCQEWDnN0dUBrb25naHEuY29tMIICIjAN
+    BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1/+83/YNiEVKYvcuVwYGve6afsg1
+    BYCn1+E9Uwgh0uwAenT/DKB8NhqoVxc7cZ2HaTI146IGmFICmctlTWvLPLglHmTo
+    byOUV6tIJAjvzyEOpC458hLGgbv8mhGXJWPxBVu7Wy6Hapz2bk0cEscfL7PHKaRu
+    3D6r8/zbhhWAqe4EIt+NVYT6baaYBs7bPZQXs/sluKI+DNYuDeaAmoSuCc4ein6z
+    0xDqCSMmPebzjns03ttB29vWL3eYY9dvgoCd+CPhXT/C4CHtvKbH+hOQYDtVF6MO
+    1mmABAQTQWMR/00+QI0xtvuXtEPurla5dA0TN6ddCTOOcILKx62z5oc3Kqr+nHHa
+    71zNzARUVaZ2vy1pRVr0DZgB7KqcFXhy/oy8IpmxUR1ASBDZl6B6RKrdQwvgLgmn
+    3M/roNLAU+3nz4itpt/zf+X0suwdthrflic1R68z1SlYbyoGARWkZ/pOl6kLNVK2
+    OsqQuICaajnW7t1oDd7z1+3hm+uoryDwvG6f3T9ZvWjKXYcKg7b+BjbFdahbDywD
+    PgnhSz9AaoVWhR+GHIPrjRClMpEkra/yGJFvH3UpXhgg9d0DrLZE51Z75a9SvnAj
+    vdLuNhx4bJbwLBgNGsJMkupzBrw4iCfbKFcBbP8o0Xjtarj7T/mkWuQ1GjWqfyrD
+    55NecBPNw5C9BR0CAwEAAaOBxTCBwjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQE
+    AwIFoDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENl
+    cnRpZmljYXRlMB0GA1UdDgQWBBSV3F+eicU8SVT4LcDJ6eMzP0todzAfBgNVHSME
+    GDAWgBR2ySl/TAlFDGO3NAVlyJaZR+XZtzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0l
+    BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQB5L0OZ
+    WELG9Pw6Ol1BsZYgpLR4PGNBB9dKm/9dd+q+ohZVFCfXcjZ3YOU1vh/HHQrALRNY
+    I58JxcVCOx/qIW2uA0iSCqIT0sNb9cJLxfZf7X+BzPPPnu0ugUJp7GzLNnHitrLC
+    Xb1nmmefwgraNzp+a5IrR8RcQG1mYDuS+2HK/rybo22XcCxhob8OiDEn8+ytkKyQ
+    Ipmrf9D+/68/ih6az0w1aakASMmFe8z/p6VgVQkCySCWWFG525BRdGmSImqVZ4xa
+    aQFN3L+oN+JJcCFTthLOAYo32JH+xLMz7PokzSL84g3b68h59hXDoMSwB10GthL5
+    T8tqV6i5miKWwvfZ
+    -----END CERTIFICATE-----
+  id: f3ae1bb2-ea6a-4caf-a7a7-2f078b7842db
+  key: |-
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIJKQIBAAKCAgEA1/+83/YNiEVKYvcuVwYGve6afsg1BYCn1+E9Uwgh0uwAenT/
+    DKB8NhqoVxc7cZ2HaTI146IGmFICmctlTWvLPLglHmTobyOUV6tIJAjvzyEOpC45
+    8hLGgbv8mhGXJWPxBVu7Wy6Hapz2bk0cEscfL7PHKaRu3D6r8/zbhhWAqe4EIt+N
+    VYT6baaYBs7bPZQXs/sluKI+DNYuDeaAmoSuCc4ein6z0xDqCSMmPebzjns03ttB
+    29vWL3eYY9dvgoCd+CPhXT/C4CHtvKbH+hOQYDtVF6MO1mmABAQTQWMR/00+QI0x
+    tvuXtEPurla5dA0TN6ddCTOOcILKx62z5oc3Kqr+nHHa71zNzARUVaZ2vy1pRVr0
+    DZgB7KqcFXhy/oy8IpmxUR1ASBDZl6B6RKrdQwvgLgmn3M/roNLAU+3nz4itpt/z
+    f+X0suwdthrflic1R68z1SlYbyoGARWkZ/pOl6kLNVK2OsqQuICaajnW7t1oDd7z
+    1+3hm+uoryDwvG6f3T9ZvWjKXYcKg7b+BjbFdahbDywDPgnhSz9AaoVWhR+GHIPr
+    jRClMpEkra/yGJFvH3UpXhgg9d0DrLZE51Z75a9SvnAjvdLuNhx4bJbwLBgNGsJM
+    kupzBrw4iCfbKFcBbP8o0Xjtarj7T/mkWuQ1GjWqfyrD55NecBPNw5C9BR0CAwEA
+    AQKCAgEAymuOrG/hJKiS2oX8tm8eWFZIELI9BigYozYhCzQexpSGqjwEXOf1H5sB
+    0YQjIAlZwhrc57OK7KpGZ6x2BgUT1JZZqs80CBtWxIXuuF5rpje7id8MTLCNuTzb
+    r+L2O4Mad0QNI5lKLH5mbt3yhiJ3NnQLHBpODjbpXGDFtTVne1hkJe5MfC1/psyt
+    wguO6HllcTTWl93ruonpZPtz39qhYuz4MCAnE5DRUrjO+Mn7y7XoyUS+xnSRl7BD
+    bqWRicJQyB+P7px3WyZQri+6TsCQ164iw2D64bLC1oCfLvLSBeh0g3gOdAX5mGTl
+    RBpf98LdFJXSmXHodcYMlO5THqHu7mOE8zvPDbOzpwKftE11PS+lhuq/fREJnrAx
+    pbvTkv2c1nu90gkracv6PhRC8YhBIa2gqhoxY7rH7UpYa1c5QaJzg5ibiteTLRKC
+    e9ZmfoPWaY2ksY4gBWZ/p2wokJ8U6ZHEsEfQS9WibMpqRsdINWQ9JnIBLKnTuqB0
+    B29E9jHAl8rwMT2/DiIiVjHcdwpP37MxotKvYDFw+yDcZDeKTIh133XZNWyO/TcH
+    aDrNB0dymqunuNmfPts566AYErym0ndcmmLuGIKKE+l1h1+5CWjdsTdrkkXZK/w1
+    i/krfLruQqQcW3Bpng8JAKirvGfYJxIEaCLqtepb7YaHhaI3gz0CggEBAPO0UQ6e
+    oPzMYmEegp2LjAfHZhwGV0fpiC6nxEWKoEE7Tb5zyB8rlkFIpQlXmljQvf3xDmq/
+    Ta3JlkaY290oFc0ypp9zUY/sUGyc3pvltxl0gLKOPnIkoP3ma2HzBxQRrGRdcFhH
+    AHom80Bm9APm29L0MFuOuhGGxkGvQCxH+KmmohvZMUEqNIuWi8XB7maDXcAmSJ7x
+    YdQAgLspRJ+kkZM+59XijyvYvg04xCu1FSop+Lol+xBwWAR5OaKnbZ9L+jKtzbxC
+    IS7ERTlhsham2dYIm7SFcD/OcLV6luqreR0svS6HQis1kGxnNxkBAbrB1QZ+wLKp
+    QztnOk70H/eWP5sCggEBAOLllCHuRloqEyzDT5sVbflCMTVsXmHGJ4/qI4An+etI
+    3DComNLPAIBKYAiNgqWAm/wfLy5rHu2ZGzcPn7cQF/xKp00uDGKncQz3Z9JDofI1
+    rpLH+t3LJ9l/EzQv1tpzwOU5rhFNmqrJnwy17BtOmlCKAQnVmyDkLyR9AhWkCTi8
+    BLDq6mx1X61K6P11GAxAd70NFNzD8868Ddq2XInwEwXzf/FHQW/JVYZEAa7dn4KF
+    wQ/tPSspP0vGzDfgNI64PtNePnZ/e00XXqA7la2OScro+SDSyXGlDKX4XhwwTDD1
+    +u3VbUmjInpEJL3bU8c/qe36UhoseF1G0cm22sHqhacCggEAY3A+5r05KQ1oUwJ0
+    /z2ybHYjJuo7cN9MLuVLg6iVzSgah8yMapOJYqf2l0JEe1rpOxXB8TKPyoqHo9S5
+    WZsCklDJhiQysowVIMw9VNU9ichsvu6lckOZ4R/Ezxmv2LOBaQ5rScnm2vDLroqT
+    pIftSD1VAfbR21bnzGNqxuazAt44JS7RFyrWd+J8s7t2wCN3/HBij2Akr7Fo1XV4
+    R7+JmtA/HpmsG5L7sT9pZAAmW6b2k1XuBH4im+iu6LxyUV5Z/5XFbbx597AkIs7H
+    MNDx75BhoB4WeCKPAK29qJFBAPOBWdvc1u6rOGBBLhWoFAEFH/pWPFAuW626L/8S
+    kB6hYwKCAQB3/JIec2Pu0Gs9c7eIOofilXdyWfF7YQ+Q0m+dmQZXvzr53F6ctGz+
+    atZoD3V0UhOq+063DFzZpuq2bmO2qiMU/uGENgLEtOlawwa7MZrVfD/qTSjD22gi
+    Y0njghzrfuUWEy+S5OgSwvaCAT5vnlyKlMBB1BzqAuFPOXA9w3ZA82TDribz3goP
+    mRqm1iI2cG0ho2ZR7KnkvJvS+jbrlvJoZkFVdaoMFHtOum3tbDOrEVJsOrfrOC/J
+    wcJDFiSVCKfonOEJRxcMSHx43amkkydAz3zXN8DhgTe0GSijXYMdLSdaWFAn7cYQ
+    xDJt2CtwpaEWQRbj0nqAUTAlrLX4cC3nAoIBAQCl1cV86bYw8CKrCuf9TF0Kk5pd
+    REdilDpks4Z1RH4MpBDWLtvMeQqlNsN+/RugKQExO0HTdZIyn7cBRRloD2xcNcJA
+    G/rUMel/x4fhaEOE7Uw9rmTefvpcgWmtXw64sMA8KFA4oCXIcgbwL5Q+szqNNWAN
+    abpgl0DnU06YyBDoK/7D0B8Kt3qS1N6XX+Z5wtPvglbD2HCYy6rdkqi8IbQ/6OeS
+    wG7p/7g3JlOEyotMq9Cl2T0wTNDSLlma+mwc9mILITDXznWiLQSznE69mebWBUr3
+    Sbt91efH30inRx85H0pNJrpZsH0A6ayL0gTJSuUc0eJXYR5Po1gRQMOSIEWh
+    -----END RSA PRIVATE KEY-----
+plugins:
+- name: openid-connect
+  config:
+    auth_methods:
+    - authorization_code
+    - session
+    issuer: http://example.org
+    client_id:
+    - "<client-id>"
+    client_secret:
+    - "<client-secret>"
+    session_secret: "<session-secret>"
+    response_mode: form_post
+services:
+  - name: example-service
+    url: http://example-api.com
+    protocol: http
+    host: example-api.com
+    port: 80
+    path: /v1
+    retries: 5
+    connect_timeout: 5000
+    write_timeout: 60000
+    read_timeout: 60000
+    enabled: true
+    client_certificate: 4e3ad2e4-0bc4-4638-8e34-c84a417ba39b
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
+        ordering:
+          before:
+            access: 
+              - another-plugin
+          after:
+            access: 
+              - yet-another-plugin
+    tags:
+      - example
+      - api
+    routes:
+      - name: example-route
+        methods:
+          - GET
+          - POST
+        hosts:
+          - example.com
+          - another-example.com
+          - yet-another-example.com
+        paths:
+          - ~/v1/example/?$
+          - /v1/another-example
+          - /v1/yet-another-example
+        protocols:
+          - http
+          - https
+        headers:
+          x-my-header:
+            - ~*foos?bar$
+          x-another-header:
+            - first-header-value
+            - second-header-value
+        regex_priority: 1
+        strip_path: false
+        preserve_host: true
+        tags:
+          - version:v1
+        https_redirect_status_code: 302
+        snis:
+          - example.com
+        plugins:
+          - name: aws-lambda
+            config:
+              aws_key: my_key
+              aws_secret: my_secret
+              function_name: my_function
+              aws_region: us-west-2
+          - name: cors
+            config:
+              origins:
+                - example.com
+              methods:
+                - GET
+                - POST
