Access Management Resources

Use Access Management resources to manage organizations, environments, connected applications, scopes, and teams in Anypoint Platform.

Access Management resources require administrative privileges and use the anypoint.admin provider configuration for authentication.

anypoint_connected_app_scopes

Use the anypoint_connected_app_scopes resource to manage scopes for a connected application in Anypoint Platform.

Admin provider required: This is an Access Management resource. It requires the anypoint.admin provider configured with auth_type = "user" (user credentials + connected app client credentials). A standard connected app (client credentials only) doesn’t have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_connected_app_scopes" "example" {
  provider         = anypoint.admin
  connected_app_id = "my-connected-app-id"

  scopes = [
    {
      scope = "admin:cloudhub"
      context_params = {
        org = "your-org-id"
      }
    },
    {
      scope = "read:applications"
      context_params = {
        org   = "your-org-id"
        envId = "your-env-id"
      }
    }
  ]
}

Required Arguments

  • connected_app_id - The ID of the connected application to manage scopes for.

  • scopes - (Block Set) The set of scopes to assign to the connected application. See Nested Schema for scopes.

Read-Only Attributes

  • id - The unique identifier for the connected app scopes (same as connected_app_id).

Nested Schema for scopes

  • scope - (Required) The scope name (for example, admin:cloudhub, read:applications).

  • context_params - (Map of String) Context parameters for the scope (for example, organization ID).

Import

An existing connected app’s scopes can be imported using the connected app ID (UUID).

import {
  provider = anypoint.admin
  to       = anypoint_connected_app_scopes.imported
  id       = "<connected_app_id>"
}

resource "anypoint_connected_app_scopes" "imported" {
  provider         = anypoint.admin
  connected_app_id = "<connected_app_id>"
  scopes           = []
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_connected_app_scopes.imported <connected_app_id>

anypoint_environment

Use the anypoint_environment resource to manage Anypoint Platform environments.

Admin provider required: This is an Access Management resource. It requires the anypoint.admin provider configured with auth_type = "user" (user credentials + connected app client credentials). A standard connected app (client credentials only) doesn’t have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_environment" "example" {
  provider        = anypoint.admin
  name            = "my-sandbox-env"
  type            = "sandbox"
  is_production   = false
  organization_id = "your-org-id"
}

Required Arguments

  • name - The name of the environment.

Optional Arguments

  • organization_id - Organization ID where the environment will be created. If not provided, the organization ID is inferred from the connected app credentials.

  • type - The type of the environment (design, sandbox, production). Defaults to sandbox.

  • is_production - Whether this is a production environment. Defaults to false.

  • arc_namespace - The ARC namespace for the environment.

  • client_id - The client ID associated with the environment.

Read-Only Attributes

  • id - The unique identifier for the environment.

Import

An existing environment can be imported using its environment ID (UUID).

import {
  provider = anypoint.admin
  to       = anypoint_environment.imported
  id       = "<environment_id>"
}

resource "anypoint_environment" "imported" {
  provider        = anypoint.admin
  organization_id = "<organization_id>"
  name            = "<environment_name>"
  type            = "sandbox"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_environment.imported <environment_id>

anypoint_organization

Use the anypoint_organization resource to create and manage Anypoint Platform organizations (business groups).

Admin provider required: This is an Access Management resource. It requires the anypoint.admin provider configured with auth_type = "user" (user credentials + connected app client credentials). A standard connected app (client credentials only) doesn’t have sufficient privileges for Access Management operations.

Entitlement State Behaviour

The provider honours user-defined state for entitlements, not platform defaults.

  • Fields you declare are managed by Terraform — any platform-side change will be reverted on the next apply.

  • Fields you omit are unmanaged. Platform-side updates to those fields aren’t reflected in the plan and won’t be reverted.

  • Master-org-only entitlements (hybrid, omni_gateway, service_mesh, worker_logging_override, runtime_fabric, design_center) are inherited on sub-orgs and can’t be set via this resource on a business group. They are stripped from API requests to prevent HTTP 403 errors.

Only declare entitlement fields you want Terraform to own. Leave everything else out of your config.
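To make the three rules above concrete, here is an added Python illustration (not the provider's code) of how declared, omitted and master-org-only entitlement fields are treated when a plan is computed for a business group. The field names come from this page; the declared and remote values are constructed sample data.

```python
"""Model of the entitlement state behaviour documented above (illustrative
example, not the Anypoint provider's implementation)."""

# Master-org-only entitlements named in the documentation above.
MASTER_ORG_ONLY = {
    "hybrid", "omni_gateway", "service_mesh",
    "worker_logging_override", "runtime_fabric", "design_center",
}


def plan_entitlements(declared, remote, is_master):
    """Return (updates, unmanaged, stripped) for one apply.

    declared:  entitlement fields present in HCL (Terraform-owned).
    remote:    entitlement fields as currently reported by the platform.
    is_master: whether the target organization is the master org.
    """
    updates, stripped = {}, {}
    for name, want in declared.items():
        if name in MASTER_ORG_ONLY and not is_master:
            # Inherited on sub-orgs: never sent, so no HTTP 403 from the API.
            stripped[name] = want
            continue
        if remote.get(name) != want:
            # Declared and drifted: reverted to the HCL value on apply.
            updates[name] = want
    # Omitted fields: platform-side changes are neither shown nor reverted.
    unmanaged = {k: v for k, v in remote.items() if k not in declared}
    return updates, unmanaged, stripped


# Constructed sample: HCL owns three fields plus one master-org-only field;
# the platform has since changed create_environments and global_deployment.
DECLARED = {
    "create_sub_orgs": False,
    "create_environments": True,
    "vcores_sandbox": {"assigned": 0},
    "runtime_fabric": True,
}
REMOTE = {
    "create_sub_orgs": False,
    "create_environments": False,   # drifted: will be reverted
    "global_deployment": True,      # not declared: left as-is
    "vcores_sandbox": {"assigned": 0},
    "runtime_fabric": False,
}

if __name__ == "__main__":
    upd, unm, strp = plan_entitlements(DECLARED, REMOTE, is_master=False)
    print("reverted :", upd)    # {'create_environments': True}
    print("unmanaged:", unm)    # {'global_deployment': True}
    print("stripped :", strp)   # {'runtime_fabric': True}
```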

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_organization" "example" {
  provider = anypoint.admin

  name                   = "my-sub-org"
  parent_organization_id = "parent-org-id"
  owner_id               = "owner-user-id"

  entitlements = {
    create_sub_orgs     = false
    create_environments = true
    global_deployment   = false

    vcores_production = { assigned = 0 }
    vcores_sandbox    = { assigned = 0 }
    vcores_design     = { assigned = 0 }
    vpcs              = { assigned = 0 }
    network_connections   = { assigned = 0 }
    managed_gateway_small = { assigned = 0 }
    managed_gateway_large = { assigned = 0 }
  }
}

Required Arguments

  • name - The name of the organization.

  • owner_id - The ID of the organization owner. Changing this forces a new resource.

  • parent_organization_id - The ID of the parent organization. Changing this forces a new resource.

Optional Arguments

Read-Only Attributes

  • id - The unique identifier for the organization.

  • client_id - The client ID associated with the organization.

  • created_at - The creation timestamp of the organization.

  • deleted_at - The deletion timestamp of the organization.

  • domain - The domain of the organization.

  • environments - (Block List) The environments within the organization.

  • gdot_id - The GDOT ID of the organization.

  • idprovider_id - The ID provider ID for the organization.

  • is_automatic_admin_promotion_exempt - Whether the organization is exempt from automatic admin promotion.

  • is_federated - Whether the organization is federated.

  • is_master - Whether the organization is a master organization.

  • is_root - Whether the organization is a root organization.

  • mfa_required - Whether MFA is required for the organization.

  • org_type - The type of the organization.

  • parent_organization_ids - List of parent organization IDs (ancestor chain).

  • session_timeout - The session timeout for the organization.

  • sub_organization_ids - List of sub-organization IDs.

  • subscription - (Block) The subscription details for the organization.

  • tenant_organization_ids - List of tenant organization IDs.

  • updated_at - The last update timestamp of the organization.

Nested Schema for entitlements

Only the fields you declare are managed by Terraform. Fields you omit aren’t tracked and won’t be reverted if the platform changes them.

  • create_environments - Whether environments can be created. Defaults to false.

  • create_sub_orgs - Whether sub-organizations can be created. Defaults to false.

  • global_deployment - Whether global deployment is enabled. Defaults to false.

  • runtime_fabric - Whether Runtime Fabric is enabled. Master-org-only — ignored on business groups.

  • design_center - (Block) Design Center entitlement. Master-org-only — ignored on business groups.

    • api - Whether API Designer is enabled.

    • mozart - Whether Flow Designer (Mozart) is enabled.

  • omni_gateway - (Block) Omni Gateway entitlement. Master-org-only — ignored on business groups.

    • enabled - Whether this feature is enabled.

  • hybrid - (Block) Hybrid entitlement. Master-org-only — ignored on business groups.

    • enabled - Whether this feature is enabled.

  • service_mesh - (Block) Service Mesh entitlement. Master-org-only — ignored on business groups.

    • enabled - Whether this feature is enabled.

  • worker_logging_override - (Block) Worker logging override entitlement. Master-org-only — ignored on business groups.

    • enabled - Whether this feature is enabled.

  • vcores_production - (Block) Production vCore entitlement.

    • assigned - Number of assigned units. Defaults to 0.

    • reassigned - Number of reassigned units. Defaults to 0.

  • vcores_sandbox - (Block) Sandbox vCore entitlement.

    • assigned - Number of assigned units. Defaults to 0.

    • reassigned - Number of reassigned units. Defaults to 0.

  • vcores_design - (Block) Design vCore entitlement.

    • assigned - Number of assigned units. Defaults to 0.

    • reassigned - Number of reassigned units. Defaults to 0.

  • vpcs - (Block) VPC entitlement.

    • assigned - Number of assigned units. Defaults to 0.

    • reassigned - Number of reassigned units. Defaults to 0.

  • network_connections - (Block) Network connections entitlement.

    • assigned - Number of assigned units. Defaults to 0.

    • reassigned - Number of reassigned units. Defaults to 0.

  • gateways - (Block) Gateways entitlement.

    • assigned - Number of assigned units.

  • load_balancer - (Block) Load balancer entitlement.

    • assigned - Number of assigned units.

  • managed_gateway_small - (Block) Managed Gateway (small) entitlement.

    • assigned - Number of assigned units.

  • managed_gateway_large - (Block) Managed Gateway (large) entitlement.

    • assigned - Number of assigned units.

  • mq_messages - (Block) MQ messages entitlement.

    • base - Base number of MQ units. Defaults to 0.

    • add_on - Add-on number of MQ units. Defaults to 0.

  • mq_requests - (Block) MQ requests entitlement.

    • base - Base number of MQ units. Defaults to 0.

    • add_on - Add-on number of MQ units. Defaults to 0.

static_ips and vpns entitlements are managed server-side by Anypoint and aren’t settable via Terraform. Configure them through the Anypoint UI or API.

Nested Schema for environments

When a new organization is created, Anypoint Platform automatically provisions two environments: Sandbox and Production. These appear in the environments read-only attribute after the first apply and don’t need to be declared in your configuration.

  • id - The environment ID. (Read-Only)

  • name - The environment name. (Read-Only)

  • organization_id - The organization ID. (Read-Only)

  • client_id - The environment client ID. (Read-Only)

  • type - The environment type. (Read-Only)

  • is_production - Whether the environment is a production environment. (Read-Only)

  • arc_namespace - The ARC namespace of the environment. (Optional)

Nested Schema for subscription

  • category - The subscription category. (Read-Only)

  • type - The subscription type. (Read-Only)

  • expiration - The subscription expiration date. (Read-Only)

  • justification - The subscription justification. (Optional)

Import

An existing organization can be imported using its organization ID (UUID). Your HCL must declare name, parent_organization_id, and owner_id before importing — those are required attributes. The first terraform plan after import refreshes all read-only and optional attributes (including entitlements) from the Anypoint API.

parent_organization_id is derived from the server-returned ancestor chain (parent_organization_ids) on the first refresh. If the derivation doesn’t match what you wrote in HCL, update the HCL to match — changing parent_organization_id triggers a destroy+recreate.

import {
  provider = anypoint.admin
  to       = anypoint_organization.imported
  id       = "<organization_id>"
}

resource "anypoint_organization" "imported" {
  provider               = anypoint.admin
  name                   = "<org_name>"
  parent_organization_id = "<parent_org_id>"
  owner_id               = "<owner_user_id>"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_organization.imported <organization_id>

anypoint_team

Use the anypoint_team resource to manage teams in Anypoint Platform.

Admin provider required: This is an Access Management resource. It requires the anypoint.admin provider configured with auth_type = "user" (user credentials + connected app client credentials). A standard connected app (client credentials only) doesn’t have sufficient privileges for Access Management operations.

Example Usage

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_team" "example" {
  provider       = anypoint.admin
  team_name      = "Development Team"
  parent_team_id = "root-team-id"
  team_type      = "internal"
}

resource "anypoint_team" "sub_team" {
  provider       = anypoint.admin
  team_name      = "Frontend Team"
  parent_team_id = anypoint_team.example.id
  team_type      = "internal"
}

Required Arguments

  • team_name - The name of the team.

  • parent_team_id - The ID of the parent team.

  • team_type - The type of the team.

Optional Arguments

  • organization_id - Organization ID where the team will be created. If not provided, the organization ID is inferred from the connected app credentials.

Read-Only Attributes

  • id - The unique identifier for the team.

  • created_at - The timestamp when the team was created.

  • updated_at - The timestamp when the team was last updated.

Import

An existing team can be imported using its team ID (UUID).

import {
  provider = anypoint.admin
  to       = anypoint_team.imported
  id       = "<team_id>"
}

resource "anypoint_team" "imported" {
  provider        = anypoint.admin
  organization_id = "<organization_id>"
  team_name       = "<team_name>"
  # parent_team_id is a required argument; supply the existing team's parent ID
  parent_team_id  = "<parent_team_id>"
  team_type       = "internal"
}

After adding the import block, run:

# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply

Using the CLI (deprecated, Terraform < 1.5)

terraform import anypoint_team.imported <team_id>