## Access Management Resources

Use Access Management resources to manage organizations, environments, connected applications, scopes, and teams in Anypoint Platform.

Access Management resources require administrative privileges and use the `anypoint.admin` provider configuration for authentication.

### anypoint_connected_app_scopes

Use the `anypoint_connected_app_scopes` resource to manage scopes for a connected application in Anypoint Platform.

> **Admin provider required:** This is an Access Management resource. It requires the

#### Example Usage

```hcl
# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_connected_app_scopes" "example" {
  provider         = anypoint.admin
  connected_app_id = "my-connected-app-id"

  scopes = [
    {
      scope = "admin:cloudhub"
      context_params = {
        org = "your-org-id"
      }
    },
    {
      scope = "read:applications"
      context_params = {
        org   = "your-org-id"
        envId = "your-env-id"
      }
    }
  ]
}
```
#### Required Arguments

- `connected_app_id` - The ID of the connected application to manage scopes for.
- `scopes` - (Block Set) The set of scopes to assign to the connected application. See Nested Schema for `scopes`.

#### Read-Only Attributes

- `id` - The unique identifier for the connected app scopes (same as `connected_app_id`).

#### Nested Schema for scopes

- `scope` - (Required) The scope name (for example, `admin:cloudhub`, `read:applications`).
- `context_params` - (Map of String) Context parameters for the scope (for example, organization ID).
#### Import

An existing connected app's scopes can be imported using the connected app ID (UUID).

##### Using an import block (Terraform ≥ 1.5 — recommended)

```hcl
import {
  provider = anypoint.admin
  to       = anypoint_connected_app_scopes.imported
  id       = "<connected_app_id>"
}

resource "anypoint_connected_app_scopes" "imported" {
  provider         = anypoint.admin
  connected_app_id = "<connected_app_id>"
  scopes           = []
}
```

After adding the import block, run:

```shell
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply
```
### anypoint_environment

Use the `anypoint_environment` resource to manage Anypoint Platform environments.

> **Admin provider required:** This is an Access Management resource. It requires the

#### Example Usage

```hcl
# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_environment" "example" {
  provider        = anypoint.admin
  name            = "my-sandbox-env"
  type            = "sandbox"
  is_production   = false
  organization_id = "your-org-id"
}
```
#### Optional Arguments

- `organization_id` - Organization ID where the environment will be created. If not provided, the organization ID is inferred from the connected app credentials.
- `type` - The type of the environment (`design`, `sandbox`, `production`). Defaults to `sandbox`.
- `is_production` - Whether this is a production environment. Defaults to `false`.
- `arc_namespace` - The ARC namespace for the environment.
- `client_id` - The client ID associated with the environment.
#### Import

An existing environment can be imported using its environment ID (UUID).

##### Using an import block (Terraform ≥ 1.5 — recommended)

```hcl
import {
  provider = anypoint.admin
  to       = anypoint_environment.imported
  id       = "<environment_id>"
}

resource "anypoint_environment" "imported" {
  provider        = anypoint.admin
  organization_id = "<organization_id>"
  name            = "<environment_name>"
  type            = "sandbox"
}
```

After adding the import block, run:

```shell
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply
```
### anypoint_organization

Use the `anypoint_organization` resource to create and manage Anypoint Platform organizations (business groups).

> **Admin provider required:** This is an Access Management resource. It requires the

#### Entitlement State Behaviour

The provider honours user-defined state for entitlements, not platform defaults.

- Fields you declare are managed by Terraform — any platform-side change will be reverted on the next apply.
- Fields you omit are unmanaged. Platform-side updates to those fields aren't reflected in the plan and won't be reverted.
- Master-org-only entitlements (`hybrid`, `omni_gateway`, `service_mesh`, `worker_logging_override`, `runtime_fabric`, `design_center`) are inherited on sub-orgs and can't be set via this resource on a business group. They are stripped from API requests to prevent HTTP 403 errors.

Only declare entitlement fields you want Terraform to own. Leave everything else out of your config.
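The following Python is an added illustration of the three rules above, not the provider's own code: declared fields are sent and compared, omitted fields are ignored even when the platform changes them, and master-org-only keys are stripped for a business group. The `is_master` flag, the function names and the sample entitlement values are assumptions constructed for the example.

```python
# Illustrative model of the entitlement rules described above; not the
# provider's own code. The sample maps below are constructed.
from __future__ import annotations

# Entitlements the documentation lists as master-org-only.
MASTER_ORG_ONLY = frozenset({
    "hybrid", "omni_gateway", "service_mesh",
    "worker_logging_override", "runtime_fabric", "design_center",
})


def build_entitlements_request(declared: dict, is_master: bool) -> dict:
    """Entitlement payload for an org update.

    Only declared fields are sent. On a business group (is_master=False) the
    master-org-only keys are stripped so the request is not rejected with 403.
    """
    if is_master:
        return dict(declared)
    return {k: v for k, v in declared.items() if k not in MASTER_ORG_ONLY}


def entitlement_drift(declared: dict, platform: dict, is_master: bool) -> dict:
    """Drift as {field: (declared, platform)} for managed fields only.

    Omitted fields never appear, even if the platform changed them, so they
    are never reverted on apply.
    """
    managed = build_entitlements_request(declared, is_master)
    return {k: (v, platform.get(k)) for k, v in managed.items()
            if platform.get(k) != v}


# Constructed sample: a business-group config and the platform's reported state.
DECLARED = {
    "create_sub_orgs": False,
    "create_environments": True,
    "vcores_sandbox": {"assigned": 0},
    "runtime_fabric": True,       # master-org-only: stripped on a business group
}
PLATFORM = {
    "create_sub_orgs": True,      # changed out-of-band: reported, reverted on apply
    "create_environments": True,
    "vcores_sandbox": {"assigned": 0},
    "global_deployment": True,    # not declared: unmanaged, never reported
    "runtime_fabric": False,
}

if __name__ == "__main__":
    print(build_entitlements_request(DECLARED, is_master=False))
    print(entitlement_drift(DECLARED, PLATFORM, is_master=False))
```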
#### Example Usage

```hcl
# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_organization" "example" {
  provider               = anypoint.admin
  name                   = "my-sub-org"
  parent_organization_id = "parent-org-id"
  owner_id               = "owner-user-id"

  entitlements = {
    create_sub_orgs       = false
    create_environments   = true
    global_deployment     = false
    vcores_production     = { assigned = 0 }
    vcores_sandbox        = { assigned = 0 }
    vcores_design         = { assigned = 0 }
    vpcs                  = { assigned = 0 }
    network_connections   = { assigned = 0 }
    managed_gateway_small = { assigned = 0 }
    managed_gateway_large = { assigned = 0 }
  }
}
```
#### Required Arguments

- `name` - The name of the organization.
- `owner_id` - The ID of the organization owner. Changing this forces a new resource.
- `parent_organization_id` - The ID of the parent organization. Changing this forces a new resource.

#### Optional Arguments

- `entitlements` - (Block) Entitlements for the organization. Only declared fields are managed by Terraform. See Nested Schema for `entitlements`.

#### Read-Only Attributes

- `id` - The unique identifier for the organization.
- `client_id` - The client ID associated with the organization.
- `created_at` - The creation timestamp of the organization.
- `deleted_at` - The deletion timestamp of the organization.
- `domain` - The domain of the organization.
- `environments` - (Block List) The environments within the organization.
- `gdot_id` - The GDOT ID of the organization.
- `idprovider_id` - The ID provider ID for the organization.
- `is_automatic_admin_promotion_exempt` - Whether the organization is exempt from automatic admin promotion.
- `is_federated` - Whether the organization is federated.
- `is_master` - Whether the organization is a master organization.
- `is_root` - Whether the organization is a root organization.
- `mfa_required` - Whether MFA is required for the organization.
- `org_type` - The type of the organization.
- `parent_organization_ids` - List of parent organization IDs (ancestor chain).
- `session_timeout` - The session timeout for the organization.
- `sub_organization_ids` - List of sub-organization IDs.
- `subscription` - (Block) The subscription details for the organization.
- `tenant_organization_ids` - List of tenant organization IDs.
- `updated_at` - The last update timestamp of the organization.
#### Nested Schema for entitlements

Only the fields you declare are managed by Terraform. Fields you omit aren't tracked and won't be reverted if the platform changes them.

- `create_environments` - Whether environments can be created. Defaults to `false`.
- `create_sub_orgs` - Whether sub-organizations can be created. Defaults to `false`.
- `global_deployment` - Whether global deployment is enabled. Defaults to `false`.
- `runtime_fabric` - Whether Runtime Fabric is enabled. Master-org-only — ignored on business groups.
- `design_center` - (Block) Design Center entitlement. Master-org-only — ignored on business groups.
  - `api` - Whether API Designer is enabled.
  - `mozart` - Whether Flow Designer (Mozart) is enabled.
- `omni_gateway` - (Block) Omni Gateway entitlement. Master-org-only — ignored on business groups.
  - `enabled` - Whether this feature is enabled.
- `hybrid` - (Block) Hybrid entitlement. Master-org-only — ignored on business groups.
  - `enabled` - Whether this feature is enabled.
- `service_mesh` - (Block) Service Mesh entitlement. Master-org-only — ignored on business groups.
  - `enabled` - Whether this feature is enabled.
- `worker_logging_override` - (Block) Worker logging override entitlement. Master-org-only — ignored on business groups.
  - `enabled` - Whether this feature is enabled.
- `vcores_production` - (Block) Production vCore entitlement.
  - `assigned` - Number of assigned units. Defaults to `0`.
  - `reassigned` - Number of reassigned units. Defaults to `0`.
- `vcores_sandbox` - (Block) Sandbox vCore entitlement.
  - `assigned` - Number of assigned units. Defaults to `0`.
  - `reassigned` - Number of reassigned units. Defaults to `0`.
- `vcores_design` - (Block) Design vCore entitlement.
  - `assigned` - Number of assigned units. Defaults to `0`.
  - `reassigned` - Number of reassigned units. Defaults to `0`.
- `vpcs` - (Block) VPC entitlement.
  - `assigned` - Number of assigned units. Defaults to `0`.
  - `reassigned` - Number of reassigned units. Defaults to `0`.
- `network_connections` - (Block) Network connections entitlement.
  - `assigned` - Number of assigned units. Defaults to `0`.
  - `reassigned` - Number of reassigned units. Defaults to `0`.
- `gateways` - (Block) Gateways entitlement.
  - `assigned` - Number of assigned units.
- `load_balancer` - (Block) Load balancer entitlement.
  - `assigned` - Number of assigned units.
- `managed_gateway_small` - (Block) Managed Gateway (small) entitlement.
  - `assigned` - Number of assigned units.
- `managed_gateway_large` - (Block) Managed Gateway (large) entitlement.
  - `assigned` - Number of assigned units.
- `mq_messages` - (Block) MQ messages entitlement.
  - `base` - Base number of MQ units. Defaults to `0`.
  - `add_on` - Add-on number of MQ units. Defaults to `0`.
- `mq_requests` - (Block) MQ requests entitlement.
  - `base` - Base number of MQ units. Defaults to `0`.
  - `add_on` - Add-on number of MQ units. Defaults to `0`.
#### Nested Schema for environments

> When a new organization is created, Anypoint Platform automatically provisions two environments: Sandbox and Production. These appear in the

- `id` - The environment ID. (Read-Only)
- `name` - The environment name. (Read-Only)
- `organization_id` - The organization ID. (Read-Only)
- `client_id` - The environment client ID. (Read-Only)
- `type` - The environment type. (Read-Only)
- `is_production` - Whether the environment is a production environment. (Read-Only)
- `arc_namespace` - The ARC namespace of the environment. (Optional)

#### Nested Schema for subscription

- `category` - The subscription category. (Read-Only)
- `type` - The subscription type. (Read-Only)
- `expiration` - The subscription expiration date. (Read-Only)
- `justification` - The subscription justification. (Optional)
#### Import

An existing organization can be imported using its organization ID (UUID). Your HCL must declare `name`, `parent_organization_id`, and `owner_id` before importing — those are required attributes. The first `terraform plan` after import refreshes all read-only and optional attributes (including `entitlements`) from the Anypoint API.

`parent_organization_id` is derived from the server-returned ancestor chain (`parent_organization_ids`) on the first refresh. If the derivation doesn't match what you wrote in HCL, update the HCL to match — changing `parent_organization_id` triggers a destroy+recreate.

##### Using an import block (Terraform ≥ 1.5 — recommended)

```hcl
import {
  provider = anypoint.admin
  to       = anypoint_organization.imported
  id       = "<organization_id>"
}

resource "anypoint_organization" "imported" {
  provider               = anypoint.admin
  name                   = "<org_name>"
  parent_organization_id = "<parent_org_id>"
  owner_id               = "<owner_user_id>"
}
```

After adding the import block, run:

```shell
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply
```
### anypoint_team

Use the `anypoint_team` resource to manage teams in Anypoint Platform.

> **Admin provider required:** This is an Access Management resource. It requires the

#### Example Usage

```hcl
# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_team" "example" {
  provider       = anypoint.admin
  team_name      = "Development Team"
  parent_team_id = "root-team-id"
  team_type      = "internal"
}

resource "anypoint_team" "sub_team" {
  provider       = anypoint.admin
  team_name      = "Frontend Team"
  parent_team_id = anypoint_team.example.id
  team_type      = "internal"
}
```
#### Required Arguments

- `team_name` - The name of the team.
- `parent_team_id` - The ID of the parent team.
- `team_type` - The type of the team.

#### Optional Arguments

- `organization_id` - Organization ID where the team will be created. If not provided, the organization ID is inferred from the connected app credentials.

#### Read-Only Attributes

- `id` - The unique identifier for the team.
- `created_at` - The timestamp when the team was created.
- `updated_at` - The timestamp when the team was last updated.
#### Import

An existing team can be imported using its team ID (UUID).

##### Using an import block (Terraform ≥ 1.5 — recommended)

```hcl
import {
  provider = anypoint.admin
  to       = anypoint_team.imported
  id       = "<team_id>"
}

resource "anypoint_team" "imported" {
  provider        = anypoint.admin
  organization_id = "<organization_id>"
  team_name       = "<team_name>"
  team_type       = "internal"
}
```

After adding the import block, run:

```shell
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf

# Or apply the import directly if you have an existing resource block:
terraform apply
```