+              headers:
+                - Authorization
+              exposed_headers:
+                - X-My-Header
+              max_age: 3600
+              credentials: true
+          - name: file-log
+            config:
+              path: /var/log/kong/kong.log
+              reopen: true
+          - name: http-log
+            config:
+              http_endpoint: http://example.com/logs
+              method: POST
+              content_type: application/json
+              timeout: 10000
+              keepalive: 60000
+              retry_count: 10
+              queue_size: 1000
+          - name: ip-restriction
+            config:
+              allow:
+                - 192.168.0.1/24
+              deny:
+                - 192.168.0.2/32
+          - name: rate-limiting-advanced
+            config:
+              limit:
+              - 5
+              window_size:
+              - 30
+              identifier: consumer
+              sync_rate: -1
+              namespace: example_namespace
+              strategy: local
+              hide_client_headers: false
+          - name: request-termination
+            config:
+              status_code: 403
+              message: Forbidden
+          - name: response-ratelimiting
+            config:
+              limits:
+                limit_name:
+                  minute: 10
+              policy: local
+          - name: tcp-log
+            config:
+              host: example.com
+              port: 1234
+          - name: basic-auth
+            config:
+              hide_credentials: false
+          - name: jwt
+            config:
+              uri_param_names:
+                - token
+              claims_to_verify:
+                - exp
+                - nbf
+              key_claim_name: kid
+              secret_is_base64: false
+              anonymous: null
+              run_on_preflight: true
+              maximum_expiration: 3600
+              header_names:
+                - Authorization
+          - name: key-auth
+            config:
+              hide_credentials: false
+              key_names:
+                - apikey
+              key_in_body: false
+              run_on_preflight: true
+          - name: acl
+            config:
+              allow: 
+                - admin
+upstreams:
+  - name: example-api.com
+    algorithm: round-robin
+    hash_on: none
+    hash_fallback: none
+    hash_on_cookie_path: "/"
+    slots: 10000
+    healthchecks:
+      passive:
+        type: http
+        healthy:
+          http_statuses:
+          - 200
+          - 201
+          - 202
+          - 203
+          - 204
+          - 205
+          - 206
+          - 207
+          - 208
+          - 226
+          - 300
+          - 301
+          - 302
+          - 303
+          - 304
+          - 305
+          - 306
+          - 307
+          - 308
+          successes: 0
+        unhealthy:
+          http_statuses:
+          - 429
+          - 500
+          - 503
+          timeouts: 0
+          http_failures: 0
+          tcp_failures: 0
+      active:
+        https_verify_certificate: true
+        healthy:
+          http_statuses:
+          - 200
+          - 302
+          successes: 0
+          interval: 0
+        unhealthy:
+          http_failures: 0
+          http_statuses:
+          - 429
+          - 404
+          - 500
+          - 501
+          - 502
+          - 503
+          - 504
+          - 505
+          timeouts: 0
+          tcp_failures: 0
+          interval: 0
+        type: http
