Azure API Management Identity Provider Aad
This page shows how to write Terraform and Azure Resource Manager for API Management Identity Provider Aad and write them securely.
azurerm_api_management_identity_provider_aad (Terraform)
The Identity Provider Aad in API Management can be configured in Terraform with the resource name azurerm_api_management_identity_provider_aad. The following sections describe two examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_api_management_identity_provider_aad" "this" {
  allowed_tenants     = var.allowed_tenants
  api_management_name = var.api_management_name
  client_id           = var.client_id
  client_secret       = var.client_secret
  resource_group_name = var.resource_group_name
}

resource "azurerm_api_management_identity_provider_aad" "this" {
  allowed_tenants     = var.allowed_tenants
  api_management_name = var.api_management_name
  client_id           = var.client_id
  client_secret       = var.client_secret
  resource_group_name = var.resource_group_name
}
Parameters
- allowed_tenants: required - list of string
- api_management_name: required - string
- client_id: required - string
- client_secret: required - string
- id: optional, computed - string
- resource_group_name: required - string
- signin_tenant: optional - string
- timeouts: single block
Explanation in Terraform Registry
Manages an API Management AAD Identity Provider.
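An added example, not taken from the kevinhead/azurerm or niveklabs/azurerm sources above, that wires the same resource up the way a reviewer would want to see it: the app registration secret is read from Key Vault rather than passed around as a plain variable, and sign-in is limited to a single tenant. The API Management, resource group, Key Vault and secret names, the tenant variable and the client ID are all assumed.

```hcl
# Added example, not from the page's GitHub sources. Assumes an existing API
# Management instance "apim-contoso" in resource group "rg-apim" and a Key Vault
# "kv-apim" holding the AAD app registration secret (all names assumed).

variable "dev_portal_tenant_id" {
  type        = string
  description = "Entra ID tenant whose users may sign in to the developer portal (assumed)"
}

data "azurerm_key_vault" "apim" {
  name                = "kv-apim"  # assumed
  resource_group_name = "rg-apim"  # assumed
}

# Read the client secret at plan time instead of carrying it in a variable
data "azurerm_key_vault_secret" "dev_portal_aad" {
  name         = "apim-devportal-aad-client-secret"  # assumed secret name
  key_vault_id = data.azurerm_key_vault.apim.id
}

resource "azurerm_api_management_identity_provider_aad" "dev_portal" {
  api_management_name = "apim-contoso"  # assumed
  resource_group_name = "rg-apim"       # assumed
  client_id           = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
  client_secret       = data.azurerm_key_vault_secret.dev_portal_aad.value

  # allowed_tenants is a list: only the tenants named here can sign in.
  # Keep it to the tenant(s) that should actually reach the developer portal.
  allowed_tenants = [var.dev_portal_tenant_id]
  signin_tenant   = var.dev_portal_tenant_id
}
```

The secret value still ends up in Terraform state, so the state backend needs the same access controls as the Key Vault it was read from.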
Microsoft.ApiManagement/service (Azure Resource Manager)
The service in Microsoft.ApiManagement can be configured in Azure Resource Manager with the resource name Microsoft.ApiManagement/service. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string"
    }
  }
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookName": {
    }
  }
}
Parameters
- apiVersion: required - string
- identity: optional
  - type: required - string - The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service.
  - userAssignedIdentities: optional - undefined - The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
- location: required - string - Resource location.
- name: required - string - The name of the API Management service.
- properties: required
  - additionalLocations: optional - array
    - disableGateway: optional - boolean - Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in this additional location.
    - location: required - string - The location name of the additional region among Azure data center regions.
    - publicIpAddressId: optional - string - Public Standard SKU IPv4 address to be associated with a Virtual Network deployed service in the location. Supported only for the Premium SKU being deployed in a Virtual Network.
    - sku: required
      - capacity: required - integer - Capacity of the SKU (number of deployed units of the SKU). For the Consumption SKU, capacity must be specified as 0.
      - name: required - string - Name of the SKU.
    - virtualNetworkConfiguration: optional
      - subnetResourceId: optional - string - The full resource ID of a subnet in a virtual network to deploy the API Management service in.
    - zones: optional - array - A list of availability zones denoting where the resource needs to come from.
  - apiVersionConstraint: optional
    - minApiVersion: optional - string - Limit control plane API calls to the API Management service to versions equal to or newer than this value.
  - certificates: optional - array
    - certificate: optional
      - expiry: required - string - Expiration date of the certificate. The date conforms to the format yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.
      - subject: required - string - Subject of the certificate.
      - thumbprint: required - string - Thumbprint of the certificate.
    - certificatePassword: optional - string - Certificate password.
    - encodedCertificate: optional - string - Base64 encoded certificate.
    - storeName: required - string - The System.Security.Cryptography.X509Certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations.
  - customProperties: optional - string - Custom properties of the API Management service. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS versions (1.0, 1.1 and 1.2). Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable the HTTP/2 protocol on an API Management service. Not specifying any of these properties on a PATCH operation will reset the omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. The Http2 setting's default value is False.
    You can disable any of the following ciphers by using the settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256: false. The default value for them is true. Note: the following ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384.
  - disableGateway: optional - boolean - Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in the master region.
  - enableClientCertificate: optional - boolean - Property only meant to be used for a Consumption SKU service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
  - hostnameConfigurations: optional - array
    - certificate: optional
      - expiry: required - string - Expiration date of the certificate. The date conforms to the format yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.
      - subject: required - string - Subject of the certificate.
      - thumbprint: required - string - Thumbprint of the certificate.
    - certificatePassword: optional - string - Certificate password.
    - certificateSource: optional - string - Certificate source.
    - certificateStatus: optional - string - Certificate status.
    - defaultSslBinding: optional - boolean - Specify true to set up the certificate associated with this hostname as the default SSL certificate. If a client does not send the SNI header, this is the certificate that will be challenged. The property is useful if a service has multiple custom hostnames enabled and it needs to decide on the default SSL certificate. The setting only applies to the Proxy hostname type.
    - encodedCertificate: optional - string - Base64 encoded certificate.
    - hostName: required - string - Hostname to configure on the API Management service.
    - identityClientId: optional - string - System or user assigned managed identity clientId as generated by Azure AD, which has GET access to the Key Vault containing the SSL certificate.
    - keyVaultId: optional - string - URL of the Key Vault secret containing the SSL certificate. If an absolute URL containing a version is provided, auto-update of the SSL certificate will not work. This requires the API Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12.
    - negotiateClientCertificate: optional - boolean - Specify true to always negotiate a client certificate on the hostname. Default value is false.
    - type: required - string - Hostname type.
  - notificationSenderEmail: optional - string - Email address from which the notification will be sent.
  - privateEndpointConnections: optional - array
    - id: optional - string - Private Endpoint connection resource id.
    - name: optional - string - Private Endpoint Connection name.
    - properties: optional
      - privateEndpoint: optional
      - privateLinkServiceConnectionState: required
        - actionsRequired: optional - string - A message indicating if changes on the service provider require any updates on the consumer.
        - description: optional - string - The reason for approval/rejection of the connection.
        - status: optional - string - Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.
    - type: optional - string - Private Endpoint Connection resource type.
  - publicIpAddressId: optional - string - Public Standard SKU IPv4 address to be associated with a Virtual Network deployed service in the region. Supported only for the Developer and Premium SKUs being deployed in a Virtual Network.
  - publicNetworkAccess: optional - string - Whether or not public endpoint access is allowed for this API Management service. The value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled'.
  - publisherEmail: required - string - Publisher email.
  - publisherName: required - string - Publisher name.
  - restore: optional - boolean - Undelete the API Management service if it was previously soft-deleted. If this flag is specified and set to True, all other properties will be ignored.
  - virtualNetworkConfiguration: optional
    - subnetResourceId: optional - string - The full resource ID of a subnet in a virtual network to deploy the API Management service in.
  - virtualNetworkType: optional - string - The type of VPN in which the API Management service needs to be configured. None (default value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet-facing endpoint, and Internal means that the API Management deployment is set up inside a Virtual Network having an intranet-facing endpoint only.
- sku: required
  - capacity: required - integer - Capacity of the SKU (number of deployed units of the SKU). For the Consumption SKU, capacity must be specified as 0.
  - name: required - string - Name of the SKU.
- tags: optional - string - Resource tags.
- type: required - string
- zones: optional - array - A list of availability zones denoting where the resource needs to come from.
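An added example, not from HasanIftakher/Azure-Monitor, tulpy/Azure or gaelor/SentinelAsCode, showing the customProperties switches documented above put to use: TLS 1.0 and 1.1 are turned off on both the gateway and backend sides, 3DES and the RSA-key-exchange/CBC suites from the disableable list are off, and HTTP/2 is on. To keep the page in one language it is written as an azapi_resource whose body carries the ARM keys verbatim; the azapi provider, the apiVersion, the service name, region, publisher details and the subscription ID in parent_id are assumptions or placeholders.

```hcl
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1.0"  # 1.x takes the body as a JSON string (assumed provider choice)
    }
  }
}

# Assumed names and region; the subscription ID in parent_id is a placeholder.
resource "azapi_resource" "apim" {
  type      = "Microsoft.ApiManagement/service@2021-08-01"  # assumed apiVersion
  name      = "apim-contoso"
  location  = "westeurope"
  parent_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim"

  body = jsonencode({
    sku = {
      name     = "Developer"
      capacity = 1 # capacity is 0 only for the Consumption SKU
    }
    properties = {
      publisherEmail      = "apim-owners@example.com" # assumed
      publisherName       = "Contoso API team"        # assumed
      publicNetworkAccess = "Enabled"
      # Spell out every setting: keys omitted on a PATCH reset to their
      # defaults, and for services created on or before 1 April 2018 the
      # default for each protocol and cipher switch is True (enabled).
      customProperties = {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"         = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"         = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168"    = "false"
        # RSA key exchange (no forward secrecy) and CBC suites from the
        # disableable list; the ECDHE GCM suites cannot be disabled and stay on.
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA"    = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA"    = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256" = "false"
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2"           = "true"
      }
    }
  })
}
```

Because a PUT sends the whole property set, the explicit list also protects against a later partial update silently re-enabling a protocol through the documented PATCH default behaviour.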
Frequently asked questions
What is Azure API Management Identity Provider Aad?
Azure API Management Identity Provider Aad is a resource for API Management of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure API Management Identity Provider Aad?
For Terraform, the kevinhead/azurerm and niveklabs/azurerm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the HasanIftakher/Azure-Monitor, tulpy/Azure and gaelor/SentinelAsCode source code examples are useful. See the Azure Resource Manager Example section for further details.