Provision API hub using Terraform

This page applies to Apigee and Apigee hybrid.

This page explains how to provision API hub using Terraform for Google Cloud in Cloud Shell.

Terraform is an infrastructure-as-code tool that enables you to predictably create, change, and improve your cloud infrastructure by using code. For more information about using Terraform to provision infrastructure on Google Cloud, see Terraform on Google Cloud.

If you prefer to provision API hub using the Google Cloud console, see Provision API hub in the Cloud console.

Before you begin

  1. Prepare your development environment, either Cloud Shell or a local shell:

    Cloud Shell

    To use an online terminal with the gcloud CLI and Terraform already set up, activate Cloud Shell.

    At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.

    Note that Cloud Shell has Terraform already integrated.

    Local shell

    To use a local development environment, follow these steps:

    1. Install the Google Cloud CLI.

    2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    3. To initialize the gcloud CLI, run the following command:

      gcloud init
    4. Install Terraform.
  2. Verify that billing is enabled for your Google Cloud project.

  3. Enable the Cloud Resource Manager and Identity and Access Management (IAM) APIs:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    gcloud services enable cloudresourcemanager.googleapis.com iam.googleapis.com
  4. Ensure that your Google Cloud project doesn't have the Google Cloud Platform - Resource Location Restriction organization policy constraint added.
  5. Optional: Configure VPC Service Controls.

Provision API hub using Terraform

To provision API hub using Terraform, complete the following steps:

  1. Create a Terraform configuration file using the API hub resources.
  2. Deploy the Terraform configuration.

Create a Terraform configuration file

To create a Terraform configuration file and define the API hub resources, do the following:

  • Create a directory and a new Terraform configuration (main.tf) file within that directory. Type the following command, and then press Enter:
    mkdir terraform && cd terraform && cat > main.tf
  • Copy and paste the following configuration into the main.tf file:
  • Create a Google Cloud project and add a delay to allow project creation to complete:
    resource "google_project" "project" {
      name       = "PROJECT_NAME"
      project_id = "PROJECT_ID"
      org_id     = "ORG_ID"
      billing_account = "BILLING_ACCOUNT"
      deletion_policy = "DELETE"
    }
    resource "time_sleep" "wait_60_seconds" {
      create_duration = "60s"
      depends_on = [google_project.project]
    }
              

    Replace the following:

  • Enable the API hub API for your project:
    resource "google_project_service" "apihub_service" {
      # project_id is the attribute exported by the google_project resource above
      project    = google_project.project.project_id
      service    = "apihub.googleapis.com"
      depends_on = [time_sleep.wait_60_seconds]
    }


    Replace the following:

  • Register a host project. A host project is a Google Cloud project in your Apigee organization that you designate as the consumer project for all API hub resources. You can provision only one API hub instance per host project.
    resource "google_apihub_host_project_registration" "apihub_host_project" {
      # All three values are derived from the project created above
      project                      = google_project.project.project_id
      location                     = "HOST_PROJECT_LOCATION"
      host_project_registration_id = google_project.project.project_id
      gcp_project                  = "projects/${google_project.project.project_id}"

      depends_on = [google_project_service.apihub_service]
    }


    Replace the following:

  • Create a service identity for API hub:
    resource "google_project_service_identity" "apihub_service_identity" {
      project = google_project.project.project_id
      service = "apihub.googleapis.com"
    }

    The project ID is read from the google_project resource defined earlier. Replace PROJECT_ID there with the ID of the Google Cloud project.

  • Grant the apihub.admin and apihub.runtimeProjectServiceAgent roles to the API hub default service account:
    resource "google_project_iam_member" "apihub_service_identity_permission" {
      for_each = toset([
        "roles/apihub.admin",
        "roles/apihub.runtimeProjectServiceAgent"
      ])
      # project is a required argument of google_project_iam_member
      project    = google_project.project.project_id
      role       = each.key
      member     = "serviceAccount:${google_project_service_identity.apihub_service_identity.email}"
      depends_on = [google_project_service_identity.apihub_service_identity]
    }

  • Optional: Grant the API hub service identity access to the CMEK key.

    If you plan to provision an API hub instance with customer-managed encryption keys (CMEK), you must enable the Cloud KMS API and grant the API hub service identity access to the CMEK key, as follows:

    Enable the Cloud KMS API:

    resource "google_project_service" "kms_service" {
      project    = google_project.project.project_id
      service    = "cloudkms.googleapis.com"
      depends_on = [time_sleep.wait_60_seconds]
    }

    The project ID is read from the google_project resource defined earlier. Replace PROJECT_ID there with the ID of the Google Cloud project.

    Grant the API hub service identity access to the CMEK key:

    resource "google_project_iam_member" "apihub_service_identity_cmek_permission" {
      project    = google_project.project.project_id
      role       = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
      member     = "serviceAccount:${google_project_service_identity.apihub_service_identity.email}"
      depends_on = [google_project_service_identity.apihub_service_identity]
    }

    The project ID is read from the google_project resource defined earlier. Replace PROJECT_ID there with the ID of the Google Cloud project.

  • Provision an API hub instance:

    Using default GMEK

    resource "google_apihub_api_hub_instance" "apihub-instance-without-search"{
      location = "HUB_LOCATION"
      config {
          disable_search = SEMANTIC_SEARCH_BOOLEAN
      }
    }
                  

    Replace the following:

    Using CMEK

    resource "google_apihub_api_hub_instance" "apihub-instance-search"{
      project = "PROJECT_ID"
      api_hub_instance_id = "API_HUB_INSTANCE_ID"
      description = "DESCRIPTION"
      location = "LOCATION"
      config {
          encryption_type = "CMEK"
          cmek_key_name = "projects/PROJECT_ID/locations/HUB_LOCATION/keyRings/KEY_RING_ID/cryptoKeys/KEY_ID"
          disable_search = SEMANTIC_SEARCH_BOOLEAN
          vertex_location = "VERTEX_AI_LOCATION"
      }
    }
                  

    Replace the following:

  • To save and close the file, press Ctrl+D (or Command+D on macOS).
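
The optional CMEK step above binds roles/cloudkms.cryptoKeyEncrypterDecrypter at the project level, which applies to every key in that project. The following added example (not part of the original page) scopes the same role to the single CMEK key; its blocks take the place of the apihub_service_identity_cmek_permission grant and the "Using CMEK" instance block. The names apihub_cmek_key and apihub_cmek_key_grant are assumptions, and the uppercase placeholders are the page's own.

```hcl
# Added example: key-scoped CMEK grant for the API hub service identity.
# Assumes the key already exists and that the kms_service and
# apihub_service_identity resources from this page are in the same main.tf.

locals {
  # Same key path the page uses for cmek_key_name.
  apihub_cmek_key = "projects/PROJECT_ID/locations/HUB_LOCATION/keyRings/KEY_RING_ID/cryptoKeys/KEY_ID"
}

# Bind the role on this one key instead of on the whole project, so the
# service identity cannot encrypt or decrypt with any other key.
resource "google_kms_crypto_key_iam_member" "apihub_cmek_key_grant" {
  crypto_key_id = local.apihub_cmek_key
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.apihub_service_identity.email}"
  depends_on    = [google_project_service.kms_service]
}

# The CMEK instance references the same key and is created only after
# the key-level grant is in place.
resource "google_apihub_api_hub_instance" "apihub-instance-search" {
  project             = "PROJECT_ID"
  api_hub_instance_id = "API_HUB_INSTANCE_ID"
  description         = "DESCRIPTION"
  location            = "LOCATION"
  config {
    encryption_type = "CMEK"
    cmek_key_name   = local.apihub_cmek_key
    disable_search  = SEMANTIC_SEARCH_BOOLEAN
    vertex_location = "VERTEX_AI_LOCATION"
  }
  depends_on = [google_kms_crypto_key_iam_member.apihub_cmek_key_grant]
}
```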

Deploy the Terraform configuration to provision API hub

    Deploy the Terraform configuration by initializing Terraform, generating the planned changes, and applying these changes. After deploying the Terraform configuration, you can access the API hub instance in the Google Cloud console.

    1. Initialize Terraform in the directory:
      terraform init
    2. Generate the Terraform execution plan based on the current state of your project and the configuration file:
      terraform plan
    3. Apply the plan to provision API hub:
      terraform apply

      If prompted, enter yes to confirm the deployment.

    4. After the deployment is complete, you can access the API hub instance in the Google Cloud console.

    Considerations

    If you have recently deprovisioned API hub, you must wait 7 days before provisioning a new instance in the same Google Cloud project. This is because deprovisioning moves the associated Apigee organization (if any) to a soft-delete state for 7 days, and API hub can only be reprovisioned after the Apigee org is permanently deleted.