+        concurrency: 10
+        headers:
+          x-my-header:
+            - foo
+            - bar
+          x-another-header:
+            - bla
+        timeout: 1
+        http_path: "/"
+        https_sni: example.com
+      threshold: 0
+    tags:
+    - user-level
+    - low-priority
+    host_header: example.com
+    use_srv_name: false
+    targets:
+    - target: 10.10.10.10:8000
+      weight: 100
+    - target: 10.10.10.11:8000
+      weight: 100
+consumers:
+  - username: example-user
+    custom_id: "1234567890"
+    tags:
+      - internal
+    acls:
+      - group: acl_group
+        tags:
+          - internal
+    basicauth_credentials:
+      - username: my_basic_user
+        password: my_basic_password
+        tags:
+          - internal
+    jwt_secrets:
+      - key: my_jwt_secret
+        algorithm: HS256
+        secret: my_secret_key
+        tags:
+          - internal
+    keyauth_credentials:
+      - key: my_api_key
+        tags:
+          - internal
+    mtls_auth_credentials:
+      - id: cce8c384-721f-4f58-85dd-50834e3e733a
+        subject_name: example-user@example.com
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
+consumer_groups:
+  - name: example-consumer-group
+    consumers:
+      - username: example-user
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
+          window_type: sliding
+          retry_after_jitter_max: 0
+    
+    
+    
\ No newline at end of file
diff --git a/kong2tf/testdata/route-input.yaml b/kong2tf/testdata/route-input.yaml
new file mode 100644
index 000000000..b4c32430c
--- /dev/null
+++ b/kong2tf/testdata/route-input.yaml
@@ -0,0 +1,48 @@
+services:
+  - name: example-service
+    url: http://example-api.com
+    routes:
+      - name: example-route
+        methods:
+          - GET
+          - POST
+        hosts:
+          - example.com
+          - another-example.com
+          - yet-another-example.com
+        paths:
+          - ~/v1/example/?$
+          - /v1/another-example
+          - /v1/yet-another-example
+        protocols:
+          - http
+          - https
+        headers:
+          x-my-header:
+            - ~*foos?bar$
+          x-another-header:
+            - first-header-value
+            - second-header-value
+        regex_priority: 1
+        strip_path: false
+        preserve_host: true
+        tags:
+          - version:v1
+        https_redirect_status_code: 302
+        snis:
+          - example.com
+        sources:
+          - ip: 192.168.0.1
+        destinations:
+          - ip: 10.10.10.10
+            port: 8080
+
+routes:
+  - name: top-level-route
+    hosts:
+      - top-level.example.com
+  - name: top-level-with-service-route
+    service:
+      name: example-service
+    hosts:
+      - top-level-with-service.example.com
diff --git a/kong2tf/testdata/route-output-expected.tf b/kong2tf/testdata/route-output-expected.tf
new file mode 100644
index 000000000..bc879c61d
--- /dev/null
+++ b/kong2tf/testdata/route-output-expected.tf
@@ -0,0 +1,67 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_service" "example_service" {
+  name = "example-service"
+  host = "example-api.com"
+  port = 80
+  protocol = "http"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_route" "example_route" {
+  name = "example-route"
+  destinations = [
+    {
+      ip = "10.10.10.10"
+      port = 8080
+    },
+  ]
+  headers = {
+    x-another-header = ["first-header-value", "second-header-value"]
+    x-my-header = ["~*foos?bar$"]
+  }
+  hosts = ["example.com", "another-example.com", "yet-another-example.com"]
