Provision API hub using Terraform

This page applies to Apigee and Apigee hybrid.

This page explains how to provision API hub using Terraform for Google Cloud in Cloud Shell.

Terraform is an infrastructure-as-code tool that enables you to predictably create, change, and improve your cloud infrastructure by using code. For more information about using Terraform to provision infrastructure on Google Cloud, see Terraform on Google Cloud.

If you prefer to provision API hub using Google Cloud console, see Provision API hub in the Cloud console .

Before you begin

Prepare your development environment, either Cloud Shell or a local shell:

Cloud Shell

To use an online terminal with the gcloud CLI and Terraform already set up, activate Cloud Shell.

At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.

Note that Cloud Shell has Terraform already integrated.
Local shell

To use a local development environment, follow these steps:
1. Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
```
gcloud init
```
Install Terraform.

To create a Terraform configuration file and define the API hub resources, do the following:

Create a directory and a new Terraform configuration (main.tf) file within that directory. Type the following command, and then press Enter:

mkdir terraform && cd terraform && cat > main.tf

Copy and paste the following configuration into the main.tf file:

Create a Google Cloud project and provide a latency to allow project creation:

resource "google_project" "project" {
  name       = "PROJECT_NAME"
  project_id = "PROJECT_ID"
  org_id     = "ORG_ID"
  billing_account = "BILLING_ACCOUNT"
  deletion_policy = "DELETE"
}
resource "time_sleep" "wait_60_seconds" {
  create_duration = "60s"
  depends_on = [google_project.project]
}

Replace the following:

PROJECT_NAME: the name of the Google Cloud project.
PROJECT_ID: the ID of the Google Cloud project.
ORG_ID: the ID of the Apigee organization.
BILLING_ACCOUNT: the billing account for the project.

Enable the API hub API for your project:

resource "google_project_service" "apihub_service" {
  project = google_project.project.PROJECT_ID
  service = "apihub.googleapis.com"
  depends_on = [time_sleep.wait_60_seconds]
}

Replace the following:

PROJECT_ID: the ID of the Google Cloud project.

Register a host project. A host project is a Google Cloud project in your Apigee organization that you designate as the consumer project for all API hub resources. You can provision only one API hub instance per host project.

resource "google_apihub_host_project_registration" "apihub_host_project"{
  project = google_project.project.PROJECT_ID
  location = "HOST_PROJECT_LOCATION"
  host_project_registration_id = google_project.project.PROJECT_ID
  gcp_project = "projects/${google_project.project.PROJECT_ID}"
          
  depends_on = [google_project_service.apihub_service]
}

Replace the following:

PROJECT_ID: the ID of the Google Cloud project.
HOST_PROJECT_LOCATION: the location of the API hub host project.

Create a service identity for API hub:

resource "google_project_service_identity" "apihub_service_identity" {
  project  = google_project.project.PROJECT_ID
  service  = "apihub.googleapis.com"
}

Replace PROJECT_ID with the ID of the Google Cloud project.

Grant the apihub.admin and apihub.runtimeProjectServiceAgent roles to the API hub default service account:

resource "google_project_iam_member" "apihub_service_identity_permission" {
  for_each = toset([
    "roles/apihub.admin",
    "roles/apihub.runtimeProjectServiceAgent"
  ])
  role    = each.key
  member  = "serviceAccount:${google_project_service_identity.apihub_service_identity.email}"
  depends_on = [google_project_service_identity.apihub_service_identity]
}

Optional: Grant the API hub service identity access to the CMEK key.

If you plan to provision an API hub instance with Custom Managed Encryption Keys (CMEK), you must enable the Cloud KMS API and grant the API hub service identity access to the CMEK key using:

Enable the Cloud KMS API:

resource "google_project_service" "kms_service" {
  project = google_project.project.PROJECT_ID
  service = "cloudkms.googleapis.com"
  depends_on = [time_sleep.wait_60_seconds]
}

Replace PROJECT_ID with the ID of the Google Cloud project.

Grant the API hub service identity access to the CMEK key:

resource "google_project_iam_member" "apihub_service_identity_cmek_permission" {
  project    = google_project.project.PROJECT_ID
  role       = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member     = "serviceAccount:${google_project_service_identity.apihub_service_identity.email}"
  depends_on = [google_project_service_identity.apihub_service_identity]
}

Replace PROJECT_ID with the ID of the Google Cloud project.

Provision an API hub instance:

Using default GMEK

resource "google_apihub_api_hub_instance" "apihub-instance-without-search"{
  location = "HUB_LOCATION"
  config {
      disable_search = SEMANTIC_SEARCH_BOOLEAN
  }
}

Replace the following:

HUB_LOCATION: the location of the API hub instance.
SEMANTIC_SEARCH_BOOLEAN: false if you want to enable semantic search, true otherwise. For information about semantic search, see Search APIs.

Using CMEK

resource "google_apihub_api_hub_instance" "apihub-instance-search"{
  project = "PROJECT_ID"
  api_hub_instance_id = "API_HUB_INSTANCE_ID"
  description = "DESCRIPTION"
  location = "LOCATION"
  config {
      encryption_type = "CMEK"
      cmek_key_name = "projects/PROJECT_ID/locations/HUB_LOCATION/keyRings/KEY_RING_ID/cryptoKeys/KEY_ID"
      disable_search = SEMANTIC_SEARCH_BOOLEAN
      vertex_location = "VERTEX_AI_LOCATION"
  }
}

Replace the following:

PROJECT_ID: the ID of the Google Cloud project.
API_HUB_INSTANCE_ID: the ID of the API hub instance.
DESCRIPTION: a description of the API hub instance.
HUB_LOCATION: the location of the API hub instance.
KEY_RING_ID: the ID of the CMEK key ring.
KEY_ID: the ID of the CMEK key.
SEMANTIC_SEARCH_BOOLEAN: false if you want to enable semantic search, true otherwise. For information about semantic search, see Search APIs.
VERTEX_AI_LOCATION: the location of the Vertex AI instance where the data is stored. See Vertex AI Locations for a list of supported locations.

Deploy the Terraform configuration by initializing Terraform, generating the planned changes, and applying these changes. After deploying the Terraform configuration, you can access the API hub instance in the Google Cloud console.

If you have recently deprovisioned API hub, you must wait 7 days before provisioning a new instance in the same Google Cloud project. This is because deprovisioning moves the associated Apigee organization (if any) to a soft-delete state for 7 days, and API hub can only be reprovisioned after the Apigee org is permanently deleted.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-23 UTC.