Add Apigee Spaces resource to set fine-grained permission on API proxies, etc #23796

@sho-abe

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

Please add an "Apigee Spaces" resource for Apigee.
Apigee Spaces enables fine-grained permission configuration to manage API proxies.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows and API products.

You can create multiple Spaces in the same organization for different teams, development projects, or environments and set the IAM controls for each Space. Any API resources created under a Space will inherit the IAM policies applied to that Space.

New or Affected Resource(s)

New resources

  • google_apigee_space
  • google_apigee_space_iam_policy
  • google_apigee_space_iam_binding
  • google_apigee_space_iam_member

Affected resources

  • google_apigee_api
  • google_apigee_api_product
  • google_apigee_shared_flow

Potential Terraform Configuration

Create Apigee Space

data "google_client_config" "current" {}

resource "google_compute_network" "apigee_network" {
  name = "apigee-network"
}

resource "google_compute_global_address" "apigee_range" {
  name          = "apigee-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.apigee_network.id
}

resource "google_service_networking_connection" "apigee_vpc_connection" {
  network                 = google_compute_network.apigee_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.apigee_range.name]
}

resource "google_apigee_organization" "apigee_org" {
  analytics_region   = "us-central1"
  project_id         = data.google_client_config.current.project
  authorized_network = google_compute_network.apigee_network.id
  depends_on         = [google_service_networking_connection.apigee_vpc_connection]
}

resource "google_apigee_space" "apigee_space" {
  org_id       = google_apigee_organization.apigee_org.id
  name         = "red"
  display_name = "Red Space"
}

Manage API proxies in a Space

resource "google_apigee_space" "apigee_space" {
  org_id       = var.org_id
  name         = "example"
  display_name = "Example Space"
}

data "archive_file" "bundle" {
  type             = "zip"
  source_dir       = "${path.module}/bundle"
  output_path      = "${path.module}/bundle.zip"
  output_file_mode = "0644"
}

resource "google_apigee_api" "api_proxy" {
  name          = "proxy1"
  org_id        = var.org_id
  space         = google_apigee_space.apigee_space.id
  config_bundle = data.archive_file.bundle.output_path
}

resource "google_apigee_space" "apigee_space" {
  org_id       = var.org_id
  name         = "example"
  display_name = "Example Space"
}

resource "google_apigee_space_iam_member" "member" {
  org_id = var.org_id
  # Reference the Space declared above (no google_apigee_environment resource is defined here)
  space  = google_apigee_space.apigee_space.id
  role   = "roles/apigee.spaceContentEditor"
  member = "user:[email protected]"
}

References

b/436279257