+  https_redirect_status_code = 302
+  methods = ["GET", "POST"]
+  paths = ["~/v1/example/?$", "/v1/another-example", "/v1/yet-another-example"]
+  preserve_host = true
+  protocols = ["http", "https"]
+  regex_priority = 1
+  snis = ["example.com"]
+  sources = [
+    {
+      ip = "192.168.0.1"
+    },
+  ]
+  strip_path = false
+  tags = ["version:v1"]
+
+  service = {
+    id = konnect_gateway_service.example_service.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_route" "top_level_route" {
+  name = "top-level-route"
+  hosts = ["top-level.example.com"]
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_route" "top_level_with_service_route" {
+  name = "top-level-with-service-route"
+  hosts = ["top-level-with-service.example.com"]
+
+  service = {
+    id = konnect_gateway_service.example_service.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/route-plugin-input.yaml b/kong2tf/testdata/route-plugin-input.yaml
new file mode 100644
index 000000000..59d47b0c1
--- /dev/null
+++ b/kong2tf/testdata/route-plugin-input.yaml
@@ -0,0 +1,21 @@
+services:
+  - name: example-service
+    url: http://example-api.com
+    routes:
+      - name: example-route
+        paths:
+          - ~/v1/example/?$
+        plugins:
+        - name: cors
+          config:
+            origins:
+              - example.com
+            methods:
+              - GET
+              - POST
+            headers:
+              - Authorization
+            exposed_headers:
+              - X-My-Header
+            max_age: 3600
+            credentials: true
\ No newline at end of file
diff --git a/kong2tf/testdata/route-plugin-output-expected.tf b/kong2tf/testdata/route-plugin-output-expected.tf
new file mode 100644
index 000000000..662d8b4ea
--- /dev/null
+++ b/kong2tf/testdata/route-plugin-output-expected.tf
@@ -0,0 +1,42 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_service" "example_service" {
+  name = "example-service"
+  host = "example-api.com"
+  port = 80
+  protocol = "http"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_route" "example_route" {
+  name = "example-route"
+  paths = ["~/v1/example/?$"]
+
+  service = {
+    id = konnect_gateway_service.example_service.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_plugin_cors" "example_route_cors" {
+  config = {
+    credentials = true
+    exposed_headers = ["X-My-Header"]
+    headers = ["Authorization"]
+    max_age = 3600
+    methods = ["GET", "POST"]
+    origins = ["example.com"]
+  }
+
+  route = {
+    id = konnect_gateway_route.example_route.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/service-input.yaml b/kong2tf/testdata/service-input.yaml
new file mode 100644
index 000000000..c25edb3dc
--- /dev/null
+++ b/kong2tf/testdata/service-input.yaml
@@ -0,0 +1,18 @@
+services:
+  - name: example-service
+    url: http://example-api.com
+    protocol: http
+    host: example-api.com
+    port: 80
+    path: /v1
+    retries: 5
+    connect_timeout: 5000
+    write_timeout: 60000
+    read_timeout: 60000
+    enabled: true
+    client_certificate: 4e3ad2e4-0bc4-4638-8e34-c84a417ba39b
+    tls_verify: true
+    tls_verify_depth: 1
+    tags:
+      - example
+      - api
\ No newline at end of file
diff --git a/kong2tf/testdata/service-output-expected.tf b/kong2tf/testdata/service-output-expected.tf
new file mode 100644
index 000000000..59128051e
--- /dev/null
+++ b/kong2tf/testdata/service-output-expected.tf
@@ -0,0 +1,24 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_service" "example_service" {
+  enabled = true
+  name = "example-service"
+  client_certificate = "4e3ad2e4-0bc4-4638-8e34-c84a417ba39b"
+  connect_timeout = 5000
+  host = "example-api.com"
+  path = "/v1"
+  port = 80
+  protocol = "http"
+  read_timeout = 60000
+  retries = 5
+  tags = ["example", "api"]
+  tls_verify = true
+  tls_verify_depth = 1
+  write_timeout = 60000
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/service-plugin-input.yaml b/kong2tf/testdata/service-plugin-input.yaml
new file mode 100644
index 000000000..b0656dd41
--- /dev/null
+++ b/kong2tf/testdata/service-plugin-input.yaml
@@ -0,0 +1,22 @@
+services:
+  - name: example-service
+    url: http://example-api.com
+    plugins:
+      - name: rate-limiting-advanced
+        config:
+          limit:
+          - 5
+          window_size:
+          - 30
+          identifier: consumer
+          sync_rate: -1
+          namespace: example_namespace
+          strategy: local
+          hide_client_headers: false
+        ordering:
+          before:
+            access: 
+              - another-plugin
+          after:
+            access: 
+              - yet-another-plugin
\ No newline at end of file
diff --git a/kong2tf/testdata/service-plugin-output-expected.tf b/kong2tf/testdata/service-plugin-output-expected.tf
new file mode 100644
index 000000000..ea871a4f1
--- /dev/null
+++ b/kong2tf/testdata/service-plugin-output-expected.tf
@@ -0,0 +1,40 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_service" "example_service" {
+  name = "example-service"
+  host = "example-api.com"
+  port = 80
+  protocol = "http"
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_plugin_rate_limiting_advanced" "example_service_rate_limiting_advanced" {
+  config = {
+    hide_client_headers = false
+    identifier = "consumer"
+    limit = [5]
+    namespace = "example_namespace"
+    strategy = "local"
+    sync_rate = -1
+    window_size = [30]
+  }
+  ordering = {
+    after = {
+      access = ["yet-another-plugin"]
+    }
+    before = {
+      access = ["another-plugin"]
+    }
+  }
+
+  service = {
+    id = konnect_gateway_service.example_service.id
+  }
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/upstream-target-input.yaml b/kong2tf/testdata/upstream-target-input.yaml
new file mode 100644
index 000000000..285ca28f8
--- /dev/null
+++ b/kong2tf/testdata/upstream-target-input.yaml
@@ -0,0 +1,84 @@
+upstreams:
+  - name: example-api.com
+    algorithm: round-robin
+    hash_on: none
+    hash_fallback: none
+    hash_on_cookie_path: "/"
+    slots: 10000
+    healthchecks:
+      passive:
+        type: http
+        healthy:
+          http_statuses:
+          - 200
+          - 201
+          - 202
+          - 203
+          - 204
+          - 205
+          - 206
+          - 207
+          - 208
+          - 226
+          - 300
+          - 301
+          - 302
+          - 303
+          - 304
+          - 305
+          - 306
+          - 307
+          - 308
+          successes: 0
+        unhealthy:
+          http_statuses:
+          - 429
+          - 500
+          - 503
+          timeouts: 0
+          http_failures: 0
+          tcp_failures: 0
+      active:
+        https_verify_certificate: true
+        healthy:
+          http_statuses:
+          - 200
+          - 302
+          successes: 0
+          interval: 0
+        unhealthy:
+          http_failures: 0
+          http_statuses:
+          - 429
+          - 404
+          - 500
+          - 501
+          - 502
+          - 503
+          - 504
+          - 505
+          timeouts: 0
+          tcp_failures: 0
+          interval: 0
