Anypoint Provider

Overview

The Anypoint Terraform provider lets you manage Anypoint Platform resources declaratively as Infrastructure as Code (IaC). You define, provision, and update your API management configuration through Terraform plans.

What's included

This provider covers 108 documentation pages organized in 2 categories:

  • Resources — 89 items across 6 subcategories
  • Data Sources — 19 items across 5 subcategories

Getting started

  1. Install Terraform CLI (v0.13+).
  2. Add the provider to your Terraform configuration:
    terraform {
      required_providers {
        anypoint = {
          source  = "mulesoft/anypoint"
          version = "0.0.6"
        }
      }
    }
    
    provider "anypoint" {
      # Configuration options
    }
  3. Run terraform init, terraform plan, and terraform apply.
  4. For more details, visit the Terraform Registry.

anypoint_connected_app_scopes (Resource)

Manages scopes for an Anypoint Connected Application using user authentication.

~> Note: This is an Access Management resource and requires the admin provider (anypoint.admin), which uses admin user credentials along with the client_id and client_secret of a connected app to authenticate on behalf of the user (auth_type = "user"). You must set provider = anypoint.admin on this resource. The default provider (connected app credentials only) does not have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_connected_app_scopes" "example" {
  provider = anypoint.admin
  connected_app_id = "my-connected-app-id"

  scopes = [
    {
      scope = "admin:cloudhub"
      context_params = {
        org = "your-org-id"
      }
    },
    {
      scope = "read:applications"
      context_params = {
        org = "your-org-id"
        envId = "your-env-id"
      }
    }
  ]
}

Schema

Required

  • connected_app_id (String) The ID of the connected application to manage scopes for.
  • scopes (Block Set) The set of scopes to assign to the connected application. See below for nested schema.

Read-Only

  • id (String) The unique identifier for the connected app scopes (same as connected_app_id).

Nested Schema for scopes

Required:

  • scope (String) The scope name (e.g., 'admin:cloudhub', 'read:applications').

Optional:

  • context_params (Map of String) Context parameters for the scope (e.g., organization ID).

Import

Import is supported using the following syntax:

terraform import anypoint_connected_app_scopes.example <connected_app_id>
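
Because this resource decides what a connected app is allowed to do, a scope change deserves review before apply. The following is an added example, not part of the provider or its documentation: it reads the JSON form of a plan (`terraform show -json plan.out`) and reports every planned grant that is not on an approved list. The `APPROVED_GRANTS` policy, the function names and the sample plan are assumptions constructed for illustration.

```python
"""Audit anypoint_connected_app_scopes grants in a Terraform plan (added example)."""
import json
import sys

# Constructed sample: the subset of `terraform show -json plan.out` this audit reads.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "anypoint_connected_app_scopes.example",
            "type": "anypoint_connected_app_scopes",
            "change": {
                "actions": ["update"],
                "before": {
                    "connected_app_id": "my-connected-app-id",
                    "scopes": [
                        {"scope": "read:applications",
                         "context_params": {"org": "your-org-id", "envId": "your-env-id"}},
                    ],
                },
                "after": {
                    "connected_app_id": "my-connected-app-id",
                    "scopes": [
                        {"scope": "admin:cloudhub",
                         "context_params": {"org": "your-org-id"}},
                        {"scope": "read:applications",
                         "context_params": {"org": "your-org-id", "envId": "your-env-id"}},
                    ],
                },
            },
        }
    ]
}

# Hypothetical review policy: (scope, org, envId) grants signed off per connected app.
APPROVED_GRANTS = {
    "my-connected-app-id": {("read:applications", "your-org-id", "your-env-id")},
}


def grant_key(entry):
    """Normalise one scopes element to a comparable (scope, org, envId) tuple."""
    params = entry.get("context_params") or {}
    return (entry.get("scope"), params.get("org"), params.get("envId"))


def audit_scopes(plan, approved):
    """Return one finding per planned grant that is not on the approved list."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "anypoint_connected_app_scopes":
            continue
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None:  # resource is being destroyed, nothing is granted
            continue
        before = change.get("before") or {}
        previous = {grant_key(e) for e in before.get("scopes") or []}
        # An unknown (computed) connected_app_id is null here, so nothing is approved.
        allowed = approved.get(after.get("connected_app_id"), set())
        for entry in after.get("scopes") or []:
            key = grant_key(entry)
            if key in allowed:
                continue
            findings.append({
                "address": rc.get("address"),
                "scope": key[0],
                "org": key[1],
                "envId": key[2],
                "newly_added": key not in previous,
            })
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python audit_scopes.py plan.json
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    results = audit_scopes(plan, APPROVED_GRANTS)
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

The non-zero exit status lets a CI job block the apply until the new grant is added to the approved list.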

anypoint_environment (Resource)

Manages an Anypoint Platform environment.

~> Note: This is an Access Management resource and requires the admin provider (anypoint.admin), which uses admin user credentials along with the client_id and client_secret of a connected app to authenticate on behalf of the user (auth_type = "user"). You must set provider = anypoint.admin on this resource. The default provider (connected app credentials only) does not have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_environment" "example" {
  provider = anypoint.admin
  name            = "my-sandbox-env"
  type            = "sandbox"
  is_production   = false
  organization_id = "your-org-id"
}

Schema

Required

  • name (String) The name of the environment.

Optional

  • arc_namespace (String) The ARC namespace for the environment.
  • client_id (String) The client ID associated with the environment.
  • is_production (Boolean) Whether this is a production environment. Defaults to false.
  • organization_id (String) The organization ID where the environment will be created. If not provided, the organization ID will be inferred from the connected app credentials.
  • type (String) The type of the environment (e.g., 'design', 'sandbox', 'production'). Defaults to "sandbox".

Read-Only

  • id (String) The unique identifier for the environment.

Import

Import is supported using the following syntax:

terraform import anypoint_environment.example <environment_id>

anypoint_organization (Resource)

Creates and manages an Anypoint Platform organization (business group).

~> Note: This is an Access Management resource and requires the admin provider (anypoint.admin), which uses admin user credentials along with the client_id and client_secret of a connected app to authenticate on behalf of the user (auth_type = "user"). You must set provider = anypoint.admin on this resource. The default provider (connected app credentials only) does not have sufficient privileges for Access Management operations.

Entitlement State Behaviour

The provider honours user-defined state for entitlements, not Platform defaults.

  • If you declare an entitlement field in your Terraform config, the provider manages it: any Platform-side change will be reverted on the next apply.
  • If you omit an entitlement field, the provider treats it as unmanaged. Platform-side updates to that field are not reflected in the plan and will not be reverted.
  • Master-org-only entitlements (hybrid, omni_gateway, service_mesh, worker_logging_override, runtime_fabric, design_center) are inherited on sub-orgs and cannot be set via this resource on a business group. They are stripped from API requests to prevent HTTP 403 errors.

In short: only declare entitlement fields you want Terraform to own. Leave everything else out of your config.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_organization" "example" {
  provider = anypoint.admin

  name                   = "my-sub-org"
  parent_organization_id = "parent-org-id"
  owner_id               = "owner-user-id"

  entitlements = {
    create_sub_orgs     = false
    create_environments = true
    global_deployment   = false

    vcores_production = {
      assigned = 0
    }

    vcores_sandbox = {
      assigned = 0
    }

    vcores_design = {
      assigned = 0
    }

    vpcs = {
      assigned = 0
    }

    network_connections = {
      assigned = 0
    }

    managed_gateway_small = {
      assigned = 0
    }

    managed_gateway_large = {
      assigned = 0
    }
  }
}

Schema

Required

  • name (String) The name of the organization.
  • owner_id (String) The ID of the organization owner. Changing this forces a new resource.
  • parent_organization_id (String) The ID of the parent organization. Changing this forces a new resource.

Optional

Read-Only

  • id (String) The unique identifier for the organization.
  • client_id (String) The client ID associated with the organization.
  • created_at (String) The creation timestamp of the organization.
  • deleted_at (String) The deletion timestamp of the organization.
  • domain (String) The domain of the organization.
  • environments (Block List) The environments within the organization. See below for nested schema.
  • gdot_id (String) The GDOT ID of the organization.
  • idprovider_id (String) The ID provider ID for the organization.
  • is_automatic_admin_promotion_exempt (Boolean) Whether the organization is exempt from automatic admin promotion.
  • is_federated (Boolean) Whether the organization is federated.
  • is_master (Boolean) Whether the organization is a master organization.
  • is_root (Boolean) Whether the organization is a root organization.
  • mfa_required (String) Whether MFA is required for the organization.
  • org_type (String) The type of the organization.
  • parent_organization_ids (List of String) List of parent organization IDs (ancestor chain).
  • session_timeout (Number) The session timeout for the organization.
  • sub_organization_ids (List of String) List of sub-organization IDs.
  • subscription (Block) The subscription details for the organization. See below for nested schema.
  • tenant_organization_ids (List of String) List of tenant organization IDs.
  • updated_at (String) The last update timestamp of the organization.

Nested Schema for entitlements

Only the fields you declare are managed by Terraform. Fields you omit are not tracked and will not be reverted if the Platform changes them.

Optional:

  • create_environments (Boolean) Whether environments can be created. Defaults to false.
  • create_sub_orgs (Boolean) Whether sub-organizations can be created. Defaults to false.
  • global_deployment (Boolean) Whether global deployment is enabled. Defaults to false.
  • design_center (Block) Design Center entitlement. Master-org-only — ignored on business groups. See below for nested schema.
  • omni_gateway (Block) Omni Gateway entitlement. Master-org-only — ignored on business groups. See below for nested schema.
  • gateways (Block) Gateways entitlement. See below for nested schema.
  • hybrid (Block) Hybrid entitlement. Master-org-only — ignored on business groups. See below for nested schema.
  • load_balancer (Block) Load balancer entitlement. See below for nested schema.
  • managed_gateway_large (Block) Managed Gateway (large) entitlement. See below for nested schema.
  • managed_gateway_small (Block) Managed Gateway (small) entitlement. See below for nested schema.
  • mq_messages (Block) MQ messages entitlement. See below for nested schema.
  • mq_requests (Block) MQ requests entitlement. See below for nested schema.
  • network_connections (Block) Network connections entitlement. See below for nested schema.
  • runtime_fabric (Boolean) Whether Runtime Fabric is enabled. Master-org-only — ignored on business groups.
  • service_mesh (Block) Service Mesh entitlement. Master-org-only — ignored on business groups. See below for nested schema.
  • vcores_design (Block) Design vCore entitlement. See below for nested schema.
  • vcores_production (Block) Production vCore entitlement. See below for nested schema.
  • vcores_sandbox (Block) Sandbox vCore entitlement. See below for nested schema.
  • vpcs (Block) VPC entitlement. See below for nested schema.
  • worker_logging_override (Block) Worker logging override entitlement. Master-org-only — ignored on business groups. See below for nested schema.

Note: static_ips and vpns entitlements are managed server-side by Anypoint and are not settable via Terraform. Configure them through the Anypoint UI or API.

Nested Schema for vcores_production / vcores_sandbox / vcores_design / vpcs / network_connections

Optional:

  • assigned (Number) The number of assigned units. Defaults to 0.
  • reassigned (Number) The number of reassigned units. Defaults to 0.

Nested Schema for hybrid / omni_gateway / worker_logging_override / service_mesh

Optional:

  • enabled (Boolean) Whether this feature is enabled.

Nested Schema for gateways / load_balancer / managed_gateway_small / managed_gateway_large

Optional:

  • assigned (Number) The number of assigned units.

Nested Schema for mq_messages / mq_requests

Optional:

  • add_on (Number) The add-on number of MQ units. Defaults to 0.
  • base (Number) The base number of MQ units. Defaults to 0.

Nested Schema for design_center

Optional:

  • api (Boolean) Whether API Designer is enabled.
  • mozart (Boolean) Whether Flow Designer (Mozart) is enabled.

Nested Schema for subscription

Read-Only:

  • category (String) The subscription category.
  • expiration (String) The subscription expiration date.
  • type (String) The subscription type.

Optional:

  • justification (String) The subscription justification.

Nested Schema for environments

~> Note: When a new organization is created, Anypoint Platform automatically provisions two environments: Sandbox and Production. These appear in the environments read-only attribute after the first apply and do not need to be declared in your configuration.

Read-Only:

  • client_id (String) The environment client ID.
  • id (String) The environment ID.
  • is_production (Boolean) Whether the environment is a production environment.
  • name (String) The environment name.
  • organization_id (String) The organization ID.
  • type (String) The environment type.

Optional:

  • arc_namespace (String) The ARC namespace of the environment.

Import

Existing Anypoint organizations can be imported using their organization ID:

terraform import anypoint_organization.example_org 00000000-0000-0000-0000-000000000000

Your HCL must declare name, parent_organization_id, and owner_id before you import — those are Required attributes on the resource. The first terraform plan after import refreshes all Read-Only and Optional attributes (including entitlements) from the Anypoint API.

parent_organization_id is derived from the server-returned ancestor chain (parent_organization_ids) on the first refresh. If the derivation doesn't match what you wrote in HCL, update the HCL to match — changing parent_organization_id triggers a destroy+recreate because it has the RequiresReplace plan modifier.

anypoint_team (Resource)

Manages an Anypoint Platform team.

~> Note: This is an Access Management resource and requires the admin provider (anypoint.admin), which uses admin user credentials along with the client_id and client_secret of a connected app to authenticate on behalf of the user (auth_type = "user"). You must set provider = anypoint.admin on this resource. The default provider (connected app credentials only) does not have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_team" "example" {
  provider = anypoint.admin
  team_name      = "Development Team"
  parent_team_id = "root-team-id"
  team_type      = "internal"
}

resource "anypoint_team" "sub_team" {
  provider = anypoint.admin
  team_name      = "Frontend Team"
  parent_team_id = anypoint_team.example.id
  team_type      = "internal"
}

Schema

Required

  • parent_team_id (String) The ID of the parent team.
  • team_name (String) The name of the team.
  • team_type (String) The type of the team.

Optional

  • organization_id (String) The organization ID where the team will be created. If not provided, the organization ID will be inferred from the connected app credentials.

Read-Only

  • created_at (String) The timestamp when the team was created.
  • id (String) The unique identifier for the team.
  • updated_at (String) The timestamp when the team was last updated.

Import

Import is supported using the following syntax:

terraform import anypoint_team.example <team_id>

anypoint_agent_instance (Resource)

Manages an Agent instance in Anypoint API Manager. An Agent instance represents an Agent specification deployed to an Omni Gateway target with routing rules and upstream backends.

-> Status after create: After a successful terraform apply, the status field is populated from a GET request made immediately after the POST. The Platform typically returns status = "active" right away. If your Gateway is not yet ready, the provider retries the POST up to 5 times with a 20-second backoff before failing.

-> upstream_uri vs routing: upstream_uri and routing are mutually exclusive. Use upstream_uri for a single upstream — the provider expands it to [{upstreams: [{weight: 100, uri: <value>}]}] automatically. Only one upstream per route is supported; multi-upstream weighted routing is not available for Agent instances.

Example Usage

Basic Agent Instance with upstream_uri

resource "anypoint_agent_instance" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  technology      = "omniGateway"
  instance_label  = "customer-support-agent"

  spec = {
    asset_id = "my-agent-spec"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    deployment_type = "HY"
    base_path       = "agent/support"
  }

  gateway_id   = var.gateway_id
  upstream_uri = "http://agent-service.internal:8080"
}

Agent Instance with explicit routing

resource "anypoint_agent_instance" "advanced" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  technology      = "omniGateway"
  instance_label  = "sales-agent"

  spec = {
    asset_id = "my-agent-spec"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    deployment_type = "HY"
    base_path       = "agent/sales"
  }

  gateway_id = var.gateway_id

  routing = [
    {
      upstreams = [
        {
          weight = 100
          uri    = "http://sales-agent.internal:8080"
        }
      ]
    }
  ]
}

Schema

Required

  • environment_id (String) The environment ID where the Agent instance will be created.
  • spec (Block) The Exchange asset specification backing this Agent instance. See spec below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • technology (String) The gateway technology. Valid values: omniGateway, mule4, serviceMesh. Defaults to omniGateway.
  • provider_id (String) The identity provider ID for the Agent.
  • instance_label (String) A human-readable label for this Agent instance.
  • approval_method (String) Client approval method. Valid values: manual, automatic. Defaults to null (no approval required).
  • endpoint (Block) Endpoint / proxy configuration for the Agent instance. See endpoint below.
  • consumer_endpoint (String) Consumer-facing endpoint URI (the public URL clients use to reach the Agent). Maps to top-level endpointUri in the Agent.
  • upstream_uri (String) Shorthand for a single-upstream routing configuration. When set, the provider constructs routing as [{upstreams: [{weight: 100, uri: <value>}]}]. Mutually exclusive with the routing block.
  • gateway_id (String) The Omni Gateway UUID. When provided, the deployment block is auto-populated by fetching gateway details (target_id, target_name, gateway_version) from the Gateway Manager Agent. Mutually exclusive with specifying a full deployment block.
  • deployment (Block) Deployment target configuration. Auto-populated when gateway_id is set. See deployment below.
  • routing (Block List) Routing rules with weighted upstream backends. See routing below.

Read-Only

  • id (String) The numeric identifier of the Agent instance (stored as string for Terraform compatibility).
  • status (String) The current status of the Agent instance.
  • asset_id (String) The Exchange asset ID (computed from Agent response).
  • asset_version (String) The Exchange asset version (computed from Agent response).
  • product_version (String) The product version (computed from Agent response).

Nested Schema for spec

Required:

  • asset_id (String) The Exchange asset ID.
  • group_id (String) The Exchange group (organization) ID.
  • version (String) The asset version.

Nested Schema for endpoint

Optional:

  • deployment_type (String) Deployment type. Valid values: HY (hybrid), CH (CloudHub), RF (Runtime Fabric). Defaults to HY.
  • type (String) Endpoint protocol type. For agent instances, this is a2a (Agent-to-Agent). Defaults to a2a.
  • base_path (String) Agent base path for Omni Gateway (e.g. my-agent). The provider constructs the full proxy URI as http://0.0.0.0:8081/<base_path>. Required when technology=omniGateway. Mutually exclusive with uri.
  • uri (String) Direct implementation URI for Mule4 or other technologies (e.g. http://www.google.com). Required when technology=mule4. Mutually exclusive with base_path.
  • response_timeout (Number) Response timeout in milliseconds.

Nested Schema for deployment

Optional:

  • environment_id (String) The environment ID for deployment (usually matches the top-level environment_id).
  • type (String) Deployment type. Valid values: HY, CH, RF. Defaults to HY.
  • expected_status (String) Expected deployment status. Valid values: deployed, undeployed. Defaults to deployed.
  • overwrite (Boolean) Whether to overwrite an existing deployment.
  • target_id (String) The target gateway ID to deploy to.
  • target_name (String) The target gateway name.
  • gateway_version (String) The Omni Gateway runtime version.

Nested Schema for routing

Optional:

  • label (String) A label for this route.
  • rules (Block) Match conditions for this route (methods, path, headers). See routing.rules below.

Required:

  • upstreams (Block List) Weighted upstream backends for this route. See routing.upstreams below.

Nested Schema for routing.rules

Optional:

  • methods (String) Pipe-separated HTTP methods (e.g. GET, POST|PUT).
  • path (String) URL path pattern to match (e.g. /api/*).
  • host (String) Host header value to match.
  • headers (Map) Header key-value pairs to match.

Nested Schema for routing.upstreams

Required:

  • uri (String) The upstream backend URI.

Optional:

  • weight (Number) Traffic weight percentage (0-100). Weights across upstreams should sum to 100. Defaults to 100.
  • label (String) A label for this upstream.
  • tls_context_id (String) TLS context for upstream connections. Format: secretGroupId/tlsContextId.

anypoint_mcp_server (Resource)

Manages an MCP server in Anypoint API Manager. An MCP server represents an MCP server specification deployed to an Omni Gateway target with routing rules and upstream backends.

-> Status after create: After a successful terraform apply, the status field is populated from a GET request made immediately after the POST. The Platform typically returns status = "active" right away.

-> upstream_uri vs routing: upstream_uri and routing are mutually exclusive. Use upstream_uri for a single upstream. Only one upstream per route is supported for MCP servers — multi-upstream weighted routing is not available.

-> upstream_id: The computed upstream_id attribute is the server-assigned ID for the first upstream. Reference it in outbound policy upstream_ids to bind policies to this MCP server's upstream.

Example Usage

Basic MCP Server with upstream_uri

resource "anypoint_mcp_server" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  technology      = "omniGateway"
  instance_label  = "atlassian-mcp-server"

  spec = {
    asset_id = "my-mcp-spec"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    deployment_type = "HY"
    base_path       = "mcp1"
  }

  gateway_id   = var.gateway_id
  upstream_uri = "http://example.com"
}

MCP Server with explicit routing

resource "anypoint_mcp_server" "advanced" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  technology      = "omniGateway"
  instance_label  = "enterprise-tools-mcp"

  spec = {
    asset_id = "postman-mcp-server"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    deployment_type = "HY"
    base_path       = "mcp-tools"
  }

  gateway_id = var.gateway_id

  routing = [
    {
      upstreams = [
        {
          weight = 100
          uri    = "http://mcp-tools.internal:8080"
        }
      ]
    }
  ]
}

Schema

Required

  • environment_id (String) The environment ID where the MCP server will be created.
  • spec (Block) The Exchange asset specification backing this MCP server. See spec below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • technology (String) The gateway technology. Valid values: omniGateway, mule4, serviceMesh. Defaults to omniGateway.
  • provider_id (String) The identity provider ID for the MCP server.
  • instance_label (String) A human-readable label for this MCP server.
  • approval_method (String) Client approval method. Valid values: manual, automatic. Defaults to null (no approval required).
  • endpoint (Block) Endpoint / proxy configuration for the MCP server. See endpoint below.
  • consumer_endpoint (String) Consumer-facing endpoint URI (the public URL clients use to reach the MCP server). Maps to top-level endpointUri in the MCP server. For MCP, this is the proxy_uri that clients connect to.
  • upstream_uri (String) Shorthand for a single-upstream routing configuration. When set, the provider constructs routing as [{upstreams: [{weight: 100, uri: <value>}]}]. Mutually exclusive with the routing block. For MCP servers, this is typically the upstream MCP server URI that the proxy_uri forwards to.
  • gateway_id (String) The Omni Gateway UUID. When provided, the deployment block is auto-populated by fetching gateway details (target_id, target_name, gateway_version) from the Gateway Manager MCP server. Mutually exclusive with specifying a full deployment block.
  • deployment (Block) Deployment target configuration. Auto-populated when gateway_id is set. See deployment below.
  • routing (Block List) Routing rules with weighted upstream backends. For MCP servers, upstreams typically point to the actual MCP server implementation URIs. See routing below.

Read-Only

  • id (String) The numeric identifier of the MCP server (stored as string for Terraform compatibility).
  • status (String) The current status of the MCP server.
  • asset_id (String) The Exchange asset ID (computed from MCP server response).
  • asset_version (String) The Exchange asset version (computed from MCP server response).
  • product_version (String) The product version (computed from MCP server response).
  • upstream_id (String) The server-assigned upstream ID for the first upstream. Populated automatically after creation. Use this to reference the upstream in outbound policy upstream_ids.

Nested Schema for spec

Required:

  • asset_id (String) The Exchange asset ID.
  • group_id (String) The Exchange group (organization) ID.
  • version (String) The asset version.

Nested Schema for endpoint

Optional:

  • deployment_type (String) Deployment type. Valid values: HY (hybrid), CH (CloudHub), RF (Runtime Fabric). Defaults to HY.
  • type (String) Endpoint protocol type. For MCP servers, this is mcp. Defaults to mcp.
  • base_path (String) MCP server base path for Omni Gateway (e.g. my-mcp-server). The provider constructs the full proxy URI as http://0.0.0.0:8081/<base_path>. Required when technology=omniGateway. Mutually exclusive with uri.
  • uri (String) Direct implementation URI for Mule4 or other technologies (e.g. http://www.google.com). Required when technology=mule4. Mutually exclusive with base_path.
  • response_timeout (Number) Response timeout in milliseconds.

Nested Schema for deployment

Optional:

  • environment_id (String) The environment ID for deployment (usually matches the top-level environment_id).
  • type (String) Deployment type. Valid values: HY, CH, RF. Defaults to HY.
  • expected_status (String) Expected deployment status. Valid values: deployed, undeployed. Defaults to deployed.
  • overwrite (Boolean) Whether to overwrite an existing deployment.
  • target_id (String) The target gateway ID to deploy to.
  • target_name (String) The target gateway name.
  • gateway_version (String) The Omni Gateway runtime version.

Nested Schema for routing

Optional:

  • label (String) A label for this route.
  • rules (Block) Match conditions for this route (methods, path, headers). See routing.rules below.

Required:

  • upstreams (Block List) Weighted upstream backends for this route. For MCP servers, these are the actual MCP server implementation endpoints. See routing.upstreams below.

Nested Schema for routing.rules

Optional:

  • methods (String) Pipe-separated HTTP methods (e.g. GET, POST|PUT).
  • path (String) URL path pattern to match (e.g. /api/*).
  • host (String) Host header value to match.
  • headers (Map) Header key-value pairs to match.

Nested Schema for routing.upstreams

Required:

  • uri (String) The upstream backend URI. For MCP servers, this is the actual MCP server implementation URI that requests are forwarded to.

Optional:

  • weight (Number) Traffic weight percentage (0-100). Weights across upstreams should sum to 100. Defaults to 100.
  • label (String) A label for this upstream.
  • tls_context_id (String) TLS context for upstream connections. Format: secretGroupId/tlsContextId.

anypoint_api_instance (Resource)

Manages an API instance in Anypoint API Manager. An API instance represents an API specification deployed to an Omni Gateway target with routing rules and upstream backends.

Example Usage

Minimal configuration using upstream_uri shorthand

resource "anypoint_api_instance" "minimal" {
  environment_id = var.environment_id
  gateway_id     = var.gateway_id
  instance_label = "minimal-demo"
  upstream_uri   = "http://backend.internal:8080"

  spec = {
    asset_id = "my-api"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    base_path = "minimal"
  }
}

Weighted multi-upstream routing (canary / blue-green)

resource "anypoint_api_instance" "weighted_routing" {
  environment_id = var.environment_id
  gateway_id     = var.gateway_id
  instance_label = "weighted-routing-demo"

  spec = {
    asset_id = "my-api"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    base_path = "weightedRouting"
  }

  routing = [
    {
      label = "canary"
      upstreams = [
        {
          weight = 90
          uri    = "http://backend-stable.internal:8080"
          label  = "stable"
        },
        {
          weight = 10
          uri    = "http://backend-canary.internal:8080"
          label  = "canary"
        }
      ]
    }
  ]
}
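
The Agent, MCP server and API instance schemas on this page share several constraints: upstream_uri and routing are mutually exclusive, endpoint.base_path and endpoint.uri are mutually exclusive, upstream weights should sum to 100, and Agent instances and MCP servers take one upstream per route. The following is an added example, not part of the provider: it checks those constraints against the JSON form of a plan (`terraform show -json plan.out`) before apply. Reporting a null approval_method and http:// upstreams as findings is a review policy assumed for this example; the function names and the sample plan are constructed.

```python
"""Lint Anypoint gateway instances in a Terraform plan (added example)."""
import json
import sys
from urllib.parse import urlsplit

GATEWAY_TYPES = {"anypoint_api_instance", "anypoint_agent_instance", "anypoint_mcp_server"}
# The page states Agent instances and MCP servers support one upstream per route.
SINGLE_UPSTREAM_TYPES = {"anypoint_agent_instance", "anypoint_mcp_server"}

# Constructed sample: the subset of `terraform show -json plan.out` this lint reads.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "anypoint_api_instance.canary", "type": "anypoint_api_instance",
     "change": {"after": {
         "approval_method": "manual", "upstream_uri": None,
         "endpoint": {"base_path": "orders", "uri": None},
         "routing": [{"label": "canary", "upstreams": [
             {"weight": 90, "uri": "https://backend-stable.internal:8443"},
             {"weight": 20, "uri": "https://backend-canary.internal:8443"}]}]}}},
    {"address": "anypoint_mcp_server.tools", "type": "anypoint_mcp_server",
     "change": {"after": {
         "approval_method": None, "routing": None,
         "endpoint": {"base_path": "mcp-tools", "uri": None},
         "upstream_uri": "http://mcp-tools.internal:8080"}}},
    {"address": "anypoint_agent_instance.sales", "type": "anypoint_agent_instance",
     "change": {"after": {
         "approval_method": "automatic", "upstream_uri": None,
         "endpoint": {"base_path": "agent/sales", "uri": None},
         "routing": [{"upstreams": [
             {"weight": 50, "uri": "https://sales-a.internal:8443"},
             {"weight": 50, "uri": "https://sales-b.internal:8443"}]}]}}},
    {"address": "anypoint_api_instance.clean", "type": "anypoint_api_instance",
     "change": {"after": {
         "approval_method": "manual", "routing": None,
         "endpoint": {"base_path": "clean", "uri": None},
         "upstream_uri": "https://backend.internal:8443"}}},
]}


def effective_routes(after):
    """Return the routing list, expanding upstream_uri the way the page describes."""
    if after.get("routing"):
        return after["routing"]
    if after.get("upstream_uri"):
        return [{"upstreams": [{"weight": 100, "uri": after["upstream_uri"]}]}]
    return []


def lint_instance(rtype, after):
    """Return a list of issue strings for one planned instance."""
    issues = []
    if after.get("upstream_uri") and after.get("routing"):
        issues.append("upstream_uri and routing are mutually exclusive")
    endpoint = after.get("endpoint") or {}
    if endpoint.get("base_path") and endpoint.get("uri"):
        issues.append("endpoint.base_path and endpoint.uri are mutually exclusive")
    if after.get("approval_method") is None:  # assumed policy: require an explicit value
        issues.append("approval_method is null: no client approval required")
    for i, route in enumerate(effective_routes(after)):
        upstreams = route.get("upstreams") or []
        if rtype in SINGLE_UPSTREAM_TYPES and len(upstreams) > 1:
            issues.append(f"route {i}: {len(upstreams)} upstreams, only one is supported")
        # An omitted weight defaults to 100 according to the schema.
        total = sum(100 if u.get("weight") is None else u["weight"] for u in upstreams)
        if upstreams and total != 100:
            issues.append(f"route {i}: upstream weights sum to {total}, expected 100")
        for u in upstreams:
            uri = u.get("uri")  # null when the value is unknown until apply
            if uri and urlsplit(uri).scheme.lower() == "http":
                issues.append(f"route {i}: plaintext upstream {uri}")
    return issues


def lint_plan(plan):
    """Map resource address to issues for every gateway instance with findings."""
    report = {}
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") in GATEWAY_TYPES and after is not None:
            issues = lint_instance(rc["type"], after)
            if issues:
                report[rc["address"]] = issues
    return report


if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python lint_gateway.py plan.json
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    result = lint_plan(plan)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result else 0)
```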

Schema

Required

  • environment_id (String) The environment ID where the API instance will be created.
  • spec (Block) The Exchange asset specification backing this API instance. See below for nested schema.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • technology (String) The gateway technology. Valid values: omniGateway, mule4, serviceMesh. Defaults to omniGateway.
  • provider_id (String) The identity provider ID for the API.
  • instance_label (String) A human-readable label for this API instance.
  • approval_method (String) Client approval method. Valid values: manual, automatic. Defaults to null (no approval required).
  • consumer_endpoint (String) Consumer-facing endpoint URI (the public URL clients use to reach the API). Maps to top-level endpointUri in the API.
  • upstream_uri (String) Shorthand for a single-upstream routing configuration. When set, the provider constructs routing as [{upstreams: [{weight: 100, uri: <value>}]}]. Mutually exclusive with the routing block.
  • gateway_id (String) The Omni Gateway UUID. When provided, the deployment block is auto-populated by fetching gateway details (target_id, target_name, gateway_version) from the Gateway Manager API. Mutually exclusive with specifying a full deployment block.
  • endpoint (Block) Endpoint / proxy configuration for the API instance. See below for nested schema.
  • deployment (Block) Deployment target configuration. Auto-populated when gateway_id is set. See below for nested schema.
  • routing (Block List) Routing rules with weighted upstream backends. See below for nested schema.

Read-Only

  • id (String) The numeric identifier of the API instance (stored as string for Terraform compatibility).
  • status (String) The current status of the API instance.
  • asset_id (String) The Exchange asset ID (computed from API response).
  • asset_version (String) The Exchange asset version (computed from API response).
  • product_version (String) The product version (computed from API response).

Nested Schema for spec

Required:

  • asset_id (String) The Exchange asset ID.
  • group_id (String) The Exchange group (organization) ID.
  • version (String) The asset version.

Nested Schema for endpoint

Optional:

  • deployment_type (String) Deployment type. Valid values: HY (hybrid), CH (CloudHub), CH2, RF (Runtime Fabric). Defaults to HY.
  • type (String) Endpoint protocol type. Valid values: http, rest, raml. Defaults to http.
  • base_path (String) API base path for OmniGateway (e.g. 'my-api'). The provider constructs the full proxy URI as http://0.0.0.0:8081/<base_path>. Required when technology='omniGateway'. Mutually exclusive with uri.
  • uri (String) Direct implementation URI for Mule4 or other technologies (e.g. 'http://www.google.com'). Required when technology='mule4'. Mutually exclusive with base_path.
  • response_timeout (Number) Response timeout in milliseconds.

Nested Schema for deployment

Optional:

  • environment_id (String) The environment ID for deployment (usually matches the top-level environment_id).
  • type (String) Deployment type. Valid values: HY, CH, RF. Defaults to HY.
  • expected_status (String) Expected deployment status. Valid values: deployed, undeployed. Defaults to deployed.
  • overwrite (Boolean) Whether to overwrite an existing deployment.
  • target_id (String) The target gateway ID to deploy to.
  • target_name (String) The target gateway name.
  • gateway_version (String) The Omni Gateway runtime version.

Nested Schema for routing

Optional:

  • label (String) A label for this route.
  • rules (Block) Match conditions for this route (methods, path, headers). See below for nested schema.

Required:

Nested Schema for routing.rules

Optional:

  • methods (String) Pipe-separated HTTP methods (e.g. 'GET', 'POST|PUT').
  • path (String) URL path pattern to match (e.g. '/api/*').
  • host (String) Host header value to match.
  • headers (Map) Header key-value pairs to match.

Nested Schema for routing.upstreams

Required:

  • uri (String) The upstream backend URI.

Optional:

  • weight (Number) Traffic weight percentage (0-100). Weights across upstreams should sum to 100. Defaults to 100.
  • label (String) A label for this upstream.
  • tls_context_id (String) TLS context for upstream connections. Format: 'secretGroupId/tlsContextId'.
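
The schema above says upstream weights should sum to 100, and the usage examples point at plain http:// backends. The following added example (not part of the provider documentation) checks both at plan time with variable validation blocks before the list is passed to routing. The variable name upstreams, the host names and ports, and the https-only rule are assumptions of this example.

```hcl
# Added example, not from the provider documentation.
# Assumptions: the variable name "upstreams", the host names and ports,
# and the https-only rule (a local policy choice, not a provider requirement).

variable "organization_id" {
  type = string
}

variable "environment_id" {
  type = string
}

variable "gateway_id" {
  type = string
}

variable "upstreams" {
  description = "Weighted upstream backends for a single route."
  type = list(object({
    label  = string
    uri    = string
    weight = number
  }))

  default = [
    { label = "stable", uri = "https://backend-stable.internal:8443", weight = 90 },
    { label = "canary", uri = "https://backend-canary.internal:8443", weight = 10 },
  ]

  # Each weight stays inside the documented 0-100 range.
  validation {
    condition = length([
      for u in var.upstreams : u if u.weight < 0 || u.weight > 100
    ]) == 0
    error_message = "Each upstream weight must be between 0 and 100."
  }

  # Weights across the route sum to 100. try() turns the error that sum()
  # raises on an empty list into a failed check.
  validation {
    condition     = try(sum([for u in var.upstreams : u.weight]), 0) == 100
    error_message = "Upstream weights must sum to 100."
  }

  # No upstream is reached over cleartext HTTP.
  validation {
    condition = length([
      for u in var.upstreams : u if !can(regex("^https://", u.uri))
    ]) == 0
    error_message = "Every upstream URI must start with https://."
  }
}

resource "anypoint_api_instance" "weighted_routing_validated" {
  environment_id = var.environment_id
  gateway_id     = var.gateway_id
  instance_label = "weighted-routing-validated"

  spec = {
    asset_id = "my-api"
    group_id = var.organization_id
    version  = "1.0.0"
  }

  endpoint = {
    base_path = "weightedRouting"
  }

  routing = [
    {
      label     = "canary"
      upstreams = var.upstreams
    }
  ]
}
```

With weights of 90 and 20, terraform plan stops with the second error message before any request reaches API Manager.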

anypoint_api_instance_sla_tier (Resource)

Manages an SLA tier for an API instance in Anypoint API Manager.

Example Usage

resource "anypoint_api_instance_sla_tier" "gold" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = var.api_instance_id

  name         = "Gold"
  description  = "Gold tier with high volume limits for premium customers"
  auto_approve = true
  status       = "ACTIVE"

  limits = [
    {
      time_period_in_milliseconds = 60000
      maximum_requests            = 1000
      visible                     = true
    },
    {
      time_period_in_milliseconds = 3600000
      maximum_requests            = 50000
      visible                     = true
    }
  ]
}

Schema

Required

  • environment_id (String) Environment ID where the API instance lives.
  • api_instance_id (String) Numeric ID of the API instance.
  • name (String) Name of the SLA tier.
  • limits (Block List) Rate limits for this SLA tier. See below for nested schema.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • description (String) Description of the SLA tier.
  • auto_approve (Boolean) Whether requests for this SLA tier are auto-approved. Defaults to false.
  • status (String) Status of the SLA tier. Valid values: ACTIVE, INACTIVE.

Read-Only

  • id (String) Unique identifier of the SLA tier.

Nested Schema for limits

Required:

  • time_period_in_milliseconds (Number) Time period for the rate limit in milliseconds.
  • maximum_requests (Number) Maximum number of requests allowed in the time period.

Optional:

  • visible (Boolean) Whether this limit is visible to API consumers. Defaults to true.

Import

Import is supported using the following format:

terraform import anypoint_api_instance_sla_tier.example organization_id/environment_id/api_instance_id/tier_id

anypoint_api_policy (Resource)

Manages a policy applied to an API instance in Anypoint API Manager. Use policy_type for known policies (auto-resolves group_id, asset_id, and default version), or provide group_id + asset_id + asset_version directly for custom policies.

Example Usage

Using policy_type for a known policy

resource "anypoint_api_policy" "rate_limit" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = var.api_instance_id

  policy_type = "rate-limiting"
  label       = "rate-limit-100rpm"
  order       = 1

  configuration_data = jsonencode({
    key_selector = "#[attributes.queryParams['identifier']]"
    rate_limits = [
      {
        maximum_requests            = 100
        time_period_in_milliseconds = 60000
      }
    ]
    expose_headers = true
    clusterizable  = true
  })
}

Using explicit group_id, asset_id, asset_version for a custom policy

resource "anypoint_api_policy" "custom" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = var.api_instance_id

  group_id      = "my-org-id"
  asset_id      = "my-custom-policy"
  asset_version = "1.0.0"
  label         = "custom-policy"
  order         = 2

  configuration_data = jsonencode({
    custom_field = "value"
  })
}

Schema

Required

  • environment_id (String) Environment ID where the API instance lives.
  • api_instance_id (String) Numeric ID of the API instance this policy is applied to.
  • configuration_data (String) Policy configuration as a JSON string. Use jsonencode() to set this. Fields vary by policy type; the provider validates known policies at plan time.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • policy_type (String) Known policy type name (e.g. 'rate-limiting', 'cors', 'jwt-validation'). When set, group_id, asset_id, and asset_version are auto-resolved from the built-in registry. You can still override asset_version to pin a specific version. For custom policies not in the registry, omit this and set group_id + asset_id + asset_version directly.
  • group_id (String) Exchange group ID for the policy asset. Auto-resolved when policy_type is set.
  • asset_id (String) Exchange asset ID that identifies the policy type. Auto-resolved when policy_type is set.
  • asset_version (String) Version of the policy asset from Exchange. Auto-resolved to default when policy_type is set, but can be overridden.
  • label (String) A human-readable label for this policy instance.
  • order (Number) Execution order of the policy. Lower numbers execute first.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.

Read-Only

  • id (String) Unique identifier of the applied policy.
  • policy_template_id (String) Policy template ID assigned by the server.

Import

Import is supported using the following format:

terraform import anypoint_api_policy.example organization_id/environment_id/api_instance_id/policy_id

anypoint_managed_omni_gateway (Resource)

Manages a CloudHub 2.0 Managed Omni Gateway instance in Anypoint Platform.

-> Tracing note: The Gateway Manager API does not echo back configuration.tracing in POST/PUT responses. The provider retains the plan-requested value in state after create/update so that tracing.enabled = true works correctly. On the next terraform refresh or plan, the provider reads the live value from the API for accurate drift detection.

Example Usage

resource "anypoint_managed_omni_gateway" "example" {
  name           = "my-omni-gateway"
  environment_id = "env-id-here"
  target_id      = "target-private-space-id"

  release_channel = "lts"
  size            = "small"

  ingress = {
    forward_ssl_session = true
    last_mile_security  = true
  }

  properties = {
    upstream_response_timeout = 15
    connection_idle_timeout   = 60
  }

  logging = {
    level        = "info"
    forward_logs = true
  }

  tracing = {
    enabled = false
  }
}

Schema

Required

  • name (String) The name of the managed Omni Gateway.
  • environment_id (String) The environment ID where the gateway will be deployed.
  • target_id (String) The target (private space) ID for the gateway deployment.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • runtime_version (String) The Omni Gateway runtime version (e.g., '1.9.9'). If omitted, the provider auto-selects the latest version for the chosen release_channel.
  • release_channel (String) The release channel for the gateway. Valid values: lts, edge. Defaults to lts.
  • size (String) The size of the gateway instance. Valid values: small, large. Defaults to small.
  • ingress (Block) Ingress configuration for the gateway. See below for nested schema.
  • properties (Block) Runtime properties for the gateway. See below for nested schema.
  • logging (Block) Logging configuration for the gateway. See below for nested schema.
  • tracing (Block) Distributed tracing configuration for the gateway. See below for nested schema.

Read-Only

  • id (String) The unique identifier of the managed Omni Gateway.
  • status (String) The current status of the managed Omni Gateway.

Nested Schema for ingress

Optional:

  • public_url (String) The public URL for the gateway ingress. Auto-derived from the target domain when empty.
  • internal_url (String) The internal URL for the gateway ingress. Auto-derived from the target domain when empty.
  • forward_ssl_session (Boolean) Whether to forward SSL sessions to upstream services. Defaults to true.
  • last_mile_security (Boolean) Whether to enable last-mile security (TLS between gateway and upstream). Defaults to true.

Nested Schema for properties

Optional:

  • upstream_response_timeout (Number) Timeout in seconds for upstream service responses. Defaults to 15.
  • connection_idle_timeout (Number) Timeout in seconds for idle connections. Defaults to 60.

Nested Schema for logging

Optional:

  • level (String) The log level. Valid values: debug, info, warn, error. Defaults to info.
  • forward_logs (Boolean) Whether to forward logs to Anypoint Monitoring. Defaults to true.

Nested Schema for tracing

Optional:

  • enabled (Boolean) Whether distributed tracing is enabled. Defaults to false.

anypoint_api_policy_a2a_agent_card (Resource)

Manages an A2A Agent Card policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_a2a_agent_card" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    content        = "{\"name\": \"My Agent\", \"description\": \"An example A2A agent\"}"
    consumer_url   = "https://example.com/agent"
    card_path      = "/.well-known/agent-card.json"
    file_name      = "agent-card.json"
    file_mime_type = "application/json"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 2.0.0-20260327083212.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • content (String) The agent card content as a JSON string.

Optional:

  • card_path (String) Path where the agent card is served.
  • consumer_url (String) URL for the A2A agent consumer.
  • file_mime_type (String) MIME type of the agent card file.
  • file_name (String) Filename for the agent card.
  • file_source (String) Source of the agent card file.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_a2a_agent_card.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_a2a_pii_detector (Resource)

Manages an A2A PII Detector policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_a2a_pii_detector" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    entities = ["EMAIL", "PHONE_NUMBER", "CREDIT_CARD"]
    action   = "mask"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • entities (Dynamic) Array of PII entity types to detect (e.g. EMAIL, PHONE_NUMBER).

Optional:

  • action (String) Action to take when PII is detected (e.g. mask, block).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_a2a_pii_detector.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_a2a_prompt_decorator (Resource)

Manages an A2A Prompt Decorator policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_a2a_prompt_decorator" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    text_decorators = [
      {
        position = "prefix"
        text     = "You are a helpful assistant."
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • file_decorators (Dynamic) Array of file-based prompt decorators.
  • text_decorators (Dynamic) Array of text-based prompt decorators.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_a2a_prompt_decorator.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_a2a_schema_validation (Resource)

Manages an A2A Schema Validation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_a2a_schema_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

This policy requires no configuration fields. Pass an empty configuration block (configuration = {}).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_a2a_schema_validation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_a2a_token_rate_limit (Resource)

Manages an A2A Token Rate Limit policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_a2a_token_rate_limit" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    maximum_tokens              = 10000
    time_period_in_milliseconds = 60000
    key_selector                = "#[attributes.headers['Authorization']]"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • maximum_tokens (Number) Maximum number of tokens allowed in the time period.
  • time_period_in_milliseconds (Number) The time period in milliseconds for the rate limit or quota window.

Optional:

  • key_selector (String) Expression to extract the rate limit key from the request.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_a2a_token_rate_limit.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_access_block (Resource)

Manages an Access Block policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_access_block" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

This policy requires no configuration fields. Pass an empty configuration block (configuration = {}).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_access_block.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_agent_connection_telemetry (Resource)

Manages an Agent Connection Telemetry policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_agent_connection_telemetry" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    source_agent_id = "agent-001"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • source_agent_id (String) Identifier for the source agent connection.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_agent_connection_telemetry.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_bedrock_llm_provider_policy (Resource)

Manages a Bedrock LLM Provider policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_bedrock_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"
    aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    aws_region            = "us-east-1"
    service_name          = "bedrock"
    timeout               = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • aws_access_key_id (String) AWS access key ID.
  • aws_region (String) AWS region for the Bedrock service.
  • aws_secret_access_key (String) AWS secret access key.

Optional:

  • aws_session_token (String) AWS session token for temporary credentials.
  • service_name (String) The AWS service name.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_bedrock_llm_provider_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}
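
The usage example for this resource writes an AWS key pair as string literals in the configuration. The added example below (not part of the provider documentation) passes the same fields through sensitive input variables and includes the optional aws_session_token for temporary credentials. The bedrock_* variable names are assumptions; var.organization_id, var.environment_id, anypoint_api_instance.example and anypoint_api_upstream.example are the same references the usage example relies on.

```hcl
# Added example, not from the provider documentation.
# Assumption: the bedrock_* variable names.
# "sensitive" needs Terraform 0.14 or later.

variable "bedrock_aws_access_key_id" {
  type      = string
  sensitive = true
}

variable "bedrock_aws_secret_access_key" {
  type      = string
  sensitive = true
}

# Set only when short-lived credentials are used; null leaves the
# optional aws_session_token attribute unset.
variable "bedrock_aws_session_token" {
  type      = string
  sensitive = true
  default   = null
}

resource "anypoint_api_policy_bedrock_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    # No literals here: values arrive at plan time and are redacted
    # from plan and apply output.
    aws_access_key_id     = var.bedrock_aws_access_key_id
    aws_secret_access_key = var.bedrock_aws_secret_access_key
    aws_session_token     = var.bedrock_aws_session_token
    aws_region            = "us-east-1"
    service_name          = "bedrock"
    timeout               = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
```

Supply the values through TF_VAR_bedrock_aws_access_key_id and the matching environment variables, or from a secrets manager. They are still written to the Terraform state, so the state backend needs encryption and access control.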

anypoint_api_policy_body_transformation (Resource)

Manages a Body Transformation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_body_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script       = "%dw 2.0\noutput application/json\n---\npayload"
    request_flow = "request"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260127.133848.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • request_flow (String) Which flow to apply the transformation to (request or response).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_body_transformation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_circuit_breaker (Resource)

Manages a Circuit Breaker policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_circuit_breaker" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    thresholds = {
      failure_rate_threshold       = 50
      slow_call_rate_threshold     = 80
      slow_call_duration_threshold = 5000
      sliding_window_size          = 100
      minimum_number_of_calls      = 10
      wait_duration_in_open_state  = 60000
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • thresholds (Dynamic) Circuit breaker threshold configuration object.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_circuit_breaker.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_client_id_enforcement (Resource)

Manages a Client ID Enforcement policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_client_id_enforcement" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    credentials_origin_has_http_basic_authentication_header = "customExpression"
    client_id_expression     = "#[attributes.headers['client_id']]"
    client_secret_expression = "#[attributes.headers['client_secret']]"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.3.3.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • client_id_expression (String) Expression to extract the client ID from the request.
  • client_secret_expression (String) Expression to extract the client secret from the request.
  • credentials_origin_has_http_basic_authentication_header (String) How client credentials are provided (e.g. customExpression, httpBasicAuthenticationHeader).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_client_id_enforcement.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_cors (Resource)

Manages a CORS policy on an Anypoint API instance.

Example Usage

Public resource (simple branch)

resource "anypoint_api_policy_cors" "public" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = true
    support_credentials = false
    origin_groups = [
      {
        origins  = ["https://example.com"]
        methods  = ["GET", "POST", "PUT"]
        headers  = ["Content-Type", "Authorization"]
      }
    ]
  }

  order = 1
}

Non-public resource (credentialed branch)

When public_resource = false the Platform enforces a stricter schema. Each origin group must include a name field and access_control_max_age. methods is mapped to allowedMethods objects (with isAllowed: true) automatically by the provider. Omitting any of these causes HTTP 400.

resource "anypoint_api_policy_cors" "private" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = false
    support_credentials = true

    origin_groups = [
      {
        name                    = "allowed-origins"
        origins                 = ["https://example.com"]
        methods                 = ["GET", "POST", "PUT"]
        headers                 = ["Content-Type", "Authorization"]
        access_control_max_age  = 600
      }
    ]
  }

  order = 1
}
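
An added example, not part of the provider's documentation: one way to keep the origin list explicit on the credentialed branch by validating it before any request reaches the Platform. The variable name `cors_credentialed_origins`, the resource label and the origin pattern are assumptions; `var.organization_id`, `var.environment_id` and `anypoint_api_instance.example` are the names used in the examples above.

```hcl
# Added example. The variable name and the origin pattern are assumptions,
# not part of the provider.
variable "cors_credentialed_origins" {
  type        = list(string)
  description = "Origins allowed to send credentialed cross-origin requests."

  validation {
    # Every entry must be a full https origin: scheme, host, optional port.
    # "*", "null", http:// origins and entries carrying a path all fail
    # here, so terraform plan stops before the policy is created.
    condition = length(var.cors_credentialed_origins) > 0 && alltrue([
      for o in var.cors_credentialed_origins :
      can(regex("^https://[A-Za-z0-9.-]+(:[0-9]+)?$", o))
    ])
    error_message = "Each origin must look like https://host or https://host:port, with no wildcard or path."
  }
}

resource "anypoint_api_policy_cors" "credentialed" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = false
    support_credentials = true

    origin_groups = [
      {
        # name and access_control_max_age are set explicitly, as the
        # non-public branch described above requires.
        name                   = "credentialed-origins"
        origins                = var.cors_credentialed_origins
        methods                = ["GET", "POST"]
        headers                = ["Content-Type", "Authorization"]
        access_control_max_age = 600
      }
    ]
  }

  order = 1
}
```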

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.3.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • origin_groups (Dynamic) Array of origin group configurations for CORS. Structure differs by branch — see below.

Optional:

  • public_resource (Boolean) Whether the resource is publicly accessible. Defaults to false. Controls which Platform schema branch is used.
  • support_credentials (Boolean) Whether to allow credentials in CORS requests.

origin_groups — public branch (public_resource = true)

Each element accepts:

| Field | Type | Description |
|---|---|---|
| origins | list(string) | Allowed origin URLs. |
| methods | list(string) | Allowed HTTP methods, e.g. ["GET","POST"]. |
| headers | list(string) | Allowed request headers. |

origin_groups — non-public branch (public_resource = false)

Each element accepts:

| Field | Required | Type | Description |
|---|---|---|---|
| name | yes | string | Unique label for this origin group. If omitted the provider synthesizes group-<index>. |
| origins | no | list(string) | Allowed origin URLs. |
| methods | no | list(string) | HTTP methods. The provider automatically converts these to allowedMethods objects ([{"methodName":"GET","isAllowed":true}]) required by the Platform. |
| headers | no | list(string) | Allowed request headers. |
| access_control_max_age | no | number | Preflight cache duration in seconds. Defaults to 30. |

Note: Using flat fields like message or level directly inside configuration will be rejected by the Platform with HTTP 400. Always use the origin_groups array.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_cors.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_credential_injection_basic_auth (Resource)

Manages a Credential Injection Basic Auth policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_credential_injection_basic_auth" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username  = "service-account"
    password  = "service-password"
    overwrite = true
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • password (String) The password for authentication.
  • username (String) The username for authentication.

Optional:

  • custom_header (String) Custom header name to use for injecting credentials instead of the standard Authorization header.
  • overwrite (Boolean) Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field — omitting it does not cause HTTP 400.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_credential_injection_basic_auth.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_credential_injection_oauth2 (Resource)

Manages a Credential Injection OAuth2 policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_credential_injection_oauth2" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    oauth_service                    = "https://auth.example.com/oauth2/token"
    client_id                        = "my-client-id"
    client_secret                    = "my-client-secret"
    scope                            = ["read", "write"]
    overwrite                        = true
    token_fetch_timeout              = 5000
    allow_request_without_credential = false
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
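
An added example, not part of the provider's documentation: the OAuth2 credential injection policy above with its secret passed through a sensitive input variable instead of a literal. The same pattern fits the `username` and `password` of the Basic Auth credential injection policy. The `backend_*` variable names and the resource label are assumptions.

```hcl
# Added example. Variable names are assumptions, not part of the provider.
# "sensitive" on variables needs Terraform 0.14 or later.
variable "backend_token_url" {
  type        = string
  description = "OAuth 2.0 token service used for credential injection."

  validation {
    # The client secret is sent to this URL, so require TLS.
    condition     = can(regex("^https://", var.backend_token_url))
    error_message = "The token service URL must use https."
  }
}

variable "backend_client_id" {
  type        = string
  description = "OAuth 2.0 client ID injected for the upstream."
}

variable "backend_client_secret" {
  type        = string
  description = "OAuth 2.0 client secret injected for the upstream."
  sensitive   = true # redacted in plan and apply output
}

# Supply the secret outside version control, for example through the
# TF_VAR_backend_client_secret environment variable set by the CI system
# or a secrets manager, never through a committed .tfvars file.

resource "anypoint_api_policy_credential_injection_oauth2" "backend" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    oauth_service = var.backend_token_url
    client_id     = var.backend_client_id
    client_secret = var.backend_client_secret
    scope         = ["read"]
    overwrite     = true

    token_fetch_timeout = 5000

    # Keep the documented default: a request is not forwarded upstream
    # when no credential could be injected.
    allow_request_without_credential = false
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
```

Marking the variable sensitive only redacts CLI output; the secret is still written to the Terraform state, so the state backend needs encryption at rest and restricted access.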

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • oauth_service (String) URL of the OAuth 2.0 token service.
  • client_id (String) The OAuth 2.0 client ID.
  • client_secret (String) The OAuth 2.0 client secret.

Optional:

  • scope (Dynamic) Array of OAuth 2.0 scopes.
  • token_fetch_timeout (Number) Timeout in milliseconds for fetching the OAuth token. Defaults to 10000. The provider always sends this field (defaulting to 10000) — omitting it does not cause HTTP 400.
  • overwrite (Boolean) Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field.
  • allow_request_without_credential (Boolean) Whether to allow requests to pass through without injected credentials. Defaults to false. The provider always sends this field.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_credential_injection_oauth2.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_credential_injection_oauth2_obo (Resource)

Manages a Credential Injection OAuth2 On-Behalf-Of policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_credential_injection_oauth2_obo" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    flow           = "urn:ietf:params:oauth:grant-type:jwt-bearer"
    client_id      = "my-client-id"
    client_secret  = "my-client-secret"
    token_endpoint = "https://auth.example.com/oauth2/token"
    scope          = "openid profile"
    timeout        = 5000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.1.0.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • client_id (String) The OAuth 2.0 client ID.
  • client_secret (String) The OAuth 2.0 client secret.
  • flow (String) The OAuth 2.0 grant flow type.
  • token_endpoint (String) URL of the OAuth 2.0 token endpoint.

Optional:

  • ciba_enabled (Boolean) Whether CIBA (Client-Initiated Backchannel Authentication) is enabled.
  • scope (String) Array or string of OAuth 2.0 scopes.
  • target_type (String) The target resource type for on-behalf-of flow.
  • target_value (String) The target resource value for on-behalf-of flow.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_credential_injection_oauth2_obo.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_dataweave_body_transformation (Resource)

Manages a DataWeave Body Transformation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_dataweave_body_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script       = "%dw 2.0\noutput application/json\n---\npayload"
    request_flow = "request"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • request_flow (String) Which flow to apply the transformation to (request or response).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_dataweave_body_transformation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_dataweave_headers_transformation (Resource)

Manages a DataWeave Headers Transformation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_dataweave_headers_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • request_flow (String) Which flow to apply the transformation to (request or response).
  • requires_payload (Boolean) Whether the script requires access to the payload.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_dataweave_headers_transformation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_dataweave_request_filter (Resource)

Manages a DataWeave Request Filter policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_dataweave_request_filter" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%dw 2.0\noutput application/json\n---\ntrue"
    requires_payload = false
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • requires_payload (Boolean) Whether the script requires access to the payload.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_dataweave_request_filter.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_external_oauth2_access_token_enforcement (Resource)

Manages an External OAuth 2.0 Access Token Enforcement policy on an Anypoint API instance. This policy is only supported on mule4 API instances.

Example Usage

resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    token_url                 = "https://auth.example.com/oauth2/token"
    scope_validation_criteria = "AND"
    scopes                    = "read write"
    expose_headers            = false
    skip_client_id_validation = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.6.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • token_url (String) URL of the OAuth 2.0 token endpoint.

Optional:

  • authentication_timeout (Number) Authentication request timeout in milliseconds.
  • expose_headers (Boolean) Whether to expose rate-limit headers in the response.
  • max_cache_entries (Number) Maximum number of entries in the cache.
  • scope_validation_criteria (String) How scopes are validated (AND or OR).
  • scopes (String) Space-separated list of required OAuth scopes.
  • secure_trust_store (Boolean) Whether to use a secure trust store for token validation.
  • skip_client_id_validation (Boolean) Whether to skip client ID validation.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_external_oauth2_access_token_enforcement.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_gemini_llm_provider_policy (Resource)

Manages a Gemini LLM Provider policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_gemini_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    api_key = "AIzaSy-xxxxxxxxxxxx"
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • api_key (String) API key for the LLM provider.

Optional:

  • model_mapper (Dynamic) Array of model name mappings.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_gemini_llm_provider_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_gemini_transcoding_policy (Resource)

Manages a Gemini Transcoding policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_gemini_transcoding_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

This policy requires no configuration fields. Pass an empty configuration block (configuration = {}).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_gemini_transcoding_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_header_injection (Resource)

Manages a Header Injection policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_header_injection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    inbound_headers = [
      {
        name  = "X-Custom-Header"
        value = "custom-value"
      }
    ]
    outbound_headers = []
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.3.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • inbound_headers (Dynamic) Array of inbound headers to inject or remove.
  • outbound_headers (Dynamic) Array of outbound headers to inject or remove.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_header_injection.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_header_removal (Resource)

Manages a Header Removal policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_header_removal" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    inbound_headers = [
      {
        name = "X-Remove-Me"
      }
    ]
    outbound_headers = []
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • inbound_headers (Dynamic) Array of inbound headers to inject or remove.
  • outbound_headers (Dynamic) Array of outbound headers to inject or remove.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_header_removal.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_header_transformation (Resource)

Manages a Header Transformation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_header_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260127.134148.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • request_flow (String) Which flow to apply the transformation to (request or response).
  • requires_payload (Boolean) Whether the script requires access to the payload.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_header_transformation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_health_check (Resource)

Manages a Health Check policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_health_check" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    endpoint    = "/health"
    path        = "/health"
    status_code = "200"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • endpoint (String) The health check endpoint URL.
  • path (String) The health check path.
  • status_code (String) The expected HTTP status code for a healthy response.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_health_check.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_http_basic_authentication (Resource)

Manages an HTTP Basic Authentication policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_http_basic_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username = "admin"
    password = "secret"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.3.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • password (String) The password for authentication.
  • username (String) The username for authentication.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_http_basic_authentication.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_http_caching (Resource)

Manages an HTTP Caching policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_http_caching" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    http_caching_key       = "#[attributes.requestPath]"
    max_cache_entries      = 1000
    ttl                    = 600
    distributed            = false
    persist_cache          = false
    use_http_cache_headers = true
    invalidation_header    = "X-Cache-Invalidate"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Optional:

  • distributed (Boolean) Whether the cache is distributed across the cluster.
  • http_caching_key (String) Expression to compute the cache key.
  • invalidation_header (String) Header name that triggers cache invalidation.
  • max_cache_entries (Number) Maximum number of entries in the cache.
  • persist_cache (Boolean) Whether to persist the cache to disk.
  • request_expression (String) Expression to evaluate on the request for caching decisions.
  • response_expression (String) Expression to evaluate on the response for caching decisions.
  • ttl (Number) Time-to-live in seconds for cached entries.
  • use_http_cache_headers (Boolean) Whether to honor standard HTTP caching headers.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_http_caching.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_idle_timeout (Resource)

Manages an Idle Timeout policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_idle_timeout.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_injection_protection (Resource)

Manages an Injection Protection policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_injection_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    protect_path_and_query = true
    protect_headers        = true
    protect_body           = true
    reject_requests        = true
    built_in_protections   = ["sql-injection", "script-injection"]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Optional:

  • built_in_protections (Dynamic) Array of built-in injection protection types to enable.
  • custom_protections (Dynamic) Array of custom injection protection regex patterns.
  • protect_body (Boolean) Whether to apply injection protection to the request body.
  • protect_headers (Boolean) Whether to apply injection protection to headers.
  • protect_path_and_query (Boolean) Whether to apply injection protection to path and query parameters.
  • reject_requests (Boolean) Whether to reject requests that match injection patterns.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_injection_protection.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_intask_authentication_policy (Resource)

Manages an InTask Authentication policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_intask_authentication_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
    token_timeout           = 3600
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260113204639.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • authorization_endpoint (String) URL of the OAuth 2.0 authorization endpoint.
  • redirect_uri (String) The redirect URI for the OAuth 2.0 flow.
  • secondary_auth_provider (String) Name of the secondary authentication provider.
  • token_endpoint (String) URL of the OAuth 2.0 token endpoint.

Optional:

  • body_encoding (String) Encoding for the token request body.
  • challenge_response_status_code (Number) HTTP status code for the challenge response.
  • code_challenge_method (String) The PKCE code challenge method (e.g. S256).
  • response_type (String) The OAuth 2.0 response type (e.g. code).
  • scopes (String) Space-separated list of required OAuth scopes.
  • token_audience (String) Expected audience value for the token.
  • token_timeout (Number) Token validity timeout in seconds.
  • user_email_header (String) Header name to extract the user email from.
  • user_id_header (String) Header name to extract the user ID from.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_intask_authentication_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_intask_authorization_code_policy (Resource)

Manages an InTask Authorization Code policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_intask_authorization_code_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • authorization_endpoint (String) URL of the OAuth 2.0 authorization endpoint.
  • redirect_uri (String) The redirect URI for the OAuth 2.0 flow.
  • secondary_auth_provider (String) Name of the secondary authentication provider.
  • token_endpoint (String) URL of the OAuth 2.0 token endpoint.

Optional:

  • body_encoding (String) Encoding for the token request body.
  • challenge_response_status_code (Number) HTTP status code for the challenge response.
  • code_challenge_method (String) The PKCE code challenge method (e.g. S256).
  • response_type (String) The OAuth 2.0 response type (e.g. code).
  • scopes (String) Space-separated list of required OAuth scopes.
  • token_timeout (Number) Token validity timeout in seconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_intask_authorization_code_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_ip_allowlist (Resource)

Manages an IP Allowlist policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_ip_allowlist" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ip_expression  = "#[attributes.remoteAddress]"
    ips            = ["10.0.0.0/8", "172.16.0.0/12"]
    methods_string = "GET|POST"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • ip_expression (String) Expression to extract the client IP address from the request.
  • ips (List of String) List of IP addresses or CIDR blocks. Must be a list of strings, not a comma-separated string.

Optional:

  • methods_string (String) Pipe-separated list of HTTP methods to apply the policy to (e.g. GET|POST).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_ip_allowlist.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}
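
The ips argument must be a list of strings, one address or CIDR block per element. One way to enforce that before apply is a validated input variable; this is an added example, not part of the provider documentation. The variable name allowlist_ips and the resource label validated are hypothetical, and alltrue requires Terraform 0.14 or later.

```hcl
# Added example: validate the allowlist input before it reaches the policy.
# "allowlist_ips" is a hypothetical variable name.
variable "allowlist_ips" {
  description = "Client IP addresses or CIDR blocks allowed to call the API."
  type        = list(string)

  validation {
    # cidrhost() fails on anything that is not a CIDR block, so can() turns a
    # malformed entry (including "a,b" packed into one string) into false.
    # A bare IPv4 address gets a /32 suffix only so that cidrhost() can parse it.
    condition = alltrue([
      for ip in var.allowlist_ips :
      can(cidrhost(length(regexall("/", ip)) > 0 ? ip : "${ip}/32", 0))
    ])
    error_message = "Each entry must be one IP address or CIDR block. Do not pass a comma-separated string."
  }

  validation {
    # An allowlist that contains 0.0.0.0/0 admits every IPv4 client.
    condition     = !contains(var.allowlist_ips, "0.0.0.0/0")
    error_message = "The allowlist must not contain 0.0.0.0/0."
  }
}

resource "anypoint_api_policy_ip_allowlist" "validated" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ip_expression  = "#[attributes.remoteAddress]"
    ips            = var.allowlist_ips
    methods_string = "GET|POST"
  }

  order = 1
}
```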

anypoint_api_policy_ip_blocklist (Resource)

Manages an IP Blocklist policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_ip_blocklist" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ip_expression  = "#[attributes.remoteAddress]"
    ips            = ["192.168.1.0/24", "10.0.0.1"]
    methods_string = "GET|POST"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • ip_expression (String) Expression to extract the client IP address from the request.
  • ips (List of String) List of IP addresses or CIDR blocks. Must be a list of strings, not a comma-separated string.

Optional:

  • methods_string (String) Pipe-separated list of HTTP methods to apply the policy to (e.g. GET|POST).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_ip_blocklist.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_json_threat_protection (Resource)

Manages a JSON Threat Protection policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_json_threat_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    max_container_depth          = 10
    max_string_value_length      = 256
    max_object_entry_name_length = 128
    max_object_entry_count       = 50
    max_array_element_count      = 50
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.2.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Optional:

  • max_array_element_count (Number) Maximum number of elements in a JSON array.
  • max_container_depth (Number) Maximum nesting depth for JSON containers.
  • max_object_entry_count (Number) Maximum number of entries in a JSON object.
  • max_object_entry_name_length (Number) Maximum length for JSON object entry names.
  • max_string_value_length (Number) Maximum length for JSON string values.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_json_threat_protection.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_jwt_validation (Resource)

Manages a JWT Validation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_jwt_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    jwt_origin                = "httpBearerAuthenticationHeader"
    signing_method            = "rsa"
    signing_key_length        = 256
    jwt_key_origin            = "jwks"
    jwks_url                  = "https://example.com/.well-known/jwks.json"
    skip_client_id_validation = true
    validate_aud_claim        = true
    mandatory_exp_claim       = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 0.12.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • jwt_origin (String) Where the JWT token is extracted from (e.g. httpBearerAuthenticationHeader).

Optional:

  • claims_to_headers (Dynamic) Array mapping JWT claims to response headers.
  • client_id_expression (String) Expression to extract the client ID from the request.
  • custom_key_expression (String) Custom expression to resolve the signing key.
  • jwks_service_connection_timeout (Number) Connection timeout in milliseconds for JWKS endpoint.
  • jwks_service_time_to_live (Number) TTL in seconds for cached JWKS keys.
  • jwks_url (String) URL to the JWKS endpoint for key retrieval.
  • jwt_expression (String) Custom expression to extract the JWT token.
  • jwt_key_origin (String) Source of the signing key (e.g. jwks, text).
  • mandatory_aud_claim (Boolean) Whether the aud claim is mandatory.
  • mandatory_custom_claims (Dynamic) Array of custom claims that must be present.
  • mandatory_exp_claim (Boolean) Whether the exp (expiration) claim is mandatory.
  • mandatory_nbf_claim (Boolean) Whether the nbf (not before) claim is mandatory.
  • non_mandatory_custom_claims (Dynamic) Array of optional custom claims to validate if present.
  • signing_key_length (Number) The key length for the signing algorithm.
  • signing_method (String) The signing algorithm (e.g. rsa, hmac).
  • skip_client_id_validation (Boolean) Whether to skip client ID validation.
  • supported_audiences (String) Comma-separated list of supported audience values.
  • text_key (String) The inline signing key when jwt_key_origin is text.
  • validate_aud_claim (Boolean) Whether to validate the aud (audience) claim.
  • validate_custom_claim (Boolean) Whether to validate custom claims.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_jwt_validation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_ldap_authentication (Resource)

Manages an LDAP Authentication policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_ldap_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ldap_server_url           = "ldap://ldap.example.com:389"
    ldap_server_user_dn       = "cn=admin,dc=example,dc=com"
    ldap_server_user_password = "admin-password"
    ldap_search_base          = "ou=users,dc=example,dc=com"
    ldap_search_filter        = "(uid={0})"
    ldap_search_in_subtree    = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.4.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • ldap_search_base (String) Base DN for LDAP searches.
  • ldap_search_filter (String) LDAP search filter expression.
  • ldap_server_url (String) URL of the LDAP server.
  • ldap_server_user_dn (String) Distinguished name of the LDAP bind user.
  • ldap_server_user_password (String) Password for the LDAP bind user.

Optional:

  • ldap_search_in_subtree (Boolean) Whether to search in subtrees.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_ldap_authentication.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}
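
The Example Usage above puts the bind password in the configuration as a string literal and points at an ldap:// URL. The variant below is an added example, not part of the provider documentation: it takes the password from a sensitive input variable and uses an ldaps:// URL. The variable name ldap_bind_password, the resource label hardened and the bind DN are hypothetical; that the policy accepts an ldaps:// URL is an assumption; sensitive variables require Terraform 0.14 or later.

```hcl
# Added example: keep the LDAP bind password out of the .tf files.
# "ldap_bind_password" is a hypothetical variable name; supply it at run time,
# for example through the TF_VAR_ldap_bind_password environment variable.
variable "ldap_bind_password" {
  description = "Password for the LDAP bind user."
  type        = string
  sensitive   = true # redacted in plan and apply output
}

resource "anypoint_api_policy_ldap_authentication" "hardened" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    # Assumption: the policy accepts ldaps:// so the bind credentials
    # travel over TLS instead of in clear text.
    ldap_server_url = "ldaps://ldap.example.com:636"

    # Hypothetical dedicated bind account rather than a directory admin.
    ldap_server_user_dn       = "cn=api-gateway-bind,ou=service,dc=example,dc=com"
    ldap_server_user_password = var.ldap_bind_password

    ldap_search_base       = "ou=users,dc=example,dc=com"
    ldap_search_filter     = "(uid={0})"
    ldap_search_in_subtree = true
  }

  order = 1
}
```

Marking the variable sensitive only redacts CLI output. Terraform still writes the value to the state file in plain text, so the state backend needs encryption and access control.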

anypoint_api_policy_llm_gw_core_policy (Resource)

Manages an LLM Gateway Core Policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_llm_gw_core_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    header_name           = "X-LLM-Vendor"
    vendor_header_mapping = [
      {
        vendor       = "openai"
        header_value = "openai"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20251230075635.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • header_name (String) Name of the header used for vendor routing.
  • vendor_header_mapping (Dynamic) Array mapping vendor names to header values.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_llm_gw_core_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_llm_proxy_core (Resource)

Manages an LLM Proxy Core policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_llm_proxy_core" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260127095720.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

This policy requires no configuration fields. Pass an empty configuration block (configuration = {}).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_llm_proxy_core.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_llm_proxy_core_policy (Resource)

Manages an LLM Proxy Core Policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_llm_proxy_core_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    header_name           = "X-LLM-Vendor"
    vendor_header_mapping = [
      {
        vendor       = "openai"
        header_value = "openai"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260108100848.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • header_name (String) Name of the header used for vendor routing.
  • vendor_header_mapping (Dynamic) Array mapping vendor names to header values.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_llm_proxy_core_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_access_control (Resource)

Manages an MCP Access Control policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_access_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rules = [
      {
        tool   = "list_files"
        action = "allow"
      }
    ]
    auth_type = "bearer"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • rules (Dynamic) Array of access control or policy rules.

Optional:

  • auth_type (String) Authentication type (e.g. bearer, api_key).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_access_control.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_global_access_policy (Resource)

Manages an MCP Global Access Policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_global_access_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rules = [
      {
        action = "allow"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • rules (Dynamic) Array of access control or policy rules.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_global_access_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_pii_detector (Resource)

Manages an MCP PII Detector policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_pii_detector" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    entities = ["EMAIL", "PHONE_NUMBER", "CREDIT_CARD"]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • entities (Dynamic) Array of PII entity types to detect (e.g. EMAIL, PHONE_NUMBER).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_pii_detector.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_schema_validation (Resource)

Manages an MCP Schema Validation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_schema_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    validate_tool_schema = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Optional:

  • validate_tool_schema (Boolean) Whether to validate MCP tool input/output against schema.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_schema_validation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_support (Resource)

Manages an MCP Support policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_support" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

This policy requires no configuration fields. Pass an empty configuration block (configuration = {}).

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_support.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_tool_mapping (Resource)

Manages an MCP Tool Mapping policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_tool_mapping" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    tool_mappings = [
      {
        source_tool = "original_tool"
        target_tool = "mapped_tool"
      }
    ]
    log_mappings = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • tool_mappings (Dynamic) Array of tool name mappings from source to target.

Optional:

  • log_mappings (Boolean) Whether to log tool mapping operations.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_tool_mapping.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_mcp_transcoding_router (Resource)

Manages an MCP Transcoding Router policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_mcp_transcoding_router" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    transcoding_path = "/mcp"
    routes = [
      {
        tool    = "example_tool"
        backend = "https://backend.example.com"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1-20260414150102.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • routes (Dynamic) Array of routing rules.

Optional:

  • transcoding_path (String) Base path for MCP transcoding requests.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_mcp_transcoding_router.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_message_logging (Resource)

Manages a Message Logging policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_message_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logging_configuration = [
      {
        item_name = "request"
        item_data = {
          message       = "#[payload]"
          conditional   = "#[true]"
          level         = "INFO"
          first_section = true
        }
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 2.0.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • logging_configuration (Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper — the Platform rejects any flat field structure with HTTP 400.

Required structure per element:

logging_configuration = [
  {
    item_name = "<string>"   # unique label for this logging rule
    item_data = {
      message        = "<string>"  # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>"  # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>"  # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>"  # Optional logger category name
      first_section  = <bool>      # Log on request phase (default: true)
      second_section = <bool>      # Log on response phase (default: false)
    }
  }
]

Note: Do not use flat fields (message, level, etc.) directly inside configuration — those are not valid for this policy and will cause an HTTP 400 at apply time.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_message_logging.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_message_logging_outbound (Resource)

Manages a Message Logging (Outbound) policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_message_logging_outbound" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logging_configuration = [
      {
        item_name = "response"
        item_data = {
          message     = "#[payload]"
          conditional = "#[true]"
          level       = "INFO"
        }
      }
    ]
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 2.0.3.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • logging_configuration (Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper — the Platform rejects any flat field structure with HTTP 400.

Required structure per element:

logging_configuration = [
  {
    item_name = "<string>"   # unique label for this logging rule
    item_data = {
      message        = "<string>"  # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>"  # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>"  # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>"  # Optional logger category name
      first_section  = <bool>      # Log on request phase (default: true)
      second_section = <bool>      # Log on response phase (default: false)
    }
  }
]

Note: Do not use flat fields (message, level, etc.) directly inside configuration — those are not valid for this policy and will cause an HTTP 400 at apply time.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_message_logging_outbound.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}
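
The item_name + item_data wrapper required by both Message Logging policies above can be generated from a validated variable, so a bad log level is caught at plan time instead of surfacing as an HTTP 400 at apply time. This is an added example, not part of the provider documentation; the variable name logging_rules and the resource label validated are hypothetical, and alltrue() assumes Terraform 0.14 or later.

```hcl
# Added example (not from the provider docs).
# "logging_rules" is a hypothetical variable name. Map keys become item_name,
# so rule names are unique by construction.
variable "logging_rules" {
  description = "Logging rules keyed by a unique rule name."

  type = map(object({
    message        = string # DataWeave expression or literal
    level          = string # DEBUG, INFO, WARN or ERROR
    conditional    = string # DataWeave boolean expression
    first_section  = bool   # log on request phase
    second_section = bool   # log on response phase
  }))

  # Reject any level outside the set documented for item_data.level.
  validation {
    condition = alltrue([
      for rule in values(var.logging_rules) :
      contains(["DEBUG", "INFO", "WARN", "ERROR"], rule.level)
    ])
    error_message = "Each rule's level must be one of DEBUG, INFO, WARN, ERROR."
  }

  default = {
    request = {
      message        = "#[payload]"
      level          = "INFO"
      conditional    = "#[true]"
      first_section  = true
      second_section = false
    }
  }
}

resource "anypoint_api_policy_message_logging" "validated" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    # Wrap every rule in the item_name / item_data structure the Platform
    # expects; flat fields are never emitted.
    logging_configuration = [
      for name, rule in var.logging_rules : {
        item_name = name
        item_data = rule
      }
    ]
  }

  order = 1
}
```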

anypoint_api_policy_model_based_routing (Resource)

Manages a Model-Based Routing policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_model_based_routing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    supported_vendors = [
      {
        vendor = "openai"
        models = ["gpt-4", "gpt-3.5-turbo"]
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260127100214.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • supported_vendors (Dynamic) Array of supported LLM vendor configurations.

Optional:

  • fallback (Dynamic) Fallback vendor configuration object.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_model_based_routing.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_native_aws_lambda (Resource)

Manages a Native AWS Lambda policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_native_aws_lambda" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    arn                 = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    payload_passthrough = false
    invocation_mode     = "synchronous"
    authentication_mode = "static_credentials"
    credentials = {
      access_key_id     = "AKIAIOSFODNN7EXAMPLE"
      secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • arn (String) The ARN of the AWS Lambda function.
  • payload_passthrough (Boolean) Whether to pass the request payload directly to Lambda.
  • invocation_mode (String) Lambda invocation mode (synchronous or asynchronous).
  • authentication_mode (String) AWS authentication mode (e.g. static_credentials, iam_role).

Optional:

  • credentials (Dynamic) AWS credentials object with access_key_id, secret_access_key, and optional session_token.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_native_aws_lambda.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_native_ext_authz (Resource)

Manages a Native External Authorization policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_native_ext_authz" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    uri             = "grpc://auth-service:9090"
    server_type     = "grpc"
    request_timeout = 5000
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.2.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • server_type (String) The server type (e.g. grpc, http).
  • uri (String) The URI of the external service.

Optional:

  • allowed_headers (Dynamic) Array of headers to forward to the external service.
  • include_peer_certificate (Boolean) Whether to include the peer certificate in the authorization request.
  • path_prefix (String) Path prefix for the external authorization request.
  • request_timeout (Number) Request timeout in milliseconds.
  • server_api_version (String) The API version of the external authorization server.
  • service_request_headers_to_add (Dynamic) Array of headers to add to the authorization request.
  • service_response_client_headers (Dynamic) Array of headers from the authorization response to send to the client.
  • service_response_client_headers_on_success (Dynamic) Array of headers to send on successful authorization.
  • service_response_upstream_headers (Dynamic) Array of headers from the authorization response to send upstream.
  • service_response_upstream_headers_to_append (Dynamic) Array of headers from the authorization response to append upstream.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_native_ext_authz.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_native_ext_proc (Resource)

Manages a Native External Processing policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_native_ext_proc" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    uri                  = "grpc://ext-proc-service:9091"
    message_timeout      = 5000
    failure_mode_allow   = false
    request_header_mode  = "SEND"
    response_header_mode = "SKIP"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • uri (String) The URI of the external service.

Optional:

  • allow_mode_override (Boolean) Whether to allow the external processor to override the processing mode.
  • failure_mode_allow (Boolean) Whether to allow requests when the external processor fails.
  • max_message_timeout (Number) Maximum message processing timeout in milliseconds.
  • message_timeout (Number) Message processing timeout in milliseconds.
  • request_body_mode (String) Processing mode for the request body.
  • request_header_mode (String) Processing mode for request headers (e.g. SEND, SKIP).
  • request_trailer_mode (String) Processing mode for request trailers.
  • response_body_mode (String) Processing mode for the response body.
  • response_header_mode (String) Processing mode for response headers (e.g. SEND, SKIP).
  • response_trailer_mode (String) Processing mode for response trailers.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_native_ext_proc.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_oauth2_token_introspection (Resource)

Manages an OAuth 2.0 Token Introspection policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_oauth2_token_introspection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    introspection_url         = "https://auth.example.com/oauth2/introspect"
    authorization_value       = "Bearer your-token-here"
    validated_token_ttl       = 600
    skip_client_id_validation = true
    expose_headers            = false
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • authorization_value (String) Authorization header value for the introspection request.
  • introspection_url (String) URL of the OAuth 2.0 token introspection endpoint.

Optional:

  • authentication_timeout (Number) Authentication request timeout in milliseconds.
  • consumer_by (String) How to identify the API consumer (e.g. client_id).
  • expose_headers (Boolean) Whether to expose rate-limit headers in the response.
  • max_cache_entries (Number) Maximum number of entries in the cache.
  • scope_validation_criteria (String) How scopes are validated (AND or OR).
  • skip_client_id_validation (Boolean) Whether to skip client ID validation.
  • validated_token_ttl (Number) TTL in seconds for validated token cache entries.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_oauth2_token_introspection.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_openai_transcoding_policy (Resource)

Manages an OpenAI Transcoding policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_openai_transcoding_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    api_key = "sk-xxxxxxxxxxxx"
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • asset_version (String) The policy asset version. Defaults to 1.0.0.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • api_key (String) API key for the LLM provider.

Optional:

  • model_mapper (Dynamic) Array of model name mappings.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_openai_transcoding_policy.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_rate_limiting (Resource)

Manages a Rate Limiting policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_rate_limiting" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rate_limits = [
      {
        maximum_requests            = 100
        time_period_in_milliseconds = 60000
      }
    ]
    expose_headers = false
    clusterizable  = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.4.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • rate_limits (Dynamic) Array of rate limit rules with maximum_requests and time_period_in_milliseconds.

Optional:

  • key_selector (String) Expression to extract the rate limit key from the request.
  • expose_headers (Boolean) Whether to expose rate-limit headers in the response.
  • clusterizable (Boolean) Whether the rate limit counters are shared across a cluster.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_rate_limiting.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_rate_limiting_sla_based (Resource)

Manages a Rate Limiting SLA Based policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_rate_limiting_sla_based" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    client_id_expression     = "#[attributes.headers['client_id']]"
    client_secret_expression = "#[attributes.headers['client_secret']]"
    expose_headers           = false
    clusterizable            = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.3.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Optional:

  • client_id_expression (String) Expression to extract the client ID from the request.
  • client_secret_expression (String) Expression to extract the client secret from the request.
  • expose_headers (Boolean) Whether to expose rate-limit headers in the response.
  • clusterizable (Boolean) Whether the rate limit counters are shared across a cluster.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_rate_limiting_sla_based.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_response_timeout (Resource)

Manages a Response Timeout policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_response_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_response_timeout.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_script_evaluation_transformation (Resource)

Manages a Script Evaluation Transformation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_script_evaluation_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260127.133315.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

<a id="nestedschema--configuration"></a>

Nested Schema for configuration

Required:

  • script (String) The DataWeave or transformation script.

Optional:

  • request_flow (String) Which flow to apply the transformation to (request or response).
  • requires_payload (Boolean) Whether the script requires access to the payload.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_script_evaluation_transformation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_semantic_prompt_guard_policy_openai (Resource)

Manages a Semantic Prompt Guard (OpenAI) policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    openai_url             = "https://api.openai.com/v1"
    openai_api_key         = "sk-xxxxxxxxxxxx"
    openai_embedding_model = "text-embedding-ada-002"
    timeout                = 5000
    deny_topics = [
      {
        topic       = "harmful content"
        description = "Block harmful content generation"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260130084752.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • deny_topics (Dynamic) Array of topics to deny in prompt guard evaluation.
  • openai_api_key (String) API key for the OpenAI service.
  • openai_url (String) URL of the OpenAI API.

Optional:

  • openai_embedding_model (String) The OpenAI embedding model to use.
  • threshold (Dynamic) Threshold configuration object for similarity scoring.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_semantic_prompt_guard_policy_openai.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_semantic_routing_policy_huggingface (Resource)

Manages a Semantic Routing (HuggingFace) policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_semantic_routing_policy_huggingface" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    huggingface_url     = "https://api-inference.huggingface.co/models/sentence-transformers/all-MiniLM-L6-v2"
    huggingface_api_key = "hf_xxxxxxxxxxxx"
    timeout             = 5000
    routes = [
      {
        description = "Route for customer queries"
        upstream_id = "upstream-1"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.0-20260130095514.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • huggingface_api_key (String) API key for the HuggingFace service.
  • huggingface_url (String) URL of the HuggingFace inference API.
  • routes (Dynamic) Array of routing rules.

Optional:

  • fallback_route (Dynamic) Fallback route configuration when no semantic match is found.
  • threshold (Dynamic) Threshold configuration object for similarity scoring.
  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_semantic_routing_policy_huggingface.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}
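
The two semantic policies above take their provider API key as a plain String attribute, so the key should reach Terraform through a sensitive variable rather than a literal in the configuration. The following is an added example, not part of the provider documentation: the variable names, the length and placeholder checks, and the `api_instance_id` variable are assumptions, and the same pattern applies to `huggingface_api_key` and `huggingface_url`.

```hcl
# Added example (not from the provider docs). Variable names are assumptions;
# resource and attribute names are the ones documented above.

variable "environment_id" {
  type = string
}

variable "api_instance_id" {
  type = string
}

variable "openai_url" {
  description = "Base URL the policy sends prompts and the API key to."
  type        = string
  default     = "https://api.openai.com/v1"

  validation {
    # The API key travels with every request to this URL, so refuse cleartext HTTP.
    condition     = can(regex("^https://", var.openai_url))
    error_message = "openai_url must use https."
  }
}

variable "openai_api_key" {
  description = "API key for the OpenAI service. Supply via TF_VAR_openai_api_key or a secrets backend."
  type        = string
  sensitive   = true # redacted in plan/apply output; still stored in plaintext in state

  validation {
    # Assumed sanity checks: reject empty strings and copied placeholders
    # such as the "sk-xxxxxxxxxxxx" value used in the documentation example.
    condition     = length(var.openai_api_key) >= 20 && !can(regex("x{8,}", var.openai_api_key))
    error_message = "openai_api_key looks like a placeholder or is too short."
  }
}

resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "guard" {
  environment_id  = var.environment_id
  api_instance_id = var.api_instance_id

  configuration = {
    openai_url             = var.openai_url
    openai_api_key         = var.openai_api_key
    openai_embedding_model = "text-embedding-ada-002"
    timeout                = 5000
    deny_topics = [
      {
        topic       = "harmful content"
        description = "Block harmful content generation"
      }
    ]
  }

  order = 1
}
```

Because the key is still written to state in plaintext, keep the state in an encrypted backend with restricted read access.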

anypoint_api_policy_spec_validation (Resource)

Manages a Spec Validation policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_spec_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    block_operation          = true
    strict_params_validation = true
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • block_operation (Boolean) Whether to block operations not defined in the API spec.
  • strict_params_validation (Boolean) Whether to strictly validate query and header parameters.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_spec_validation.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_spike_control (Resource)

Manages a Spike Control policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_spike_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    maximum_requests            = 100
    time_period_in_milliseconds = 1000
    delay_time_in_millis        = 500
    delay_attempts              = 3
    queuing_limit               = 5
    expose_headers              = false
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.2.2.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • maximum_requests (Number) Maximum number of requests allowed in the time period.
  • time_period_in_milliseconds (Number) The time period in milliseconds for the spike control window.
  • delay_time_in_millis (Number) The delay time in milliseconds before retrying queued requests.
  • delay_attempts (Number) The number of attempts to retry before rejecting.

Optional:

  • queuing_limit (Number) Maximum number of requests that can be queued.
  • expose_headers (Boolean) Whether to expose rate-limit headers in the response.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_spike_control.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_sse_logging (Resource)

Manages an SSE Logging policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_sse_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logs = [
      {
        message = "#[payload]"
        level   = "INFO"
      }
    ]
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • logs (Dynamic) Array of log entry configurations.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_sse_logging.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_stream_idle_timeout (Resource)

Manages a Stream Idle Timeout policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_stream_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.0.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Required:

  • timeout (Number) Timeout value in milliseconds.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_stream_idle_timeout.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_tracing (Resource)

Manages a Tracing policy on an Anypoint API instance.

Example Usage

resource "anypoint_api_policy_tracing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    span_name = "api-request"
    sampling  = {
      probability = 0.1
    }
    labels = []
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.1.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • labels (Dynamic) Array of custom labels to attach to traces.
  • sampling (Dynamic) Tracing sampling configuration object.
  • span_name (String) Custom name for the tracing span.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_tracing.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_api_policy_xml_threat_protection (Resource)

Manages an XML Threat Protection policy on an Anypoint API instance. This policy is only supported on mule4 API instances.

Example Usage

resource "anypoint_api_policy_xml_threat_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    max_node_depth                  = 10
    max_attribute_count_per_element = 10
    max_child_count                 = 50
    max_text_length                 = 256
    max_attribute_length            = 128
    max_comment_length              = 128
  }

  order = 1
}

Schema

Required

  • environment_id (String) The environment ID.
  • api_instance_id (String) The API instance ID.
  • configuration (Block) The policy configuration. See Configuration below.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • label (String) A human-readable label for this policy instance.
  • order (Number) The order of policy execution.
  • asset_version (String) The policy asset version. Defaults to 1.2.1.
  • disabled (Boolean) Whether the policy is disabled. Defaults to false.
  • upstream_ids (List of String) List of upstream IDs this policy applies to.

Read-Only

  • id (String) The policy ID.
  • policy_template_id (String) The policy template ID assigned by the server.

Nested Schema for configuration

Optional:

  • max_attribute_count_per_element (Number) Maximum number of attributes per XML element.
  • max_attribute_length (Number) Maximum length for XML attribute values.
  • max_child_count (Number) Maximum number of child elements per XML node.
  • max_comment_length (Number) Maximum length for XML comments.
  • max_node_depth (Number) Maximum XML node nesting depth.
  • max_text_length (Number) Maximum length for XML text nodes.

Import

Import is supported using the following syntax:

terraform import anypoint_api_policy_xml_threat_protection.example {organization_id}/{environment_id}/{api_instance_id}/{policy_id}

anypoint_private_space_association (Resource)

Creates and manages associations between a CloudHub 2.0 private space and environments.

Example Usage

resource "anypoint_private_space_association" "example" {
  private_space_id = var.private_space_id

  associations = [
    {
      organization_id = "080f1918-0096-4cac-85b5-b1cd9cdf9260"
      environment     = "all"
    }
  ]
}

Schema

Required

  • private_space_id (String) The ID of the private space.
  • associations (Block List) List of associations to create between the private space and environments. See below for nested schema.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.

Read-Only

  • id (String) The unique identifier for the Private Space Association resource.
  • created_associations (Block List) List of created associations with their IDs. See below for nested schema.

Nested Schema for associations

Required:

  • organization_id (String) The organization ID for the association.
  • environment (String) The environment for the association. Can be an environment UUID, 'all', 'production', or 'sandbox'.

Nested Schema for created_associations

Read-Only:

  • id (String) The ID of the created association.
  • organization_id (String) The organization ID of the association.
  • environment (String) The environment of the association.

Import

Import is supported using the following syntax:

terraform import anypoint_private_space_association.example <private_space_id>

anypoint_private_space_config (Resource)

Manages an Anypoint Private Space together with its network configuration and firewall rules as a single composite resource. This resource combines private space creation, network provisioning, and firewall rule management into a unified workflow.

Example Usage

Minimal (space only, no network)

resource "anypoint_private_space_config" "example" {
  name = "my-private-space"
}

Basic (space + network)

resource "anypoint_private_space_config" "example" {
  name            = "my-private-space"
  organization_id = var.organization_id
  enable_egress   = true

  network {
    region     = "us-east-1"
    cidr_block = "10.0.0.0/22"
  }
}

Full (space + network + firewall rules)

resource "anypoint_private_space_config" "example" {
  name            = "my-private-space"
  organization_id = var.organization_id
  enable_egress   = true
  enable_iam_role = false

  network {
    region         = "us-east-1"
    cidr_block     = "10.0.0.0/22"
    reserved_cidrs = ["10.0.3.0/24"]
  }

  firewall_rules = [
    {
      cidr_block = "0.0.0.0/0"
      protocol   = "tcp"
      from_port  = 30500
      to_port    = 32500
      type       = "inbound"
    },
    {
      cidr_block = "0.0.0.0/0"
      protocol   = "tcp"
      from_port  = 0
      to_port    = 65535
      type       = "outbound"
    },
  ]
}

output "private_space_id" {
  value = anypoint_private_space_config.example.id
}

output "network_dns_target" {
  value = anypoint_private_space_config.example.network.dns_target
}

output "inbound_static_ips" {
  value = anypoint_private_space_config.example.network.inbound_static_ips
}

Schema

Required

  • name (String) The name of the private space.

Optional

  • organization_id (String) The organization ID where the private space will be created. Defaults to the provider organization.
  • enable_egress (Boolean) Whether to enable egress for the private space. Defaults to false.
  • enable_iam_role (Boolean) Whether to enable IAM role for the private space. Defaults to false.
  • firewall_rules (List of Object) Firewall rules for the private space. Omit to use platform-managed default rules. Each object has the following attributes:
    • cidr_block (String, Required) The CIDR block for the firewall rule.
    • protocol (String, Required) The protocol for the firewall rule (tcp, udp, icmp).
    • from_port (Number, Required) The starting port for the firewall rule.
    • to_port (Number, Required) The ending port for the firewall rule.
    • type (String, Required) The type of the firewall rule (inbound or outbound).
  • network (Block) Network configuration for the private space. Omit to create the space without a network.
    • region (String, Optional) The AWS region for the private network. Forces replacement if changed.
    • cidr_block (String, Optional) The CIDR block for the private network. Forces replacement if changed.
    • reserved_cidrs (List of String, Optional) Reserved CIDR blocks for the private network.

Read-Only

  • id (String) The unique identifier for the private space.
  • status (String) The current status of the private space (e.g., Running, Provisioning).
  • root_organization_id (String) The root organization ID of the private space.
  • mule_app_deployment_count (Number) The number of Mule apps currently deployed in the private space.
  • days_left_for_relaxed_quota (Number) The number of days left for the relaxed deployment quota.
  • vpc_migration_in_progress (Boolean) Whether a VPC migration is currently in progress.
  • managed_firewall_rules (List of String) Platform-managed firewall rule identifiers.
  • global_space_status (Map of String) Per-region global space status details.
  • Within the network block:
    • inbound_static_ips (List of String) Inbound static IPs assigned to the private network.
    • inbound_internal_static_ips (List of String) Inbound internal static IPs assigned to the private network.
    • outbound_static_ips (List of String) Outbound static IPs assigned to the private network.
    • dns_target (String) The DNS target hostname for the private network.

Import

Private space configurations can be imported using the private space ID:

terraform import anypoint_private_space_config.example <private_space_id>

After import, run terraform plan to verify the state matches the actual configuration. The imported state will capture all network and firewall settings from the platform.
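
The Full example above admits inbound traffic from 0.0.0.0/0 and allows every outbound TCP port. A narrower variant follows as an added example that is not part of the provider documentation: the variable name, the 198.51.100.0/24 source range, the /16 minimum prefix and the HTTPS-only egress rule are assumptions to adapt, and `precondition` needs Terraform 1.2 or later.

```hcl
# Added example (not from the provider docs). Names and values marked as
# assumptions should be replaced with the networks and ports you actually use.

variable "inbound_source_cidrs" {
  description = "Networks allowed to reach the private space ingress ports."
  type        = list(string)
  default     = ["198.51.100.0/24"] # constructed value (RFC 5737 documentation range)

  validation {
    # can(cidrhost(...)) checks that the string parses as a CIDR;
    # the prefix check rejects 0.0.0.0/0 and other very wide ranges.
    condition = alltrue([
      for c in var.inbound_source_cidrs :
      can(cidrhost(c, 0)) && try(tonumber(split("/", c)[1]) >= 16, false)
    ])
    error_message = "Each inbound source must be a valid CIDR with a prefix length of /16 or longer."
  }
}

locals {
  # One inbound rule per approved source network, same port range as the
  # Full example on this page.
  inbound_rules = [
    for c in var.inbound_source_cidrs : {
      cidr_block = c
      protocol   = "tcp"
      from_port  = 30500
      to_port    = 32500
      type       = "inbound"
    }
  ]

  # Assumption: the deployed applications only need outbound HTTPS.
  outbound_rules = [
    {
      cidr_block = "0.0.0.0/0"
      protocol   = "tcp"
      from_port  = 443
      to_port    = 443
      type       = "outbound"
    }
  ]

  firewall_rules = concat(local.inbound_rules, local.outbound_rules)
}

resource "anypoint_private_space_config" "restricted" {
  name          = "my-private-space"
  enable_egress = true

  network {
    region     = "us-east-1"
    cidr_block = "10.0.0.0/22"
  }

  firewall_rules = local.firewall_rules

  lifecycle {
    # Guards the merged list, including rules added to the locals by hand.
    precondition {
      condition = alltrue([
        for r in local.firewall_rules :
        r.type != "inbound" || r.cidr_block != "0.0.0.0/0"
      ])
      error_message = "Inbound firewall rules must not use 0.0.0.0/0."
    }
  }
}
```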

anypoint_private_space_upgrade (Resource)

Schedules an upgrade for a CloudHub 2.0 private space. Scheduled upgrades can be cancelled by deleting this resource.

Example Usage

resource "anypoint_private_space_upgrade" "example" {
  private_space_id = var.private_space_id
  organization_id  = var.organization_id
  date             = "2025-09-12"
  opt_in           = true
}

Schema

Required

  • private_space_id (String) The ID of the private space to upgrade.
  • date (String) The date when the upgrade should be scheduled (format: YYYY-MM-DD).
  • opt_in (Boolean) Whether to opt in to the upgrade.

Optional

  • organization_id (String) The organization ID where the private space is located. If not provided, the organization ID will be inferred from the connected app credentials.

Read-Only

  • id (String) The unique identifier for the upgrade operation.
  • scheduled_update_time (String) The scheduled update time returned by the API.
  • status (String) The status of the upgrade operation.

Import

Import is supported using the following syntax:

terraform import anypoint_private_space_upgrade.example <private_space_id>:<date>:<opt_in>

anypoint_privatespace_advanced_config (Resource)

Manages advanced configuration for an Anypoint Private Space.

Example Usage

resource "anypoint_privatespace_advanced_config" "example" {
  private_space_id = var.private_space_id

  ingress_configuration = {
    read_response_timeout = "600"
    protocol              = "https-redirect"

    logs = {
      port_log_level = "INFO"
      filters        = []
    }

    deployment = {
      status              = "APPLIED"
      last_seen_timestamp = 1753719215000
    }
  }

  enable_iam_role = true
}

Schema

Required

  • private_space_id (String) The ID of the private space to configure.

Optional

  • organization_id (String) The organization ID where the private space is located. If not provided, the organization ID will be inferred from the connected app credentials.
  • ingress_configuration (Block) Ingress configuration for the private space. See below for nested schema.
  • enable_iam_role (Boolean) Whether to enable IAM role for the private space. Defaults to false.

Read-Only

  • id (String) The unique identifier of the advanced configuration.

Nested Schema for ingress_configuration

Optional:

  • read_response_timeout (String) Read response timeout in seconds. Defaults to "300".
  • protocol (String) Protocol for ingress configuration. Defaults to "https-redirect".
  • logs (Block) Logs configuration for ingress. See below for nested schema.
  • deployment (Block) Deployment configuration for ingress. See below for nested schema.

Nested Schema for ingress_configuration.logs

Optional:

  • port_log_level (String) Port log level. Defaults to "ERROR".
  • filters (Block List) List of log filters. Defaults to []. See below for nested schema.

Nested Schema for ingress_configuration.logs.filters

Required:

  • ip (String) IP address for the filter.
  • level (String) Log level for the filter.

Nested Schema for ingress_configuration.deployment

Optional:

  • status (String) Deployment status. Defaults to "APPLIED".
  • last_seen_timestamp (Number) Last seen timestamp. Defaults to 1753719215000.

Import

Import is supported using the following syntax:

terraform import anypoint_privatespace_advanced_config.example <private_space_id>

anypoint_tls_context (Resource)

Manages a CloudHub 2.0 TLS Context with support for both PEM and JKS keystores.

Example Usage

PEM Keystore

resource "anypoint_tls_context" "pem_example" {
  private_space_id     = "your-private-space-id"
  name                 = "example-pem-tls-context"
  keystore_type        = "PEM"

  certificate          = file("cert.pem")
  key                  = file("key.pem")
  key_filename         = "key.pem"
  certificate_filename = "cert.pem"

  ciphers = {
    aes128_gcm_sha256             = true
    aes128_sha256                 = false
    aes256_gcm_sha384             = false
    aes256_sha256                 = false
    dhe_rsa_aes128_sha256         = false
    dhe_rsa_aes256_gcm_sha384     = false
    dhe_rsa_aes256_sha256         = false
    ecdhe_ecdsa_aes128_gcm_sha256 = true
    ecdhe_ecdsa_aes256_gcm_sha384 = true
    ecdhe_rsa_aes128_gcm_sha256   = true
    ecdhe_rsa_aes256_gcm_sha384   = true
    ecdhe_ecdsa_chacha20_poly1305 = false
    ecdhe_rsa_chacha20_poly1305   = false
    dhe_rsa_chacha20_poly1305     = false
    tls_aes256_gcm_sha384         = true
    tls_chacha20_poly1305_sha256  = true
    tls_aes128_gcm_sha256         = true
  }
}

JKS Keystore

resource "anypoint_tls_context" "jks_example" {
  private_space_id  = "your-private-space-id"
  name              = "example-jks-tls-context"
  keystore_type     = "JKS"

  keystore_base64   = var.jks_keystore_base64
  store_passphrase  = var.jks_store_passphrase
  key_passphrase    = var.jks_key_passphrase
  alias             = "my-alias"
  keystore_filename = "keystore.jks"

  ciphers = {
    aes128_gcm_sha256             = false
    aes128_sha256                 = false
    aes256_gcm_sha384             = true
    aes256_sha256                 = false
    dhe_rsa_aes128_sha256         = false
    dhe_rsa_aes256_gcm_sha384     = false
    dhe_rsa_aes256_sha256         = false
    ecdhe_ecdsa_aes128_gcm_sha256 = false
    ecdhe_ecdsa_aes256_gcm_sha384 = true
    ecdhe_rsa_aes128_gcm_sha256   = false
    ecdhe_rsa_aes256_gcm_sha384   = true
    ecdhe_ecdsa_chacha20_poly1305 = false
    ecdhe_rsa_chacha20_poly1305   = false
    dhe_rsa_chacha20_poly1305     = false
    tls_aes256_gcm_sha384         = true
    tls_chacha20_poly1305_sha256  = false
    tls_aes128_gcm_sha256         = false
  }
}

Schema

Required

  • private_space_id (String) The ID of the private space this TLS context belongs to.
  • name (String) The name of the TLS context.
  • keystore_type (String) The type of keystore: 'PEM' or 'JKS'.
  • ciphers (Block) Cipher configuration for the TLS context. See below for nested schema.

Optional

  • organization_id (String) The organization ID where the private space is located. If not provided, the organization ID will be inferred from the connected app credentials.
  • certificate (String, Sensitive) PEM certificate content (required for PEM keystore).
  • key (String, Sensitive) PEM private key content (required for PEM keystore).
  • key_filename (String) Filename for the private key (PEM keystore).
  • certificate_filename (String) Filename for the certificate (PEM keystore).
  • keystore_base64 (String, Sensitive) Base64 encoded JKS keystore content (required for JKS keystore).
  • store_passphrase (String, Sensitive) Store passphrase for JKS keystore (required for JKS keystore).
  • alias (String) Alias for JKS keystore (required for JKS keystore).
  • keystore_filename (String) Filename for the JKS keystore (required for JKS keystore).
  • key_passphrase (String, Sensitive) Passphrase for the private key.

Read-Only

  • id (String) The unique identifier for the TLS context.
  • type (String) The type of TLS context.
  • trust_store (Block) Trust store information. See below for nested schema.
  • key_store (Block) Key store information. See below for nested schema.

Nested Schema for ciphers

Optional:

  • aes128_gcm_sha256 (Boolean) Enable AES128-GCM-SHA256 cipher. Defaults to false.
  • aes128_sha256 (Boolean) Enable AES128-SHA256 cipher. Defaults to false.
  • aes256_gcm_sha384 (Boolean) Enable AES256-GCM-SHA384 cipher. Defaults to false.
  • aes256_sha256 (Boolean) Enable AES256-SHA256 cipher. Defaults to false.
  • dhe_rsa_aes128_sha256 (Boolean) Enable DHE-RSA-AES128-SHA256 cipher. Defaults to false.
  • dhe_rsa_aes256_gcm_sha384 (Boolean) Enable DHE-RSA-AES256-GCM-SHA384 cipher. Defaults to false.
  • dhe_rsa_aes256_sha256 (Boolean) Enable DHE-RSA-AES256-SHA256 cipher. Defaults to false.
  • ecdhe_ecdsa_aes128_gcm_sha256 (Boolean) Enable ECDHE-ECDSA-AES128-GCM-SHA256 cipher. Defaults to false.
  • ecdhe_ecdsa_aes256_gcm_sha384 (Boolean) Enable ECDHE-ECDSA-AES256-GCM-SHA384 cipher. Defaults to false.
  • ecdhe_rsa_aes128_gcm_sha256 (Boolean) Enable ECDHE-RSA-AES128-GCM-SHA256 cipher. Defaults to false.
  • ecdhe_rsa_aes256_gcm_sha384 (Boolean) Enable ECDHE-RSA-AES256-GCM-SHA384 cipher. Defaults to false.
  • ecdhe_ecdsa_chacha20_poly1305 (Boolean) Enable ECDHE-ECDSA-CHACHA20-POLY1305 cipher. Defaults to false.
  • ecdhe_rsa_chacha20_poly1305 (Boolean) Enable ECDHE-RSA-CHACHA20-POLY1305 cipher. Defaults to false.
  • dhe_rsa_chacha20_poly1305 (Boolean) Enable DHE-RSA-CHACHA20-POLY1305 cipher. Defaults to false.
  • tls_aes256_gcm_sha384 (Boolean) Enable TLS-AES256-GCM-SHA384 cipher. Defaults to false.
  • tls_chacha20_poly1305_sha256 (Boolean) Enable TLS-CHACHA20-POLY1305-SHA256 cipher. Defaults to false.
  • tls_aes128_gcm_sha256 (Boolean) Enable TLS-AES128-GCM-SHA256 cipher. Defaults to false.

Nested Schema for trust_store

Read-Only:

  • filename (String) Trust store filename.
  • expiration_date (String) Trust store expiration date.
  • type (String) Trust store type.

Nested Schema for key_store

Read-Only:

  • filename (String) Key store filename.
  • type (String) Key store type.
  • cn (String) Common name from the certificate.
  • san (List of String) Subject alternative names.
  • expiration_date (String) Key store expiration date.

Import

Import is supported using the following syntax:

terraform import anypoint_tls_context.example <private_space_id>:<tls_context_id>
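
Six of the suites in the `ciphers` schema above use static RSA key exchange (no forward secrecy) or CBC-mode encryption. The following added example, which is not part of the provider documentation, enables only the ECDHE AEAD suites and the TLS 1.3 suites and fails the plan if one of those six is switched on; variable and local names are assumptions, and `precondition` needs Terraform 1.2 or later.

```hcl
# Added example (not from the provider docs). Variable and local names are assumptions.

variable "private_space_id" {
  type = string
}

variable "tls_certificate_pem" {
  description = "PEM certificate chain."
  type        = string
  sensitive   = true
}

variable "tls_private_key_pem" {
  description = "PEM private key. Stored in plaintext in Terraform state once applied."
  type        = string
  sensitive   = true
}

locals {
  # OpenSSL names from the schema: AES128-GCM-SHA256, AES128-SHA256,
  # AES256-GCM-SHA384 and AES256-SHA256 use static RSA key exchange;
  # AES128-SHA256, AES256-SHA256, DHE-RSA-AES128-SHA256 and
  # DHE-RSA-AES256-SHA256 use CBC mode.
  legacy_ciphers = [
    "aes128_gcm_sha256",
    "aes128_sha256",
    "aes256_gcm_sha384",
    "aes256_sha256",
    "dhe_rsa_aes128_sha256",
    "dhe_rsa_aes256_sha256",
  ]

  ciphers = {
    # TLS 1.2, static RSA key exchange and/or CBC: off
    aes128_gcm_sha256     = false
    aes128_sha256         = false
    aes256_gcm_sha384     = false
    aes256_sha256         = false
    dhe_rsa_aes128_sha256 = false
    dhe_rsa_aes256_sha256 = false

    # TLS 1.2, DHE with AEAD: forward secret, left off here in favour of ECDHE
    dhe_rsa_aes256_gcm_sha384 = false
    dhe_rsa_chacha20_poly1305 = false

    # TLS 1.2, ECDHE with AEAD: on
    ecdhe_ecdsa_aes128_gcm_sha256 = true
    ecdhe_ecdsa_aes256_gcm_sha384 = true
    ecdhe_rsa_aes128_gcm_sha256   = true
    ecdhe_rsa_aes256_gcm_sha384   = true
    ecdhe_ecdsa_chacha20_poly1305 = true
    ecdhe_rsa_chacha20_poly1305   = true

    # TLS 1.3 suites: on
    tls_aes128_gcm_sha256        = true
    tls_aes256_gcm_sha384        = true
    tls_chacha20_poly1305_sha256 = true
  }
}

resource "anypoint_tls_context" "modern" {
  private_space_id = var.private_space_id
  name             = "example-pem-tls-context"
  keystore_type    = "PEM"

  certificate          = var.tls_certificate_pem
  key                  = var.tls_private_key_pem
  key_filename         = "key.pem"
  certificate_filename = "cert.pem"

  ciphers = local.ciphers

  lifecycle {
    # Fails the plan if a later edit re-enables one of the legacy suites.
    precondition {
      condition     = !anytrue([for name in local.legacy_ciphers : local.ciphers[name]])
      error_message = "A static-RSA or CBC cipher suite is enabled in local.ciphers."
    }
  }
}
```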

anypoint_vpn_connection (Resource)

Creates a VPN connection in a CloudHub 2.0 private space.

Example Usage

resource "anypoint_vpn_connection" "example" {
  private_space_id = anypoint_private_space.example.id
  name             = "my-vpn-connection"

  vpns = [
    {
      local_asn         = "64512"
      remote_asn        = "65534"
      remote_ip_address = "203.0.113.1"
      static_routes     = []

      vpn_tunnels = [
        {
          psk            = "my-pre-shared-key-1"
          ptp_cidr       = "169.254.10.0/30"
          startup_action = "start"
        },
        {
          psk            = "my-pre-shared-key-2"
          ptp_cidr       = "169.254.11.0/30"
          startup_action = "start"
        }
      ]
    }
  ]
}

Schema

Required

  • private_space_id (String) The ID of the private space.
  • name (String) The name of the VPN connection.
  • vpns (Block List) List of VPN configurations. See below for nested schema.

Optional

  • organization_id (String) The organization ID where the private space is located. If not provided, the organization ID will be inferred from the connected app credentials.

Read-Only

  • id (String) The unique identifier for the VPN connection.

<a id="nestedschema--vpns"></a>

Nested Schema for vpns

Required:

  • local_asn (String) Local ASN for the VPN.
  • remote_asn (String) Remote ASN for the VPN.
  • remote_ip_address (String) Remote IP address for the VPN.
  • vpn_tunnels (Block List) List of VPN tunnel configurations. See below for nested schema.

Optional:

  • name (String) The name of the VPN.
  • static_routes (List of String) List of static routes.

Read-Only:

  • connection_name (String) The connection name of the VPN.
  • vpn_connection_status (String) The status of the VPN connection.
  • vpn_id (String) The ID of the VPN.
  • connection_id (String) The connection ID of the VPN.

<a id="nestedschema--vpns--vpn_tunnels"></a>

Nested Schema for vpns.vpn_tunnels

Required:

  • psk (String) Pre-shared key for the VPN tunnel.
  • startup_action (String) Startup action for the VPN tunnel.

Optional:

  • ptp_cidr (String) Point-to-point CIDR for the VPN tunnel.

Read-Only:

  • is_logs_enabled (Boolean) Whether logs are enabled for the VPN tunnel.

Import

Import is supported using the following syntax:

terraform import anypoint_vpn_connection.example <private_space_id>/<connection_id>
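The schema above lists psk as a plain String rather than (String, Sensitive), so a literal key or an ordinary variable is printed in plan output. The variant below is an added example, not part of the provider documentation: it feeds both tunnel keys from a variable declared sensitive (this needs Terraform 0.14 or later), and the variable name vpn_tunnel_psks is an assumption.

```hcl
# Added example. The variable name is hypothetical; the resource arguments
# are the ones documented in the schema above.
variable "vpn_tunnel_psks" {
  description = "Pre-shared keys for the two VPN tunnels, in tunnel order."
  type        = list(string)
  sensitive   = true # redacted in plan/apply output; still stored in state

  validation {
    # One key per tunnel, and never the same key on both tunnels.
    condition     = length(var.vpn_tunnel_psks) == 2 && length(distinct(var.vpn_tunnel_psks)) == 2
    error_message = "Provide exactly two distinct pre-shared keys, one per tunnel."
  }
}

resource "anypoint_vpn_connection" "example" {
  private_space_id = anypoint_private_space.example.id
  name             = "my-vpn-connection"

  vpns = [
    {
      local_asn         = "64512"
      remote_asn        = "65534"
      remote_ip_address = "203.0.113.1"
      static_routes     = []

      vpn_tunnels = [
        {
          psk            = var.vpn_tunnel_psks[0]
          ptp_cidr       = "169.254.10.0/30"
          startup_action = "start"
        },
        {
          psk            = var.vpn_tunnel_psks[1]
          ptp_cidr       = "169.254.11.0/30"
          startup_action = "start"
        }
      ]
    }
  ]
}
```

Supply the value through the TF_VAR_vpn_tunnel_psks environment variable or a secrets-backed pipeline variable rather than a committed .tfvars file. The keys are still written to Terraform state, so the state backend needs the same protection as the keys themselves.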

anypoint_secret_group (Resource)

Manages a secret group in Anypoint Secrets Manager.

-> Lifecycle note: Deleting this resource also cascade-deletes all of its sub-resources on the Platform (keystores, truststores, certificates, shared secrets, TLS contexts, certificate pinsets). The Terraform resources for those sub-resources (anypoint_secret_group_keystore, etc.) must be declared as dependents of the secret group. Either destroy them first in your config, or Terraform will remove them from state automatically when the secret group is destroyed.

Example Usage

resource "anypoint_secret_group" "example" {
  environment_id = var.environment_id
  name           = "terraform-secrets"
  downloadable   = false
}

Schema

Required

  • environment_id (String) Environment ID where the secret group is created.
  • name (String) Name of the secret group.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • downloadable (Boolean) Whether the secrets in this group can be downloaded. Defaults to false.

Read-Only

  • id (String) Unique identifier of the secret group.
  • current_state (String) Current state of the secret group.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group.example organization_id/environment_id/secret_group_id

anypoint_secret_group_certificate (Resource)

Manages a certificate within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats.

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the certificate is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

resource "anypoint_secret_group_certificate" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-certificate"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Schema

Required

  • environment_id (String) Environment ID.
  • secret_group_id (String) Secret group ID that this certificate belongs to.
  • name (String) Name of the certificate.
  • certificate_base64 (String, Sensitive) Base64-encoded certificate file content. For PEM: base64encode(file("cert.pem")). For binary: filebase64("cert.der").

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • type (String) Certificate format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.

Read-Only

  • id (String) Unique identifier of the certificate.
  • expiration_date (String) Expiration date of the certificate.
  • algorithm (String) Signature algorithm of the certificate.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_certificate.example organization_id/environment_id/secret_group_id/certificate_id

anypoint_secret_group_certificate_pinset (Resource)

Manages a certificate pinset within a secret group in Anypoint Secrets Manager. A certificate pinset is used for certificate pinning validation.

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the certificate pinset is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

resource "anypoint_secret_group_certificate_pinset" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-cert-pinset"

  certificate_pinset_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Schema

Required

  • environment_id (String) Environment ID.
  • secret_group_id (String) Secret group ID that this certificate pinset belongs to.
  • name (String) Name of the certificate pinset.
  • certificate_pinset_base64 (String, Sensitive) Base64-encoded certificate file for pinning. For PEM: base64encode(file("cert.pem")).

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.

Read-Only

  • id (String) Unique identifier of the certificate pinset.
  • expiration_date (String) Expiration date of the pinned certificate.
  • algorithm (String) Signature algorithm of the pinned certificate.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_certificate_pinset.example organization_id/environment_id/secret_group_id/certificate_pinset_id

anypoint_secret_group_keystore (Resource)

Manages a keystore within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use filebase64() to read binary files (JKS/PKCS12) or base64encode(file(...)) for PEM text files.

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the keystore is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

PEM Keystore

resource "anypoint_secret_group_keystore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-pem-keystore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
}

PEM Keystore with CA Chain

resource "anypoint_secret_group_keystore" "pem_with_ca" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-pem-with-truststore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
  ca_path_base64     = base64encode(file("${path.module}/certs/truststore.pem"))
}

JKS Keystore

resource "anypoint_secret_group_keystore" "jks" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-jks-keystore"
  type            = "JKS"

  keystore_file_base64 = filebase64("${path.module}/certs/keystore.jks")
  store_passphrase     = var.jks_store_passphrase
  key_passphrase       = var.jks_key_passphrase
  alias                = "myalias"
}

Schema

Required

  • environment_id (String) Environment ID. Changing this forces a new resource.
  • secret_group_id (String) Secret group ID that this keystore belongs to. Changing this forces a new resource.
  • name (String) Name of the keystore.

Optional

  • organization_id (String) The organization ID. If not provided, inferred from the connected app credentials.
  • type (String) Keystore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM. Changing this forces a new resource.
  • certificate_base64 (String, Sensitive) Base64-encoded certificate content. For PEM: base64encode(file("cert.pem")). For binary DER: filebase64("cert.der"). Used for PEM type.
  • key_base64 (String, Sensitive) Base64-encoded private key content. For PEM: base64encode(file("key.pem")). Required for PEM type.
  • keystore_file_base64 (String, Sensitive) Base64-encoded keystore file. Use filebase64("keystore.jks") or filebase64("keystore.p12"). Required for JKS, PKCS12, and JCEKS types.
  • store_passphrase (String, Sensitive) Store-level passphrase (storePassphrase). Required for JKS, PKCS12, and JCEKS types.
  • key_passphrase (String, Sensitive) Private-key entry passphrase (keyPassphrase). Required for JKS, PKCS12, and JCEKS types. Optional for PEM encrypted keys.
  • alias (String) Entry alias within the keystore. Used for JKS, PKCS12, and JCEKS types.
  • ca_path_base64 (String, Sensitive) Base64-encoded CA certificate chain (appended as truststore). Optional for all types.

Read-Only

  • id (String) Unique identifier of the keystore.
  • expiration_date (String) Expiration date of the certificate in the keystore.
  • algorithm (String) Signature algorithm of the certificate.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_keystore.example organization_id/environment_id/secret_group_id/keystore_id

anypoint_secret_group_shared_secret (Resource)

Manages a shared secret within a secret group in Anypoint Secrets Manager. Supports four types: UsernamePassword, S3Credential, SymmetricKey, and Blob. Provide the type-specific fields based on the chosen type.

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the shared secret is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

UsernamePassword

resource "anypoint_secret_group_shared_secret" "db_creds" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "db-credentials"
  type            = "UsernamePassword"

  username = "admin"
  password = var.db_password
}

S3Credential

resource "anypoint_secret_group_shared_secret" "s3" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "s3-backup-creds"
  type            = "S3Credential"

  access_key_id     = var.aws_access_key
  secret_access_key = var.aws_secret_key
  expiration_date   = "2026-12-31"
}

SymmetricKey

resource "anypoint_secret_group_shared_secret" "symmetric" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "encryption-key"
  type            = "SymmetricKey"

  key = base64encode("my-256-bit-secret-key-value-here")
}

Blob

resource "anypoint_secret_group_shared_secret" "blob" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "api-token"
  type            = "Blob"

  content = var.api_token
}

Schema

Required

  • environment_id (String) Environment ID.
  • secret_group_id (String) Secret group ID that this shared secret belongs to.
  • name (String) Name of the shared secret.
  • type (String) Type of shared secret: UsernamePassword, S3Credential, SymmetricKey, or Blob.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • expiration_date (String) Optional expiration date (e.g. 2026-03-31).
  • username (String) Username (for UsernamePassword type).
  • password (String, Sensitive) Password (for UsernamePassword type).
  • access_key_id (String) AWS access key ID (for S3Credential type).
  • secret_access_key (String, Sensitive) AWS secret access key (for S3Credential type).
  • key (String, Sensitive) Base64-encoded symmetric key (for SymmetricKey type).
  • content (String, Sensitive) Secret content string (for Blob type).

Read-Only

  • id (String) Unique identifier of the shared secret.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_shared_secret.example organization_id/environment_id/secret_group_id/shared_secret_id

anypoint_secret_group_tls_context (Resource)

Manages an Omni Gateway TLS context within a secret group in Anypoint Secrets Manager. The target is automatically set to OmniGateway. Keystore and truststore resources are referenced by their IDs; the provider automatically builds the internal path references (keystores/{id}, truststores/{id}).

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the TLS context is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

Basic TLS Context

resource "anypoint_secret_group_tls_context" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "omni-tls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = false
  skip_server_cert_validation   = false
}

mTLS-enabled TLS Context

resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "mtls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = true
  skip_server_cert_validation   = false
}

Schema

Required

  • environment_id (String) Environment ID.
  • secret_group_id (String) Secret group ID that this TLS context belongs to.
  • name (String) Name of the TLS context.

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • keystore_id (String) ID of the keystore in the same secret group. Use anypoint_secret_group_keystore.example.id to reference it.
  • truststore_id (String) ID of the truststore in the same secret group. Use anypoint_secret_group_truststore.example.id to reference it.
  • min_tls_version (String) Minimum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3.
  • max_tls_version (String) Maximum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3.
  • alpn_protocols (List of String) ALPN protocol negotiation list. Valid element values: h2, http/1.1. Order determines preference: ["h2", "http/1.1"] prefers H2, ["http/1.1", "h2"] prefers HTTP/1.1.
  • cipher_suites (List of String) Allowed cipher suites. Empty list means use defaults.
  • enable_client_cert_validation (Boolean) Enable mutual TLS client certificate validation (inbound). Defaults to false.
  • skip_server_cert_validation (Boolean) Skip server certificate validation (outbound). Defaults to false.

Read-Only

  • id (String) Unique identifier of the TLS context.
  • target (String) Target runtime for the TLS context. Always OmniGateway for this resource.
  • expiration_date (String) Expiration date of the TLS context.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_tls_context.example organization_id/environment_id/secret_group_id/tls_context_id

anypoint_secret_group_truststore (Resource)

Manages a truststore within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use base64encode(file(...)) for PEM text files or filebase64(...) for binary JKS/PKCS12 files.

~> Delete behaviour: The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the truststore is deleted on the Platform when the parent anypoint_secret_group is destroyed.

Example Usage

PEM Truststore

resource "anypoint_secret_group_truststore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "ca-truststore"
  type            = "PEM"

  truststore_base64 = base64encode(file("${path.module}/certs/truststore.pem"))
}

JKS Truststore

resource "anypoint_secret_group_truststore" "jks" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "ca-truststore-jks"
  type            = "JKS"

  truststore_base64 = filebase64("${path.module}/certs/truststore.jks")
  passphrase        = var.jks_passphrase
}

Schema

Required

  • environment_id (String) Environment ID.
  • secret_group_id (String) Secret group ID that this truststore belongs to.
  • name (String) Name of the truststore.
  • truststore_base64 (String, Sensitive) Base64-encoded truststore file content. For PEM: base64encode(file("truststore.pem")). For JKS/PKCS12: filebase64("truststore.jks").

Optional

  • organization_id (String) The organization ID. If not provided, the organization ID will be inferred from the connected app credentials.
  • type (String) Truststore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.
  • passphrase (String, Sensitive) Passphrase for the truststore. Required for JKS, PKCS12, and JCEKS formats.

Read-Only

  • id (String) Unique identifier of the truststore.
  • expiration_date (String) Expiration date of the certificate in the truststore.
  • algorithm (String) Signature algorithm of the certificate.

Import

Import is supported using the following syntax:

terraform import anypoint_secret_group_truststore.example organization_id/environment_id/secret_group_id/truststore_id
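The secret group sections above reference anypoint_secret_group.main, anypoint_secret_group_keystore.tls and anypoint_secret_group_truststore.ca without showing one configuration that defines them together. The following added example, which is not from the provider documentation, wires them into a single mTLS setup and guards the parent group against the cascade delete described in its lifecycle note; variable names, resource names and file paths are assumptions, and sensitive variables need Terraform 0.14 or later.

```hcl
# Added example: names, paths and variables are assumptions; the arguments
# and attributes are the ones documented in the sections above.
variable "environment_id" {
  type = string
}

variable "server_key_pem" {
  description = "PEM private key for the gateway certificate, injected at run time."
  type        = string
  sensitive   = true # keeps the key out of plan output and out of the module directory
}

resource "anypoint_secret_group" "main" {
  environment_id = var.environment_id
  name           = "gateway-tls"
  downloadable   = false # documented default, stated explicitly

  lifecycle {
    # Destroying the group cascade-deletes every keystore, truststore and
    # TLS context inside it, so make Terraform reject any plan that would.
    prevent_destroy = true
  }
}

resource "anypoint_secret_group_keystore" "tls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "gateway-server-keystore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(var.server_key_pem)
}

resource "anypoint_secret_group_truststore" "ca" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "client-ca-truststore"
  type            = "PEM"

  truststore_base64 = base64encode(file("${path.module}/certs/truststore.pem"))
}

resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "gateway-mtls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = true  # validate client certificates on inbound connections (mTLS)
  skip_server_cert_validation   = false # keep outbound server certificate validation on
}

# Read-only expiration dates, exposed so a pipeline can alert before the
# certificates lapse.
output "gateway_cert_expiration" {
  value = {
    keystore    = anypoint_secret_group_keystore.tls.expiration_date
    truststore  = anypoint_secret_group_truststore.ca.expiration_date
    tls_context = anypoint_secret_group_tls_context.mtls.expiration_date
  }
}
```

With prevent_destroy set, terraform destroy fails on the secret group until the lifecycle block is removed, which turns the cascade delete into a deliberate two-step change.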

anypoint_environment (Data Source)

Fetches information about an Anypoint Platform environment.

Example Usage

data "anypoint_environment" "sandbox" {
  id              = "abc123ef-0000-0000-0000-000000000000"
  organization_id = var.organization_id
}

output "env_name" {
  value = data.anypoint_environment.sandbox.name
}

Schema

Required

  • id (String) The unique identifier for the environment.

Optional

  • organization_id (String) The organization ID where the environment is located. If not specified, uses the organization from provider credentials.

Read-Only

  • name (String) The name of the environment.
  • type (String) The type of the environment (e.g., design, sandbox, production).
  • is_production (Boolean) Whether this is a production environment.
  • client_id (String) The client ID associated with the environment.
  • arc_namespace (String) The ARC namespace for the environment.
  • created_at (String) The timestamp when the environment was created.
  • updated_at (String) The timestamp when the environment was last updated.

anypoint_organization (Data Source)

Fetches information about an Anypoint Platform organization.

-> Entitlements: The entitlements attribute is returned as a JSON string. Use the jsondecode() function to access individual fields (e.g., jsondecode(data.anypoint_organization.main.entitlements).workerClouds).

Example Usage

data "anypoint_organization" "main" {
  id = var.organization_id
}

output "org_name" {
  value = data.anypoint_organization.main.name
}

Schema

Required

  • id (String) The unique identifier for the organization.

Read-Only

  • name (String) The name of the organization.
  • created_at (String) The creation timestamp of the organization.
  • updated_at (String) The last update timestamp of the organization.
  • owner_id (String) The owner ID of the organization.
  • client_id (String) The client ID associated with the organization.
  • idprovider_id (String) The identity provider ID.
  • is_federated (Boolean) Whether the organization is federated.
  • parent_organization_ids (List of String) List of parent organization IDs.
  • sub_organization_ids (List of String) List of sub-organization IDs.
  • tenant_organization_ids (List of String) List of tenant organization IDs.
  • mfa_required (String) Whether MFA is required for the organization.
  • is_automatic_admin_promotion_exempt (Boolean) Whether the organization is exempt from automatic admin promotion.
  • org_type (String) The type of the organization.
  • gdot_id (String) The GDOT ID of the organization.
  • deleted_at (String) The deletion timestamp of the organization.
  • domain (String) The domain of the organization.
  • is_root (Boolean) Whether this is a root organization.
  • is_master (Boolean) Whether this is a master organization.
  • session_timeout (Number) The session timeout for the organization.
  • entitlements (String) The entitlements for the organization as a JSON string. Use jsondecode() to access individual fields.
  • subscription (Object) The subscription details for the organization. See subscription below.
  • owner (Object) The owner of the organization. See owner below.
  • environments (List of Object) The environments within the organization. See environments below.

<a id="nestedschema--subscription"></a>

Nested Schema for subscription

Read-Only:

  • category (String) The subscription category.
  • type (String) The subscription type.
  • expiration (String) The subscription expiration date.
  • justification (String) The subscription justification.

<a id="nestedschema--owner"></a>

Nested Schema for owner

Read-Only:

  • id (String) The owner's ID.
  • first_name (String) The owner's first name.
  • last_name (String) The owner's last name.
  • email (String) The owner's email.
  • username (String) The owner's username.
  • enabled (Boolean) Whether the owner's account is enabled.
  • created_at (String) The creation timestamp of the owner's account.
  • updated_at (String) The last update timestamp of the owner's account.
  • organization_id (String) The organization ID of the owner.
  • phone_number (String) The owner's phone number.
  • idprovider_id (String) The identity provider ID of the owner.
  • deleted (Boolean) Whether the owner's account is deleted.
  • last_login (String) The last login timestamp of the owner.
  • mfa_verification_excluded (Boolean) Whether MFA verification is excluded for the owner.
  • mfa_verifiers_configured (String) The MFA verifiers configured for the owner.
  • email_verified_at (String) The email verification timestamp of the owner.
  • gdou_id (String) The GDOU ID of the owner.
  • previous_last_login (String) The previous last login timestamp of the owner.
  • type (String) The type of the owner.

<a id="nestedschema--environments"></a>

Nested Schema for environments

Read-Only:

  • id (String) The environment ID.
  • name (String) The environment name.
  • organization_id (String) The organization ID.
  • is_production (Boolean) Whether the environment is a production environment.
  • type (String) The environment type.
  • client_id (String) The environment client ID.
  • arc_namespace (String) The ARC namespace of the environment.

anypoint_team (Data Source)

Fetches information about an Anypoint Platform team.

Example Usage

data "anypoint_team" "ops" {
  id              = "team-uuid-here"
  organization_id = var.organization_id
}

output "team_name" {
  value = data.anypoint_team.ops.name
}

Schema

Required

  • id (String) The unique identifier for the team.

Optional

  • organization_id (String) The organization ID where the team is located. If not specified, uses the organization from provider credentials.

Read-Only

  • name (String) The name of the team.
  • parent_team_id (String) The parent team ID.
  • team_type (String) The type of the team.
  • created_date (String) The creation date of the team.
  • updated_date (String) The last update date of the team.
  • member_count (Number) The number of members in the team.
  • created_at (String) The timestamp when the team was created.
  • updated_at (String) The timestamp when the team was last updated.

anypoint_agent_instances (Data Source)

Lists all agent instances registered in API Manager for the given environment.

Example Usage

data "anypoint_agent_instances" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

output "instance_ids" {
  value = [for inst in data.anypoint_agent_instances.all.instances : inst.id]
}

Schema

Required

  • environment_id (String) The environment ID to list agent instances from.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • id (String) Composite identifier: <organization_id>/<environment_id>.
  • instances (List of Object) List of agent instances. See instances below.

<a id="nestedschema--instances"></a>

Nested Schema for instances

Read-Only:

  • id (String) The numeric ID of the agent instance.
  • asset_id (String) The Exchange asset ID.
  • asset_version (String) The Exchange asset version.
  • product_version (String) The product version.
  • group_id (String) The Exchange group (organization) ID.
  • technology (String) The gateway technology (e.g., omniGateway, mule4).
  • instance_label (String) The label of the agent instance.
  • status (String) The current status of the agent instance.
  • endpoint_uri (String) The endpoint URI for the agent instance.
  • autodiscovery_instance_name (String) The autodiscovery instance name.

anypoint_mcp_servers (Data Source)

Lists all MCP servers registered in API Manager for the given environment.

Example Usage

data "anypoint_mcp_servers" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

output "mcp_server_proxy_uris" {
  value = [for s in data.anypoint_mcp_servers.all.servers : s.proxy_uri]
}

Schema

Required

  • environment_id (String) The environment ID to list MCP servers from.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • id (String) Composite identifier: <organization_id>/<environment_id>.
  • servers (List of Object) List of MCP servers. See servers below.

<a id="nestedschema--servers"></a>

Nested Schema for servers

Read-Only:

  • id (String) The numeric ID of the MCP server.
  • asset_id (String) The Exchange asset ID.
  • asset_version (String) The Exchange asset version.
  • product_version (String) The product version.
  • group_id (String) The Exchange group (organization) ID.
  • technology (String) The gateway technology (typically omniGateway for MCP).
  • instance_label (String) The label of the MCP server.
  • status (String) The current status of the MCP server.
  • endpoint_uri (String) The endpoint URI for the MCP server.
  • proxy_uri (String) The MCP proxy URI (e.g., http://0.0.0.0:8081/mcp1).
  • autodiscovery_instance_name (String) The autodiscovery instance name.

anypoint_api_instances (Data Source)

Lists all API instances registered in API Manager for the given environment.

Example Usage

data "anypoint_api_instances" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

output "api_instance_ids" {
  value = [for inst in data.anypoint_api_instances.all.instances : inst.id]
}

Schema

Required

  • environment_id (String) The environment ID to list API instances from.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • id (String) Composite identifier: <organization_id>/<environment_id>.
  • instances (List of Object) List of API instances. See instances below.

<a id="nestedschema--instances"></a>

Nested Schema for instances

Read-Only:

  • id (String) The numeric ID of the API instance.
  • asset_id (String) The Exchange asset ID.
  • asset_version (String) The Exchange asset version.
  • product_version (String) The product version.
  • group_id (String) The Exchange group (organization) ID.
  • technology (String) The gateway technology (e.g., omniGateway, mule4).
  • instance_label (String) The label of the API instance.
  • status (String) The current status of the API instance.
  • endpoint_uri (String) The endpoint URI for the API instance.
  • autodiscovery_instance_name (String) The autodiscovery instance name.

anypoint_api_upstreams (Data Source)

Lists all upstreams registered for an API instance in API Manager.

Example Usage

data "anypoint_api_upstreams" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = "12345"
}

output "upstream_uris" {
  value = [for u in data.anypoint_api_upstreams.example.upstreams : u.uri]
}

Schema

Required

  • environment_id (String) The environment ID where the API instance lives.
  • api_instance_id (String) The numeric ID of the API instance.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • id (String) Composite identifier: <organization_id>/<environment_id>/<api_instance_id>.
  • total (Number) Total number of upstreams returned.
  • upstreams (List of Object) List of upstreams for the API instance. See upstreams below.

<a id="nestedschema--upstreams"></a>

Nested Schema for upstreams

Read-Only:

  • id (String) The upstream UUID.
  • label (String) The upstream label (matches the label in the routing configuration).
  • uri (String) The upstream URI.

anypoint_managed_omni_gateway (Data Source)

Fetches the full details of a single managed Omni Gateway by ID.

Example Usage

data "anypoint_managed_omni_gateway" "gw" {
  id              = var.gateway_id
  environment_id  = var.environment_id
  organization_id = var.organization_id
}

output "gateway_public_url" {
  value = data.anypoint_managed_omni_gateway.gw.ingress.public_url
}

Schema

Required

  • id (String) The managed Omni Gateway ID.
  • environment_id (String) The environment ID where the gateway is deployed.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • name (String) The name of the gateway.
  • target_id (String) The target (private space) ID.
  • target_name (String) The name of the target (private space).
  • target_type (String) The type of the target (e.g., private-space).
  • runtime_version (String) The runtime version of the gateway.
  • release_channel (String) The release channel (lts or edge).
  • size (String) The gateway size (small, large).
  • status (String) The current status of the gateway (e.g., APPLIED).
  • desired_status (String) The desired status of the gateway (e.g., STARTED).
  • status_message (String) Additional status message from the gateway.
  • date_created (String) Timestamp when the gateway was created.
  • last_updated (String) Timestamp of the last update to the gateway.
  • api_limit (Number) Maximum number of APIs that can be deployed to this gateway.
  • ingress (Object) Ingress network configuration. See ingress below.
  • properties (Object) Runtime properties. See properties below.
  • logging (Object) Logging configuration. See logging below.
  • port_configuration (Object) Port configuration for ingress and egress traffic. See port_configuration below.

<a id="nestedschema--ingress"></a>

Nested Schema for ingress

Read-Only:

  • public_url (String) The primary public URL.
  • internal_urls (List of String) All internal URLs.
  • forward_ssl_session (Boolean) Whether SSL session forwarding is enabled.
  • last_mile_security (Boolean) Whether last-mile security (TLS to upstream) is enabled.

Nested Schema for properties

Read-Only:

  • upstream_response_timeout (Number) Upstream response timeout in seconds.
  • connection_idle_timeout (Number) Connection idle timeout in seconds.

Nested Schema for logging

Read-Only:

  • level (String) Log level (debug, info, warn, error).
  • forward_logs (Boolean) Whether logs are forwarded to Anypoint Monitoring.

Nested Schema for port_configuration

Read-Only:

Nested Schema for port_configuration.ingress

Read-Only:

  • port (Number) The port number.
  • protocol (String) The protocol (e.g., TCP).

Nested Schema for port_configuration.egress

Read-Only:

  • port (Number) The port number.
  • protocol (String) The protocol (e.g., TCP).

anypoint_managed_omni_gateways (Data Source)

Lists all managed Omni Gateway instances in the given environment.

Example Usage

data "anypoint_managed_omni_gateways" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

output "gateway_names" {
  value = [for gw in data.anypoint_managed_omni_gateways.all.gateways : gw.name]
}

Schema

Required

  • environment_id (String) The environment ID to list gateways from.

Optional

  • organization_id (String) The organization ID. Defaults to the provider credentials organization.

Read-Only

  • id (String) Composite identifier: <organization_id>/<environment_id>.
  • gateways (List of Object) List of managed Omni Gateway instances. See gateways below.

Nested Schema for gateways

Read-Only:

  • id (String) The unique identifier of the gateway.
  • name (String) The name of the gateway.
  • target_id (String) The target (private space) ID the gateway is deployed to.
  • status (String) The current status of the gateway (e.g., APPLIED, RUNNING).
  • date_created (String) Timestamp when the gateway was created.
  • last_updated (String) Timestamp of the last update to the gateway.
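
The list data source returns only summary fields, so a posture review of every gateway has to fan out to anypoint_managed_omni_gateway by ID. The following is an added example, not part of the provider documentation: it flags gateways with last-mile security disabled or debug logging enabled. It assumes Terraform 1.5+ for check blocks; the labels "detail" and "gateway_posture" and the local names are hypothetical.

```hcl
# Added example, not from the provider documentation.
# Assumes Terraform 1.5+ (check blocks).
variable "organization_id" { type = string }
variable "environment_id" { type = string }

data "anypoint_managed_omni_gateways" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

# Read the full details of each listed gateway to reach ingress and logging.
data "anypoint_managed_omni_gateway" "detail" {
  for_each        = toset([for gw in data.anypoint_managed_omni_gateways.all.gateways : gw.id])
  id              = each.value
  environment_id  = var.environment_id
  organization_id = var.organization_id
}

locals {
  # Gateways whose hop to the upstream is not protected by TLS.
  no_last_mile = sort([
    for gw in data.anypoint_managed_omni_gateway.detail : gw.name
    if gw.ingress.last_mile_security != true
  ])

  # Gateways left at the most verbose log level.
  debug_logging = sort([
    for gw in data.anypoint_managed_omni_gateway.detail : gw.name
    if gw.logging.level == "debug"
  ])
}

check "gateway_posture" {
  assert {
    condition     = length(local.no_last_mile) == 0
    error_message = "Last-mile security is disabled on: ${join(", ", local.no_last_mile)}"
  }

  assert {
    condition     = length(local.debug_logging) == 0
    error_message = "Debug logging is enabled on: ${join(", ", local.debug_logging)}"
  }
}
```

A failed check block is reported as a warning and does not stop the plan or apply.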

anypoint_private_space_associations (Data Source)

Reads all private space associations for a given private space.

Example Usage

data "anypoint_private_space_associations" "ps" {
  private_space_id = var.private_space_id
  organization_id  = var.organization_id
}

output "associated_environments" {
  value = [for a in data.anypoint_private_space_associations.ps.associations : a.environment]
}

Schema

Required

  • private_space_id (String) The ID of the private space to fetch associations for.

Optional

  • organization_id (String) The organization ID. If not provided, the provider's default organization will be used.

Read-Only

  • id (String) Identifier for the data source.
  • associations (List of Object) List of associations for the private space. See associations below.

Nested Schema for associations

Read-Only:

  • id (String) The ID of the association.
  • organization_id (String) The organization ID of the association.
  • environment (String) The environment of the association.

anypoint_private_space_upgrade (Data Source)

Retrieves upgrade status information for a CloudHub 2.0 private space.

Example Usage

data "anypoint_private_space_upgrade" "status" {
  private_space_id = var.private_space_id
  organization_id  = var.organization_id
}

output "upgrade_status" {
  value = data.anypoint_private_space_upgrade.status.status
}

Schema

Required

  • private_space_id (String) The ID of the private space to get upgrade status for.

Optional

  • organization_id (String) The organization ID where the private space is located. If not specified, uses the organization from provider credentials.

Read-Only

  • id (String) Identifier for this data source.
  • scheduled_update_time (String) The scheduled update time for the upgrade.
  • status (String) The current status of the upgrade (e.g., QUEUED, IN_PROGRESS, COMPLETED).

anypoint_tls_context (Data Source)

Fetches information about a CloudHub 2.0 TLS context.

Example Usage

data "anypoint_tls_context" "example" {
  id               = var.tls_context_id
  private_space_id = var.private_space_id
  organization_id  = var.organization_id
}

output "tls_context_name" {
  value = data.anypoint_tls_context.example.name
}

Schema

Required

  • id (String) The unique identifier for the TLS context.
  • private_space_id (String) The private space ID where the TLS context is located.

Optional

  • organization_id (String) The organization ID where the private space is located. If not specified, uses the organization from provider credentials.

Read-Only

  • name (String) The name of the TLS context.
  • type (String) The type of the TLS context.
  • ciphers (Object) Cipher configuration for the TLS context. See ciphers below.
  • trust_store (Object) Trust store information. See trust_store below.
  • key_store (Object) Key store information. See key_store below.

Nested Schema for ciphers

Read-Only:

  • aes128_gcm_sha256 (Boolean) AES128-GCM-SHA256 cipher status.
  • aes128_sha256 (Boolean) AES128-SHA256 cipher status.
  • aes256_gcm_sha384 (Boolean) AES256-GCM-SHA384 cipher status.
  • aes256_sha256 (Boolean) AES256-SHA256 cipher status.
  • dhe_rsa_aes128_sha256 (Boolean) DHE-RSA-AES128-SHA256 cipher status.
  • dhe_rsa_aes256_gcm_sha384 (Boolean) DHE-RSA-AES256-GCM-SHA384 cipher status.
  • dhe_rsa_aes256_sha256 (Boolean) DHE-RSA-AES256-SHA256 cipher status.
  • ecdhe_ecdsa_aes128_gcm_sha256 (Boolean) ECDHE-ECDSA-AES128-GCM-SHA256 cipher status.
  • ecdhe_ecdsa_aes256_gcm_sha384 (Boolean) ECDHE-ECDSA-AES256-GCM-SHA384 cipher status.
  • ecdhe_rsa_aes128_gcm_sha256 (Boolean) ECDHE-RSA-AES128-GCM-SHA256 cipher status.
  • ecdhe_rsa_aes256_gcm_sha384 (Boolean) ECDHE-RSA-AES256-GCM-SHA384 cipher status.
  • ecdhe_ecdsa_chacha20_poly1305 (Boolean) ECDHE-ECDSA-CHACHA20-POLY1305 cipher status.
  • ecdhe_rsa_chacha20_poly1305 (Boolean) ECDHE-RSA-CHACHA20-POLY1305 cipher status.
  • dhe_rsa_chacha20_poly1305 (Boolean) DHE-RSA-CHACHA20-POLY1305 cipher status.
  • tls_aes256_gcm_sha384 (Boolean) TLS-AES256-GCM-SHA384 cipher status.
  • tls_chacha20_poly1305_sha256 (Boolean) TLS-CHACHA20-POLY1305-SHA256 cipher status.
  • tls_aes128_gcm_sha256 (Boolean) TLS-AES128-GCM-SHA256 cipher status.

Nested Schema for trust_store

Read-Only:

  • filename (String) Trust store filename.
  • expiration_date (String) Trust store expiration date.
  • type (String) Trust store type.

Nested Schema for key_store

Read-Only:

  • filename (String) Key store filename.
  • type (String) Key store type.
  • cn (String) Common name from the certificate.
  • san (List of String) Subject alternative names.
  • expiration_date (String) Key store expiration date.
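
The ciphers object exposes one Boolean per suite, which makes it possible to audit a TLS context for suites that lack forward secrecy. The following is an added example, not part of the provider documentation. It assumes Terraform 1.5+ for check blocks and that the attribute names follow OpenSSL cipher naming, where AES128-SHA256, AES256-SHA256, AES128-GCM-SHA256 and AES256-GCM-SHA384 are static RSA key exchange suites; the labels and local names are hypothetical.

```hcl
# Added example, not from the provider documentation.
# Assumes Terraform 1.5+ (check blocks).
variable "tls_context_id" { type = string }
variable "private_space_id" { type = string }
variable "organization_id" { type = string }

data "anypoint_tls_context" "audited" {
  id               = var.tls_context_id
  private_space_id = var.private_space_id
  organization_id  = var.organization_id
}

locals {
  # Assumption: attribute names map to OpenSSL suite names. These four use
  # static RSA key exchange, so they provide no forward secrecy. The two
  # without "gcm" in the name are also CBC-mode suites.
  static_rsa_ciphers = [
    "aes128_gcm_sha256",
    "aes128_sha256",
    "aes256_gcm_sha384",
    "aes256_sha256",
  ]

  # Names of the static RSA suites that this TLS context has enabled.
  enabled_static_rsa = sort([
    for name, enabled in data.anypoint_tls_context.audited.ciphers :
    name if enabled == true && contains(local.static_rsa_ciphers, name)
  ])
}

check "tls_context_forward_secrecy" {
  assert {
    condition     = length(local.enabled_static_rsa) == 0
    error_message = "TLS context '${data.anypoint_tls_context.audited.name}' enables ciphers without forward secrecy: ${join(", ", local.enabled_static_rsa)}"
  }
}

output "enabled_static_rsa_ciphers" {
  value = local.enabled_static_rsa
}
```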

anypoint_secret_group_certificate_pinsets (Data Source)

Lists all certificate pinsets within a secret group.

Example Usage

data "anypoint_secret_group_certificate_pinsets" "pinsets" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "pinset_names" {
  value = [for p in data.anypoint_secret_group_certificate_pinsets.pinsets.certificate_pinsets : p.name]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • certificate_pinsets (List of Object) List of certificate pinsets. See certificate_pinsets below.

Nested Schema for certificate_pinsets

Read-Only:

  • id (String) The certificate pinset ID.
  • name (String) The name of the certificate pinset.
  • expiration_date (String) The expiration date of the certificate pinset.
  • algorithm (String) The algorithm used by the certificate pinset.

anypoint_secret_group_certificates (Data Source)

Lists all certificates within a secret group.

Example Usage

data "anypoint_secret_group_certificates" "certs" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "certificate_names" {
  value = [for c in data.anypoint_secret_group_certificates.certs.certificates : c.name]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • certificates (List of Object) List of certificates. See certificates below.

Nested Schema for certificates

Read-Only:

  • id (String) The certificate ID.
  • name (String) The name of the certificate.
  • type (String) The certificate type (PEM, JKS, PKCS12, JCEKS).
  • expiration_date (String) The expiration date of the certificate.
  • algorithm (String) The algorithm used by the certificate.

anypoint_secret_group_keystores (Data Source)

Lists all keystores within a secret group.

Example Usage

data "anypoint_secret_group_keystores" "ks" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "keystore_names" {
  value = [for k in data.anypoint_secret_group_keystores.ks.keystores : k.name]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • keystores (List of Object) List of keystores. See keystores below.

Nested Schema for keystores

Read-Only:

  • id (String) The keystore ID.
  • name (String) The name of the keystore.
  • type (String) The keystore type (PEM, JKS, PKCS12, JCEKS).
  • expiration_date (String) The expiration date of the keystore.
  • algorithm (String) The algorithm used by the keystore.

anypoint_secret_group_shared_secrets (Data Source)

Lists all shared secrets within a secret group.

-> Note: Sensitive values (passwords, secret keys) are not returned by the Anypoint Platform API. Only metadata such as name, type, and expiration is available.

Example Usage

data "anypoint_secret_group_shared_secrets" "ss" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "shared_secret_names" {
  value = [for s in data.anypoint_secret_group_shared_secrets.ss.shared_secrets : s.name]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • shared_secrets (List of Object) List of shared secrets. See shared_secrets below.

Nested Schema for shared_secrets

Read-Only:

  • id (String) The shared secret ID.
  • name (String) The name of the shared secret.
  • type (String) The shared secret type (UsernamePassword, S3Credential, SymmetricKey, Blob).
  • expiration_date (String) The expiration date of the shared secret.
  • username (String) Username, returned only for UsernamePassword type.
  • access_key_id (String) Access key ID, returned only for S3Credential type.

anypoint_secret_group_tls_contexts (Data Source)

Lists all TLS contexts within a secret group.

Example Usage

data "anypoint_secret_group_tls_contexts" "tls" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "tls_context_ids" {
  value = [for t in data.anypoint_secret_group_tls_contexts.tls.tls_contexts : t.id]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • tls_contexts (List of Object) List of TLS contexts. See tls_contexts below.

Nested Schema for tls_contexts

Read-Only:

  • id (String) The TLS context ID.
  • name (String) The name of the TLS context.
  • target (String) The target (e.g., OmniGateway).
  • min_tls_version (String) Minimum TLS version.
  • max_tls_version (String) Maximum TLS version.
  • expiration_date (String) The expiration date of the TLS context.
  • enable_client_cert_validation (Boolean) Whether client certificate validation is enabled.
  • skip_server_cert_validation (Boolean) Whether server certificate validation is skipped.
  • alpn_protocols (String) Comma-separated list of ALPN protocols.
  • cipher_suites (String) Comma-separated list of cipher suites.
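
Because skip_server_cert_validation is exposed per TLS context, the data source can act as a gate that stops a plan when any context in the secret group disables server certificate validation. The following is an added example, not part of the provider documentation. It assumes Terraform 1.2+ for postcondition blocks; the label "audited" and the output name are hypothetical.

```hcl
# Added example, not from the provider documentation.
# Assumes Terraform 1.2+ (postcondition blocks).
variable "organization_id" { type = string }
variable "environment_id" { type = string }
variable "secret_group_id" { type = string }

data "anypoint_secret_group_tls_contexts" "audited" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id

  lifecycle {
    # A failed postcondition is an error, so planning stops here.
    postcondition {
      condition = alltrue([
        for t in self.tls_contexts : t.skip_server_cert_validation != true
      ])
      error_message = "Server certificate validation is skipped in TLS contexts: ${join(", ", [
        for t in self.tls_contexts : t.name if t.skip_server_cert_validation == true
      ])}"
    }
  }
}

# Informational: contexts that do not validate client certificates,
# for review where mutual TLS is expected.
output "tls_contexts_without_client_cert_validation" {
  value = sort([
    for t in data.anypoint_secret_group_tls_contexts.audited.tls_contexts :
    t.name if t.enable_client_cert_validation != true
  ])
}
```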

anypoint_secret_group_truststores (Data Source)

Lists all truststores within a secret group.

Example Usage

data "anypoint_secret_group_truststores" "ts" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  secret_group_id = var.secret_group_id
}

output "truststore_names" {
  value = [for t in data.anypoint_secret_group_truststores.ts.truststores : t.name]
}

Schema

Required

  • environment_id (String) The environment ID.
  • secret_group_id (String) The secret group ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • truststores (List of Object) List of truststores. See truststores below.

Nested Schema for truststores

Read-Only:

  • id (String) The truststore ID.
  • name (String) The name of the truststore.
  • type (String) The truststore type (PEM, JKS, PKCS12, JCEKS).
  • expiration_date (String) The expiration date of the truststore.
  • algorithm (String) The algorithm used by the truststore.

anypoint_secret_groups (Data Source)

Lists all secret groups in a given environment.

Example Usage

data "anypoint_secret_groups" "all" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
}

output "secret_group_ids" {
  value = [for sg in data.anypoint_secret_groups.all.secret_groups : sg.id]
}

Schema

Required

  • environment_id (String) The environment ID.

Optional

  • organization_id (String) The organization ID. Defaults to the provider organization.

Read-Only

  • secret_groups (List of Object) List of secret groups. See secret_groups below.

Nested Schema for secret_groups

Read-Only:

  • id (String) The secret group ID.
  • name (String) The name of the secret group.
  • downloadable (Boolean) Whether the secret group is downloadable.
  • current_state (String) The current state of the secret group (e.g., Clear).