Access Management Resources

Use Access Management resources to manage organizations, environments, connected applications, scopes, and teams in Anypoint Platform.

Access Management resources require administrative privileges and use the anypoint.admin provider configuration for authentication.

anypoint_connected_app_scopes

Use the anypoint_connected_app_scopes resource to manage scopes for a connected application.

Example

resource "anypoint_connected_app_scopes" "example" {
  provider = anypoint.admin

  connected_app_id = "my-connected-app-id"

  scopes = [
    {
      scope = "admin:cloudhub"
      context_params = {
        org = "your-org-id"
      }
    }
  ]
}

Key Arguments

  • connected_app_id - ID of the connected application.

  • scopes - Scopes assigned to the connected application.

  • scope - Scope name.

  • context_params - Context parameters associated with the scope.

Import

terraform import anypoint_connected_app_scopes.example <connected_app_id>

anypoint_environment

Use the anypoint_environment resource to manage Anypoint Platform environments.

Example

resource "anypoint_environment" "example" {
  provider = anypoint.admin

  name            = "my-sandbox-env"
  type            = "sandbox"
  is_production   = false
  organization_id = "your-org-id"
}

Key Arguments

  • name - Name of the environment.

  • organization_id - Organization ID where the environment is created.

  • type - Environment type. Valid values include design, sandbox, and production.

  • is_production - Indicates whether the environment is a production environment.

  • arc_namespace - ARC namespace associated with the environment.

  • client_id - Client ID associated with the environment.

Import

terraform import anypoint_environment.example <environment_id>

anypoint_organization

Creates and manages an Anypoint Platform organization (business group).

This is an Access Management resource and requires the admin provider (anypoint.admin), which uses admin user credentials along with the client_id and client_secret of a connected app to authenticate on behalf of the user (auth_type = "user"). You must set provider = anypoint.admin on this resource. The default provider (connected app credentials only) does not have sufficient privileges for Access Management operations.

Entitlement State Behaviour

The provider honours user-defined state for entitlements, not platform defaults.

  • If you declare an entitlement field in your Terraform config, the provider manages it: any platform-side change will be reverted on the next apply.

  • If you omit an entitlement field, the provider treats it as unmanaged. Platform-side updates to that field are not reflected in the plan and will not be reverted.

  • Master-org-only entitlements (hybrid, flex_gateway, service_mesh, worker_logging_override, runtime_fabric, design_center) are inherited on sub-orgs and cannot be set via this resource on a business group. They are stripped from API requests to prevent HTTP 403 errors.

Only declare entitlement fields you want Terraform to own. Leave everything else out of your config.

Example

# Admin provider – authenticates on behalf of a user using connected app credentials
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin_client_id
  client_secret = var.anypoint_admin_client_secret
  username      = var.anypoint_admin_username
  password      = var.anypoint_admin_password
  base_url      = var.anypoint_base_url
}

resource "anypoint_organization" "example" {
  provider = anypoint.admin

  name                   = "my-sub-org"
  parent_organization_id = "parent-org-id"
  owner_id               = "owner-user-id"

  entitlements = {
    create_sub_orgs     = false
    create_environments = true
    global_deployment   = false

    vcores_production = {
      assigned = 0
    }

    vcores_sandbox = {
      assigned = 0
    }

    vcores_design = {
      assigned = 0
    }

    vpcs = {
      assigned = 0
    }

    network_connections = {
      assigned = 0
    }

    managed_gateway_small = {
      assigned = 0
    }

    managed_gateway_large = {
      assigned = 0
    }
  }
}

Key Arguments

  • name - (Required) Name of the organization.

  • owner_id - (Required) ID of the organization owner. Changing this forces a new resource.

  • parent_organization_id - (Required) ID of the parent organization. Changing this forces a new resource.

  • entitlements - Entitlements for the organization. Only declared fields are managed by Terraform — omitted fields are left to the platform.

    • create_environments - Whether environments can be created. Defaults to false.

    • create_sub_orgs - Whether sub-organizations can be created. Defaults to false.

    • global_deployment - Whether global deployment is enabled. Defaults to false.

    • runtime_fabric - Whether Runtime Fabric is enabled. Master-org-only — ignored on business groups.

    • design_center - Design Center entitlement. Master-org-only — ignored on business groups.

      • api - Whether API Designer is enabled.

      • mozart - Whether Flow Designer (Mozart) is enabled.

    • flex_gateway - Omni Gateway entitlement. Master-org-only — ignored on business groups.

      • enabled - Whether this feature is enabled.

    • hybrid - Hybrid entitlement. Master-org-only — ignored on business groups.

      • enabled - Whether this feature is enabled.

    • service_mesh - Service Mesh entitlement. Master-org-only — ignored on business groups.

      • enabled - Whether this feature is enabled.

    • worker_logging_override - Worker logging override entitlement. Master-org-only — ignored on business groups.

      • enabled - Whether this feature is enabled.

    • vcores_production - Production vCore entitlement.

      • assigned - Number of assigned units. Defaults to 0.

      • reassigned - Number of reassigned units. Defaults to 0.

    • vcores_sandbox - Sandbox vCore entitlement.

      • assigned - Number of assigned units. Defaults to 0.

      • reassigned - Number of reassigned units. Defaults to 0.

    • vcores_design - Design vCore entitlement.

      • assigned - Number of assigned units. Defaults to 0.

      • reassigned - Number of reassigned units. Defaults to 0.

    • vpcs - VPC entitlement.

      • assigned - Number of assigned units. Defaults to 0.

      • reassigned - Number of reassigned units. Defaults to 0.

    • network_connections - Network connections entitlement.

      • assigned - Number of assigned units. Defaults to 0.

      • reassigned - Number of reassigned units. Defaults to 0.

    • gateways - Gateways entitlement.

      • assigned - Number of assigned units.

    • load_balancer - Load balancer entitlement.

      • assigned - Number of assigned units.

    • managed_gateway_small - Managed Gateway (small) entitlement.

      • assigned - Number of assigned units.

    • managed_gateway_large - Managed Gateway (large) entitlement.

      • assigned - Number of assigned units.

    • mq_messages - MQ messages entitlement.

      • base - Base number of MQ units. Defaults to 0.

      • add_on - Add-on number of MQ units. Defaults to 0.

    • mq_requests - MQ requests entitlement.

      • base - Base number of MQ units. Defaults to 0.

      • add_on - Add-on number of MQ units. Defaults to 0.

static_ips and vpns entitlements are managed server-side by Anypoint and are not settable via Terraform. Configure them through the Anypoint UI or API.

Read-Only Attributes

  • id - Unique identifier for the organization.

  • client_id - Client ID associated with the organization.

  • created_at - Timestamp when the organization was created.

  • deleted_at - Timestamp when the organization was deleted.

  • domain - Domain of the organization.

  • environments - Environments within the organization.

    • id - Environment ID.

    • name - Environment name.

    • organization_id - Organization ID.

    • client_id - Environment client ID.

    • type - Environment type.

    • is_production - Whether the environment is a production environment.

    • arc_namespace - ARC namespace of the environment (optional, manageable).

  • gdot_id - GDOT ID of the organization.

  • idprovider_id - ID provider ID for the organization.

  • is_automatic_admin_promotion_exempt - Whether the organization is exempt from automatic admin promotion.

  • is_federated - Whether the organization is federated.

  • is_master - Whether the organization is a master organization.

  • is_root - Whether the organization is a root organization.

  • mfa_required - Whether MFA is required for the organization.

  • org_type - Type of the organization.

  • parent_organization_ids - List of parent organization IDs (ancestor chain).

  • session_timeout - Session timeout for the organization.

  • sub_organization_ids - List of sub-organization IDs.

  • subscription - Subscription details for the organization.

    • category - Subscription category.

    • type - Subscription type.

    • expiration - Subscription expiration date.

    • justification - Subscription justification (optional, manageable).

  • tenant_organization_ids - List of tenant organization IDs.

  • updated_at - Timestamp when the organization was last updated.

When a new organization is created, Anypoint Platform automatically provisions two environments: Sandbox and Production. These appear in the environments read-only attribute after the first apply and do not need to be declared in your configuration.

Import

terraform import anypoint_organization.example_org 00000000-0000-0000-0000-000000000000

Your HCL must declare name, parent_organization_id, and owner_id before you import — those are required attributes. The first terraform plan after import refreshes all read-only and optional attributes (including entitlements) from the Anypoint API.

parent_organization_id is derived from the server-returned ancestor chain (parent_organization_ids) on the first refresh. If the derivation doesn’t match what you wrote in HCL, update the HCL to match — changing parent_organization_id triggers a destroy and recreate.
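The import procedure above, written with a Terraform 1.5+ declarative import block instead of the terraform import command, as an added example that is not part of the provider's own documentation. It assumes the anypoint.admin provider alias is already configured as in the anypoint_organization example; the organization, parent and owner ids are placeholders to replace with real values. The lifecycle guard is an addition: because a parent_organization_id mismatch after the first refresh would otherwise plan a destroy and recreate of the business group, prevent_destroy turns that into a failed plan you can inspect.

```hcl
# Added example (not from the provider docs): declarative import of an
# existing business group. The organization id is a placeholder.
import {
  to = anypoint_organization.example_org
  id = "00000000-0000-0000-0000-000000000000"
}

# The three required attributes must be declared before the import runs.
# Entitlements are deliberately left out: the first plan after import
# refreshes them from the Anypoint API, and only fields declared here
# become Terraform-owned.
resource "anypoint_organization" "example_org" {
  provider = anypoint.admin

  name                   = "existing-sub-org"          # must match the platform value
  parent_organization_id = "PARENT-ORG-ID-PLACEHOLDER" # checked against parent_organization_ids on first refresh
  owner_id               = "OWNER-USER-ID-PLACEHOLDER"

  lifecycle {
    # If the HCL parent disagrees with the server-derived ancestor chain,
    # fail the plan instead of replacing the organization.
    prevent_destroy = true
  }
}

# Expose the server-derived ancestor chain so the HCL value can be
# compared with it after the first plan.
output "example_org_parent_chain" {
  value = anypoint_organization.example_org.parent_organization_ids
}
```

Run terraform plan: the import is shown alongside any in-place diff. If the plan fails on prevent_destroy, the parent_organization_id in HCL does not match the ancestor chain; correct the HCL value rather than removing the guard.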

anypoint_team

Use the anypoint_team resource to manage teams in Anypoint Platform.

Example

resource "anypoint_team" "example" {
  provider = anypoint.admin

  team_name      = "Development Team"
  parent_team_id = "root-team-id"
  team_type      = "internal"
}

Key Arguments

  • team_name - Name of the team.

  • parent_team_id - ID of the parent team.

  • team_type - Type of the team.

  • organization_id - Organization ID where the team is created.

Read-Only Attributes

  • id - Unique identifier for the team.

  • created_at - Timestamp when the team was created.

  • updated_at - Timestamp when the team was last updated.

Import

terraform import anypoint_team.example <team_id>
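The four resources on this page combined into one configuration, as an added example that is not part of the provider's documentation. It assumes the provider is already listed in required_providers; the parent organization, owner, root team and connected app ids are variables you supply. Credentials for the admin provider are held in a single sensitive object variable so they are redacted from plan output and state diffs, only the entitlements Terraform should own are declared (production vCores pinned to zero, so a platform-side increase is reverted on the next apply), master-org-only entitlements are omitted because the provider strips them on business groups, and the connected app scope is limited to the new business group through context_params instead of being granted at the root organization.

```hcl
# Added example (not from the provider docs): a least-privilege business
# group with one Terraform-owned environment, a team and a scoped app.

variable "anypoint_admin" {
  description = "Admin user plus connected app credentials for the anypoint.admin provider."
  type = object({
    client_id     = string
    client_secret = string
    username      = string
    password      = string
  })
  sensitive = true
}
variable "anypoint_base_url" { type = string }
variable "parent_organization_id" { type = string } # placeholder: your parent org id
variable "owner_id" { type = string }               # placeholder: owning user id
variable "root_team_id" { type = string }           # placeholder: root team id
variable "ci_connected_app_id" { type = string }    # placeholder: connected app id

# Access Management resources require the admin provider (auth_type = "user").
provider "anypoint" {
  alias         = "admin"
  auth_type     = "user"
  client_id     = var.anypoint_admin.client_id
  client_secret = var.anypoint_admin.client_secret
  username      = var.anypoint_admin.username
  password      = var.anypoint_admin.password
  base_url      = var.anypoint_base_url
}

# Only the entitlement fields listed here are managed by Terraform.
# hybrid, runtime_fabric, flex_gateway, service_mesh, design_center and
# worker_logging_override are left out: they are master-org-only and the
# provider strips them from requests on business groups.
resource "anypoint_organization" "team_bg" {
  provider = anypoint.admin

  name                   = "payments-bg"
  parent_organization_id = var.parent_organization_id
  owner_id               = var.owner_id

  entitlements = {
    create_sub_orgs     = false # keep the hierarchy flat
    create_environments = true  # needed for anypoint_environment.dev below
    global_deployment   = false

    vcores_production = {
      assigned = 0 # declared so any platform-side increase is reverted
    }
    vcores_sandbox = {
      assigned = 1 # assumes the parent has a spare sandbox vCore
    }
  }
}

# Additional Terraform-owned sandbox environment. Anypoint also provisions
# Sandbox and Production automatically; those appear in
# anypoint_organization.team_bg.environments and are not declared here.
resource "anypoint_environment" "dev" {
  provider = anypoint.admin

  name            = "dev"
  type            = "sandbox"
  is_production   = false
  organization_id = anypoint_organization.team_bg.id
}

resource "anypoint_team" "developers" {
  provider = anypoint.admin

  team_name       = "payments-developers"
  parent_team_id  = var.root_team_id
  team_type       = "internal"
  organization_id = anypoint_organization.team_bg.id
}

# Grant the CI connected app its scope only within the new business group.
resource "anypoint_connected_app_scopes" "ci" {
  provider = anypoint.admin

  connected_app_id = var.ci_connected_app_id

  scopes = [
    {
      scope = "admin:cloudhub"
      context_params = {
        org = anypoint_organization.team_bg.id
      }
    }
  ]
}
```

Supply the anypoint_admin object from a tfvars file or environment variable that is excluded from version control; because the variable is marked sensitive, Terraform redacts it in plan output, but it is still stored in state, so the state backend needs the same protection as the credentials themselves.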