+        type: http
+        concurrency: 10
+        headers:
+          x-my-header:
+            - foo
+            - bar
+          x-another-header:
+            - bla
+        timeout: 1
+        http_path: "/"
+        https_sni: example.com
+      threshold: 0
+    tags:
+    - user-level
+    - low-priority
+    host_header: example.com
+    use_srv_name: false
+    targets:
+    - target: 10.10.10.10:8000
+      weight: 100
+    - target: 10.10.10.11:8000
+      weight: 200
\ No newline at end of file
diff --git a/kong2tf/testdata/upstream-target-output-expected.tf b/kong2tf/testdata/upstream-target-output-expected.tf
new file mode 100644
index 000000000..fdb9eb0a1
--- /dev/null
+++ b/kong2tf/testdata/upstream-target-output-expected.tf
@@ -0,0 +1,77 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_upstream" "upstream_example_api_com" {
+  name = "example-api.com"
+  algorithm = "round-robin"
+  hash_fallback = "none"
+  hash_on = "none"
+  hash_on_cookie_path = "/"
+  healthchecks = {
+    active = {
+      concurrency = 10
+      headers = {
+        x-another-header = ["bla"]
+        x-my-header = ["foo", "bar"]
+      }
+      healthy = {
+        http_statuses = [200, 302]
+        interval = 0
+        successes = 0
+      }
+      http_path = "/"
+      https_sni = "example.com"
+      https_verify_certificate = true
+      timeout = 1
+      type = "http"
+      unhealthy = {
+        http_failures = 0
+        http_statuses = [429, 404, 500, 501, 502, 503, 504, 505]
+        interval = 0
+        tcp_failures = 0
+        timeouts = 0
+      }
+    }
+    passive = {
+      healthy = {
+        http_statuses = [200, 201, 202, 203, 204, 205, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308]
+        successes = 0
+      }
+      type = "http"
+      unhealthy = {
+        http_failures = 0
+        http_statuses = [429, 500, 503]
+        tcp_failures = 0
+        timeouts = 0
+      }
+    }
+    threshold = 0
+  }
+  host_header = "example.com"
+  slots = 10000
+  tags = ["user-level", "low-priority"]
+  use_srv_name = false
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_target" "upstream_example_api_com_target_10_10_10_10_8000" {
+  target = "10.10.10.10:8000"
+  weight = 100
+
+  upstream_id = konnect_gateway_upstream.upstream_example_api_com.id
+
+  control_plane_id = var.control_plane_id
+}
+
+resource "konnect_gateway_target" "upstream_example_api_com_target_10_10_10_11_8000" {
+  target = "10.10.10.11:8000"
+  weight = 200
+
+  upstream_id = konnect_gateway_upstream.upstream_example_api_com.id
+
+  control_plane_id = var.control_plane_id
+}
+
diff --git a/kong2tf/testdata/vault-input.yaml b/kong2tf/testdata/vault-input.yaml
new file mode 100644
index 000000000..ec9fa862d
--- /dev/null
+++ b/kong2tf/testdata/vault-input.yaml
@@ -0,0 +1,8 @@
+vaults:
+- config:
+    prefix: MY_SECRET_
+  description: ENV vault for secrets
+  name: env
+  prefix: my-env-vault
+  tags:
+    - env-vault
\ No newline at end of file
diff --git a/kong2tf/testdata/vault-output-expected.tf b/kong2tf/testdata/vault-output-expected.tf
new file mode 100644
index 000000000..1c1af8d8b
--- /dev/null
+++ b/kong2tf/testdata/vault-output-expected.tf
@@ -0,0 +1,17 @@
+variable "control_plane_id" {
+  type = "string"
+  default = "YOUR_CONTROL_PLANE_ID"
+}
+
+resource "konnect_gateway_vault" "env" {
+  name = "env"
+  config = jsonencode({
+    prefix = "MY_SECRET_"
+  })
+  description = "ENV vault for secrets"
+  prefix = "my-env-vault"
+  tags = ["env-vault"]
+
+  control_plane_id = var.control_plane_id
+}
+