Best practices for common backend authentication

Hello, I'm looking for best-practice information for my use case:

- I have a backend that exposes APIs with Basic authentication: it is a service token, and it only changes depending on the environment

- I have secured proxy APIs (OAuth2) which call these services

What are the best practices to make my Basic authentication generic and configurable per environment? Should I do a Shared Flow? Where can I store my token per environment? (For example, if I have to change the token, I want to do it only once.)

Thanks ! 

ACCEPTED SOLUTION

Hello

On my side, I also have a backend that requires Basic AuthN (and IP whitelisting as well). To make it configurable per environment, I use a Target Server object and a KVM.

The Target Server holds the protocol and URL information. The KVM holds the credentials. Then, in the Target Endpoint PreFlow, there is a KVM Operations policy to retrieve the values, and an Assign Message policy to set the Basic AuthN header.

In some cases my KVM stores the base64-encoded value; sometimes it stores the username and password, but in that case I also added a Python policy to encode them into base64.

Arnaud

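The wiring Arnaud describes (a KVM Operations Get, then the Basic header set on the target request, with a Python policy doing the base64 step when the KVM holds username and password separately), as an added example. This is not Arnaud's policy and not Apigee code. The flow variable names kvm.target.username, kvm.target.password and kvm.target.basic_b64 are assumptions, chosen to look like what a KeyValueMapOperations Get would populate; inside an Apigee PythonScript policy the flow object is supplied by the runtime, and outside it only the helper functions run. It also covers two things the post does not show: stripping whitespace that is often pasted into a KVM value with the credential, and rejecting a user-id containing a colon, which RFC 7617 forbids because the backend splits on the first colon.

```python
"""Build the HTTP Basic Authorization header from credentials read out of a KVM.

Added example (not Arnaud's policy, not Apigee's code). Assumed flow variables:
  kvm.target.username / kvm.target.password  - set by a KeyValueMapOperations Get
  kvm.target.basic_b64                       - variant: value already base64-encoded
In an Apigee PythonScript policy the `flow` object is injected by the runtime;
the code below only touches it when it exists, so the functions run stand-alone.
"""
import base64
import re

# Loose check for a base64 string (RFC 4648 alphabet, optional '=' padding).
_B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def basic_credentials(username, password):
    """Return the base64 token for 'username:password' (RFC 7617).

    Values stored in a KVM are often pasted with a trailing newline or space;
    that whitespace would silently corrupt the token, so it is stripped here.
    A colon in the user-id is forbidden by RFC 7617 (the backend splits on the
    first colon), so it is rejected instead of producing a token that cannot work.
    """
    if username is None or password is None:
        raise ValueError("missing username or password (check the KVM keys)")
    username = username.strip()
    password = password.strip()
    if not username:
        raise ValueError("empty username")
    if ':' in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    raw = ('%s:%s' % (username, password)).encode('utf-8')
    return base64.b64encode(raw).decode('ascii')


def authorization_header(username=None, password=None, encoded=None):
    """Return the full 'Basic <token>' header value.

    `encoded` is the KVM variant that already holds the base64 token. It is
    validated (whitespace stripped, alphabet checked, must decode to 'user:pass')
    so a typo in the KVM entry is caught in the proxy rather than surfacing as a
    bare 401 from the backend.
    """
    if encoded is not None:
        token = encoded.strip()
        if not _B64_RE.match(token):
            raise ValueError("stored credential is not valid base64")
        try:
            decoded = base64.b64decode(token).decode('utf-8', 'replace')
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError("stored credential is not valid base64")
        if ':' not in decoded:
            raise ValueError("stored credential does not decode to 'user:password'")
        return 'Basic ' + token
    return 'Basic ' + basic_credentials(username, password)


def redact(header_value):
    """Value safe for trace/debug output: never log the credential itself."""
    return header_value[:6] + '...' + header_value[-4:] if len(header_value) > 10 else '...'


# Policy entry point: runs only inside the PythonScript policy, where `flow` exists.
try:
    flow  # noqa: F821 (injected by the Apigee PythonScript runtime)
except NameError:
    flow = None

if flow is not None:
    _b64 = flow.getVariable('kvm.target.basic_b64')   # assumed variable name
    if _b64:
        _hdr = authorization_header(encoded=_b64)
    else:
        _hdr = authorization_header(flow.getVariable('kvm.target.username'),   # assumed
                                    flow.getVariable('kvm.target.password'))  # assumed
    # Header goes on the target request; the 'private.' prefix keeps the hint
    # masked in a debug/trace session.
    flow.setVariable('request.header.Authorization', _hdr)
    flow.setVariable('private.basic_auth_hint', redact(_hdr))
```

If the KVM holds username and password separately, the Assign Message policy Arnaud mentions is still needed only when you prefer not to set the header from the script; with the script in place it can be dropped from that path.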

9 REPLIES

Thank you for your reply.

I also imagined a system like this; it seems to be the only solution. But does the KVM allow managing different values depending on the environment? (I haven't used KVMs yet, but according to the documentation I have the impression that there are several scopes.)

Yes, that's the purpose of the KVM: you develop your policies saying "read the KEY x in KVM z", and then, when you deploy it to multiple environments, you don't need to change it.

In parallel, you create a KVM with keys. And each key will have one value per environment.

Thank you for this response Arnaud.

Still a question about KVMs: from the UI it is possible to create a KVM but not to add values to it. Browsing the forum, I have the impression that you have to use a proxy to manipulate the KVMs; is that how you proceed?

So, you are using Apigee X 🙂

It was possible in Apigee Edge, but not in X.

However, since June 2nd, you can use the Apigee API for that:

$ AUTH=$(gcloud auth print-access-token)

$ curl -X POST \
-H "Authorization: Bearer $AUTH" \
-H "Content-Type: application/json" \
-d '{"name":"KeyName","value":"KeyValue"}' \
"https://apigee.googleapis.com/v1/organizations/<yourOrg>/environments/<yourEnv>/keyvaluemaps/<yourKVM>/entries"

$ #To check the results
$ curl -X GET -H "Authorization: Bearer $AUTH" \
"https://apigee.googleapis.com/v1/organizations/<yourOrg>/environments/<yourEnv>/keyvaluemaps/<yourKVM>/entries"


API Documentation: https://cloud.google.com/apigee/docs/reference/apis/apigee/rest#rest-resource:-v1.organizations.keyv...

OK I understand.

Which would mean that adding and changing values has to go through the Apigee API. Weird not to have this possibility from the UI; do you know the reason?

You can find some explanations in this post, and more detail in the link shared by @davorm.

Until June, I played with the KVM Operations proxy shared by Google. But it is not required anymore.

The sackmesser tool does not offer this for the moment. In the meantime, I'm currently working (no joke, that was my activity for the last few days) on a script that could help:

$ cat dev-kvm1.json
{
    "name": "KV-Test-Arnaduga",
    "organization": "myOrganizationName",
    "environment": "dev",
    "keys": [
        {
            "name": "myFirstKey",
            "value": "whatAWonderfulValue"
        },
        {
            "name": "myKey2",
            "value": "AnotherValue"
        }
    ]
}

$ ./kvm-terraforming.sh ./dev-kvm1.json
[INFO] Checking dependencies
[INFO] Found in file: KV-Test-Arnaduga // myOrganizationName // dev
[INFO] Getting GCloud credentials
[INFO] The KVM does NOT exist. Requesting creation.
[INFO] Keyvaluemap KV-Test-Arnaduga successfully created.
[INFO] Processing keys for myOrganizationName // dev // KV-Test-Arnaduga
[INFO] Creation key 'myFirstKey' with value 'whatA...' (hidden for confidentiality)
[INFO] Keys 'myFirstKey': created
[INFO] Creation key 'myKey2' with value 'Anoth...' (hidden for confidentiality)
[INFO] Keys 'myKey2': created

$ curl -X GET -H "Authorization: Bearer $AUTH" https://apigee.googleapis.com/v1/organizations/myOrganizationName/environments/dev/keyvaluemaps/KV-Test-Arnaduga/entries
{
    "keyValueEntries": [
        {
            "name": "myKey2",
            "value": "AnotherValue"
        },
        {
            "name": "myFirstKey",
            "value": "whatAWonderfulValue"
        }
    ],
    "nextPageToken": ""
}

If you are patient enough, I'll share it soon on Github repo (if you are interested in it).

To Google staff: I do not know Golang to develop a real Terraform provider, and I need more time to efficiently contribute to sackmesser tool with that... if not done before by Daniel 🙂
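The same procedure as the curl calls shown earlier in the thread and as Arnaud's script output above (create the KVM if it is missing, then create each key, never printing the values), written out as an added example in Python. This is not Arnaud's kvm-terraforming.sh and not a Google tool. It reads the JSON layout from the post (name / organization / environment / keys) and uses the entries endpoints shown in the thread. The following are assumptions, not taken from the post: the KVM create body is {"name": ..., "encrypted": true}; a POST for an entry that already exists answers 409, so a changed value is applied as DELETE of the entry followed by POST; and GET .../entries answers 404 when the KVM itself does not exist. The transport is injectable, and the FakeApigee class is a constructed in-memory stand-in so the logic can be run and checked offline.

```python
"""Bring one Apigee X KVM in line with a JSON spec, through the Apigee API.

Added example, not Arnaud's kvm-terraforming.sh and not a Google tool.
Assumptions (labelled, not from the post): KVM create body {"name","encrypted":true};
POST of an existing entry answers 409 (so a changed value is DELETE + POST);
GET .../entries answers 404 when the KVM does not exist. Values are never printed.
"""
import json
import os
import subprocess
import urllib.error
import urllib.parse
import urllib.request

API = 'https://apigee.googleapis.com/v1'


def http(method, url, token, body=None):
    """Real transport: returns (HTTP status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json'})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def get_token():
    """APIGEE_TOKEN if set, else the same gcloud call the thread uses."""
    return os.environ.get('APIGEE_TOKEN') or subprocess.check_output(
        ['gcloud', 'auth', 'print-access-token'], text=True).strip()


def list_entries(base, token, transport):
    """All entries as {name: value}, following nextPageToken; None if the KVM is missing."""
    entries, page = {}, ''
    while True:
        url = base + '/entries' + ('?pageToken=' + urllib.parse.quote(page) if page else '')
        status, body = transport('GET', url, token)
        if status == 404:          # assumed: KVM itself does not exist
            return None
        if status != 200:
            raise RuntimeError('list entries failed: HTTP %d' % status)
        for e in body.get('keyValueEntries', []):
            entries[e['name']] = e['value']
        page = body.get('nextPageToken', '')
        if not page:
            return entries


def sync_kvm(spec, token, transport=http, log=print):
    """Create the KVM if absent, then create/replace entries. Returns {name: action}."""
    env = '%s/organizations/%s/environments/%s' % (API, spec['organization'], spec['environment'])
    base = '%s/keyvaluemaps/%s' % (env, urllib.parse.quote(spec['name']))
    current = list_entries(base, token, transport)
    if current is None:
        log('[INFO] KVM %s does not exist, creating it' % spec['name'])
        status, _ = transport('POST', env + '/keyvaluemaps', token,
                              {'name': spec['name'], 'encrypted': True})  # assumed body
        if status not in (200, 201):
            raise RuntimeError('create KVM failed: HTTP %d' % status)
        current = {}
    result = {}
    for key in spec['keys']:
        name, value = key['name'], key['value']
        if current.get(name) == value:
            result[name] = 'unchanged'
            continue
        if name in current:        # no in-place update assumed: delete, then recreate
            status, _ = transport('DELETE', '%s/entries/%s' % (base, urllib.parse.quote(name)), token)
            if status != 200:
                raise RuntimeError("delete '%s' failed: HTTP %d" % (name, status))
        status, _ = transport('POST', base + '/entries', token, {'name': name, 'value': value})
        if status not in (200, 201):
            raise RuntimeError("create '%s' failed: HTTP %d" % (name, status))
        result[name] = 'replaced' if name in current else 'created'
        log("[INFO] Key '%s': %s (value hidden for confidentiality)" % (name, result[name]))
    return result


class FakeApigee(object):
    """Constructed in-memory stand-in for the API, for offline runs and tests."""
    def __init__(self, kvm_exists=False, entries=None):
        self.kvm_exists, self.entries = kvm_exists, dict(entries or {})

    def __call__(self, method, url, token, body=None):
        if method == 'GET':
            if not self.kvm_exists:
                return 404, None
            items = [{'name': k, 'value': v} for k, v in self.entries.items()]
            return 200, {'keyValueEntries': items, 'nextPageToken': ''}
        if method == 'POST' and url.endswith('/keyvaluemaps'):
            self.kvm_exists = True
            return 201, body
        if method == 'POST' and url.endswith('/entries'):
            if body['name'] in self.entries:
                return 409, None
            self.entries[body['name']] = body['value']
            return 201, body
        if method == 'DELETE':
            self.entries.pop(urllib.parse.unquote(url.rsplit('/', 1)[1]), None)
            return 200, None
        return 400, None


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:                  # python kvm_sync.py dev-kvm1.json
        with open(sys.argv[1]) as f:
            print(sync_kvm(json.load(f), get_token()))
    else:                                  # offline demo against the constructed fake
        spec = {'name': 'KV-Test', 'organization': 'org', 'environment': 'dev',
                'keys': [{'name': 'myFirstKey', 'value': 'v1'}]}
        print(sync_kvm(spec, 'fake-token', transport=FakeApigee()))
```

Run it once per environment file (dev-kvm1.json, test-kvm1.json, ...); because it compares before writing, a second run over the same file reports every key as unchanged, which is what makes it safe to put in a pipeline. Note that the comparison needs to read values back, so the identity used needs list permission on the KVM; if that is not acceptable, drop the unchanged check and always delete and recreate.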

Great, very interested in this "little" script! Don't hesitate to notify me when it's on Git. Thanks again for the explanations and links!

It is shared now: Github link

I started a new conversation here in case of questions (as it is not related anymore to your initial question).