API, MCP, and A2A Policy Resources

Use policy resources to apply policies declaratively to APIs, MCP servers, gateways, and AI agent resources.

anypoint_api_policy_a2a_agent_card

Use the anypoint_api_policy_a2a_agent_card resource to publish and manage an A2A Agent Card on an Anypoint API instance. The agent card describes your AI agent’s capabilities and is served at a configurable path.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_a2a_agent_card" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    content        = "{\"name\": \"My Agent\", \"description\": \"An example A2A agent\"}"
    consumer_url   = "https://example.com/agent"
    card_path      = "/.well-known/agent-card.json"
    file_name      = "agent-card.json"
    file_mime_type = "application/json"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance to attach the agent card to.

  • configuration - (Block) Agent card content and serving configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies on the same API instance. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 2.0.0-20260327083212.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • content - (Required) The agent card content as a JSON string.

  • card_path - Path where the agent card is served.

  • consumer_url - Consumer-facing URL for the A2A agent.

  • file_mime_type - MIME type of the agent card file.

  • file_name - Filename for the agent card.

  • file_source - Source of the agent card file.

Pointcut Data

Use pointcut_data to limit the policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_a2a_agent_card policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_a2a_agent_card.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_a2a_agent_card" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_a2a_agent_card.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_a2a_pii_detector

Use the anypoint_api_policy_a2a_pii_detector resource to detect and act on personally identifiable information (PII) in requests to an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_a2a_pii_detector" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    entities = ["Email", "US SSN", "Credit Card", "Phone Number"]
    action   = "Reject"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - Numeric ID of the API instance to attach this policy to.

  • configuration - (Block) PII detection configuration.

Optional Arguments

  • organization_id - Organization ID. Defaults to the organization inferred from the connected app if not set.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies on the same API instance. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • entities - (Required, List of String) PII entity types to detect. Valid values: Email, Credit Card, Phone Number, US SSN.

  • action - Action to take when PII is detected (for example, Reject).

Pointcut Data

Use pointcut_data to limit the policy to specific HTTP methods and URI patterns. This corresponds to the "Apply configurations to specific methods & resources" setting in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_a2a_pii_detector policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_a2a_pii_detector.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_a2a_pii_detector" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_a2a_pii_detector.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_a2a_prompt_decorator

Use the anypoint_api_policy_a2a_prompt_decorator resource to prepend or append text and file content to prompts on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_a2a_prompt_decorator" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    text_decorators = [
      {
        position = "prefix"
        text     = "You are a helpful assistant."
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment containing the API instance.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Decorator configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • file_decorators - (Dynamic) File-based prompt decorators to inject.

  • text_decorators - (Dynamic) Text-based prompt decorators to inject.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_a2a_prompt_decorator policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_a2a_prompt_decorator.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_a2a_prompt_decorator" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_a2a_prompt_decorator.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_a2a_schema_validation

Use the anypoint_api_policy_a2a_schema_validation resource to manage an A2A Schema Validation policy on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_a2a_schema_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Required Arguments

  • environment_id - The environment ID.

  • api_instance_id - The API instance ID.

  • configuration - (Block) The policy configuration. This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • label - A human-readable label for this policy instance.

  • order - The order of policy execution.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) List of upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string. Restricts the policy to specific resources (methods and/or URIs). When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - The policy template ID assigned by the server.

Pointcut Data

The optional pointcut_data attribute restricts the policy to specific HTTP methods and/or URI patterns, matching what is configured under "Apply configurations to specific methods & resources" in the Anypoint Platform UI.

Each element in the array maps to one condition row in the UI:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions act as a logical OR — the policy applies if any condition matches.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_a2a_schema_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_a2a_schema_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_a2a_schema_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_a2a_schema_validation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_a2a_token_rate_limit

Use the anypoint_api_policy_a2a_token_rate_limit resource to enforce token-based rate limits on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_a2a_token_rate_limit" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    maximum_tokens              = 10000
    time_period_in_milliseconds = 60000
    key_selector                = "#[attributes.headers['Authorization']]"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Rate limit configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • maximum_tokens - (Required) Maximum number of tokens allowed in the time period.

  • time_period_in_milliseconds - (Required) Duration of the rate limit window in milliseconds.

  • key_selector - DataWeave expression to extract the rate limit key from the request (for example, #[attributes.headers['Authorization']]).

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_a2a_token_rate_limit policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_a2a_token_rate_limit.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_a2a_token_rate_limit" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_a2a_token_rate_limit.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_body_transformation

Use the anypoint_api_policy_body_transformation resource to apply a DataWeave script to transform request or response bodies on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_body_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script       = "%dw 2.0\noutput application/json\n---\npayload"
    request_flow = "request"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Transformation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260127.133848.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave transformation script.

  • request_flow - Which flow to apply the transformation to (request or response).

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_body_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_body_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_body_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_body_transformation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_circuit_breaker

Use the anypoint_api_policy_circuit_breaker resource to protect upstream services from cascading failures by opening the circuit when error or slow-call thresholds are exceeded.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_circuit_breaker" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    thresholds = {
      failure_rate_threshold       = 50
      slow_call_rate_threshold     = 80
      slow_call_duration_threshold = 5000
      sliding_window_size          = 100
      minimum_number_of_calls      = 10
      wait_duration_in_open_state  = 60000
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Circuit breaker thresholds.

  • upstream_ids - (Required, List of String) Upstream IDs this policy monitors.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • thresholds - (Required, Dynamic) Circuit breaker threshold configuration object.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_circuit_breaker policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_circuit_breaker.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_circuit_breaker" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_circuit_breaker.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_access_block

Use the anypoint_api_policy_access_block resource to block all access to an Anypoint API instance. Combine with pointcut_data to restrict specific methods or URI patterns.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_access_block" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance to block access to.

  • configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Pointcut Data

Use pointcut_data to restrict access blocking to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Block GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
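
The following Python check is an added example, not part of the provider or its documentation, and it applies to pointcut_data on every resource on this page: it evaluates a pointcut against an inventory of routes and lists the routes the policy would not cover. It assumes each regex must match the whole method or path, case-sensitively, which should be confirmed against the platform; the route inventory and the function names are constructed for illustration.

```python
import json
import re

ALLOWED_KEYS = {"methodRegex", "uriTemplateRegex"}


def parse_pointcut(pointcut_json):
    """Compile pointcut_data into (method_re, uri_re) pairs.

    Returns None when pointcut_data is null, which the page documents as
    "the policy applies to all resources".
    """
    if pointcut_json is None:
        return None
    conditions = json.loads(pointcut_json)
    if not isinstance(conditions, list):
        raise ValueError("pointcut_data must be a JSON array of conditions")
    compiled = []
    for cond in conditions:
        if not isinstance(cond, dict):
            raise ValueError("each condition must be a JSON object")
        # A misspelled key would otherwise look like an omitted one, and an
        # omitted regex matches everything, so reject unknown keys here.
        unknown = set(cond) - ALLOWED_KEYS
        if unknown:
            raise ValueError(f"unexpected keys in condition: {sorted(unknown)}")
        compiled.append((
            re.compile(cond.get("methodRegex", ".*")),
            re.compile(cond.get("uriTemplateRegex", ".*")),
        ))
    return compiled


def policy_applies(compiled, method, path):
    """True if any condition matches (conditions are a logical OR)."""
    if compiled is None:
        return True
    # Assumption: whole-string matching. Not stated on the page.
    return any(m.fullmatch(method) and u.fullmatch(path) for m, u in compiled)


def uncovered_routes(pointcut_json, routes):
    """Return the (method, path) routes that no condition matches."""
    compiled = parse_pointcut(pointcut_json)
    return [(m, p) for m, p in routes if not policy_applies(compiled, m, p)]


# The page's "Multiple conditions" example, encoded as jsonencode() would.
PAGE_POINTCUT = json.dumps([
    {"methodRegex": "GET", "uriTemplateRegex": "/api/v1/read/.*"},
    {"methodRegex": "POST|PUT", "uriTemplateRegex": "/api/v1/write/.*"},
])

# Constructed route inventory for illustration only.
SAMPLE_ROUTES = [
    ("GET", "/api/v1/read/items"),
    ("POST", "/api/v1/write/items"),
    ("PUT", "/api/v1/write/items/7"),
    ("DELETE", "/api/v1/write/items/7"),  # method not listed in any condition
    ("POST", "/api/v1/read/search"),      # method and path split across conditions
    ("GET", "/api/v2/read/items"),        # different API version
    ("GET", "/api/v1/read"),              # no trailing segment after /read
]

if __name__ == "__main__":
    for method, path in uncovered_routes(PAGE_POINTCUT, SAMPLE_ROUTES):
        print(f"policy does not apply: {method} {path}")
```

Run it before terraform apply with the routes from your API specification; any route it prints is one the scoped policy leaves unaffected.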

Import

An existing anypoint_api_policy_access_block policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_access_block.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_access_block" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_access_block.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_client_id_enforcement

Use the anypoint_api_policy_client_id_enforcement resource to require a valid client ID and secret on all requests to an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_client_id_enforcement" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    credentials_origin_has_http_basic_authentication_header = "customExpression"
    client_id_expression     = "#[attributes.headers['client_id']]"
    client_secret_expression = "#[attributes.headers['client_secret']]"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Client credential extraction configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.3.3.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • client_id_expression - DataWeave expression to extract the client ID from the request.

  • client_secret_expression - DataWeave expression to extract the client secret from the request.

  • credentials_origin_has_http_basic_authentication_header - How client credentials are provided (for example, customExpression, httpBasicAuthenticationHeader).

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_client_id_enforcement policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_client_id_enforcement.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_client_id_enforcement" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_client_id_enforcement.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_cors

Use the anypoint_api_policy_cors resource to configure Cross-Origin Resource Sharing (CORS) on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

Public resource (simple branch)

resource "anypoint_api_policy_cors" "public" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = true
    support_credentials = false
    origin_groups = [
      {
        origins  = ["https://example.com"]
        methods  = ["GET", "POST", "PUT"]
        headers  = ["Content-Type", "Authorization"]
      }
    ]
  }

  order = 1
}

Non-public resource (credentialed branch)

When public_resource = false, the platform enforces a stricter schema. Each origin group must include a name field and access_control_max_age. Omitting either returns HTTP 400.

resource "anypoint_api_policy_cors" "private" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = false
    support_credentials = true

    origin_groups = [
      {
        name                   = "allowed-origins"
        origins                = ["https://example.com"]
        methods                = ["GET", "POST", "PUT"]
        headers                = ["Content-Type", "Authorization"]
        access_control_max_age = 600
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) CORS configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.3.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • origin_groups - (Required, Dynamic) Array of origin group configurations. Structure differs by branch — see below.

  • public_resource - Whether the resource is publicly accessible. Defaults to false. Controls which platform schema branch is used.

  • support_credentials - Whether to allow credentials in CORS requests.

origin_groups — public branch (public_resource = true)

Field | Type | Description
origins | list(string) | Allowed origin URLs.
methods | list(string) | Allowed HTTP methods (for example, ["GET","POST"]).
headers | list(string) | Allowed request headers.

origin_groups — non-public branch (public_resource = false)

Field | Required | Type | Description
name | yes | string | Unique label for this origin group. If omitted, the provider synthesizes group-<index>.
origins | no | list(string) | Allowed origin URLs.
methods | no | list(string) | HTTP methods. The provider automatically converts these to allowedMethods objects required by the platform.
headers | no | list(string) | Allowed request headers.
access_control_max_age | no | number | Preflight cache duration in seconds. Defaults to 30.

Using flat fields directly inside configuration (instead of the origin_groups array) is rejected by the platform with HTTP 400.
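The non-public branch takes an array of origin groups, so each origin can be granted only the methods it needs. The following added example (not from the provider documentation) builds the groups from a map so that every group carries the name and access_control_max_age fields; the local name cors_groups, the group names, and the origins are assumptions.

```hcl
# Added example: per-origin CORS groups for the non-public branch.
# local.cors_groups, the group names and the origins are constructed for
# illustration. Map keys are unique, so each group gets a unique name.
locals {
  cors_groups = {
    "admin-console-write" = {
      origins = ["https://admin.example.com"]
      methods = ["GET", "POST", "PUT"]
      max_age = 60
    }
    "web-app-read" = {
      origins = ["https://app.example.com"]
      methods = ["GET"]
      max_age = 600
    }
  }
}

resource "anypoint_api_policy_cors" "per_origin" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    public_resource     = false
    support_credentials = true

    # One origin group per map entry; name and access_control_max_age are
    # always set, as the non-public branch requires.
    origin_groups = [
      for group_name, group in local.cors_groups : {
        name                   = group_name
        origins                = group.origins
        methods                = group.methods
        headers                = ["Content-Type", "Authorization"]
        access_control_max_age = group.max_age
      }
    ]
  }

  order = 1
}
```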

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_cors policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_cors.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_cors" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_cors.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_credential_injection_basic_auth

Use the anypoint_api_policy_credential_injection_basic_auth resource to inject Basic Auth credentials into upstream requests on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_credential_injection_basic_auth" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username  = "service-account"
    password  = "service-password"
    overwrite = true
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Credential injection configuration.

  • upstream_ids - (Required, List of String) Upstream IDs to inject credentials into.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • username - (Required) The username for authentication.

  • password - (Required) The password for authentication.

  • custom_header - Custom header name to inject credentials into instead of the standard Authorization header.

  • overwrite - Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field — omitting it doesn’t cause HTTP 400.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_credential_injection_basic_auth policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_credential_injection_basic_auth.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_credential_injection_basic_auth" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_credential_injection_basic_auth.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_credential_injection_oauth2

Use the anypoint_api_policy_credential_injection_oauth2 resource to fetch an OAuth 2.0 token and inject it into upstream requests on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_credential_injection_oauth2" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    oauth_service                    = "https://auth.example.com/oauth2/token"
    client_id                        = "my-client-id"
    client_secret                    = "my-client-secret"
    scope                            = ["read", "write"]
    overwrite                        = true
    token_fetch_timeout              = 5000
    allow_request_without_credential = false
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) OAuth 2.0 token injection configuration.

  • upstream_ids - (Required, List of String) Upstream IDs to inject the token into.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • oauth_service - (Required) URL of the OAuth 2.0 token service.

  • client_id - (Required) The OAuth 2.0 client ID.

  • client_secret - (Required) The OAuth 2.0 client secret.

  • scope - (Dynamic) Array of OAuth 2.0 scopes to request.

  • token_fetch_timeout - Timeout in milliseconds for fetching the OAuth token. Defaults to 10000. The provider always sends this field — omitting it doesn’t cause HTTP 400.

  • overwrite - Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field.

  • allow_request_without_credential - Whether to allow requests to pass through without injected credentials. Defaults to false. The provider always sends this field.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_credential_injection_oauth2 policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_credential_injection_oauth2.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_credential_injection_oauth2" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_credential_injection_oauth2.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_credential_injection_oauth2_obo

Use the anypoint_api_policy_credential_injection_oauth2_obo resource to exchange an incoming token for a downstream token using the OAuth 2.0 On-Behalf-Of flow, then inject it into upstream requests.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_credential_injection_oauth2_obo" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    flow           = "urn:ietf:params:oauth:grant-type:jwt-bearer"
    client_id      = "my-client-id"
    client_secret  = "my-client-secret"
    token_endpoint = "https://auth.example.com/oauth2/token"
    scope          = "openid profile"
    timeout        = 5000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) On-Behalf-Of token exchange configuration.

  • upstream_ids - (Required, List of String) Upstream IDs to inject the exchanged token into.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.1.0.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • client_id - (Required) The OAuth 2.0 client ID.

  • client_secret - (Required) The OAuth 2.0 client secret.

  • flow - (Required) The OAuth 2.0 grant flow type.

  • token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.

  • ciba_enabled - Whether CIBA (Client-Initiated Backchannel Authentication) is enabled.

  • ciba_endpoint - The backchannel authentication endpoint URL (used when ciba_enabled is true).

  • ciba_binding_message - A human-readable binding message sent to the user’s authentication device (used when ciba_enabled is true).

  • ciba_login_hint_claim - The claim used to identify the end user in the CIBA flow (used when ciba_enabled is true).

  • distributed - Whether to use distributed token caching across cluster nodes.

  • requested_token_type - The type of token to be returned by the token endpoint.

  • scope - Array or string of OAuth 2.0 scopes.

  • subject_token_type - The type of the subject token (for example, urn:ietf:params:oauth:token-type:access_token).

  • target_type - The target resource type for the On-Behalf-Of flow.

  • target_value - The target resource value for the On-Behalf-Of flow.

  • timeout - Timeout in milliseconds.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_credential_injection_oauth2_obo policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_credential_injection_oauth2_obo.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_credential_injection_oauth2_obo" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_credential_injection_oauth2_obo.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_dataweave_request_filter

Use the anypoint_api_policy_dataweave_request_filter resource to evaluate a DataWeave script against incoming requests and allow or reject them based on the result.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_dataweave_request_filter" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%%dw 2.0\noutput application/json\n---\ntrue"
    requires_payload = false
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Filter script configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave script to evaluate against the request.

  • requires_payload - Whether the script requires access to the request payload.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_dataweave_request_filter policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_dataweave_request_filter.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_dataweave_request_filter" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_dataweave_request_filter.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_dataweave_body_transformation

Use the anypoint_api_policy_dataweave_body_transformation resource to transform request or response bodies using a DataWeave script on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_dataweave_body_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script       = "%%dw 2.0\noutput application/json\n---\npayload"
    request_flow = "request"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Transformation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave transformation script.

  • request_flow - Which flow to apply the transformation to (request or response).

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_dataweave_body_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_dataweave_body_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_dataweave_body_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_dataweave_body_transformation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_dataweave_headers_transformation

Use the anypoint_api_policy_dataweave_headers_transformation resource to transform request or response headers using a DataWeave script on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_dataweave_headers_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Header transformation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave transformation script.

  • request_flow - Which flow to apply the transformation to (request or response).

  • requires_payload - Whether the script requires access to the payload.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_dataweave_headers_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_dataweave_headers_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_dataweave_headers_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_dataweave_headers_transformation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_external_oauth2_access_token_enforcement

Use the anypoint_api_policy_external_oauth2_access_token_enforcement resource to validate OAuth 2.0 access tokens against an external authorization server on an Anypoint API instance.

This policy is only supported on mule4 API instances.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    token_url                 = "https://auth.example.com/oauth2/token"
    scope_validation_criteria = "AND"
    scopes                    = "read write"
    expose_headers            = false
    skip_client_id_validation = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Token validation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.6.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • token_url - (Required) URL of the OAuth 2.0 token endpoint.

  • authentication_timeout - Authentication request timeout in milliseconds.

  • expose_headers - Whether to expose rate-limit headers in the response.

  • max_cache_entries - Maximum number of entries in the token cache.

  • scope_validation_criteria - How scopes are validated (AND or OR).

  • scopes - Space-separated list of required OAuth scopes.

  • secure_trust_store - Whether to use a secure trust store for token validation.

  • skip_client_id_validation - Whether to skip client ID validation.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
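
A request that matches none of the pointcut conditions falls outside this policy's scope, so it is worth asserting at plan time that every route that must carry a token is covered. The following is an added example, not part of the provider documentation: the local names and sample routes are constructed, var.environment_id and anypoint_api_instance.example are reused from the usage example above, and it assumes the gateway matches each regex against the whole method and path (hence the ^(?:...)$ wrapping).

```hcl
locals {
  # Conditions handed to pointcut_data (evaluated as a logical OR).
  oauth_pointcuts = [
    {
      methodRegex      = "GET"
      uriTemplateRegex = "/api/v1/read/.*"
    },
    {
      methodRegex      = "POST|PUT"
      uriTemplateRegex = "/api/v1/write/.*"
    },
  ]

  # Constructed sample routes that must never be served without a token.
  must_require_token = [
    { method = "GET", path = "/api/v1/read/orders" },
    { method = "PUT", path = "/api/v1/write/orders/42" },
    { method = "DELETE", path = "/api/v1/write/orders/42" },
  ]

  # Routes matched by no condition. Assumption: whole-string matching, so each
  # regex is wrapped in ^(?:...)$ before regex() tests it. regex() raises an
  # error when nothing matches, which can() turns into false.
  uncovered_routes = [
    for r in local.must_require_token : "${r.method} ${r.path}"
    if length([
      for p in local.oauth_pointcuts : p
      if can(regex("^(?:${p.methodRegex})$", r.method)) &&
      can(regex("^(?:${p.uriTemplateRegex})$", r.path))
    ]) == 0
  ]
}

resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "scoped" {
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    token_url = "https://auth.example.com/oauth2/token"
    scopes    = "read write"
  }

  pointcut_data = jsonencode(local.oauth_pointcuts)

  lifecycle {
    # Stops the plan while any listed route is outside the policy's scope.
    precondition {
      condition     = length(local.uncovered_routes) == 0
      error_message = "Not covered by the OAuth pointcut: ${join(", ", local.uncovered_routes)}"
    }
  }
}
```

With the conditions shown, the DELETE route is reported and the plan stops until a condition covers it or the route is removed from the list. Preconditions require Terraform 1.2 or later.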

Import

An existing anypoint_api_policy_external_oauth2_access_token_enforcement policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_external_oauth2_access_token_enforcement.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_external_oauth2_access_token_enforcement.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_header_injection

Use the anypoint_api_policy_header_injection resource to add custom headers to inbound requests or outbound responses on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_header_injection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    inbound_headers = [
      {
        name  = "X-Custom-Header"
        value = "custom-value"
      }
    ]
    outbound_headers = []
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Header injection configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.3.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • inbound_headers - (Dynamic) Array of inbound headers to inject or remove.

  • outbound_headers - (Dynamic) Array of outbound headers to inject or remove.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_header_injection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_header_injection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_header_injection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_header_injection.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_header_removal

Use the anypoint_api_policy_header_removal resource to strip specific headers from inbound requests or outbound responses on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_header_removal" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    inbound_headers = [
      {
        name = "X-Remove-Me"
      }
    ]
    outbound_headers = []
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Header removal configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • inbound_headers - (Dynamic) Array of inbound headers to remove.

  • outbound_headers - (Dynamic) Array of outbound headers to remove.
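
The order argument matters when this resource is combined with anypoint_api_policy_header_injection: removing a client-supplied header before the gateway sets its own value means the upstream only ever sees the gateway's copy. This is an added example, not part of the provider documentation; the header name X-Gateway-Verified, its value, and the resource labels are illustrative, and var.environment_id and anypoint_api_instance.example are reused from the usage example above.

```hcl
# Runs first (lower order): drop any copy of the header sent by the client.
resource "anypoint_api_policy_header_removal" "strip_client_copy" {
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  label           = "strip-client-supplied-header"

  configuration = {
    inbound_headers = [
      {
        name = "X-Gateway-Verified" # illustrative header name
      }
    ]
    outbound_headers = []
  }

  order = 1
}

# Runs second: set the value the upstream is allowed to rely on.
resource "anypoint_api_policy_header_injection" "set_gateway_value" {
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  label           = "inject-gateway-header"

  configuration = {
    inbound_headers = [
      {
        name  = "X-Gateway-Verified" # same illustrative name as above
        value = "true"
      }
    ]
    outbound_headers = []
  }

  order = 2
}
```

If either policy sets pointcut_data, give both the same conditions so that no route receives the injected header without the removal step having run first.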

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_header_removal policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_header_removal.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_header_removal" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_header_removal.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_header_transformation

Use the anypoint_api_policy_header_transformation resource to transform request or response headers using a DataWeave script on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_header_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Transformation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260127.134148.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave transformation script.

  • request_flow - Which flow to apply the transformation to (request or response).

  • requires_payload - Whether the script requires access to the payload.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_header_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_header_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_header_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_header_transformation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_health_check

Use the anypoint_api_policy_health_check resource to expose a health check endpoint on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_health_check" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    endpoint    = "/health"
    path        = "/health"
    status_code = "200"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Health check configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • endpoint - The health check endpoint URL.

  • path - The health check path.

  • status_code - The expected HTTP status code for a healthy response.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_health_check policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_health_check.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_health_check" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_health_check.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_http_basic_authentication

Use the anypoint_api_policy_http_basic_authentication resource to enforce HTTP Basic Authentication on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_http_basic_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username = "admin"
    password = "secret"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Authentication credentials.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.3.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • username - (Required) The username for authentication.

  • password - (Required) The password for authentication.
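
The usage example above writes the credential as a literal, which puts it in version control with the rest of the configuration. The following added example (not part of the provider documentation) passes the same two attributes through input variables instead; the variable names, the resource label, and the 16-character minimum are illustrative choices, and var.environment_id and anypoint_api_instance.example are reused from the usage example.

```hcl
# Weak form, as in the usage example: the credential is committed to the repo.
#   configuration = {
#     username = "admin"
#     password = "secret"
#   }

variable "basic_auth_username" {
  type        = string
  description = "Username enforced by the HTTP Basic Authentication policy."
}

variable "basic_auth_password" {
  type        = string
  description = "Password enforced by the HTTP Basic Authentication policy."
  sensitive   = true # redacted in plan and apply output

  # Reject short values before anything is sent to the platform.
  validation {
    condition     = length(var.basic_auth_password) >= 16
    error_message = "basic_auth_password must be at least 16 characters."
  }
}

resource "anypoint_api_policy_http_basic_authentication" "hardened" {
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username = var.basic_auth_username
    password = var.basic_auth_password
  }

  order = 1
}
```

Supply the value at run time, for example through the TF_VAR_basic_auth_password environment variable set from a secrets manager. Marking a variable sensitive only hides it from CLI output; the value is still written to the Terraform state, so the state backend needs encryption and restricted access.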

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_http_basic_authentication policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_http_basic_authentication.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_http_basic_authentication" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_http_basic_authentication.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_http_caching

Use the anypoint_api_policy_http_caching resource to cache HTTP responses on an Anypoint API instance to reduce upstream load and improve response times.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_http_caching" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    http_caching_key       = "#[attributes.requestPath]"
    max_cache_entries      = 1000
    ttl                    = 600
    distributed            = false
    persist_cache          = false
    use_http_cache_headers = true
    invalidation_header    = "X-Cache-Invalidate"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Cache configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • http_caching_key - Expression to compute the cache key.

  • max_cache_entries - Maximum number of entries in the cache.

  • ttl - Time-to-live in seconds for cached entries.

  • distributed - Whether the cache is distributed across the cluster.

  • persist_cache - Whether to persist the cache to disk.

  • use_http_cache_headers - Whether to honor standard HTTP caching headers.

  • invalidation_header - Header name that triggers cache invalidation.

  • request_expression - Expression to evaluate on the request for caching decisions.

  • response_expression - Expression to evaluate on the response for caching decisions.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_http_caching policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_http_caching.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_http_caching" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_http_caching.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_idle_timeout

Use the anypoint_api_policy_idle_timeout resource to close idle upstream connections after a configurable period on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Timeout configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy monitors.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • timeout - (Required) Idle connection timeout in milliseconds.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_idle_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_idle_timeout.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_idle_timeout" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_idle_timeout.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_intask_authentication_policy

Use the anypoint_api_policy_intask_authentication_policy resource to delegate authentication to a secondary OAuth 2.0 provider on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_intask_authentication_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
    token_timeout           = 3600
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Authentication configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260113204639.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • authorization_endpoint - (Required) URL of the OAuth 2.0 authorization endpoint.

  • redirect_uri - (Required) The redirect URI for the OAuth 2.0 flow.

  • secondary_auth_provider - (Required) Name of the secondary authentication provider.

  • token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.

  • body_encoding - Encoding for the token request body.

  • challenge_response_status_code - HTTP status code for the challenge response.

  • code_challenge_method - The PKCE code challenge method (for example, S256).

  • response_type - The OAuth 2.0 response type (for example, code).

  • scopes - Space-separated list of required OAuth scopes.

  • token_audience - Expected audience value for the token.

  • token_timeout - Token validity timeout in seconds.

  • user_email_header - Header name to extract the user email from.

  • user_id_header - Header name to extract the user ID from.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_intask_authentication_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_intask_authentication_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_intask_authentication_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_intask_authentication_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_intask_authorization_code_policy

Use the anypoint_api_policy_intask_authorization_code_policy resource to enforce the OAuth 2.0 Authorization Code flow via a secondary provider on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_intask_authorization_code_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Authorization code flow configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.0.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • authorization_endpoint - (Required) URL of the OAuth 2.0 authorization endpoint.

  • redirect_uri - (Required) The redirect URI for the OAuth 2.0 flow.

  • secondary_auth_provider - (Required) Name of the secondary authentication provider.

  • token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.

  • body_encoding - Encoding for the token request body.

  • challenge_response_status_code - HTTP status code for the challenge response.

  • code_challenge_method - The PKCE code challenge method (for example, S256).

  • response_type - The OAuth 2.0 response type (for example, code).

  • scopes - Space-separated list of required OAuth scopes.

  • token_timeout - Token validity timeout in seconds.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_intask_authorization_code_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_intask_authorization_code_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_intask_authorization_code_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_intask_authorization_code_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_ip_allowlist

Use the anypoint_api_policy_ip_allowlist resource to restrict access to an Anypoint API instance to a specific set of IP addresses or CIDR blocks.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_ip_allowlist" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ip_expression  = "#[attributes.remoteAddress]"
    ips            = ["10.0.0.0/8", "172.16.0.0/12"]
    methods_string = "GET|POST"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Allowlist configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • ip_expression - (Required) Expression to extract the client IP address from the request.

  • ips - (Required, List of String) IP addresses or CIDR blocks to allow. Must be a list of strings, not a comma-separated string.

  • methods_string - Pipe-separated list of HTTP methods this policy applies to (for example, GET|POST).

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
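
A scoped policy only runs on requests that match one of its conditions, so it is worth listing the routes that fall outside the pointcut before relying on the allowlist. The following Python script is an added example, not part of the provider or of Anypoint; the route inventory is constructed, and it assumes each regex must match the whole method or the whole path, which this page does not state.

```python
import json
import re

# The "Multiple conditions" pointcut from this page, as the JSON string
# that jsonencode() would produce.
POINTCUT_JSON = json.dumps([
    {"methodRegex": "GET", "uriTemplateRegex": "/api/v1/read/.*"},
    {"methodRegex": "POST|PUT", "uriTemplateRegex": "/api/v1/write/.*"},
])

# Constructed inventory of routes the API exposes (hypothetical).
ROUTES = [
    ("GET", "/api/v1/read/orders"),
    ("POST", "/api/v1/write/orders"),
    ("PUT", "/api/v1/write/orders/42"),
    ("DELETE", "/api/v1/write/orders/42"),
    ("GET", "/api/v1/write/orders"),
    ("GET", "/api/v2/read/orders"),
]


def load_conditions(pointcut_json):
    """Parse pointcut_data; None (null) means the policy applies everywhere."""
    if pointcut_json is None:
        return None
    conditions = json.loads(pointcut_json)
    if not isinstance(conditions, list):
        raise ValueError("pointcut_data must be a JSON array of conditions")
    compiled = []
    for cond in conditions:
        # An omitted key matches everything, the same as ".*".
        method = re.compile(cond.get("methodRegex", ".*"))
        uri = re.compile(cond.get("uriTemplateRegex", ".*"))
        compiled.append((method, uri))
    return compiled


def is_covered(conditions, method, path):
    """True if any condition matches; conditions are combined with OR.

    Assumption: a regex must match the whole method / whole path.
    """
    if conditions is None:
        return True
    return any(m.fullmatch(method) and u.fullmatch(path) for m, u in conditions)


def uncovered_routes(pointcut_json, routes):
    """Return the routes the scoped policy would not be applied to."""
    conditions = load_conditions(pointcut_json)
    return [(m, p) for m, p in routes if not is_covered(conditions, m, p)]


if __name__ == "__main__":
    for method, path in uncovered_routes(POINTCUT_JSON, ROUTES):
        print(f"policy not applied: {method} {path}")
```

Every route the script reports reaches the upstream without passing through the scoped policy, so each one needs either its own condition or a policy with pointcut_data left null.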

Import

An existing anypoint_api_policy_ip_allowlist policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_ip_allowlist.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_ip_allowlist" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_ip_allowlist.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_ip_blocklist

Use the anypoint_api_policy_ip_blocklist resource to deny access to an Anypoint API instance from specific IP addresses or CIDR blocks.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_ip_blocklist" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ip_expression  = "#[attributes.remoteAddress]"
    ips            = ["192.168.1.0/24", "10.0.0.1"]
    methods_string = "GET|POST"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Blocklist configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • ip_expression - (Required) Expression to extract the client IP address from the request.

  • ips - (Required, List of String) IP addresses or CIDR blocks to block. Must be a list of strings, not a comma-separated string.

  • methods_string - Pipe-separated list of HTTP methods this policy applies to (for example, GET|POST).

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_ip_blocklist policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_ip_blocklist.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_ip_blocklist" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_ip_blocklist.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_injection_protection

Use the anypoint_api_policy_injection_protection resource to detect and block SQL, script, and other injection attacks on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_injection_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    protect_path_and_query = true
    protect_headers        = true
    protect_body           = true
    reject_requests        = true
    built_in_protections   = ["sql-injection", "script-injection"]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Injection protection configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • built_in_protections - (Dynamic) Built-in injection protection types to enable (for example, sql-injection, script-injection).

  • custom_protections - (Dynamic) Custom injection protection regex patterns.

  • protect_path_and_query - Whether to apply injection protection to path and query parameters.

  • protect_headers - Whether to apply injection protection to headers.

  • protect_body - Whether to apply injection protection to the request body.

  • reject_requests - Whether to reject requests that match injection patterns.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_injection_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_injection_protection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_injection_protection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_injection_protection.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_json_threat_protection

Use the anypoint_api_policy_json_threat_protection resource to protect an Anypoint API instance against malicious JSON payloads by enforcing structural limits.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_json_threat_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    max_container_depth          = 10
    max_string_value_length      = 256
    max_object_entry_name_length = 128
    max_object_entry_count       = 50
    max_array_element_count      = 50
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) JSON structural limits.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.2.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • max_container_depth - Maximum nesting depth for JSON containers.

  • max_string_value_length - Maximum length for JSON string values.

  • max_object_entry_name_length - Maximum length for JSON object entry names.

  • max_object_entry_count - Maximum number of entries in a JSON object.

  • max_array_element_count - Maximum number of elements in a JSON array.
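
To see what the five limits mean for a concrete payload, for instance when checking that legitimate client requests stay within them before the policy is enabled, the following Python checker applies them to a constructed sample. It is an added example, not the gateway's implementation; counting the root container as depth 1 and measuring lengths in characters are assumptions.

```python
import json

# Limits copied from the Example Usage block above.
LIMITS = {
    "max_container_depth": 10,
    "max_string_value_length": 256,
    "max_object_entry_name_length": 128,
    "max_object_entry_count": 50,
    "max_array_element_count": 50,
}


def build_sample():
    """Constructed payload that breaks four of the five limits."""
    deep = "leaf"
    for _ in range(11):              # 11 arrays nested inside the root object
        deep = [deep]
    return json.dumps({
        "user": {"name": "a" * 300, "tags": list(range(60))},
        "k" * 130: 1,
        "nested": deep,
    })


def find_violations(payload_text, limits=LIMITS):
    """Return a list of (limit_name, json_path, observed_value) tuples."""
    try:
        root = json.loads(payload_text)
    except RecursionError:
        # The parser itself gave up: nesting is far beyond any configured limit.
        return [("max_container_depth", "$", None)]
    violations = []
    stack = [(root, "$", 0)]         # explicit stack instead of recursion
    while stack:
        node, path, depth = stack.pop()
        if isinstance(node, str):
            if len(node) > limits["max_string_value_length"]:
                violations.append(("max_string_value_length", path, len(node)))
            continue
        if not isinstance(node, (dict, list)):
            continue                 # numbers, booleans, null
        depth += 1
        if depth > limits["max_container_depth"]:
            violations.append(("max_container_depth", path, depth))
            continue                 # report once, do not descend further
        if isinstance(node, dict):
            if len(node) > limits["max_object_entry_count"]:
                violations.append(("max_object_entry_count", path, len(node)))
            for name, value in node.items():
                if len(name) > limits["max_object_entry_name_length"]:
                    violations.append(
                        ("max_object_entry_name_length", path, len(name)))
                stack.append((value, f"{path}.{name}", depth))
        else:
            if len(node) > limits["max_array_element_count"]:
                violations.append(("max_array_element_count", path, len(node)))
            for index, value in enumerate(node):
                stack.append((value, f"{path}[{index}]", depth))
    return violations


if __name__ == "__main__":
    for name, path, observed in find_violations(build_sample()):
        print(f"{name}: {observed} at {path}")
```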

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_json_threat_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_json_threat_protection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_json_threat_protection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_json_threat_protection.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_jwt_validation

Use the anypoint_api_policy_jwt_validation resource to validate JWT tokens on incoming requests to an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_jwt_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    jwt_origin                = "httpBearerAuthenticationHeader"
    signing_method            = "rsa"
    signing_key_length        = 256
    jwt_key_origin            = "jwks"
    jwks_url                  = "https://example.com/.well-known/jwks.json"
    skip_client_id_validation = true
    validate_aud_claim        = true
    mandatory_exp_claim       = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) JWT validation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 0.12.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • jwt_origin - (Required) Where the JWT token is extracted from (for example, httpBearerAuthenticationHeader).

  • claims_to_headers - (Dynamic) Array mapping JWT claims to response headers.

  • client_id_expression - Expression to extract the client ID from the request.

  • custom_key_expression - Custom expression to resolve the signing key.

  • jwks_service_connection_timeout - Connection timeout in milliseconds for the JWKS endpoint.

  • jwks_service_time_to_live - TTL in seconds for cached JWKS keys.

  • jwks_url - URL to the JWKS endpoint for key retrieval.

  • jwt_expression - Custom expression to extract the JWT token.

  • jwt_key_origin - Source of the signing key (for example, jwks, text).

  • mandatory_aud_claim - Whether the aud claim is mandatory.

  • mandatory_custom_claims - (Dynamic) Custom claims that must be present.

  • mandatory_exp_claim - Whether the exp (expiration) claim is mandatory.

  • mandatory_nbf_claim - Whether the nbf (not before) claim is mandatory.

  • non_mandatory_custom_claims - (Dynamic) Optional custom claims to validate if present.

  • signing_key_length - The key length for the signing algorithm.

  • signing_method - The signing algorithm (for example, rsa, hmac).

  • skip_client_id_validation - Whether to skip client ID validation.

  • supported_audiences - Comma-separated list of supported audience values.

  • text_key - The inline signing key when jwt_key_origin is text.

  • validate_aud_claim - Whether to validate the aud (audience) claim.

  • validate_custom_claim - Whether to validate custom claims.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_jwt_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_jwt_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_jwt_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_jwt_validation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_ldap_authentication

Use the anypoint_api_policy_ldap_authentication resource to authenticate incoming requests against an LDAP directory on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_ldap_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    ldap_server_url           = "ldap://ldap.example.com:389"
    ldap_server_user_dn       = "cn=admin,dc=example,dc=com"
    ldap_server_user_password = "admin-password"
    ldap_search_base          = "ou=users,dc=example,dc=com"
    ldap_search_filter        = "(uid={0})"
    ldap_search_in_subtree    = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) LDAP connection and search configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.4.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • ldap_server_url - (Required) URL of the LDAP server.

  • ldap_server_user_dn - (Required) Distinguished name of the LDAP bind user.

  • ldap_server_user_password - (Required) Password for the LDAP bind user.

  • ldap_search_base - (Required) Base DN for LDAP searches.

  • ldap_search_filter - (Required) LDAP search filter expression.

  • ldap_search_in_subtree - Whether to search in subtrees.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_ldap_authentication policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_ldap_authentication.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_ldap_authentication" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_ldap_authentication.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_bedrock_llm_provider_policy

Use the anypoint_api_policy_bedrock_llm_provider_policy resource to configure AWS Bedrock as the LLM provider for an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_bedrock_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"
    aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    aws_region            = "us-east-1"
    service_name          = "bedrock"
    timeout               = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) AWS Bedrock connection configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • aws_access_key_id - (Required) AWS access key ID.

  • aws_region - (Required) AWS region for the Bedrock service.

  • aws_secret_access_key - (Required) AWS secret access key.

  • aws_session_token - AWS session token for temporary credentials.

  • service_name - The AWS service name.

  • timeout - Request timeout in milliseconds.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_bedrock_llm_provider_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_bedrock_llm_provider_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_bedrock_llm_provider_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_bedrock_llm_provider_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_gemini_llm_provider_policy

Use the anypoint_api_policy_gemini_llm_provider_policy resource to configure Google Gemini as the LLM provider for an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_gemini_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    api_key = "AIzaSy-xxxxxxxxxxxx"
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
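
The LDAP, Bedrock and Gemini examples above place the bind password, AWS secret key and API key in the configuration as string literals, which puts them in version control alongside the code. The following added example (not from the provider documentation) passes the same documented attributes through sensitive input variables instead; the variable names and the bind DN are assumptions.

```hcl
# Added example. Resource and attribute names are the ones documented on this
# page; variable names and the bind DN are constructed for illustration.
# var.organization_id, var.environment_id, anypoint_api_instance.example and
# anypoint_api_upstream.example are the same references the page's examples use.

variable "ldap_server_url" {
  description = "URL of the LDAP server."
  type        = string
}

variable "ldap_bind_password" {
  description = "Password for the LDAP bind user."
  type        = string
  sensitive   = true # redacted in plan/apply output
  nullable    = false

  validation {
    condition     = length(var.ldap_bind_password) > 0
    error_message = "ldap_bind_password must not be empty."
  }
}

variable "aws_access_key_id" {
  type      = string
  sensitive = true
  nullable  = false
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true
  nullable  = false
}

variable "aws_session_token" {
  description = "Session token when temporary credentials are used."
  type        = string
  sensitive   = true
  default     = null # leave unset for long-lived keys
}

variable "gemini_api_key" {
  type      = string
  sensitive = true
  nullable  = false
}

resource "anypoint_api_policy_ldap_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    # With an ldap:// URL the bind DN and password cross the network
    # unencrypted. Whether this policy accepts an ldaps:// URL is not stated
    # on this page; confirm it before relying on it.
    ldap_server_url = var.ldap_server_url
    # Constructed DN: a dedicated search account rather than cn=admin.
    ldap_server_user_dn       = "cn=svc-api-search,ou=services,dc=example,dc=com"
    ldap_server_user_password = var.ldap_bind_password
    ldap_search_base          = "ou=users,dc=example,dc=com"
    ldap_search_filter        = "(uid={0})"
    ldap_search_in_subtree    = true
  }

  order = 1
}

resource "anypoint_api_policy_bedrock_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    aws_access_key_id     = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
    aws_session_token     = var.aws_session_token
    aws_region            = "us-east-1"
    service_name          = "bedrock"
    timeout               = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

resource "anypoint_api_policy_gemini_llm_provider_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    api_key = var.gemini_api_key
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

# sensitive = true only hides the values in CLI output. They are still written
# to the Terraform state, so the state backend needs encryption and access
# control of its own.
```

Supply the values at run time, for example through TF_VAR_<name> environment variables such as TF_VAR_gemini_api_key, rather than a committed .tfvars file.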

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Gemini connection configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.0.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • api_key - (Required) API key for the Gemini LLM provider.

  • model_mapper - (Dynamic) Array of model name mappings.

  • timeout - Request timeout in milliseconds.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_gemini_llm_provider_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_gemini_llm_provider_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_gemini_llm_provider_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_gemini_llm_provider_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_gemini_transcoding_policy

Use the anypoint_api_policy_gemini_transcoding_policy resource to transcode requests and responses between the OpenAI API format and the Google Gemini API format on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_gemini_transcoding_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.0.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_gemini_transcoding_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_gemini_transcoding_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_gemini_transcoding_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_gemini_transcoding_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_llm_gw_core_policy

Use the anypoint_api_policy_llm_gw_core_policy resource to route LLM requests to the correct provider backend based on a vendor header on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_llm_gw_core_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    header_name           = "X-LLM-Vendor"
    vendor_header_mapping = [
      {
        vendor       = "openai"
        header_value = "openai"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Vendor routing configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20251230075635.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • header_name - (Required) Name of the header used for vendor routing.

  • vendor_header_mapping - (Required, Dynamic) Array mapping vendor names to header values.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_llm_gw_core_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_llm_gw_core_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_llm_gw_core_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_llm_gw_core_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_llm_proxy_core

Use the anypoint_api_policy_llm_proxy_core resource to enable core LLM proxy functionality on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_llm_proxy_core" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260127095720.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_llm_proxy_core policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_llm_proxy_core.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_llm_proxy_core" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_llm_proxy_core.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_llm_proxy_core_policy

Use the anypoint_api_policy_llm_proxy_core_policy resource to route LLM proxy requests to the correct provider backend based on a vendor header on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_llm_proxy_core_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    header_name           = "X-LLM-Vendor"
    vendor_header_mapping = [
      {
        vendor       = "openai"
        header_value = "openai"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Vendor routing configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260108100848.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • header_name - (Required) Name of the header used for vendor routing.

  • vendor_header_mapping - (Required, Dynamic) Array mapping vendor names to header values.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_llm_proxy_core_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_llm_proxy_core_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_llm_proxy_core_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_llm_proxy_core_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_access_control

Use the anypoint_api_policy_mcp_access_control resource to define access control rules for MCP tools on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_access_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rules = [
      {
        tool   = "list_files"
        action = "allow"
      }
    ]
    auth_type = "bearer"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Access control configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • rules - (Required, Dynamic) Array of access control rules.

  • auth_type - Authentication type (for example, bearer, api_key).

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_access_control policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_access_control.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_access_control" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_access_control.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_global_access_policy

Use the anypoint_api_policy_mcp_global_access_policy resource to define global access rules for all MCP tools on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_global_access_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rules = [
      {
        action = "allow"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Access control configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • rules - (Required, Dynamic) Array of access control rules.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_global_access_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_global_access_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_global_access_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_global_access_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_pii_detector

Use the anypoint_api_policy_mcp_pii_detector resource to detect personally identifiable information (PII) in MCP requests and responses on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_pii_detector" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    entities = ["EMAIL", "PHONE_NUMBER", "CREDIT_CARD"]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) PII detection configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • entities - (Required, Dynamic) PII entity types to detect (for example, EMAIL, PHONE_NUMBER, CREDIT_CARD).

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_pii_detector policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_pii_detector.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_pii_detector" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_pii_detector.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_schema_validation

Use the anypoint_api_policy_mcp_schema_validation resource to validate MCP tool input and output against their declared schemas on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_schema_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    validate_tool_schema = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Schema validation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • validate_tool_schema - Whether to validate MCP tool input/output against schema.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_schema_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_schema_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_schema_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_schema_validation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_support

Use the anypoint_api_policy_mcp_support resource to enable Model Context Protocol (MCP) support on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_support" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {}

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_support policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_support.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_support" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_support.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_tool_mapping

Use the anypoint_api_policy_mcp_tool_mapping resource to remap MCP tool names from a source name to a target name on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_tool_mapping" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    tool_mappings = [
      {
        source_tool = "original_tool"
        target_tool = "mapped_tool"
      }
    ]
    log_mappings = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Tool mapping configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • tool_mappings - (Required, Dynamic) Array of tool name mappings from source to target.

  • log_mappings - Whether to log tool mapping operations.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_tool_mapping policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_tool_mapping.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_tool_mapping" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_tool_mapping.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_mcp_transcoding_router

Use the anypoint_api_policy_mcp_transcoding_router resource to route and transcode MCP requests to backend services on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_mcp_transcoding_router" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    transcoding_path = "/mcp"
    routes = [
      {
        tool    = "example_tool"
        backend = "https://backend.example.com"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Transcoding router configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1-20260414150102.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • routes - (Required, Dynamic) Array of routing rules mapping tools to backends.

  • transcoding_path - Base path for MCP transcoding requests.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_mcp_transcoding_router policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_mcp_transcoding_router.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_transcoding_router" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_mcp_transcoding_router.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_message_logging

Use the anypoint_api_policy_message_logging resource to log request and response messages on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_message_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logging_configuration = [
      {
        item_name = "request"
        item_data = {
          message        = "#[payload]"
          conditional    = "#[true]"
          level          = "INFO"
          first_section  = true
          second_section = false
        }
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Logging configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 2.0.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • logging_configuration - (Required, Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper — the platform rejects flat field structures with HTTP 400.

Each element requires the following structure:

logging_configuration = [
  {
    item_name = "<string>"   # unique label for this logging rule
    item_data = {
      message        = "<string>"  # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>"  # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>"  # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>"  # Optional logger category name
      first_section  = <bool>      # Log on request phase (default: true)
      second_section = <bool>      # Log on response phase (default: false)
    }
  }
]

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_message_logging policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_message_logging.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_message_logging" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_message_logging.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_message_logging_outbound

Use the anypoint_api_policy_message_logging_outbound resource to log outbound responses from upstream services on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_message_logging_outbound" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logging_configuration = [
      {
        item_name = "response"
        item_data = {
          message        = "#[payload]"
          conditional    = "#[true]"
          level          = "INFO"
          first_section  = false
          second_section = true
        }
      }
    ]
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Logging configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 2.0.2.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • logging_configuration - (Required, Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper — the platform rejects flat field structures with HTTP 400.

Each element requires the following structure:

logging_configuration = [
  {
    item_name = "<string>"   # unique label for this logging rule
    item_data = {
      message        = "<string>"  # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>"  # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>"  # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>"  # Optional logger category name
      first_section  = <bool>      # Log on request phase (default: true)
      second_section = <bool>      # Log on response phase (default: false)
    }
  }
]
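The wrapper requirement above applies to both anypoint_api_policy_message_logging and anypoint_api_policy_message_logging_outbound. The following check is an added example, not code from the provider: it validates a logging_configuration value against the documented structure before apply, so a flat rule is caught locally instead of as an HTTP 400. It assumes message is mandatory (the page marks only conditional and category as optional), and the sample values are constructed.

```python
LEVELS = {"DEBUG", "INFO", "WARN", "ERROR"}

# Field name -> expected type, taken from the structure documented above.
ITEM_DATA_TYPES = {
    "message": str,
    "level": str,
    "conditional": str,
    "category": str,
    "first_section": bool,
    "second_section": bool,
}


def validate_logging_configuration(rules):
    """Return a list of problems; an empty list means the documented shape is met."""
    if not isinstance(rules, list):
        return ["logging_configuration must be an array"]
    problems, seen_names = [], set()
    for index, rule in enumerate(rules):
        where = f"logging_configuration[{index}]"
        if not isinstance(rule, dict):
            problems.append(f"{where}: must be an object")
            continue
        # Flat structure: item_data fields placed directly on the rule.
        flat = sorted(set(rule) & set(ITEM_DATA_TYPES))
        if flat:
            problems.append(f"{where}: {', '.join(flat)} must be nested under item_data")
        name = rule.get("item_name")
        if not isinstance(name, str) or not name:
            problems.append(f"{where}: item_name is missing")
        elif name in seen_names:
            problems.append(f"{where}: item_name '{name}' is not unique")
        else:
            seen_names.add(name)
        data = rule.get("item_data")
        if not isinstance(data, dict):
            problems.append(f"{where}: item_data is missing")
            continue
        for field, value in data.items():
            expected = ITEM_DATA_TYPES.get(field)
            if expected is None:
                problems.append(f"{where}.item_data: unknown field '{field}'")
            elif not isinstance(value, expected):
                # Catches "true" (string) where a bool is required, for example.
                problems.append(f"{where}.item_data.{field}: expected {expected.__name__}")
        if "message" not in data:  # assumption: message is mandatory
            problems.append(f"{where}.item_data: message is missing")
        level = data.get("level", "INFO")
        if isinstance(level, str) and level not in LEVELS:
            allowed = ", ".join(sorted(LEVELS))
            problems.append(f"{where}.item_data.level: '{level}' is not one of {allowed}")
    return problems


# Constructed samples: the rule from Example Usage, a flat rule, and a rule
# with a duplicate name, an unknown level and a string where a bool belongs.
GOOD_RULE = {
    "item_name": "response",
    "item_data": {
        "message": "#[payload]",
        "conditional": "#[true]",
        "level": "INFO",
        "first_section": False,
        "second_section": True,
    },
}
FLAT_RULE = {"message": "#[payload]", "level": "INFO"}
BAD_RULE = {
    "item_name": "response",
    "item_data": {"message": "x", "level": "TRACE", "second_section": "true"},
}

if __name__ == "__main__":
    for problem in validate_logging_configuration([GOOD_RULE, FLAT_RULE, BAD_RULE]):
        print(problem)
```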

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
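The scoping rules above, which every policy resource on this page shares, can be checked before apply. The following is an added Python sketch, not part of the provider or the Anypoint Platform, that reports which routes a pointcut_data value leaves outside the policy. It assumes whole-string regex matching and Python's regex dialect, neither of which this page states, and the route inventory is constructed sample data.

```python
import json
import re

ALLOWED_KEYS = {"methodRegex", "uriTemplateRegex"}


def load_pointcuts(pointcut_json):
    """Compile the JSON string produced by jsonencode(); None means all resources."""
    if pointcut_json is None:
        return None
    conditions = json.loads(pointcut_json)
    if not isinstance(conditions, list) or not conditions:
        # An empty array is rejected here because this page does not say
        # how the platform evaluates it.
        raise ValueError("pointcut_data must be a non-empty JSON array")
    compiled = []
    for index, condition in enumerate(conditions):
        if not isinstance(condition, dict):
            raise ValueError(f"condition {index} must be an object")
        unknown = set(condition) - ALLOWED_KEYS
        if unknown:
            # A misspelled key would otherwise silently widen the match to ".*".
            raise ValueError(f"condition {index} has unknown keys: {sorted(unknown)}")
        try:
            # An omitted key matches everything, as documented above.
            method = re.compile(condition.get("methodRegex", ".*"))
            uri = re.compile(condition.get("uriTemplateRegex", ".*"))
        except re.error as exc:
            raise ValueError(f"condition {index} has an invalid regex: {exc}") from exc
        compiled.append((method, uri))
    return compiled


def policy_applies(compiled, method, path):
    """True when at least one condition matches (conditions are OR-ed)."""
    if compiled is None:
        return True
    # Assumption: the whole method and the whole path must match the regex.
    return any(m.fullmatch(method) and u.fullmatch(path) for m, u in compiled)


def uncovered(compiled, routes):
    """Return the (method, path) pairs the policy would not be applied to."""
    return [(m, p) for m, p in routes if not policy_applies(compiled, m, p)]


# The "Multiple conditions" pointcut from this page, as jsonencode() would emit it.
PAGE_POINTCUT = json.dumps([
    {"methodRegex": "GET", "uriTemplateRegex": "/api/v1/read/.*"},
    {"methodRegex": "POST|PUT", "uriTemplateRegex": "/api/v1/write/.*"},
])

# Constructed route inventory for illustration.
ROUTES = [
    ("GET", "/api/v1/read/items"),
    ("POST", "/api/v1/write/items"),
    ("PUT", "/api/v1/write/items/7"),
    ("DELETE", "/api/v1/write/items/7"),  # method not listed in any condition
    ("POST", "/api/v1/read/items"),       # POST is only scoped to /write/
    ("GET", "/api/v1/read"),              # no trailing slash, so "/read/.*" misses it
    ("GET", "/api/v2/read/items"),        # different version prefix
]

if __name__ == "__main__":
    for method, path in uncovered(load_pointcuts(PAGE_POINTCUT), ROUTES):
        print(f"policy not applied: {method} {path}")
```

For an access control, PII detection or schema validation policy, every route this reports is one the policy does not inspect, so review the list against what the API actually serves.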

Import

An existing anypoint_api_policy_message_logging_outbound policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_message_logging_outbound.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_message_logging_outbound" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_message_logging_outbound.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_model_based_routing

Use the anypoint_api_policy_model_based_routing resource to route LLM requests to the appropriate upstream based on the requested model on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_model_based_routing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    supported_vendors = [
      {
        vendor = "openai"
        models = ["gpt-4", "gpt-3.5-turbo"]
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Routing configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260127100214.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • supported_vendors - (Required, Dynamic) Array of supported LLM vendor configurations.

  • fallback - (Dynamic) Fallback vendor configuration object.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_model_based_routing policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_model_based_routing.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_model_based_routing" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_model_based_routing.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_agent_connection_telemetry

Use the anypoint_api_policy_agent_connection_telemetry resource to collect telemetry data from agent connections on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_agent_connection_telemetry" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    source_agent_id = "agent-001"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Telemetry configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • source_agent_id - Identifier for the source agent connection.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_agent_connection_telemetry policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_agent_connection_telemetry.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_agent_connection_telemetry" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_agent_connection_telemetry.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_native_aws_lambda

Use the anypoint_api_policy_native_aws_lambda resource to invoke an AWS Lambda function natively from an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_native_aws_lambda" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    arn                 = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    payload_passthrough = false
    invocation_mode     = "synchronous"
    authentication_mode = "static_credentials"
    credentials = {
      access_key_id     = "AKIAIOSFODNN7EXAMPLE"
      secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Lambda invocation configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.1.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • arn - (Required) The ARN of the AWS Lambda function.

  • payload_passthrough - (Required) Whether to pass the request payload directly to Lambda.

  • invocation_mode - (Required) Lambda invocation mode (synchronous or asynchronous).

  • authentication_mode - (Required) AWS authentication mode (for example, static_credentials, iam_role).

  • credentials - (Dynamic) AWS credentials object with access_key_id, secret_access_key, and optional session_token.
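
The Example Usage above writes the access key pair as string literals in the configuration. As an added example (not taken from the provider's documentation), the same resource can take temporary credentials, including the optional session_token, from sensitive input variables. The aws_lambda_* variable names are assumptions; var.organization_id, var.environment_id and the referenced resources are the ones the page's own example uses.

```hcl
# Added example. The aws_lambda_* variable names are assumptions, not provider-defined.
variable "aws_lambda_access_key_id" {
  type      = string
  sensitive = true
}

variable "aws_lambda_secret_access_key" {
  type      = string
  sensitive = true
}

variable "aws_lambda_session_token" {
  type        = string
  sensitive   = true
  description = "Session token issued together with the temporary key pair."
}

resource "anypoint_api_policy_native_aws_lambda" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    arn                 = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    payload_passthrough = false
    invocation_mode     = "synchronous"
    authentication_mode = "static_credentials"

    # No secret appears in the .tf files; values arrive at plan/apply time,
    # for example through TF_VAR_aws_lambda_* environment variables.
    credentials = {
      access_key_id     = var.aws_lambda_access_key_id
      secret_access_key = var.aws_lambda_secret_access_key
      session_token     = var.aws_lambda_session_token
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
```

Marking a variable sensitive redacts it in plan and apply output, but the value is still written to the Terraform state, so the state backend needs encryption and access control of its own.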

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_native_aws_lambda policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_native_aws_lambda.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_native_aws_lambda" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_native_aws_lambda.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_native_ext_authz

Use the anypoint_api_policy_native_ext_authz resource to delegate authorization decisions to an external service via gRPC or HTTP on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_native_ext_authz" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    uri             = "grpc://auth-service:9090"
    server_type     = "grpc"
    request_timeout = 5000
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) External authorization configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.2.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • uri - (Required) The URI of the external authorization service.

  • server_type - (Required) The server type (for example, grpc, http).

  • allowed_headers - (Dynamic) Headers to forward to the external service.

  • include_peer_certificate - Whether to include the peer certificate in the authorization request.

  • path_prefix - Path prefix for the external authorization request.

  • request_timeout - Request timeout in milliseconds.

  • server_api_version - The API version of the external authorization server.

  • service_request_headers_to_add - (Dynamic) Headers to add to the authorization request.

  • service_response_client_headers - (Dynamic) Headers from the authorization response to send to the client.

  • service_response_client_headers_on_success - (Dynamic) Headers to send on successful authorization.

  • service_response_upstream_headers - (Dynamic) Headers from the authorization response to send upstream.

  • service_response_upstream_headers_to_append - (Dynamic) Headers from the authorization response to append upstream.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
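
When pointcut_data scopes an authorization policy, any request that matches none of the conditions never reaches the external authorization service. The added example below (not part of the provider's documentation) keeps the conditions in a local value and uses a Terraform precondition to fail the plan if a listed route falls outside them. The local names and sample requests are constructed, and the check assumes the gateway matches the whole method and the whole path; Terraform's regex() uses RE2 syntax, which may differ from the gateway's dialect.

```hcl
# Added example. Local names and sample requests are constructed for illustration.
locals {
  # Conditions in the shape documented above for pointcut_data.
  authz_pointcuts = [
    { methodRegex = "GET", uriTemplateRegex = "/api/v1/read/.*" },
    { methodRegex = "POST|PUT", uriTemplateRegex = "/api/v1/write/.*" },
  ]

  # Requests that must always pass through the authorization policy.
  must_be_covered = [
    { method = "GET", path = "/api/v1/read/orders" },
    { method = "POST", path = "/api/v1/write/orders" },
    { method = "PUT", path = "/api/v1/write/orders/42" },
  ]

  # Entries of must_be_covered that no condition matches.
  # Conditions are ORed, so one full match of method and path is enough.
  uncovered = [
    for r in local.must_be_covered : "${r.method} ${r.path}"
    if !anytrue([
      for c in local.authz_pointcuts :
      can(regex("^(?:${c.methodRegex})$", r.method)) &&
      can(regex("^(?:${c.uriTemplateRegex})$", r.path))
    ])
  ]
}

resource "anypoint_api_policy_native_ext_authz" "scoped" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    uri             = "grpc://auth-service:9090"
    server_type     = "grpc"
    request_timeout = 5000
  }

  pointcut_data = jsonencode(local.authz_pointcuts)
  order         = 1

  lifecycle {
    # Fails terraform plan when a protected route would bypass the policy.
    precondition {
      condition     = length(local.uncovered) == 0
      error_message = "Not matched by any pointcut_data condition: ${join(", ", local.uncovered)}"
    }
  }
}
```

Adding { method = "DELETE", path = "/api/v1/write/orders/42" } to must_be_covered makes the plan fail, because neither condition lists DELETE.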

Import

An existing anypoint_api_policy_native_ext_authz policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_native_ext_authz.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_native_ext_authz" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_native_ext_authz.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_native_ext_proc

Use the anypoint_api_policy_native_ext_proc resource to stream request and response messages to an external gRPC processing service on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_native_ext_proc" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    uri                  = "grpc://ext-proc-service:9091"
    message_timeout      = 5000
    failure_mode_allow   = false
    request_header_mode  = "SEND"
    response_header_mode = "SKIP"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) External processor configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • uri - (Required) The URI of the external processing service.

  • allow_mode_override - Whether to allow the external processor to override the processing mode.

  • failure_mode_allow - Whether to allow requests when the external processor fails.

  • max_message_timeout - Maximum message processing timeout in milliseconds.

  • message_timeout - Message processing timeout in milliseconds.

  • request_body_mode - Processing mode for the request body.

  • request_header_mode - Processing mode for request headers (for example, SEND, SKIP).

  • request_trailer_mode - Processing mode for request trailers.

  • response_body_mode - Processing mode for the response body.

  • response_header_mode - Processing mode for response headers (for example, SEND, SKIP).

  • response_trailer_mode - Processing mode for response trailers.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_native_ext_proc policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_native_ext_proc.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_native_ext_proc" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_native_ext_proc.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_oauth2_token_introspection

Use the anypoint_api_policy_oauth2_token_introspection resource to validate OAuth 2.0 tokens by introspecting them against an authorization server on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_oauth2_token_introspection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    introspection_url         = "https://auth.example.com/oauth2/introspect"
    authorization_value       = "Bearer your-token-here"
    validated_token_ttl       = 600
    skip_client_id_validation = true
    expose_headers            = false
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Token introspection configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • introspection_url - (Required) URL of the OAuth 2.0 token introspection endpoint.

  • authorization_value - (Required) Authorization header value for the introspection request.

  • authentication_timeout - Authentication request timeout in milliseconds.

  • consumer_by - How to identify the API consumer (for example, client_id).

  • expose_headers - Whether to expose rate-limit headers in the response.

  • max_cache_entries - Maximum number of entries in the token cache.

  • scope_validation_criteria - How scopes are validated (AND or OR).

  • skip_client_id_validation - Whether to skip client ID validation.

  • validated_token_ttl - TTL in seconds for validated token cache entries.
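
The Example Usage above skips client ID validation and caches validated tokens for 600 seconds. As an added example (not taken from the provider's documentation), the configuration below keeps client ID validation on, bounds the cache, and takes the introspection credential from a sensitive variable. The variable name and the numeric values are constructed, and the comment on the TTL assumes cached results are not re-checked before they expire.

```hcl
# Added example. The variable name and the numeric values are constructed.
variable "introspection_authorization" {
  type        = string
  sensitive   = true
  description = "Authorization header value sent to the introspection endpoint."
}

resource "anypoint_api_policy_oauth2_token_introspection" "hardened" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    introspection_url      = "https://auth.example.com/oauth2/introspect"
    authorization_value    = var.introspection_authorization
    authentication_timeout = 5000 # milliseconds

    # A cached "valid" result is reused until its TTL expires, so a token
    # revoked at the authorization server can still be accepted for up to
    # this many seconds. Lower values cost more introspection calls.
    validated_token_ttl = 60
    max_cache_entries   = 1000

    # Keep the client ID check on and identify consumers by client_id.
    skip_client_id_validation = false
    consumer_by               = "client_id"
    expose_headers            = false
  }

  order = 1
}
```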

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_oauth2_token_introspection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_oauth2_token_introspection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_oauth2_token_introspection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_oauth2_token_introspection.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_openai_transcoding_policy

Use the anypoint_api_policy_openai_transcoding_policy resource to configure OpenAI as the LLM provider for an Anypoint API instance, handling request and response transcoding.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_openai_transcoding_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    api_key = "sk-xxxxxxxxxxxx"
    timeout = 30000
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) OpenAI connection configuration.

  • upstream_ids - (Required, List of String) Upstream IDs this policy applies to.

  • pointcut_data - Pointcut definition as a JSON string.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • asset_version - The policy asset version. Defaults to 1.0.0.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • api_key - (Required) API key for the OpenAI LLM provider.

  • model_mapper - (Dynamic) Array of model name mappings.

  • timeout - Request timeout in milliseconds.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_openai_transcoding_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_openai_transcoding_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_openai_transcoding_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_openai_transcoding_policy.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_semantic_prompt_guard_policy_openai

Use the anypoint_api_policy_semantic_prompt_guard_policy_openai resource to block prompts that semantically match denied topics using OpenAI embeddings on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    openai_url             = "https://api.openai.com/v1"
    openai_api_key         = "sk-xxxxxxxxxxxx"
    openai_embedding_model = "text-embedding-ada-002"
    timeout                = 5000
    deny_topics = [
      {
        topic       = "harmful content"
        description = "Block harmful content generation"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Prompt guard configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260130084752.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • deny_topics - (Required, Dynamic) Array of topics to deny in prompt guard evaluation.

  • openai_api_key - (Required) API key for the OpenAI service.

  • openai_url - (Required) URL of the OpenAI API.

  • openai_embedding_model - The OpenAI embedding model to use.

  • threshold - (Dynamic) Threshold configuration object for similarity scoring.

  • timeout - Timeout value in milliseconds.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_semantic_prompt_guard_policy_openai policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_semantic_prompt_guard_policy_openai.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_semantic_prompt_guard_policy_openai.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_semantic_routing_policy_huggingface

Use the anypoint_api_policy_semantic_routing_policy_huggingface resource to route requests to different upstreams based on semantic similarity using HuggingFace embeddings on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_semantic_routing_policy_huggingface" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    huggingface_url     = "https://api-inference.huggingface.co/models/sentence-transformers/all-MiniLM-L6-v2"
    huggingface_api_key = "hf_xxxxxxxxxxxx"
    timeout             = 5000
    routes = [
      {
        description = "Route for customer queries"
        upstream_id = "upstream-1"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Semantic routing configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260130095514.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • huggingface_api_key - (Required) API key for the HuggingFace service.

  • huggingface_url - (Required) URL of the HuggingFace inference API.

  • routes - (Required, Dynamic) Array of routing rules.

  • fallback_route - (Dynamic) Fallback route configuration when no semantic match is found.

  • threshold - (Dynamic) Threshold configuration object for similarity scoring.

  • timeout - Timeout value in milliseconds.
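The openai_api_key and huggingface_api_key arguments described in the two configuration schemas above hold live credentials, so the literal placeholders in the usage examples should not be replaced with real keys in source. The following is an added example, not part of the provider documentation: it passes both keys through sensitive input variables and requires HTTPS for the endpoints that receive them. The variable names and resource labels are assumptions; var.organization_id, var.environment_id and anypoint_api_instance.example are expected to be defined elsewhere, as in the page's own examples.

```hcl
# Added example. Variable names and resource labels are assumptions;
# the resource arguments are the ones documented on this page.

variable "openai_api_key" {
  description = "API key for the OpenAI embeddings endpoint."
  type        = string
  sensitive   = true # redacted in plan/apply output, still written to state

  validation {
    # Reject an empty value and the documentation placeholder.
    condition     = length(var.openai_api_key) > 0 && var.openai_api_key != "sk-xxxxxxxxxxxx"
    error_message = "Provide a real OpenAI API key, for example through TF_VAR_openai_api_key."
  }
}

variable "huggingface_api_key" {
  description = "API key for the HuggingFace inference endpoint."
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.huggingface_api_key) > 0 && var.huggingface_api_key != "hf_xxxxxxxxxxxx"
    error_message = "Provide a real HuggingFace API key, for example through TF_VAR_huggingface_api_key."
  }
}

variable "openai_url" {
  type    = string
  default = "https://api.openai.com/v1"

  validation {
    # The API key accompanies requests to this URL, so refuse plain HTTP.
    condition     = can(regex("^https://", var.openai_url))
    error_message = "The OpenAI URL must start with https://."
  }
}

variable "huggingface_url" {
  type    = string
  default = "https://api-inference.huggingface.co/models/sentence-transformers/all-MiniLM-L6-v2"

  validation {
    condition     = can(regex("^https://", var.huggingface_url))
    error_message = "The HuggingFace URL must start with https://."
  }
}

resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "guard" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    openai_url             = var.openai_url
    openai_api_key         = var.openai_api_key
    openai_embedding_model = "text-embedding-ada-002"
    timeout                = 5000
    deny_topics = [
      {
        topic       = "harmful content"
        description = "Block harmful content generation"
      }
    ]
  }

  # Lower numbers run first: the guard evaluates the prompt before routing.
  order = 1
}

resource "anypoint_api_policy_semantic_routing_policy_huggingface" "routing" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    huggingface_url     = var.huggingface_url
    huggingface_api_key = var.huggingface_api_key
    timeout             = 5000
    routes = [
      {
        description = "Route for customer queries"
        upstream_id = "upstream-1"
      }
    ]
  }

  order = 2
}
```

Marking a variable as sensitive only hides it from CLI output; the key is still stored in the Terraform state, so the state backend needs encryption and restricted access.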

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_semantic_routing_policy_huggingface policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_semantic_routing_policy_huggingface.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_semantic_routing_policy_huggingface" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_semantic_routing_policy_huggingface.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_rate_limiting

Use the anypoint_api_policy_rate_limiting resource to limit the number of requests an API instance accepts within a configurable time window.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_rate_limiting" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rate_limits = [
      {
        maximum_requests            = 100
        time_period_in_milliseconds = 60000
      }
    ]
    expose_headers = false
    clusterizable  = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Rate limit configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.4.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • rate_limits - (Required, Dynamic) Array of rate limit rules with maximum_requests and time_period_in_milliseconds.

  • key_selector - Expression to extract the rate limit key from the request.

  • expose_headers - Whether to expose rate-limit headers in the response.

  • clusterizable - Whether rate limit counters are shared across a cluster.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
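
The rate_limits array, key_selector and pointcut_data described above can be combined in one resource. The following is an added example, not part of the provider documentation: it applies a burst window and a sustained window per client to the write endpoints only. It assumes that each rate_limits entry is enforced independently and that key_selector accepts the same DataWeave expression form the page shows for client_id_expression; the resource label and the label value are also assumptions.

```hcl
# Added example. The resource label, the label value and the choice of limits
# are assumptions; the arguments are the ones documented on this page.

resource "anypoint_api_policy_rate_limiting" "writes_per_client" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  label           = "write-endpoints-per-client"

  configuration = {
    # Two windows (assumed to be enforced independently):
    # a short burst cap and a longer sustained cap.
    rate_limits = [
      {
        maximum_requests            = 10
        time_period_in_milliseconds = 1000
      },
      {
        maximum_requests            = 100
        time_period_in_milliseconds = 60000
      }
    ]

    # One counter per client_id header value instead of one global counter.
    # The header is supplied by the caller, so this separates cooperating
    # clients; it does not authenticate them. Run an authentication policy
    # with a lower order number if the key must be trustworthy.
    key_selector = "#[attributes.headers['client_id']]"

    # Keep the limit counters out of response headers.
    expose_headers = false

    # Share counters across the cluster so the limit is not counted
    # separately on each node.
    clusterizable = true
  }

  # Only state-changing requests under /api/v1/write/ are counted.
  # Requests that match no condition are not affected by this policy.
  pointcut_data = jsonencode([
    {
      methodRegex      = "POST|PUT"
      uriTemplateRegex = "/api/v1/write/.*"
    }
  ])

  # Lower numbers run first; leave room for policies that must run earlier.
  order = 2
}
```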

Import

An existing anypoint_api_policy_rate_limiting policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_rate_limiting.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_rate_limiting" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_rate_limiting.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_rate_limiting_sla_based

Use the anypoint_api_policy_rate_limiting_sla_based resource to enforce rate limits based on client SLA tiers on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_rate_limiting_sla_based" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    client_id_expression     = "#[attributes.headers['client_id']]"
    client_secret_expression = "#[attributes.headers['client_secret']]"
    expose_headers           = false
    clusterizable            = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) SLA-based rate limit configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.3.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • client_id_expression - DataWeave expression to extract the client ID from the request.

  • client_secret_expression - DataWeave expression to extract the client secret from the request.

  • expose_headers - Whether to expose rate-limit headers in the response.

  • clusterizable - Whether rate limit counters are shared across a cluster.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_rate_limiting_sla_based policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_rate_limiting_sla_based.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_rate_limiting_sla_based" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_rate_limiting_sla_based.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_response_timeout

Use the anypoint_api_policy_response_timeout resource to enforce a maximum response time on upstream requests from an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_response_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Timeout configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • timeout - (Required) Response timeout in milliseconds.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_response_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_response_timeout.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_response_timeout" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_response_timeout.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_script_evaluation_transformation

Use the anypoint_api_policy_script_evaluation_transformation resource to evaluate and transform request or response payloads using a DataWeave script on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_script_evaluation_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    script           = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Script configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.0-20260127.133315.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • script - (Required) The DataWeave transformation script.

  • request_flow - Which flow to apply the transformation to (request or response).

  • requires_payload - Whether the script requires access to the payload.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_script_evaluation_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_script_evaluation_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_script_evaluation_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_script_evaluation_transformation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_sse_logging

Use the anypoint_api_policy_sse_logging resource to log Server-Sent Events (SSE) traffic on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_sse_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logs = [
      {
        message = "#[payload]"
        level   = "INFO"
      }
    ]
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) SSE logging configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • logs - (Required, Dynamic) Array of log entry configurations.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_sse_logging policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_sse_logging.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_sse_logging" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_sse_logging.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_spec_validation

Use the anypoint_api_policy_spec_validation resource to validate incoming requests against the API specification on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_spec_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    block_operation          = true
    strict_params_validation = true
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Spec validation configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • block_operation - Whether to block operations not defined in the API spec.

  • strict_params_validation - Whether to strictly validate query and header parameters.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_spec_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_spec_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_spec_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_spec_validation.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_spike_control

Use the anypoint_api_policy_spike_control resource to queue and throttle traffic spikes on an Anypoint API instance, delaying excess requests instead of rejecting them immediately.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_spike_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    maximum_requests            = 100
    time_period_in_milliseconds = 1000
    delay_time_in_millis        = 500
    delay_attempts              = 3
    queuing_limit               = 5
    expose_headers              = false
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Spike control configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.2.2.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • maximum_requests - (Required) Maximum number of requests allowed in the time period.

  • time_period_in_milliseconds - (Required) The time period in milliseconds for the spike control window.

  • delay_time_in_millis - (Required) The delay in milliseconds before retrying queued requests.

  • delay_attempts - (Required) The number of retry attempts before rejecting a queued request.

  • queuing_limit - Maximum number of requests that can be queued.

  • expose_headers - Whether to expose rate-limit headers in the response.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_spike_control policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_spike_control.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_spike_control" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_spike_control.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_stream_idle_timeout

Use the anypoint_api_policy_stream_idle_timeout resource to close idle SSE or streaming connections after a configurable period on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_stream_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    timeout = 30000
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Timeout configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.0.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • timeout - (Required) Stream idle timeout in milliseconds.

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_stream_idle_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_stream_idle_timeout.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_stream_idle_timeout" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_stream_idle_timeout.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_tracing

Use the anypoint_api_policy_tracing resource to instrument distributed tracing on an Anypoint API instance.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_tracing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    span_name = "api-request"
    sampling  = {
      probability = 0.1
    }
    labels = []
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) Tracing configuration.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.1.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • span_name - Custom name for the tracing span.

  • sampling - (Dynamic) Tracing sampling configuration object.

  • labels - (Dynamic) Array of custom labels to attach to traces.

Pointcut Data

Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])

Import

An existing anypoint_api_policy_tracing policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_tracing.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_tracing" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_tracing.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>

anypoint_api_policy_xml_threat_protection

Use the anypoint_api_policy_xml_threat_protection resource to protect an Anypoint API instance against malicious XML payloads by enforcing structural limits.

This policy is only supported on mule4 API instances.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Example Usage

resource "anypoint_api_policy_xml_threat_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    max_node_depth                  = 10
    max_attribute_count_per_element = 10
    max_child_count                 = 50
    max_text_length                 = 256
    max_attribute_length            = 128
    max_comment_length              = 128
  }

  order = 1
}

Required Arguments

  • environment_id - ID of the environment where the API instance lives.

  • api_instance_id - ID of the API instance this policy is applied to.

  • configuration - (Block) XML structural limits.

Optional Arguments

  • organization_id - Organization ID. If omitted, defaults to the organization of the connected app.

  • label - A human-readable label for this policy instance.

  • order - Execution order relative to other policies. Lower numbers run first.

  • asset_version - The policy asset version. Defaults to 1.2.1.

  • disabled - Whether the policy is disabled. Defaults to false.

  • upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.

  • pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.

Read-Only Attributes

  • id - The policy ID.

  • policy_template_id - Policy template ID assigned by the platform.

Nested Schema for configuration

  • max_node_depth - Maximum XML node nesting depth.

  • max_attribute_count_per_element - Maximum number of attributes per XML element.

  • max_child_count - Maximum number of child elements per XML node.

  • max_text_length - Maximum length for XML text nodes.

  • max_attribute_length - Maximum length for XML attribute values.

  • max_comment_length - Maximum length for XML comments.
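To see what each of the six limits measures, the following added example (not the policy's own implementation, and not code from this provider) enforces them with a streaming parser that stops at the first breach. It assumes lengths are counted in characters and that child and attribute counts are per element; `first_violation` and `LimitExceeded` are hypothetical names.

```python
import xml.parsers.expat

# Limits copied from the Example Usage block on this page.
LIMITS = {
    "max_node_depth": 10,
    "max_attribute_count_per_element": 10,
    "max_child_count": 50,
    "max_text_length": 256,
    "max_attribute_length": 128,
    "max_comment_length": 128,
}

class LimitExceeded(Exception):
    """Carries the name of the limit that was broken."""

def first_violation(xml_bytes, limits=LIMITS):
    """Return the first limit a document exceeds, or None if it passes."""
    children = []  # one child-element counter per currently open element

    def check(name, value):
        if value > limits[name]:
            raise LimitExceeded(name)

    def start(tag, attrs):
        if children:  # this element is a child of the enclosing one
            children[-1] += 1
            check("max_child_count", children[-1])
        children.append(0)
        check("max_node_depth", len(children))
        check("max_attribute_count_per_element", len(attrs))
        for value in attrs.values():
            check("max_attribute_length", len(value))

    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver contiguous text as one node
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: children.pop()
    parser.CharacterDataHandler = lambda s: check("max_text_length", len(s))
    parser.CommentHandler = lambda s: check("max_comment_length", len(s))
    try:
        parser.Parse(xml_bytes, True)  # streaming: stops at the first breach
    except LimitExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "not_well_formed"  # not one of the six limits
    return None

# Constructed sample: 11 nested elements, one more than max_node_depth.
DEEP = b"<a>" * 11 + b"</a>" * 11
```

Running candidate limits against a sample of legitimate payloads before applying the policy shows whether the values are tight enough to be useful without rejecting real traffic.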

Pointcut Data

Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.

Each array element defines one condition:

  • methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.

  • uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.

Multiple conditions are evaluated as a logical OR.

# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
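A scoped policy does not run on requests that match none of its conditions, so it helps to list the routes a given pointcut_data value leaves uncovered. This added example (not part of the provider) applies the Pointcut Data rules described for the policies above to a constructed route inventory; it assumes each pattern must match the whole method or path, and it uses Python's `re` as a stand-in for the gateway's regex engine.

```python
import json
import re

# Same value the "Multiple conditions" jsonencode() call above produces.
POINTCUT_DATA = json.dumps([
    {"methodRegex": "GET", "uriTemplateRegex": "/api/v1/read/.*"},
    {"methodRegex": "POST|PUT", "uriTemplateRegex": "/api/v1/write/.*"},
])

# Constructed route inventory for a hypothetical API.
ROUTES = [
    ("GET", "/api/v1/read/orders"),
    ("POST", "/api/v1/write/orders"),
    ("PATCH", "/api/v1/write/orders"),
    ("POST", "/api/v2/write/orders"),
    ("DELETE", "/api/v1/read/orders"),
]

def covered(method, path, pointcut_data):
    """True if any condition matches (conditions are OR-ed, per the page)."""
    if pointcut_data is None:  # null pointcut_data: policy applies everywhere
        return True
    for cond in json.loads(pointcut_data):
        # An omitted key behaves like ".*", as the page states.
        method_re = cond.get("methodRegex", ".*")
        uri_re = cond.get("uriTemplateRegex", ".*")
        # Assumption: both patterns must match the whole value.
        if re.fullmatch(method_re, method) and re.fullmatch(uri_re, path):
            return True
    return False

def uncovered_routes(routes, pointcut_data):
    """Routes the scoped policy would not be applied to."""
    return [r for r in routes if not covered(*r, pointcut_data)]
```

With the sample data, the PATCH, /api/v2 and DELETE routes fall outside the policy, which is the kind of gap to review before scoping a protective policy such as XML threat protection or spike control.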

Import

An existing anypoint_api_policy_xml_threat_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.

The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.

import {
  to = anypoint_api_policy_xml_threat_protection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_xml_threat_protection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_api_policy_xml_threat_protection.imported <organization_id>/<environment_id>/<api_instance_id>/<policy_id>