API Gateway (OpenAPI 2.0)

gcp-api-gateway

A serverless API Gateway fronting an OpenAPI 2.0 (Swagger) spec: the API, an immutable API config that carries the spec, and a managed gateway. A dedicated gateway service account is created and set as the backend identity (instead of the default compute SA), so calls to authenticated backends are made as a least-privilege principal. The OpenAPI document is embedded inline (base64-encoded) and the module ships a minimal valid default — a single GET /hello — so it deploys standalone with no real backend. Works with Terraform and OpenTofu (>= 1.6).

Provider note: API Gateway resources (google_api_gateway_*) are only available in the google-beta provider. The module requires google-beta and sets project/region explicitly on every resource, so it works with an implicit/default google-beta provider configuration (ADC credentials) — you do not need a separate provider block when the gateway is the only beta resource.

What you get per module call:

• An API Gateway API + immutable API config + deployed gateway
• An inline, base64-encoded OpenAPI 2.0 document (built-in default or your own)
• A dedicated gateway backend service account (least privilege)
• create_before_destroy on the immutable config so spec changes roll forward

Requirements

Requirement	Version
Terraform / OpenTofu	>= 1.6
hashicorp/google	>= 7.0, < 8.0
hashicorp/google-beta	>= 7.0, < 8.0

The API Gateway (apigateway.googleapis.com), Service Management (servicemanagement.googleapis.com) and Service Control (servicecontrol.googleapis.com) APIs must be enabled on the project.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).