The gcp:apigee/organization:Organization resource, part of the Pulumi GCP provider, provisions the top-level Apigee organization container: its project binding, analytics region, networking mode, and encryption configuration. This guide focuses on three capabilities: VPC peering vs. no-peering deployments, data residency configuration, and customer-managed encryption keys.
Apigee organizations require a GCP project with the Apigee API enabled. Organizations that connect to VPC resources need service networking connections; those with encryption requirements reference Cloud KMS keys. The examples are intentionally small. Combine them with your own VPC infrastructure, KMS keys, and runtime instances.
Create an organization without VPC peering
Teams deploying Apigee in environments where VPC peering isn’t needed can disable it entirely, simplifying networking by removing the requirement for a dedicated VPC.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const org = new gcp.apigee.Organization("org", {
description: "Terraform-provisioned basic Apigee Org without VPC Peering.",
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
disableVpcPeering: true,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
org = gcp.apigee.Organization("org",
description="Terraform-provisioned basic Apigee Org without VPC Peering.",
analytics_region="us-central1",
project_id=current.project,
disable_vpc_peering=True)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = apigee.NewOrganization(ctx, "org", &apigee.OrganizationArgs{
Description: pulumi.String("Terraform-provisioned basic Apigee Org without VPC Peering."),
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
DisableVpcPeering: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var org = new Gcp.Apigee.Organization("org", new()
{
Description = "Terraform-provisioned basic Apigee Org without VPC Peering.",
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
DisableVpcPeering = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var org = new Organization("org", OrganizationArgs.builder()
.description("Terraform-provisioned basic Apigee Org without VPC Peering.")
.analyticsRegion("us-central1")
.projectId(current.project())
.disableVpcPeering(true)
.build());
}
}
resources:
org:
type: gcp:apigee:Organization
properties:
description: Terraform-provisioned basic Apigee Org without VPC Peering.
analyticsRegion: us-central1
projectId: ${current.project}
disableVpcPeering: true
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
Setting disableVpcPeering to true tells Apigee not to establish service networking connections. This is required when you don’t provide an authorizedNetwork. The organization still needs an analyticsRegion for data storage and a projectId to bind the organization to your GCP project.
Connect to a VPC through service networking
Most Apigee deployments connect to backend services running in a VPC. Service networking establishes private connectivity between Apigee runtime instances and your VPC resources.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const org = new gcp.apigee.Organization("org", {
analyticsRegion: "us-central1",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
}, {
dependsOn: [apigeeVpcConnection],
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
org = gcp.apigee.Organization("org",
analytics_region="us-central1",
project_id=current.project,
authorized_network=apigee_network.id,
opts = pulumi.ResourceOptions(depends_on=[apigee_vpc_connection]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
_, err = apigee.NewOrganization(ctx, "org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var org = new Gcp.Apigee.Organization("org", new()
{
AnalyticsRegion = "us-central1",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var org = new Organization("org", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.build(), CustomResourceOptions.builder()
.dependsOn(apigeeVpcConnection)
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
org:
type: gcp:apigee:Organization
properties:
analyticsRegion: us-central1
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
options:
dependsOn:
- ${apigeeVpcConnection}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The servicenetworking.Connection resource peers your VPC with Apigee’s service producer network. You allocate an IP range using GlobalAddress with purpose VPC_PEERING, then reference that range in the connection. The authorizedNetwork property on the organization points to your VPC, enabling Apigee runtime instances to reach private backends. The dependsOn ensures the peering connection completes before creating the organization.
Configure data residency for compliance
Organizations subject to data sovereignty requirements can specify where Apigee stores control plane data, ensuring compliance with regional data protection regulations.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const org = new gcp.apigee.Organization("org", {
description: "Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction.",
projectId: current.then(current => current.project),
apiConsumerDataLocation: "europe-west1",
billingType: "PAYG",
disableVpcPeering: true,
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
org = gcp.apigee.Organization("org",
description="Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction.",
project_id=current.project,
api_consumer_data_location="europe-west1",
billing_type="PAYG",
disable_vpc_peering=True)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = apigee.NewOrganization(ctx, "org", &apigee.OrganizationArgs{
Description: pulumi.String("Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction."),
ProjectId: pulumi.String(current.Project),
ApiConsumerDataLocation: pulumi.String("europe-west1"),
BillingType: pulumi.String("PAYG"),
DisableVpcPeering: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var org = new Gcp.Apigee.Organization("org", new()
{
Description = "Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction.",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
ApiConsumerDataLocation = "europe-west1",
BillingType = "PAYG",
DisableVpcPeering = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var org = new Organization("org", OrganizationArgs.builder()
.description("Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction.")
.projectId(current.project())
.apiConsumerDataLocation("europe-west1")
.billingType("PAYG")
.disableVpcPeering(true)
.build());
}
}
resources:
org:
type: gcp:apigee:Organization
properties:
description: Terraform-provisioned basic Apigee Org under European Union hosting jurisdiction.
projectId: ${current.project}
apiConsumerDataLocation: europe-west1
billingType: PAYG
disableVpcPeering: true
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The apiConsumerDataLocation property controls where Apigee stores control plane data. Setting it to “europe-west1” ensures data stays within the European Union. This example also sets billingType to “PAYG” (pay-as-you-go) and disables VPC peering, creating a minimal organization focused on data residency.
Encrypt runtime data with customer-managed keys
Regulated industries often require customer-managed encryption keys for data at rest. Apigee can encrypt runtime database data using Cloud KMS keys you control.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
const apigeeNetwork = new gcp.compute.Network("apigee_network", {name: "apigee-network"});
const apigeeRange = new gcp.compute.GlobalAddress("apigee_range", {
name: "apigee-range",
purpose: "VPC_PEERING",
addressType: "INTERNAL",
prefixLength: 16,
network: apigeeNetwork.id,
});
const apigeeVpcConnection = new gcp.servicenetworking.Connection("apigee_vpc_connection", {
network: apigeeNetwork.id,
service: "servicenetworking.googleapis.com",
reservedPeeringRanges: [apigeeRange.name],
});
const apigeeKeyring = new gcp.kms.KeyRing("apigee_keyring", {
name: "apigee-keyring",
location: "us-central1",
});
const apigeeKey = new gcp.kms.CryptoKey("apigee_key", {
name: "apigee-key",
keyRing: apigeeKeyring.id,
});
const apigeeSa = new gcp.projects.ServiceIdentity("apigee_sa", {
project: project.projectId,
service: apigee.service,
});
const apigeeSaKeyuser = new gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser", {
cryptoKeyId: apigeeKey.id,
role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
member: apigeeSa.member,
});
const org = new gcp.apigee.Organization("org", {
analyticsRegion: "us-central1",
displayName: "apigee-org",
description: "Auto-provisioned Apigee Org.",
projectId: current.then(current => current.project),
authorizedNetwork: apigeeNetwork.id,
runtimeDatabaseEncryptionKeyName: apigeeKey.id,
}, {
dependsOn: [
apigeeVpcConnection,
apigeeSaKeyuser,
],
});
import pulumi
import pulumi_gcp as gcp
current = gcp.organizations.get_client_config()
apigee_network = gcp.compute.Network("apigee_network", name="apigee-network")
apigee_range = gcp.compute.GlobalAddress("apigee_range",
name="apigee-range",
purpose="VPC_PEERING",
address_type="INTERNAL",
prefix_length=16,
network=apigee_network.id)
apigee_vpc_connection = gcp.servicenetworking.Connection("apigee_vpc_connection",
network=apigee_network.id,
service="servicenetworking.googleapis.com",
reserved_peering_ranges=[apigee_range.name])
apigee_keyring = gcp.kms.KeyRing("apigee_keyring",
name="apigee-keyring",
location="us-central1")
apigee_key = gcp.kms.CryptoKey("apigee_key",
name="apigee-key",
key_ring=apigee_keyring.id)
apigee_sa = gcp.projects.ServiceIdentity("apigee_sa",
project=project["projectId"],
service=apigee["service"])
apigee_sa_keyuser = gcp.kms.CryptoKeyIAMMember("apigee_sa_keyuser",
crypto_key_id=apigee_key.id,
role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
member=apigee_sa.member)
org = gcp.apigee.Organization("org",
analytics_region="us-central1",
display_name="apigee-org",
description="Auto-provisioned Apigee Org.",
project_id=current.project,
authorized_network=apigee_network.id,
runtime_database_encryption_key_name=apigee_key.id,
opts = pulumi.ResourceOptions(depends_on=[
apigee_vpc_connection,
apigee_sa_keyuser,
]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/servicenetworking"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := organizations.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
apigeeNetwork, err := compute.NewNetwork(ctx, "apigee_network", &compute.NetworkArgs{
Name: pulumi.String("apigee-network"),
})
if err != nil {
return err
}
apigeeRange, err := compute.NewGlobalAddress(ctx, "apigee_range", &compute.GlobalAddressArgs{
Name: pulumi.String("apigee-range"),
Purpose: pulumi.String("VPC_PEERING"),
AddressType: pulumi.String("INTERNAL"),
PrefixLength: pulumi.Int(16),
Network: apigeeNetwork.ID(),
})
if err != nil {
return err
}
apigeeVpcConnection, err := servicenetworking.NewConnection(ctx, "apigee_vpc_connection", &servicenetworking.ConnectionArgs{
Network: apigeeNetwork.ID(),
Service: pulumi.String("servicenetworking.googleapis.com"),
ReservedPeeringRanges: pulumi.StringArray{
apigeeRange.Name,
},
})
if err != nil {
return err
}
apigeeKeyring, err := kms.NewKeyRing(ctx, "apigee_keyring", &kms.KeyRingArgs{
Name: pulumi.String("apigee-keyring"),
Location: pulumi.String("us-central1"),
})
if err != nil {
return err
}
apigeeKey, err := kms.NewCryptoKey(ctx, "apigee_key", &kms.CryptoKeyArgs{
Name: pulumi.String("apigee-key"),
KeyRing: apigeeKeyring.ID(),
})
if err != nil {
return err
}
apigeeSa, err := projects.NewServiceIdentity(ctx, "apigee_sa", &projects.ServiceIdentityArgs{
Project: pulumi.Any(project.ProjectId),
Service: pulumi.Any(apigee.Service),
})
if err != nil {
return err
}
apigeeSaKeyuser, err := kms.NewCryptoKeyIAMMember(ctx, "apigee_sa_keyuser", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: apigeeKey.ID(),
Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
Member: apigeeSa.Member,
})
if err != nil {
return err
}
_, err = apigee.NewOrganization(ctx, "org", &apigee.OrganizationArgs{
AnalyticsRegion: pulumi.String("us-central1"),
DisplayName: pulumi.String("apigee-org"),
Description: pulumi.String("Auto-provisioned Apigee Org."),
ProjectId: pulumi.String(current.Project),
AuthorizedNetwork: apigeeNetwork.ID(),
RuntimeDatabaseEncryptionKeyName: apigeeKey.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
apigeeVpcConnection,
apigeeSaKeyuser,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var current = Gcp.Organizations.GetClientConfig.Invoke();
var apigeeNetwork = new Gcp.Compute.Network("apigee_network", new()
{
Name = "apigee-network",
});
var apigeeRange = new Gcp.Compute.GlobalAddress("apigee_range", new()
{
Name = "apigee-range",
Purpose = "VPC_PEERING",
AddressType = "INTERNAL",
PrefixLength = 16,
Network = apigeeNetwork.Id,
});
var apigeeVpcConnection = new Gcp.ServiceNetworking.Connection("apigee_vpc_connection", new()
{
Network = apigeeNetwork.Id,
Service = "servicenetworking.googleapis.com",
ReservedPeeringRanges = new[]
{
apigeeRange.Name,
},
});
var apigeeKeyring = new Gcp.Kms.KeyRing("apigee_keyring", new()
{
Name = "apigee-keyring",
Location = "us-central1",
});
var apigeeKey = new Gcp.Kms.CryptoKey("apigee_key", new()
{
Name = "apigee-key",
KeyRing = apigeeKeyring.Id,
});
var apigeeSa = new Gcp.Projects.ServiceIdentity("apigee_sa", new()
{
Project = project.ProjectId,
Service = apigee.Service,
});
var apigeeSaKeyuser = new Gcp.Kms.CryptoKeyIAMMember("apigee_sa_keyuser", new()
{
CryptoKeyId = apigeeKey.Id,
Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Member = apigeeSa.Member,
});
var org = new Gcp.Apigee.Organization("org", new()
{
AnalyticsRegion = "us-central1",
DisplayName = "apigee-org",
Description = "Auto-provisioned Apigee Org.",
ProjectId = current.Apply(getClientConfigResult => getClientConfigResult.Project),
AuthorizedNetwork = apigeeNetwork.Id,
RuntimeDatabaseEncryptionKeyName = apigeeKey.Id,
}, new CustomResourceOptions
{
DependsOn =
{
apigeeVpcConnection,
apigeeSaKeyuser,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.GlobalAddress;
import com.pulumi.gcp.compute.GlobalAddressArgs;
import com.pulumi.gcp.servicenetworking.Connection;
import com.pulumi.gcp.servicenetworking.ConnectionArgs;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.apigee.Organization;
import com.pulumi.gcp.apigee.OrganizationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = OrganizationsFunctions.getClientConfig(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);
var apigeeNetwork = new Network("apigeeNetwork", NetworkArgs.builder()
.name("apigee-network")
.build());
var apigeeRange = new GlobalAddress("apigeeRange", GlobalAddressArgs.builder()
.name("apigee-range")
.purpose("VPC_PEERING")
.addressType("INTERNAL")
.prefixLength(16)
.network(apigeeNetwork.id())
.build());
var apigeeVpcConnection = new Connection("apigeeVpcConnection", ConnectionArgs.builder()
.network(apigeeNetwork.id())
.service("servicenetworking.googleapis.com")
.reservedPeeringRanges(apigeeRange.name())
.build());
var apigeeKeyring = new KeyRing("apigeeKeyring", KeyRingArgs.builder()
.name("apigee-keyring")
.location("us-central1")
.build());
var apigeeKey = new CryptoKey("apigeeKey", CryptoKeyArgs.builder()
.name("apigee-key")
.keyRing(apigeeKeyring.id())
.build());
var apigeeSa = new ServiceIdentity("apigeeSa", ServiceIdentityArgs.builder()
.project(project.projectId())
.service(apigee.service())
.build());
var apigeeSaKeyuser = new CryptoKeyIAMMember("apigeeSaKeyuser", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(apigeeKey.id())
.role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
.member(apigeeSa.member())
.build());
var org = new Organization("org", OrganizationArgs.builder()
.analyticsRegion("us-central1")
.displayName("apigee-org")
.description("Auto-provisioned Apigee Org.")
.projectId(current.project())
.authorizedNetwork(apigeeNetwork.id())
.runtimeDatabaseEncryptionKeyName(apigeeKey.id())
.build(), CustomResourceOptions.builder()
.dependsOn(
apigeeVpcConnection,
apigeeSaKeyuser)
.build());
}
}
resources:
apigeeNetwork:
type: gcp:compute:Network
name: apigee_network
properties:
name: apigee-network
apigeeRange:
type: gcp:compute:GlobalAddress
name: apigee_range
properties:
name: apigee-range
purpose: VPC_PEERING
addressType: INTERNAL
prefixLength: 16
network: ${apigeeNetwork.id}
apigeeVpcConnection:
type: gcp:servicenetworking:Connection
name: apigee_vpc_connection
properties:
network: ${apigeeNetwork.id}
service: servicenetworking.googleapis.com
reservedPeeringRanges:
- ${apigeeRange.name}
apigeeKeyring:
type: gcp:kms:KeyRing
name: apigee_keyring
properties:
name: apigee-keyring
location: us-central1
apigeeKey:
type: gcp:kms:CryptoKey
name: apigee_key
properties:
name: apigee-key
keyRing: ${apigeeKeyring.id}
apigeeSa:
type: gcp:projects:ServiceIdentity
name: apigee_sa
properties:
project: ${project.projectId}
service: ${apigee.service}
apigeeSaKeyuser:
type: gcp:kms:CryptoKeyIAMMember
name: apigee_sa_keyuser
properties:
cryptoKeyId: ${apigeeKey.id}
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
member: ${apigeeSa.member}
org:
type: gcp:apigee:Organization
properties:
analyticsRegion: us-central1
displayName: apigee-org
description: Auto-provisioned Apigee Org.
projectId: ${current.project}
authorizedNetwork: ${apigeeNetwork.id}
runtimeDatabaseEncryptionKeyName: ${apigeeKey.id}
options:
dependsOn:
- ${apigeeVpcConnection}
- ${apigeeSaKeyuser}
variables:
current:
fn::invoke:
function: gcp:organizations:getClientConfig
arguments: {}
The runtimeDatabaseEncryptionKeyName property points to a Cloud KMS crypto key. Before creating the organization, you must grant the Apigee service account the cloudkms.cryptoKeyEncrypterDecrypter role on that key. The ServiceIdentity resource retrieves the Apigee service account, and CryptoKeyIAMMember grants the necessary permissions. The dependsOn array ensures both the VPC peering and IAM binding complete before organization creation.
Beyond these examples
These snippets focus on specific organization-level features: VPC peering and service networking, data residency configuration, and customer-managed encryption keys. They’re intentionally minimal rather than full Apigee deployments.
The examples may reference pre-existing infrastructure such as GCP projects with the Apigee API enabled, and Cloud KMS key rings and crypto keys for encryption examples. They focus on configuring the organization rather than provisioning runtime instances or API proxies.
To keep things focused, common organization patterns are omitted, including:
- Control plane encryption keys (controlPlaneEncryptionKeyName)
- API consumer data encryption (apiConsumerDataEncryptionKeyName)
- Organization properties and custom metadata
- Hybrid runtime deployments (runtimeType: HYBRID)
- Retention policies for soft-deleted organizations
These omissions are intentional: the goal is to illustrate how each organization feature is wired, not provide drop-in API management platforms. See the Apigee Organization resource reference for all available configuration options.
Let's create GCP Apigee Organizations
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Networking & VPC Peering
Do I need VPC peering for my Apigee organization?
No, VPC peering is optional. If you don’t provide an
authorizedNetwork, you must set disableVpcPeering to true. VPC peering is only required if you need to access private resources in your VPC.How do I set up VPC peering for my Apigee organization?
Create a
gcp.compute.Network, gcp.compute.GlobalAddress with purpose: "VPC_PEERING", and gcp.servicenetworking.Connection. Then set authorizedNetwork to the network ID and use dependsOn to ensure the connection completes first.When can I update networking configuration like authorizedNetwork or disableVpcPeering?
You can only update
authorizedNetwork or disableVpcPeering when there are no runtime instances. Remove all runtime instances before making networking changes.Encryption & Security
How do I enable Cloud KMS encryption for my organization?
Create a
gcp.kms.KeyRing and gcp.kms.CryptoKey, then grant the Apigee service identity the roles/cloudkms.cryptoKeyEncrypterDecrypter role using gcp.kms.CryptoKeyIAMMember. Set runtimeDatabaseEncryptionKeyName to the key ID and use dependsOn to ensure the IAM binding completes first.Can I change encryption keys after creating the organization?
No,
runtimeDatabaseEncryptionKeyName is immutable and cannot be updated after the organization is created.Data Residency & Regions
How do I configure data residency for a specific region?
Set
apiConsumerDataLocation to your desired region (e.g., "europe-west1") and use billingType: "PAYG". This ensures control plane data is stored in a single region for compliance.What's the difference between analyticsRegion and apiConsumerDataLocation?
analyticsRegion determines where analytics data is stored, while apiConsumerDataLocation specifies the single region for control plane data. Use apiConsumerDataLocation for non-default data residency requirements.Configuration & Immutability
What properties are immutable after creating the organization?
The following properties cannot be changed after creation:
billingType, projectId, analyticsRegion, apiConsumerDataLocation, apiConsumerDataEncryptionKeyName, controlPlaneEncryptionKeyName, runtimeDatabaseEncryptionKeyName, and runtimeType.Why do I need dependsOn when creating an organization?
Use
dependsOn to ensure prerequisite resources are fully created before the organization. For VPC peering, depend on the servicenetworking.Connection. For KMS encryption, depend on the kms.CryptoKeyIAMMember that grants permissions.Using a different cloud?
Explore integration guides for other cloud providers: