API, MCP, and A2A Policy Resources
Use policy resources to apply policies declaratively to APIs, MCP servers, gateways, and AI agent resources.
anypoint_api_policy_a2a_agent_card
Use the anypoint_api_policy_a2a_agent_card resource to publish and manage an A2A Agent Card on an Anypoint API instance. The agent card describes your AI agent’s capabilities and is served at a configurable path.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_a2a_agent_card" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    content        = "{\"name\": \"My Agent\", \"description\": \"An example A2A agent\"}"
    consumer_url   = "https://example.com/agent"
    card_path      = "/.well-known/agent-card.json"
    file_name      = "agent-card.json"
    file_mime_type = "application/json"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance to attach the agent card to.
- configuration - (Block) Agent card content and serving configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies on the same API instance. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 2.0.0-20260327083212.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- content - (Required) The agent card content as a JSON string.
- card_path - Path where the agent card is served.
- consumer_url - Consumer-facing URL for the A2A agent.
- file_mime_type - MIME type of the agent card file.
- file_name - Filename for the agent card.
- file_source - Source of the agent card file.
Pointcut Data
Use pointcut_data to limit the policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_a2a_agent_card policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_a2a_agent_card.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_a2a_agent_card" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_a2a_pii_detector
Use the anypoint_api_policy_a2a_pii_detector resource to detect and act on personally identifiable information (PII) in requests to an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_a2a_pii_detector" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    entities = ["Email", "US SSN", "Credit Card", "Phone Number"]
    action   = "Reject"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - Numeric ID of the API instance to attach this policy to.
- configuration - (Block) PII detection configuration.
Optional Arguments
- organization_id - Organization ID. Defaults to the organization inferred from the connected app if not set.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies on the same API instance. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- entities - (Required, List of String) PII entity types to detect. Valid values: Email, Credit Card, Phone Number, US SSN.
- action - Action to take when PII is detected (for example, Reject).
Pointcut Data
Use pointcut_data to limit the policy to specific HTTP methods and URI patterns. This corresponds to the "Apply configurations to specific methods & resources" setting in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_a2a_pii_detector policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_a2a_pii_detector.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_a2a_pii_detector" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_a2a_prompt_decorator
Use the anypoint_api_policy_a2a_prompt_decorator resource to prepend or append text and file content to prompts on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_a2a_prompt_decorator" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    text_decorators = [
      {
        position = "prefix"
        text     = "You are a helpful assistant."
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment containing the API instance.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Decorator configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- file_decorators - (Dynamic) File-based prompt decorators to inject.
- text_decorators - (Dynamic) Text-based prompt decorators to inject.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_a2a_prompt_decorator policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_a2a_prompt_decorator.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_a2a_prompt_decorator" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_a2a_schema_validation
Use the anypoint_api_policy_a2a_schema_validation resource to manage an A2A Schema Validation policy on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_a2a_schema_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration   = {}
  order           = 1
}
Required Arguments
- environment_id - The environment ID.
- api_instance_id - The API instance ID.
- configuration - (Block) The policy configuration. This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- label - A human-readable label for this policy instance.
- order - The order of policy execution.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) List of upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string. Restricts the policy to specific resources (methods and/or URIs). When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - The policy template ID assigned by the server.
Pointcut Data
The optional pointcut_data attribute restricts the policy to specific HTTP methods and/or URI patterns, matching what is configured under "Apply configurations to specific methods & resources" in the Anypoint Platform UI.
Each element in the array maps to one condition row in the UI:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions act as a logical OR — the policy applies if any condition matches.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_a2a_schema_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_a2a_schema_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_a2a_schema_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_a2a_token_rate_limit
Use the anypoint_api_policy_a2a_token_rate_limit resource to enforce token-based rate limits on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_a2a_token_rate_limit" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    maximum_tokens              = 10000
    time_period_in_milliseconds = 60000
    key_selector                = "#[attributes.headers['Authorization']]"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Rate limit configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- maximum_tokens - (Required) Maximum number of tokens allowed in the time period.
- time_period_in_milliseconds - (Required) Duration of the rate limit window in milliseconds.
- key_selector - DataWeave expression to extract the rate limit key from the request (for example, #[attributes.headers['Authorization']]).
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_a2a_token_rate_limit policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_a2a_token_rate_limit.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_a2a_token_rate_limit" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_body_transformation
Use the anypoint_api_policy_body_transformation resource to apply a DataWeave script to transform request or response bodies on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_body_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    script       = "%dw 2.0\noutput application/json\n---\npayload"
    request_flow = "request"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Transformation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260127.133848.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- script - (Required) The DataWeave transformation script.
- request_flow - Which flow to apply the transformation to (request or response).
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_body_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_body_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_body_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_circuit_breaker
Use the anypoint_api_policy_circuit_breaker resource to protect upstream services from cascading failures by opening the circuit when error or slow-call thresholds are exceeded.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_circuit_breaker" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    thresholds = {
      failure_rate_threshold       = 50
      slow_call_rate_threshold     = 80
      slow_call_duration_threshold = 5000
      sliding_window_size          = 100
      minimum_number_of_calls      = 10
      wait_duration_in_open_state  = 60000
    }
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Circuit breaker thresholds.
- upstream_ids - (Required, List of String) Upstream IDs this policy monitors.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- thresholds - (Required, Dynamic) Circuit breaker threshold configuration object.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_circuit_breaker policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_circuit_breaker.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_circuit_breaker" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_access_block
Use the anypoint_api_policy_access_block resource to block all access to an Anypoint API instance. Combine with pointcut_data to restrict specific methods or URI patterns.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_access_block" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration   = {}
  order           = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance to block access to.
- configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to restrict access blocking to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Block GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_access_block policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_access_block.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_access_block" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_client_id_enforcement
Use the anypoint_api_policy_client_id_enforcement resource to require a valid client ID and secret on all requests to an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_client_id_enforcement" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    credentials_origin_has_http_basic_authentication_header = "customExpression"
    client_id_expression                                    = "#[attributes.headers['client_id']]"
    client_secret_expression                                = "#[attributes.headers['client_secret']]"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Client credential extraction configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.3.3.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- client_id_expression - DataWeave expression to extract the client ID from the request.
- client_secret_expression - DataWeave expression to extract the client secret from the request.
- credentials_origin_has_http_basic_authentication_header - How client credentials are provided (for example, customExpression, httpBasicAuthenticationHeader).
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_client_id_enforcement policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_client_id_enforcement.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_client_id_enforcement" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_cors
Use the anypoint_api_policy_cors resource to configure Cross-Origin Resource Sharing (CORS) on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
Public resource (simple branch)
resource "anypoint_api_policy_cors" "public" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
public_resource = true
support_credentials = false
origin_groups = [
{
origins = ["https://example.com"]
methods = ["GET", "POST", "PUT"]
headers = ["Content-Type", "Authorization"]
}
]
}
order = 1
}
Non-public resource (credentialed branch)
When public_resource = false, the platform enforces a stricter schema. Each origin group must include a name field and access_control_max_age. Omitting either returns HTTP 400.
resource "anypoint_api_policy_cors" "private" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
public_resource = false
support_credentials = true
origin_groups = [
{
name = "allowed-origins"
origins = ["https://example.com"]
methods = ["GET", "POST", "PUT"]
headers = ["Content-Type", "Authorization"]
access_control_max_age = 600
}
]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) CORS configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.3.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- origin_groups - (Required, Dynamic) Array of origin group configurations. Structure differs by branch — see below.
- public_resource - Whether the resource is publicly accessible. Defaults to false. Controls which platform schema branch is used.
- support_credentials - Whether to allow credentials in CORS requests.
origin_groups — public branch (public_resource = true)
| Field | Type | Description |
|---|---|---|
| origins | list(string) | Allowed origin URLs. |
| methods | list(string) | Allowed HTTP methods (for example, |
| headers | list(string) | Allowed request headers. |
origin_groups — non-public branch (public_resource = false)
| Field | Required | Type | Description |
|---|---|---|---|
| name | yes | string | Unique label for this origin group. If omitted, the provider synthesizes |
| origins | no | list(string) | Allowed origin URLs. |
| methods | no | list(string) | HTTP methods. The provider automatically converts these to |
| headers | no | list(string) | Allowed request headers. |
| access_control_max_age | no | number | Preflight cache duration in seconds. Defaults to |
|
Using flat fields directly inside |
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_cors policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_cors.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_cors" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_credential_injection_basic_auth
Use the anypoint_api_policy_credential_injection_basic_auth resource to inject Basic Auth credentials into upstream requests on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_credential_injection_basic_auth" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
username = "service-account"
password = "service-password"
overwrite = true
}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Credential injection configuration.
- upstream_ids - (Required, List of String) Upstream IDs to inject credentials into.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- username - (Required) The username for authentication.
- password - (Required) The password for authentication.
- custom_header - Custom header name to inject credentials into instead of the standard Authorization header.
- overwrite - Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field — omitting it doesn’t cause HTTP 400.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_credential_injection_basic_auth policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_credential_injection_basic_auth.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_credential_injection_basic_auth" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_credential_injection_oauth2
Use the anypoint_api_policy_credential_injection_oauth2 resource to fetch an OAuth 2.0 token and inject it into upstream requests on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_credential_injection_oauth2" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
oauth_service = "https://auth.example.com/oauth2/token"
client_id = "my-client-id"
client_secret = "my-client-secret"
scope = ["read", "write"]
overwrite = true
token_fetch_timeout = 5000
allow_request_without_credential = false
}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) OAuth 2.0 token injection configuration.
- upstream_ids - (Required, List of String) Upstream IDs to inject the token into.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- oauth_service - (Required) URL of the OAuth 2.0 token service.
- client_id - (Required) The OAuth 2.0 client ID.
- client_secret - (Required) The OAuth 2.0 client secret.
- scope - (Dynamic) Array of OAuth 2.0 scopes to request.
- token_fetch_timeout - Timeout in milliseconds for fetching the OAuth token. Defaults to 10000. The provider always sends this field — omitting it doesn’t cause HTTP 400.
- overwrite - Whether to overwrite an existing credential header on the request. Defaults to false. The provider always sends this field.
- allow_request_without_credential - Whether to allow requests to pass through without injected credentials. Defaults to false. The provider always sends this field.
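The Example Usage blocks for the basic auth and OAuth 2.0 credential injection resources set password and client_secret as string literals, which ends up in version control with the rest of the configuration. The following is an added example, not taken from the provider documentation, that supplies both values through sensitive input variables; the variable names upstream_basic_password, oauth_client_secret and oauth_token_url are assumptions, and every other reference is the one the page's own examples use.

```hcl
# Added example: secrets are supplied at plan/apply time, not committed to the repo.
# Variable names are assumptions; set them with TF_VAR_<name> or a secrets backend.
variable "upstream_basic_password" {
  type      = string
  sensitive = true # redacted in plan and apply output
}

variable "oauth_client_secret" {
  type      = string
  sensitive = true
}

variable "oauth_token_url" {
  type = string

  # The client secret is sent to this endpoint, so refuse plain HTTP.
  validation {
    condition     = can(regex("^https://", var.oauth_token_url))
    error_message = "oauth_token_url must use https."
  }
}

resource "anypoint_api_policy_credential_injection_basic_auth" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    username  = "service-account"
    password  = var.upstream_basic_password
    overwrite = true
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}

resource "anypoint_api_policy_credential_injection_oauth2" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    oauth_service       = var.oauth_token_url
    client_id           = "my-client-id"
    client_secret       = var.oauth_client_secret
    scope               = ["read", "write"]
    overwrite           = true
    token_fetch_timeout = 5000

    # false (the documented default): requests are not passed through
    # without injected credentials.
    allow_request_without_credential = false
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
```

Marking a variable sensitive only redacts it from CLI output; the value is still stored in the Terraform state, so the state backend needs encryption and restricted access.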
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_credential_injection_oauth2 policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_credential_injection_oauth2.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_credential_injection_oauth2" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_credential_injection_oauth2_obo
Use the anypoint_api_policy_credential_injection_oauth2_obo resource to exchange an incoming token for a downstream token using the OAuth 2.0 On-Behalf-Of flow, then inject it into upstream requests.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_credential_injection_oauth2_obo" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
flow = "urn:ietf:params:oauth:grant-type:jwt-bearer"
client_id = "my-client-id"
client_secret = "my-client-secret"
token_endpoint = "https://auth.example.com/oauth2/token"
scope = "openid profile"
timeout = 5000
}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) On-Behalf-Of token exchange configuration.
- upstream_ids - (Required, List of String) Upstream IDs to inject the exchanged token into.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.1.0.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- client_id - (Required) The OAuth 2.0 client ID.
- client_secret - (Required) The OAuth 2.0 client secret.
- flow - (Required) The OAuth 2.0 grant flow type.
- token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.
- ciba_enabled - Whether CIBA (Client-Initiated Backchannel Authentication) is enabled.
- ciba_endpoint - The backchannel authentication endpoint URL (used when ciba_enabled is true).
- ciba_binding_message - A human-readable binding message sent to the user’s authentication device (used when ciba_enabled is true).
- ciba_login_hint_claim - The claim used to identify the end user in the CIBA flow (used when ciba_enabled is true).
- distributed - Whether to use distributed token caching across cluster nodes.
- requested_token_type - The type of token to be returned by the token endpoint.
- scope - Array or string of OAuth 2.0 scopes.
- subject_token_type - The type of the subject token (for example, urn:ietf:params:oauth:token-type:access_token).
- target_type - The target resource type for the On-Behalf-Of flow.
- target_value - The target resource value for the On-Behalf-Of flow.
- timeout - Timeout in milliseconds.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_credential_injection_oauth2_obo policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_credential_injection_oauth2_obo.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_credential_injection_oauth2_obo" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_dataweave_request_filter
Use the anypoint_api_policy_dataweave_request_filter resource to evaluate a DataWeave script against incoming requests and allow or reject them based on the result.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_dataweave_request_filter" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
script = "%dw 2.0\noutput application/json\n---\ntrue"
requires_payload = false
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Filter script configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- script - (Required) The DataWeave script to evaluate against the request.
- requires_payload - Whether the script requires access to the request payload.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_dataweave_request_filter policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_dataweave_request_filter.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_dataweave_request_filter" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_dataweave_body_transformation
Use the anypoint_api_policy_dataweave_body_transformation resource to transform request or response bodies using a DataWeave script on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_dataweave_body_transformation" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
script = "%dw 2.0\noutput application/json\n---\npayload"
request_flow = "request"
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Transformation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- script - (Required) The DataWeave transformation script.
- request_flow - Which flow to apply the transformation to (request or response).
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_dataweave_body_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_dataweave_body_transformation.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_dataweave_body_transformation" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_dataweave_headers_transformation
Use the anypoint_api_policy_dataweave_headers_transformation resource to transform request or response headers using a DataWeave script on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_dataweave_headers_transformation" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
script = "%dw 2.0\noutput application/json\n---\npayload"
requires_payload = false
request_flow = "request"
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Header transformation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- script - (Required) The DataWeave transformation script.
- request_flow - Which flow to apply the transformation to (request or response).
- requires_payload - Whether the script requires access to the payload.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_dataweave_headers_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_dataweave_headers_transformation.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_dataweave_headers_transformation" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_external_oauth2_access_token_enforcement
Use the anypoint_api_policy_external_oauth2_access_token_enforcement resource to validate OAuth 2.0 access tokens against an external authorization server on an Anypoint API instance.
This policy is only supported on
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
token_url = "https://auth.example.com/oauth2/token"
scope_validation_criteria = "AND"
scopes = "read write"
expose_headers = false
skip_client_id_validation = true
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Token validation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.6.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- token_url - (Required) URL of the OAuth 2.0 token endpoint.
- authentication_timeout - Authentication request timeout in milliseconds.
- expose_headers - Whether to expose rate-limit headers in the response.
- max_cache_entries - Maximum number of entries in the token cache.
- scope_validation_criteria - How scopes are validated (AND or OR).
- scopes - Space-separated list of required OAuth scopes.
- secure_trust_store - Whether to use a secure trust store for token validation.
- skip_client_id_validation - Whether to skip client ID validation.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
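A policy with pointcut_data applies only to requests that match one of its conditions, so a method or path that every condition misses is not subject to the policy. The following added example (not part of the provider documentation) keeps the conditions in a local value and uses a Terraform check block to list required routes that no condition matches. The route list is constructed sample data, the names auth_pointcuts, must_be_protected and uncovered are hypothetical, and the example assumes the gateway matches each regex against the whole method and the whole path.

```hcl
# Added example, not from the provider documentation.
locals {
  # Single source of truth for the policy scope (same shape as the
  # "Multiple conditions" sample).
  auth_pointcuts = [
    {
      methodRegex      = "GET"
      uriTemplateRegex = "/api/v1/read/.*"
    },
    {
      methodRegex      = "POST|PUT"
      uriTemplateRegex = "/api/v1/write/.*"
    },
  ]

  # Constructed sample routes that must always pass through the policy.
  # DELETE is deliberately absent from both conditions above.
  must_be_protected = [
    { method = "GET", path = "/api/v1/read/orders" },
    { method = "PUT", path = "/api/v1/write/orders/42" },
    { method = "DELETE", path = "/api/v1/write/orders/42" },
  ]

  # Routes matched by no condition. Conditions are OR-ed; within one
  # condition both the method and the path have to match.
  # Assumption: whole-string matching, hence the added ^(?:...)$ anchors.
  uncovered = [
    for r in local.must_be_protected : "${r.method} ${r.path}"
    if !anytrue([
      for c in local.auth_pointcuts :
      can(regex("^(?:${c.methodRegex})$", r.method)) &&
      can(regex("^(?:${c.uriTemplateRegex})$", r.path))
    ])
  ]
}

# Raises a warning during plan and apply while any required route is
# outside the policy scope (check blocks need Terraform 1.5 or later).
check "auth_pointcut_coverage" {
  assert {
    condition     = length(local.uncovered) == 0
    error_message = "Not covered by pointcut_data: ${join(", ", local.uncovered)}"
  }
}

# In the policy resource, reuse the same value:
#   pointcut_data = jsonencode(local.auth_pointcuts)
```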
Import
An existing anypoint_api_policy_external_oauth2_access_token_enforcement policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_external_oauth2_access_token_enforcement.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_external_oauth2_access_token_enforcement" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_header_injection
Use the anypoint_api_policy_header_injection resource to add custom headers to inbound requests or outbound responses on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_header_injection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    inbound_headers = [
      {
        name  = "X-Custom-Header"
        value = "custom-value"
      }
    ]
    outbound_headers = []
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Header injection configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.3.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- inbound_headers - (Dynamic) Array of inbound headers to inject or remove.
- outbound_headers - (Dynamic) Array of outbound headers to inject or remove.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_header_injection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_header_injection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_header_injection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_header_removal
Use the anypoint_api_policy_header_removal resource to strip specific headers from inbound requests or outbound responses on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_header_removal" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    inbound_headers = [
      {
        name = "X-Remove-Me"
      }
    ]
    outbound_headers = []
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Header removal configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- inbound_headers - (Dynamic) Array of inbound headers to remove.
- outbound_headers - (Dynamic) Array of outbound headers to remove.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_header_removal policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_header_removal.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_header_removal" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_header_transformation
Use the anypoint_api_policy_header_transformation resource to transform request or response headers using a DataWeave script on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_header_transformation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    # The DataWeave version directive is %dw; a lone % needs no escaping in an HCL string.
    script           = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow     = "request"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Transformation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260127.134148.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- script - (Required) The DataWeave transformation script.
- request_flow - Which flow to apply the transformation to (request or response).
- requires_payload - Whether the script requires access to the payload.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_header_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_header_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_header_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_health_check
Use the anypoint_api_policy_health_check resource to expose a health check endpoint on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_health_check" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    endpoint    = "/health"
    path        = "/health"
    status_code = "200"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Health check configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- endpoint - The health check endpoint URL.
- path - The health check path.
- status_code - The expected HTTP status code for a healthy response.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_health_check policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_health_check.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_health_check" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_http_basic_authentication
Use the anypoint_api_policy_http_basic_authentication resource to enforce HTTP Basic Authentication on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_http_basic_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    username = "admin"
    password = "secret"
  }
  order = 1
}
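The example above hard-codes the username and password in the configuration. A variant that takes them from input variables, added here for illustration (not part of the provider documentation); the variable names basic_auth_username and basic_auth_password and the 16-character minimum are assumptions, and var.organization_id, var.environment_id and anypoint_api_instance.example are the same references the page's example uses.

```hcl
# Added example, not from the provider documentation.
variable "basic_auth_username" {
  type        = string
  description = "Username accepted by the HTTP Basic Authentication policy."
}

variable "basic_auth_password" {
  type        = string
  description = "Password accepted by the HTTP Basic Authentication policy."
  sensitive   = true # redacted in plan and apply output

  validation {
    # Assumed minimum length; adjust to your own password policy.
    condition     = length(var.basic_auth_password) >= 16
    error_message = "basic_auth_password must be at least 16 characters long."
  }
}

resource "anypoint_api_policy_http_basic_authentication" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    # Supplied at run time, for example through the environment variables
    # TF_VAR_basic_auth_username and TF_VAR_basic_auth_password.
    username = var.basic_auth_username
    password = var.basic_auth_password
  }
  order = 1
}
```

Terraform still writes the password to the state file in plain text, so the state backend needs encryption at rest and restricted access.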
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Authentication credentials.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.3.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- username - (Required) The username for authentication.
- password - (Required) The password for authentication.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_http_basic_authentication policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_http_basic_authentication.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_http_basic_authentication" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_http_caching
Use the anypoint_api_policy_http_caching resource to cache HTTP responses on an Anypoint API instance to reduce upstream load and improve response times.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_http_caching" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    http_caching_key       = "#[attributes.requestPath]"
    max_cache_entries      = 1000
    ttl                    = 600
    distributed            = false
    persist_cache          = false
    use_http_cache_headers = true
    invalidation_header    = "X-Cache-Invalidate"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Cache configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- http_caching_key - Expression to compute the cache key.
- max_cache_entries - Maximum number of entries in the cache.
- ttl - Time-to-live in seconds for cached entries.
- distributed - Whether the cache is distributed across the cluster.
- persist_cache - Whether to persist the cache to disk.
- use_http_cache_headers - Whether to honor standard HTTP caching headers.
- invalidation_header - Header name that triggers cache invalidation.
- request_expression - Expression to evaluate on the request for caching decisions.
- response_expression - Expression to evaluate on the response for caching decisions.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_http_caching policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_http_caching.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_http_caching" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_idle_timeout
Use the anypoint_api_policy_idle_timeout resource to close idle upstream connections after a configurable period on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    timeout = 30000
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Timeout configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy monitors.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_idle_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_idle_timeout.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_idle_timeout" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_intask_authentication_policy
Use the anypoint_api_policy_intask_authentication_policy resource to delegate authentication to a secondary OAuth 2.0 provider on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_intask_authentication_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
    token_timeout           = 3600
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Authentication configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.0-20260113204639.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- authorization_endpoint - (Required) URL of the OAuth 2.0 authorization endpoint.
- redirect_uri - (Required) The redirect URI for the OAuth 2.0 flow.
- secondary_auth_provider - (Required) Name of the secondary authentication provider.
- token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.
- body_encoding - Encoding for the token request body.
- challenge_response_status_code - HTTP status code for the challenge response.
- code_challenge_method - The PKCE code challenge method (for example, S256).
- response_type - The OAuth 2.0 response type (for example, code).
- scopes - Space-separated list of required OAuth scopes.
- token_audience - Expected audience value for the token.
- token_timeout - Token validity timeout in seconds.
- user_email_header - Header name to extract the user email from.
- user_id_header - Header name to extract the user ID from.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])
# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_intask_authentication_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_intask_authentication_policy.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_intask_authentication_policy" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_intask_authorization_code_policy
Use the anypoint_api_policy_intask_authorization_code_policy resource to enforce the OAuth 2.0 Authorization Code flow via a secondary provider on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_intask_authorization_code_policy" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    secondary_auth_provider = "example-provider"
    authorization_endpoint  = "https://auth.example.com/authorize"
    token_endpoint          = "https://auth.example.com/token"
    redirect_uri            = "https://app.example.com/callback"
    scopes                  = "openid profile"
    response_type           = "code"
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Authorization code flow configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.0.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- authorization_endpoint - (Required) URL of the OAuth 2.0 authorization endpoint.
- redirect_uri - (Required) The redirect URI for the OAuth 2.0 flow.
- secondary_auth_provider - (Required) Name of the secondary authentication provider.
- token_endpoint - (Required) URL of the OAuth 2.0 token endpoint.
- body_encoding - Encoding for the token request body.
- challenge_response_status_code - HTTP status code for the challenge response.
- code_challenge_method - The PKCE code challenge method (for example, S256).
- response_type - The OAuth 2.0 response type (for example, code).
- scopes - Space-separated list of required OAuth scopes.
- token_timeout - Token validity timeout in seconds.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_intask_authorization_code_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_intask_authorization_code_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_intask_authorization_code_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_ip_allowlist
Use the anypoint_api_policy_ip_allowlist resource to restrict access to an Anypoint API instance to a specific set of IP addresses or CIDR blocks.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_ip_allowlist" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
ip_expression = "#[attributes.remoteAddress]"
ips = ["10.0.0.0/8", "172.16.0.0/12"]
methods_string = "GET|POST"
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Allowlist configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- ip_expression - (Required) Expression to extract the client IP address from the request.
- ips - (Required, List of String) IP addresses or CIDR blocks to allow. Must be a list of strings, not a comma-separated string.
- methods_string - Pipe-separated list of HTTP methods this policy applies to (for example, GET|POST).
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_ip_allowlist policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_ip_allowlist.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_ip_allowlist" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_ip_blocklist
Use the anypoint_api_policy_ip_blocklist resource to deny access to an Anypoint API instance from specific IP addresses or CIDR blocks.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_ip_blocklist" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
ip_expression = "#[attributes.remoteAddress]"
ips = ["192.168.1.0/24", "10.0.0.1"]
methods_string = "GET|POST"
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Blocklist configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- ip_expression - (Required) Expression to extract the client IP address from the request.
- ips - (Required, List of String) IP addresses or CIDR blocks to block. Must be a list of strings, not a comma-separated string.
- methods_string - Pipe-separated list of HTTP methods this policy applies to (for example, GET|POST).
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_ip_blocklist policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_ip_blocklist.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_ip_blocklist" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_injection_protection
Use the anypoint_api_policy_injection_protection resource to detect and block SQL, script, and other injection attacks on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_injection_protection" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
protect_path_and_query = true
protect_headers = true
protect_body = true
reject_requests = true
built_in_protections = ["sql-injection", "script-injection"]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Injection protection configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- built_in_protections - (Dynamic) Built-in injection protection types to enable (for example, sql-injection, script-injection).
- custom_protections - (Dynamic) Custom injection protection regex patterns.
- protect_path_and_query - Whether to apply injection protection to path and query parameters.
- protect_headers - Whether to apply injection protection to headers.
- protect_body - Whether to apply injection protection to the request body.
- reject_requests - Whether to reject requests that match injection patterns.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_injection_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_injection_protection.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_injection_protection" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_json_threat_protection
Use the anypoint_api_policy_json_threat_protection resource to protect an Anypoint API instance against malicious JSON payloads by enforcing structural limits.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_json_threat_protection" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
max_container_depth = 10
max_string_value_length = 256
max_object_entry_name_length = 128
max_object_entry_count = 50
max_array_element_count = 50
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) JSON structural limits.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.2.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- max_container_depth - Maximum nesting depth for JSON containers.
- max_string_value_length - Maximum length for JSON string values.
- max_object_entry_name_length - Maximum length for JSON object entry names.
- max_object_entry_count - Maximum number of entries in a JSON object.
- max_array_element_count - Maximum number of elements in a JSON array.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_json_threat_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_json_threat_protection.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_json_threat_protection" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_jwt_validation
Use the anypoint_api_policy_jwt_validation resource to validate JWT tokens on incoming requests to an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_jwt_validation" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
jwt_origin = "httpBearerAuthenticationHeader"
signing_method = "rsa"
signing_key_length = 256
jwt_key_origin = "jwks"
jwks_url = "https://example.com/.well-known/jwks.json"
skip_client_id_validation = true
validate_aud_claim = true
mandatory_exp_claim = true
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) JWT validation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 0.12.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- jwt_origin - (Required) Where the JWT token is extracted from (for example, httpBearerAuthenticationHeader).
- claims_to_headers - (Dynamic) Array mapping JWT claims to response headers.
- client_id_expression - Expression to extract the client ID from the request.
- custom_key_expression - Custom expression to resolve the signing key.
- jwks_service_connection_timeout - Connection timeout in milliseconds for the JWKS endpoint.
- jwks_service_time_to_live - TTL in seconds for cached JWKS keys.
- jwks_url - URL to the JWKS endpoint for key retrieval.
- jwt_expression - Custom expression to extract the JWT token.
- jwt_key_origin - Source of the signing key (for example, jwks, text).
- mandatory_aud_claim - Whether the aud claim is mandatory.
- mandatory_custom_claims - (Dynamic) Custom claims that must be present.
- mandatory_exp_claim - Whether the exp (expiration) claim is mandatory.
- mandatory_nbf_claim - Whether the nbf (not before) claim is mandatory.
- non_mandatory_custom_claims - (Dynamic) Optional custom claims to validate if present.
- signing_key_length - The key length for the signing algorithm.
- signing_method - The signing algorithm (for example, rsa, hmac).
- skip_client_id_validation - Whether to skip client ID validation.
- supported_audiences - Comma-separated list of supported audience values.
- text_key - The inline signing key when jwt_key_origin is text.
- validate_aud_claim - Whether to validate the aud (audience) claim.
- validate_custom_claim - Whether to validate custom claims.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_jwt_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_jwt_validation.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_jwt_validation" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
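The Example Usage for anypoint_api_policy_jwt_validation turns on validate_aud_claim without listing any audiences and leaves the nbf claim optional. The following added example (not part of the provider documentation) sets the related claim and JWKS arguments from the Nested Schema together; the audience value, cache TTL and timeout are constructed values, and var.organization_id, var.environment_id and anypoint_api_instance.example are assumed to be declared as in the page's own examples.

```hcl
# Added example: JWT validation with audience, expiry and not-before checks
# configured together. Values marked "constructed" are illustrative only.
resource "anypoint_api_policy_jwt_validation" "strict" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    # Token location and signature verification, as in the page's example.
    jwt_origin         = "httpBearerAuthenticationHeader"
    signing_method     = "rsa"
    signing_key_length = 256
    jwt_key_origin     = "jwks"
    jwks_url           = "https://example.com/.well-known/jwks.json"

    # JWKS cache lifetime (seconds) and connection timeout (milliseconds).
    # Constructed values: a short TTL shortens the window in which a key
    # the issuer has rotated out is still accepted from cache.
    jwks_service_time_to_live       = 300
    jwks_service_connection_timeout = 5000

    # Audience: require the claim, validate it, and state which audience
    # this API accepts. supported_audiences is a comma-separated string.
    mandatory_aud_claim = true
    validate_aud_claim  = true
    supported_audiences = "https://api.example.com" # constructed

    # Time-based claims: require both exp and nbf. Issuers that do not
    # emit nbf will have their tokens rejected with this setting.
    mandatory_exp_claim = true
    mandatory_nbf_claim = true

    # Kept from the page's example.
    skip_client_id_validation = true
  }

  # pointcut_data is left unset on purpose: when it is null the policy
  # applies to all resources, so no path is served without validation.
  order = 1
}
```

If pointcut_data is added later to narrow this policy, every path that falls outside its conditions is no longer covered by JWT validation and needs its own control.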
anypoint_api_policy_ldap_authentication
Use the anypoint_api_policy_ldap_authentication resource to authenticate incoming requests against an LDAP directory on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_ldap_authentication" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
ldap_server_url = "ldap://ldap.example.com:389"
ldap_server_user_dn = "cn=admin,dc=example,dc=com"
ldap_server_user_password = "admin-password"
ldap_search_base = "ou=users,dc=example,dc=com"
ldap_search_filter = "(uid={0})"
ldap_search_in_subtree = true
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) LDAP connection and search configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.4.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- ldap_server_url - (Required) URL of the LDAP server.
- ldap_server_user_dn - (Required) Distinguished name of the LDAP bind user.
- ldap_server_user_password - (Required) Password for the LDAP bind user.
- ldap_search_base - (Required) Base DN for LDAP searches.
- ldap_search_filter - (Required) LDAP search filter expression.
- ldap_search_in_subtree - Whether to search in subtrees.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_ldap_authentication policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_ldap_authentication.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_ldap_authentication" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_bedrock_llm_provider_policy
Use the anypoint_api_policy_bedrock_llm_provider_policy resource to configure AWS Bedrock as the LLM provider for an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_bedrock_llm_provider_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_region = "us-east-1"
service_name = "bedrock"
timeout = 30000
}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) AWS Bedrock connection configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- aws_access_key_id - (Required) AWS access key ID.
- aws_region - (Required) AWS region for the Bedrock service.
- aws_secret_access_key - (Required) AWS secret access key.
- aws_session_token - AWS session token for temporary credentials.
- service_name - The AWS service name.
- timeout - Request timeout in milliseconds.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_bedrock_llm_provider_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_bedrock_llm_provider_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_bedrock_llm_provider_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_gemini_llm_provider_policy
Use the anypoint_api_policy_gemini_llm_provider_policy resource to configure Google Gemini as the LLM provider for an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_gemini_llm_provider_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
api_key = "AIzaSy-xxxxxxxxxxxx"
timeout = 30000
}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Gemini connection configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.0.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- api_key - (Required) API key for the Gemini LLM provider.
- model_mapper - (Dynamic) Array of model name mappings.
- timeout - Request timeout in milliseconds.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_gemini_llm_provider_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_gemini_llm_provider_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_gemini_llm_provider_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_gemini_transcoding_policy
Use the anypoint_api_policy_gemini_transcoding_policy resource to transcode requests and responses between the OpenAI API format and the Google Gemini API format on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_gemini_transcoding_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {}
upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.0.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_gemini_transcoding_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_gemini_transcoding_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_gemini_transcoding_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_llm_gw_core_policy
Use the anypoint_api_policy_llm_gw_core_policy resource to route LLM requests to the correct provider backend based on a vendor header on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_llm_gw_core_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
header_name = "X-LLM-Vendor"
vendor_header_mapping = [
{
vendor = "openai"
header_value = "openai"
}
]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Vendor routing configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20251230075635.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- header_name - (Required) Name of the header used for vendor routing.
- vendor_header_mapping - (Required, Dynamic) Array mapping vendor names to header values.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_llm_gw_core_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_llm_gw_core_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_llm_gw_core_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_llm_proxy_core
Use the anypoint_api_policy_llm_proxy_core resource to enable core LLM proxy functionality on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_llm_proxy_core" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260127095720.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_llm_proxy_core policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_llm_proxy_core.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_llm_proxy_core" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_llm_proxy_core_policy
Use the anypoint_api_policy_llm_proxy_core_policy resource to route LLM proxy requests to the correct provider backend based on a vendor header on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_llm_proxy_core_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
header_name = "X-LLM-Vendor"
vendor_header_mapping = [
{
vendor = "openai"
header_value = "openai"
}
]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Vendor routing configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260108100848.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- header_name - (Required) Name of the header used for vendor routing.
- vendor_header_mapping - (Required, Dynamic) Array mapping vendor names to header values.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_llm_proxy_core_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_llm_proxy_core_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_llm_proxy_core_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_access_control
Use the anypoint_api_policy_mcp_access_control resource to define access control rules for MCP tools on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_access_control" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
rules = [
{
tool = "list_files"
action = "allow"
}
]
auth_type = "bearer"
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Access control configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- rules - (Required, Dynamic) Array of access control rules.
- auth_type - Authentication type (for example, bearer, api_key).
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
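A pointcut narrows where the policy runs, so on an access control policy any route that matches none of the ORed conditions is left outside it. The following added example (not part of the provider documentation) fails the plan when a route that must be covered matches no condition; the must_cover routes are constructed, and whole-string matching of both regexes is an assumption about how the gateway evaluates them.

```hcl
# Added example: verify at plan time that the pointcut covers every route
# the access control policy is expected to protect.
locals {
  # The two conditions from the "Multiple conditions" example above.
  pointcut = [
    { methodRegex = "GET", uriTemplateRegex = "/api/v1/read/.*" },
    { methodRegex = "POST|PUT", uriTemplateRegex = "/api/v1/write/.*" },
  ]

  # Constructed sample routes that must fall under the policy (hypothetical).
  must_cover = [
    { method = "GET", path = "/api/v1/read/files" },
    { method = "PUT", path = "/api/v1/write/files" },
    { method = "DELETE", path = "/api/v1/write/files" }, # matches no condition
  ]

  # A route is covered when at least one condition matches both its method
  # and its path (logical OR across conditions). Assumption: each regex has
  # to match the whole value, so both are anchored here.
  uncovered = [
    for r in local.must_cover : "${r.method} ${r.path}"
    if !anytrue([
      for c in local.pointcut :
      can(regex("^(?:${c.methodRegex})$", r.method)) &&
      can(regex("^(?:${c.uriTemplateRegex})$", r.path))
    ])
  ]
}

resource "anypoint_api_policy_mcp_access_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    rules = [
      {
        tool   = "list_files"
        action = "allow"
      }
    ]
    auth_type = "bearer"
  }

  pointcut_data = jsonencode(local.pointcut)
  order         = 1

  lifecycle {
    # Stops the plan while any required route is outside the pointcut.
    precondition {
      condition     = length(local.uncovered) == 0
      error_message = "Routes not matched by any pointcut condition: ${join(", ", local.uncovered)}"
    }
  }
}
```

With the constructed DELETE route in must_cover the precondition fails and names that route; adding DELETE to the second condition's methodRegex, or dropping pointcut_data so the policy applies to all resources, clears it.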
Import
An existing anypoint_api_policy_mcp_access_control policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_mcp_access_control.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_mcp_access_control" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_global_access_policy
Use the anypoint_api_policy_mcp_global_access_policy resource to define global access rules for all MCP tools on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_global_access_policy" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
rules = [
{
action = "allow"
}
]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Access control configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_mcp_global_access_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_mcp_global_access_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_mcp_global_access_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_pii_detector
Use the anypoint_api_policy_mcp_pii_detector resource to detect personally identifiable information (PII) in MCP requests and responses on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_pii_detector" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
entities = ["EMAIL", "PHONE_NUMBER", "CREDIT_CARD"]
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) PII detection configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- entities - (Required, Dynamic) PII entity types to detect (for example, EMAIL, PHONE_NUMBER, CREDIT_CARD).
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_mcp_pii_detector policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_mcp_pii_detector.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_mcp_pii_detector" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_schema_validation
Use the anypoint_api_policy_mcp_schema_validation resource to validate MCP tool input and output against their declared schemas on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_schema_validation" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {
validate_tool_schema = true
}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Schema validation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- validate_tool_schema - Whether to validate MCP tool input/output against schema.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_mcp_schema_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_mcp_schema_validation.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_mcp_schema_validation" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_support
Use the anypoint_api_policy_mcp_support resource to enable Model Context Protocol (MCP) support on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_support" "example" {
organization_id = var.organization_id
environment_id = var.environment_id
api_instance_id = anypoint_api_instance.example.id
configuration = {}
order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) This policy doesn’t require any configuration fields — pass an empty block (configuration = {}).
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_mcp_support policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_mcp_support.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_support" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_tool_mapping
Use the anypoint_api_policy_mcp_tool_mapping resource to remap MCP tool names from a source name to a target name on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_tool_mapping" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    tool_mappings = [
      {
        source_tool = "original_tool"
        target_tool = "mapped_tool"
      }
    ]
    log_mappings = true
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Tool mapping configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- tool_mappings - (Required, Dynamic) Array of tool name mappings from source to target.
- log_mappings - Whether to log tool mapping operations.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_mcp_tool_mapping policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_mcp_tool_mapping.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_tool_mapping" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_mcp_transcoding_router
Use the anypoint_api_policy_mcp_transcoding_router resource to route and transcode MCP requests to backend services on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_mcp_transcoding_router" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    transcoding_path = "/mcp"
    routes = [
      {
        tool    = "example_tool"
        backend = "https://backend.example.com"
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Transcoding router configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1-20260414150102.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- routes - (Required, Dynamic) Array of routing rules mapping tools to backends.
- transcoding_path - Base path for MCP transcoding requests.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_mcp_transcoding_router policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_mcp_transcoding_router.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_mcp_transcoding_router" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_message_logging
Use the anypoint_api_policy_message_logging resource to log request and response messages on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_message_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    logging_configuration = [
      {
        item_name = "request"
        item_data = {
          message        = "#[payload]"
          conditional    = "#[true]"
          level          = "INFO"
          first_section  = true
          second_section = false
        }
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Logging configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 2.0.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- logging_configuration - (Required, Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper; the platform rejects flat field structures with HTTP 400.
Each element requires the following structure:
logging_configuration = [
  {
    item_name = "<string>" # unique label for this logging rule
    item_data = {
      message        = "<string>" # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>" # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>" # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>" # Optional logger category name
      first_section  = <bool>     # Log on request phase (default: true)
      second_section = <bool>     # Log on response phase (default: false)
    }
  }
]
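As an added example (not taken from the provider's documentation), the configuration below uses the item_name + item_data wrapper to log one correlation header instead of the whole payload, and scopes the rule to write endpoints with pointcut_data. The resource label, the x-correlation-id header, the DataWeave header expression and the api.audit category are assumptions made for this example.

```hcl
# Added example: a narrowly scoped logging rule that records request metadata only.
resource "anypoint_api_policy_message_logging" "write_audit" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    logging_configuration = [
      {
        item_name = "write-request-metadata" # unique label for this rule
        item_data = {
          # Assumed expression: log a single header, not "#[payload]".
          message        = "#[attributes.headers['x-correlation-id']]"
          level          = "INFO"
          category       = "api.audit" # assumed logger category name
          first_section  = true        # log on the request phase
          second_section = false       # do not log on the response phase
        }
      }
    ]
  }

  # Apply the rule only to POST and PUT requests under /api/v1/write/.
  pointcut_data = jsonencode([
    {
      methodRegex      = "POST|PUT"
      uriTemplateRegex = "/api/v1/write/.*"
    }
  ])

  order = 1
}
```

A rule whose message is "#[payload]" writes entire request bodies to the log, including any credentials or personal data they carry, so keep such rules scoped with conditional and pointcut_data.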
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_message_logging policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_message_logging.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_message_logging" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_message_logging_outbound
Use the anypoint_api_policy_message_logging_outbound resource to log outbound responses from upstream services on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_message_logging_outbound" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    logging_configuration = [
      {
        item_name = "response"
        item_data = {
          message        = "#[payload]"
          conditional    = "#[true]"
          level          = "INFO"
          first_section  = false
          second_section = true
        }
      }
    ]
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Logging configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 2.0.2.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- logging_configuration - (Required, Dynamic) Array of logging rule objects. Each element must use the item_name + item_data wrapper; the platform rejects flat field structures with HTTP 400.
Each element requires the following structure:
logging_configuration = [
  {
    item_name = "<string>" # unique label for this logging rule
    item_data = {
      message        = "<string>" # DataWeave expression or literal, e.g. "#[payload]"
      level          = "<string>" # Log level: DEBUG, INFO, WARN, ERROR (default: INFO)
      conditional    = "<string>" # Optional DataWeave boolean expression, e.g. "#[true]"
      category       = "<string>" # Optional logger category name
      first_section  = <bool>     # Log on request phase (default: true)
      second_section = <bool>     # Log on response phase (default: false)
    }
  }
]
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_message_logging_outbound policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_message_logging_outbound.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_message_logging_outbound" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_model_based_routing
Use the anypoint_api_policy_model_based_routing resource to route LLM requests to the appropriate upstream based on the requested model on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_model_based_routing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    supported_vendors = [
      {
        vendor = "openai"
        models = ["gpt-4", "gpt-3.5-turbo"]
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Routing configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260127100214.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- supported_vendors - (Required, Dynamic) Array of supported LLM vendor configurations.
- fallback - (Dynamic) Fallback vendor configuration object.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_model_based_routing policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_model_based_routing.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_model_based_routing" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_agent_connection_telemetry
Use the anypoint_api_policy_agent_connection_telemetry resource to collect telemetry data from agent connections on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_agent_connection_telemetry" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    source_agent_id = "agent-001"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Telemetry configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_agent_connection_telemetry policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_agent_connection_telemetry.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_agent_connection_telemetry" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_native_aws_lambda
Use the anypoint_api_policy_native_aws_lambda resource to invoke an AWS Lambda function natively from an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_native_aws_lambda" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    arn                 = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    payload_passthrough = false
    invocation_mode     = "synchronous"
    authentication_mode = "static_credentials"
    credentials = {
      access_key_id     = "AKIAIOSFODNN7EXAMPLE"
      secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Lambda invocation configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.1.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- arn - (Required) The ARN of the AWS Lambda function.
- payload_passthrough - (Required) Whether to pass the request payload directly to Lambda.
- invocation_mode - (Required) Lambda invocation mode (synchronous or asynchronous).
- authentication_mode - (Required) AWS authentication mode (for example, static_credentials, iam_role).
- credentials - (Dynamic) AWS credentials object with access_key_id, secret_access_key, and optional session_token.
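The Example Usage for this resource writes the access key pair directly into the configuration. This added example (not part of the provider's documentation) fills the same credentials fields from sensitive input variables, which keeps the values out of version control and redacts them in plan output; the variable names and the resource label are assumptions made for this example.

```hcl
# Added example: static AWS credentials supplied through sensitive variables.
# Variable names below are hypothetical and chosen for this example only.
variable "lambda_access_key_id" {
  description = "Access key ID of the IAM principal allowed to invoke the function."
  type        = string
  sensitive   = true
}

variable "lambda_secret_access_key" {
  description = "Secret access key paired with lambda_access_key_id."
  type        = string
  sensitive   = true
}

resource "anypoint_api_policy_native_aws_lambda" "from_variables" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id

  configuration = {
    arn                 = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    payload_passthrough = false
    invocation_mode     = "synchronous"
    authentication_mode = "static_credentials"
    credentials = {
      # No literal key material in the .tf file; values arrive at plan/apply time.
      access_key_id     = var.lambda_access_key_id
      secret_access_key = var.lambda_secret_access_key
    }
  }

  upstream_ids = [anypoint_api_upstream.example.id]
}
```

Supply the values through the TF_VAR_lambda_access_key_id and TF_VAR_lambda_secret_access_key environment variables or a variables file kept out of the repository. Terraform still records them in state, so the state backend needs encryption and restricted access.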
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_native_aws_lambda policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_native_aws_lambda.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_native_aws_lambda" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_native_ext_authz
Use the anypoint_api_policy_native_ext_authz resource to delegate authorization decisions to an external service via gRPC or HTTP on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_native_ext_authz" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    uri             = "grpc://auth-service:9090"
    server_type     = "grpc"
    request_timeout = 5000
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) External authorization configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.2.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- uri - (Required) The URI of the external authorization service.
- server_type - (Required) The server type (for example, grpc, http).
- allowed_headers - (Dynamic) Headers to forward to the external service.
- include_peer_certificate - Whether to include the peer certificate in the authorization request.
- path_prefix - Path prefix for the external authorization request.
- request_timeout - Request timeout in milliseconds.
- server_api_version - The API version of the external authorization server.
- service_request_headers_to_add - (Dynamic) Headers to add to the authorization request.
- service_response_client_headers - (Dynamic) Headers from the authorization response to send to the client.
- service_response_client_headers_on_success - (Dynamic) Headers to send on successful authorization.
- service_response_upstream_headers - (Dynamic) Headers from the authorization response to send upstream.
- service_response_upstream_headers_to_append - (Dynamic) Headers from the authorization response to append upstream.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex - pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex - regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_native_ext_authz policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_native_ext_authz.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_native_ext_authz" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_native_ext_proc
Use the anypoint_api_policy_native_ext_proc resource to stream request and response messages to an external gRPC processing service on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_native_ext_proc" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    uri                  = "grpc://ext-proc-service:9091"
    message_timeout      = 5000
    failure_mode_allow   = false
    request_header_mode  = "SEND"
    response_header_mode = "SKIP"
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) External processor configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- uri - (Required) The URI of the external processing service.
- allow_mode_override - Whether to allow the external processor to override the processing mode.
- failure_mode_allow - Whether to allow requests when the external processor fails.
- max_message_timeout - Maximum message processing timeout in milliseconds.
- message_timeout - Message processing timeout in milliseconds.
- request_body_mode - Processing mode for the request body.
- request_header_mode - Processing mode for request headers (for example, SEND, SKIP).
- request_trailer_mode - Processing mode for request trailers.
- response_body_mode - Processing mode for the response body.
- response_header_mode - Processing mode for response headers (for example, SEND, SKIP).
- response_trailer_mode - Processing mode for response trailers.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
-
methodRegex— pipe-separated HTTP methods (for example,GET,GET|POST). Omit or set to.*to match all methods. -
uriTemplateRegex— regex for the URI path (for example,/api/v1/.). Omit or set to.to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_native_ext_proc policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_native_ext_proc.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_native_ext_proc" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_oauth2_token_introspection
Use the anypoint_api_policy_oauth2_token_introspection resource to validate OAuth 2.0 tokens by introspecting them against an authorization server on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_oauth2_token_introspection" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    introspection_url = "https://auth.example.com/oauth2/introspect"
    authorization_value = "Bearer your-token-here"
    validated_token_ttl = 600
    skip_client_id_validation = true
    expose_headers = false
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Token introspection configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- introspection_url - (Required) URL of the OAuth 2.0 token introspection endpoint.
- authorization_value - (Required) Authorization header value for the introspection request.
- authentication_timeout - Authentication request timeout in milliseconds.
- consumer_by - How to identify the API consumer (for example, client_id).
- expose_headers - Whether to expose rate-limit headers in the response.
- max_cache_entries - Maximum number of entries in the token cache.
- scope_validation_criteria - How scopes are validated (AND or OR).
- skip_client_id_validation - Whether to skip client ID validation.
- validated_token_ttl - TTL in seconds for validated token cache entries.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_oauth2_token_introspection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_oauth2_token_introspection.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_oauth2_token_introspection" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_openai_transcoding_policy
Use the anypoint_api_policy_openai_transcoding_policy resource to configure OpenAI as the LLM provider for an Anypoint API instance, handling request and response transcoding.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_openai_transcoding_policy" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    api_key = "sk-xxxxxxxxxxxx"
    timeout = 30000
  }
  upstream_ids = [anypoint_api_upstream.example.id]
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) OpenAI connection configuration.
- upstream_ids - (Required, List of String) Upstream IDs this policy applies to.
- pointcut_data - Pointcut definition as a JSON string.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- asset_version - The policy asset version. Defaults to 1.0.0.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- api_key - (Required) API key for the OpenAI LLM provider.
- model_mapper - (Dynamic) Array of model name mappings.
- timeout - Request timeout in milliseconds.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_openai_transcoding_policy policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_openai_transcoding_policy.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_openai_transcoding_policy" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_semantic_prompt_guard_policy_openai
Use the anypoint_api_policy_semantic_prompt_guard_policy_openai resource to block prompts that semantically match denied topics using OpenAI embeddings on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    openai_url = "https://api.openai.com/v1"
    openai_api_key = "sk-xxxxxxxxxxxx"
    openai_embedding_model = "text-embedding-ada-002"
    timeout = 5000
    deny_topics = [
      {
        topic = "harmful content"
        description = "Block harmful content generation"
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Prompt guard configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260130084752.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- deny_topics - (Required, Dynamic) Array of topics to deny in prompt guard evaluation.
- openai_api_key - (Required) API key for the OpenAI service.
- openai_url - (Required) URL of the OpenAI API.
- openai_embedding_model - The OpenAI embedding model to use.
- threshold - (Dynamic) Threshold configuration object for similarity scoring.
- timeout - Timeout value in milliseconds.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_semantic_prompt_guard_policy_openai policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_semantic_prompt_guard_policy_openai.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_semantic_prompt_guard_policy_openai" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_semantic_routing_policy_huggingface
Use the anypoint_api_policy_semantic_routing_policy_huggingface resource to route requests to different upstreams based on semantic similarity using HuggingFace embeddings on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_semantic_routing_policy_huggingface" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    huggingface_url = "https://api-inference.huggingface.co/models/sentence-transformers/all-MiniLM-L6-v2"
    huggingface_api_key = "hf_xxxxxxxxxxxx"
    timeout = 5000
    routes = [
      {
        description = "Route for customer queries"
        upstream_id = "upstream-1"
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Semantic routing configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.0-20260130095514.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- huggingface_api_key - (Required) API key for the HuggingFace service.
- huggingface_url - (Required) URL of the HuggingFace inference API.
- routes - (Required, Dynamic) Array of routing rules.
- fallback_route - (Dynamic) Fallback route configuration when no semantic match is found.
- threshold - (Dynamic) Threshold configuration object for similarity scoring.
- timeout - Timeout value in milliseconds.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_semantic_routing_policy_huggingface policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_semantic_routing_policy_huggingface.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_semantic_routing_policy_huggingface" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_rate_limiting
Use the anypoint_api_policy_rate_limiting resource to limit the number of requests an API instance accepts within a configurable time window.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_rate_limiting" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    rate_limits = [
      {
        maximum_requests = 100
        time_period_in_milliseconds = 60000
      }
    ]
    expose_headers = false
    clusterizable = true
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Rate limit configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.4.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- rate_limits - (Required, Dynamic) Array of rate limit rules with maximum_requests and time_period_in_milliseconds.
- key_selector - Expression to extract the rate limit key from the request.
- expose_headers - Whether to expose rate-limit headers in the response.
- clusterizable - Whether rate limit counters are shared across a cluster.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_rate_limiting policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_rate_limiting.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_rate_limiting" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_rate_limiting_sla_based
Use the anypoint_api_policy_rate_limiting_sla_based resource to enforce rate limits based on client SLA tiers on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_rate_limiting_sla_based" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    client_id_expression = "#[attributes.headers['client_id']]"
    client_secret_expression = "#[attributes.headers['client_secret']]"
    expose_headers = false
    clusterizable = true
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) SLA-based rate limit configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.3.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- client_id_expression - DataWeave expression to extract the client ID from the request.
- client_secret_expression - DataWeave expression to extract the client secret from the request.
- expose_headers - Whether to expose rate-limit headers in the response.
- clusterizable - Whether rate limit counters are shared across a cluster.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_rate_limiting_sla_based policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_rate_limiting_sla_based.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_rate_limiting_sla_based" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_response_timeout
Use the anypoint_api_policy_response_timeout resource to enforce a maximum response time on upstream requests from an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_response_timeout" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    timeout = 30000
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Timeout configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
{
methodRegex = "GET|POST"
uriTemplateRegex = "/api/v1/.*"
}
])
# Multiple conditions
pointcut_data = jsonencode([
{
methodRegex = "GET"
uriTemplateRegex = "/api/v1/read/.*"
},
{
methodRegex = "POST|PUT"
uriTemplateRegex = "/api/v1/write/.*"
}
])
Import
An existing anypoint_api_policy_response_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
to = anypoint_api_policy_response_timeout.imported
id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}
resource "anypoint_api_policy_response_timeout" "imported" {
organization_id = "<organization_id>"
environment_id = "<environment_id>"
api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_script_evaluation_transformation
Use the anypoint_api_policy_script_evaluation_transformation resource to evaluate and transform request or response payloads using a DataWeave script on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_script_evaluation_transformation" "example" {
  organization_id = var.organization_id
  environment_id = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    # DataWeave header is "%dw 2.0"; a single % needs no escaping in an HCL string.
    script = "%dw 2.0\noutput application/json\n---\npayload"
    requires_payload = false
    request_flow = "request"
  }
  order = 1
}
Required Arguments
-
environment_id- ID of the environment where the API instance lives. -
api_instance_id- ID of the API instance this policy is applied to. -
configuration- (Block) Script configuration..
Optional Arguments
-
organization_id- Organization ID. If omitted, defaults to the organization of the connected app. -
label- A human-readable label for this policy instance. -
order- Execution order relative to other policies. Lower numbers run first. -
asset_version- The policy asset version. Defaults to1.0.0-20260127.133315. -
disabled- Whether the policy is disabled. Defaults tofalse. -
upstream_ids- (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams. -
pointcut_data- Scope the policy to specific HTTP methods and URI patterns as a JSON string. Whennull, the policy applies to all resources. Usejsonencode()to set this..
Read-Only Attributes
-
id- The policy ID. -
policy_template_id- Policy template ID assigned by the platform.
Nested Schema for configuration
-
script- (Required) The DataWeave transformation script. -
request_flow- Which flow to apply the transformation to (requestorresponse). -
requires_payload- Whether the script requires access to the payload.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_script_evaluation_transformation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_script_evaluation_transformation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_script_evaluation_transformation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_sse_logging
Use the anypoint_api_policy_sse_logging resource to log Server-Sent Events (SSE) traffic on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_sse_logging" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    logs = [
      {
        # #[payload] writes the complete event payload to the log at INFO level.
        message = "#[payload]"
        level   = "INFO"
      }
    ]
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) SSE logging configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_sse_logging policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_sse_logging.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_sse_logging" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_spec_validation
Use the anypoint_api_policy_spec_validation resource to validate incoming requests against the API specification on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_spec_validation" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    block_operation          = true
    strict_params_validation = true
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Spec validation configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- block_operation - Whether to block operations not defined in the API spec.
- strict_params_validation - Whether to strictly validate query and header parameters.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
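The following Python sketch is an added example, not part of the provider documentation. It reads a pointcut_data JSON string and lists the routes from an inventory that fall outside the policy's scope, which matters when the scoped policy is a control such as spec validation. It assumes each regex must match the whole method or path (the page does not state the gateway's matching rule); the route inventory and function names are constructed for illustration.

```python
import json
import re

# Constructed sample: the JSON string jsonencode() would produce for the
# "Multiple conditions" pointcut_data example on this page.
POINTCUT_JSON = json.dumps([
    {"methodRegex": "GET", "uriTemplateRegex": "/api/v1/read/.*"},
    {"methodRegex": "POST|PUT", "uriTemplateRegex": "/api/v1/write/.*"},
])

# Constructed route inventory (method, path) for a hypothetical API.
ROUTES = [
    ("GET", "/api/v1/read/orders"),
    ("POST", "/api/v1/write/orders"),
    ("PUT", "/api/v1/write/orders/42"),
    ("DELETE", "/api/v1/write/orders/42"),
    ("PATCH", "/api/v1/write/orders/42"),
    ("POST", "/api/v2/write/orders"),
    ("GET", "/api/v1/write/orders"),
]

MATCH_ALL = ".*"
KNOWN_KEYS = {"methodRegex", "uriTemplateRegex"}


def load_conditions(pointcut_json):
    """Compile pointcut_data. None (null) means the policy applies everywhere."""
    if pointcut_json is None:
        return None
    conditions = json.loads(pointcut_json)
    if not isinstance(conditions, list):
        raise ValueError("pointcut_data must be a JSON array of conditions")
    compiled = []
    for cond in conditions:
        # This script's own strictness: a misspelled key would otherwise be
        # read as "omitted", and an omitted key matches everything.
        unknown = set(cond) - KNOWN_KEYS
        if unknown:
            raise ValueError(f"unexpected keys in condition: {sorted(unknown)}")
        compiled.append((
            re.compile(cond.get("methodRegex", MATCH_ALL)),
            re.compile(cond.get("uriTemplateRegex", MATCH_ALL)),
        ))
    return compiled


def is_covered(conditions, method, path):
    """A request is in scope if ANY condition matches (logical OR)."""
    if conditions is None:
        return True
    # Assumption: full-string matching for both the method and the path.
    return any(m.fullmatch(method) and u.fullmatch(path) for m, u in conditions)


def uncovered_routes(pointcut_json, routes):
    """Return the (method, path) pairs the policy would not apply to."""
    conditions = load_conditions(pointcut_json)
    return [(m, p) for m, p in routes if not is_covered(conditions, m, p)]


if __name__ == "__main__":
    for method, path in uncovered_routes(POINTCUT_JSON, ROUTES):
        print(f"not covered by policy: {method} {path}")
```

With the sample data, DELETE and PATCH on the write path, the /api/v2 route, and GET on the write path are reported as outside the policy's scope.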
Import
An existing anypoint_api_policy_spec_validation policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_spec_validation.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_spec_validation" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_spike_control
Use the anypoint_api_policy_spike_control resource to queue and throttle traffic spikes on an Anypoint API instance, delaying excess requests instead of rejecting them immediately.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_spike_control" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    maximum_requests            = 100
    time_period_in_milliseconds = 1000
    delay_time_in_millis        = 500
    delay_attempts              = 3
    queuing_limit               = 5
    expose_headers              = false
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Spike control configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.2.2.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- maximum_requests - (Required) Maximum number of requests allowed in the time period.
- time_period_in_milliseconds - (Required) The time period in milliseconds for the spike control window.
- delay_time_in_millis - (Required) The delay in milliseconds before retrying queued requests.
- delay_attempts - (Required) The number of retry attempts before rejecting a queued request.
- queuing_limit - Maximum number of requests that can be queued.
- expose_headers - Whether to expose rate-limit headers in the response.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_spike_control policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_spike_control.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_spike_control" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_stream_idle_timeout
Use the anypoint_api_policy_stream_idle_timeout resource to close idle SSE or streaming connections after a configurable period on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_stream_idle_timeout" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    timeout = 30000
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Timeout configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.0.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_stream_idle_timeout policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_stream_idle_timeout.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_stream_idle_timeout" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_tracing
Use the anypoint_api_policy_tracing resource to instrument distributed tracing on an Anypoint API instance.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_tracing" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    span_name = "api-request"
    sampling = {
      probability = 0.1
    }
    labels = []
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) Tracing configuration.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.1.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- span_name - Custom name for the tracing span.
- sampling - (Dynamic) Tracing sampling configuration object.
- labels - (Dynamic) Array of custom labels to attach to traces.
Pointcut Data
Use pointcut_data to scope this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_tracing policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_tracing.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_tracing" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_api_policy_xml_threat_protection
Use the anypoint_api_policy_xml_threat_protection resource to protect an Anypoint API instance against malicious XML payloads by enforcing structural limits.
This policy is only supported on
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Example Usage
resource "anypoint_api_policy_xml_threat_protection" "example" {
  organization_id = var.organization_id
  environment_id  = var.environment_id
  api_instance_id = anypoint_api_instance.example.id
  configuration = {
    max_node_depth                  = 10
    max_attribute_count_per_element = 10
    max_child_count                 = 50
    max_text_length                 = 256
    max_attribute_length            = 128
    max_comment_length              = 128
  }
  order = 1
}
Required Arguments
- environment_id - ID of the environment where the API instance lives.
- api_instance_id - ID of the API instance this policy is applied to.
- configuration - (Block) XML structural limits.
Optional Arguments
- organization_id - Organization ID. If omitted, defaults to the organization of the connected app.
- label - A human-readable label for this policy instance.
- order - Execution order relative to other policies. Lower numbers run first.
- asset_version - The policy asset version. Defaults to 1.2.1.
- disabled - Whether the policy is disabled. Defaults to false.
- upstream_ids - (List of String) Upstream IDs this policy applies to. When omitted, applies to all upstreams.
- pointcut_data - Scope the policy to specific HTTP methods and URI patterns as a JSON string. When null, the policy applies to all resources. Use jsonencode() to set this.
Read-Only Attributes
- id - The policy ID.
- policy_template_id - Policy template ID assigned by the platform.
Nested Schema for configuration
- max_node_depth - Maximum XML node nesting depth.
- max_attribute_count_per_element - Maximum number of attributes per XML element.
- max_child_count - Maximum number of child elements per XML node.
- max_text_length - Maximum length for XML text nodes.
- max_attribute_length - Maximum length for XML attribute values.
- max_comment_length - Maximum length for XML comments.
Pointcut Data
Use pointcut_data to limit this policy to specific request methods and URI patterns. This mirrors the "Apply configurations to specific methods & resources" option in the Anypoint Platform UI.
Each array element defines one condition:
- methodRegex — pipe-separated HTTP methods (for example, GET, GET|POST). Omit or set to .* to match all methods.
- uriTemplateRegex — regex for the URI path (for example, /api/v1/.*). Omit or set to .* to match all paths.
Multiple conditions are evaluated as a logical OR.
# Apply policy to GET and POST requests on /api/v1/* only
pointcut_data = jsonencode([
  {
    methodRegex      = "GET|POST"
    uriTemplateRegex = "/api/v1/.*"
  }
])

# Multiple conditions
pointcut_data = jsonencode([
  {
    methodRegex      = "GET"
    uriTemplateRegex = "/api/v1/read/.*"
  },
  {
    methodRegex      = "POST|PUT"
    uriTemplateRegex = "/api/v1/write/.*"
  }
])
Import
An existing anypoint_api_policy_xml_threat_protection policy can be imported using its composite ID: organization_id/environment_id/api_instance_id/policy_id.
The policy_id is the numeric ID of the policy, visible in Anypoint API Manager or from the API response.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_api_policy_xml_threat_protection.imported
  id = "<organization_id>/<environment_id>/<api_instance_id>/<policy_id>"
}

resource "anypoint_api_policy_xml_threat_protection" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  api_instance_id = "<api_instance_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply



