Azure API Management API Management
This page shows how to write Terraform and Azure Resource Manager for API Management API Management and write them securely.
azurerm_api_management (Terraform)
The API Management in API Management can be configured in Terraform with the resource name azurerm_api_management. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_api_management" "developer1" {
name = "example-apim"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
publisher_name = "My Company"
publisher_email = "company@terraform.io"
resource "azurerm_api_management" "main" {
name = var.apim.name
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
sku_name = var.apim.sku
publisher_name = var.apim.publisher.name
resource "azurerm_api_management" "apim" {
location = azurerm_resource_group.rg.location
name = "log-cabin"
publisher_email = "finn.welsford-ackroyd@pm.me"
publisher_name = "Log Cabin"
resource_group_name = azurerm_resource_group.rg.name
resource "azurerm_api_management" "i" {
name = var.name
location = var.location
resource_group_name = var.resource_group_name
publisher_name = "Russell Boley"
publisher_email = "raboley@gmail.com"
resource "azurerm_api_management" "puneet-dev-apim" {
name = "puneet-dev-apim"
location = var.passed_location
resource_group_name = var.passed_resource_group_name
publisher_name = var.publisher_name
publisher_email = var.publisher_email
resource "azurerm_api_management" "global-apim" {
name = "kp-global-apim"
location = azurerm_resource_group.global-apim.location
resource_group_name = azurerm_resource_group.global-apim.name
publisher_name = "Kallum Parr"
publisher_email = "kallum_parr@hotmail.com"
resource "azurerm_api_management" "VodafDev" {
name = "VodafDev-apim"
location = azurerm_resource_group.VodafDev.location
resource_group_name = azurerm_resource_group.VodafDev.name
publisher_name = "Vodafone"
publisher_email = "vodafone@terraform.io"
resource "azurerm_api_management" "developer1" {
name = "example-apim"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
publisher_name = "My Company"
publisher_email = "company@terraform.io"
resource "azurerm_api_management" "apim" {
name = local.apim_name
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
publisher_name = local.apim_publisher_name
publisher_email = local.apim_publisher_email
resource "azurerm_api_management" "example" {
name = "partnergateway"
}
# terraform import azurerm_api_management.example /subscriptions/000-0000-00000-00000/resourceGroups/ACS_EA_DEV_TEST/providers/Microsoft.ApiManagement/service/partnergateway
Parameters
-
developer_portal_urloptional computed - string -
gateway_regional_urloptional computed - string -
gateway_urloptional computed - string -
idoptional computed - string -
locationrequired - string -
management_api_urloptional computed - string -
namerequired - string -
notification_sender_emailoptional computed - string -
policyoptional computed - list of object-
xml_content- string -
xml_link- string
-
-
portal_urloptional computed - string -
private_ip_addressesoptional computed - list of string -
public_ip_addressesoptional computed - list of string -
publisher_emailrequired - string -
publisher_namerequired - string -
resource_group_namerequired - string -
scm_urloptional computed - string -
sku_namerequired - string -
tagsoptional - map from string to string -
virtual_network_typeoptional - string -
additional_locationlist block-
gateway_regional_urloptional computed - string -
locationrequired - string -
private_ip_addressesoptional computed - list of string -
public_ip_addressesoptional computed - list of string -
virtual_network_configurationlist block-
subnet_idrequired - string
-
-
-
certificatelist block-
certificate_passwordoptional - string -
encoded_certificaterequired - string -
store_namerequired - string
-
-
hostname_configurationlist block-
developer_portallist block-
certificateoptional - string -
certificate_passwordoptional - string -
host_namerequired - string -
key_vault_idoptional - string -
negotiate_client_certificateoptional - bool
-
-
managementlist block-
certificateoptional - string -
certificate_passwordoptional - string -
host_namerequired - string -
key_vault_idoptional - string -
negotiate_client_certificateoptional - bool
-
-
portallist block-
certificateoptional - string -
certificate_passwordoptional - string -
host_namerequired - string -
key_vault_idoptional - string -
negotiate_client_certificateoptional - bool
-
-
proxylist block-
certificateoptional - string -
certificate_passwordoptional - string -
default_ssl_bindingoptional computed - bool -
host_namerequired - string -
key_vault_idoptional - string -
negotiate_client_certificateoptional - bool
-
-
scmlist block-
certificateoptional - string -
certificate_passwordoptional - string -
host_namerequired - string -
key_vault_idoptional - string -
negotiate_client_certificateoptional - bool
-
-
-
identitylist block-
identity_idsoptional - set of string -
principal_idoptional computed - string -
tenant_idoptional computed - string -
typeoptional - string
-
-
protocolslist block-
enable_http2optional - bool
-
-
securitylist block-
enable_backend_ssl30optional - bool -
enable_backend_tls10optional - bool -
enable_backend_tls11optional - bool -
enable_frontend_ssl30optional - bool -
enable_frontend_tls10optional - bool -
enable_frontend_tls11optional - bool -
enable_triple_des_ciphersoptional computed - bool -
tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabledoptional - bool -
tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabledoptional - bool -
tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabledoptional - bool -
tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabledoptional - bool -
tls_rsa_with_aes128_cbc_sha256_ciphers_enabledoptional - bool -
tls_rsa_with_aes128_cbc_sha_ciphers_enabledoptional - bool -
tls_rsa_with_aes128_gcm_sha256_ciphers_enabledoptional - bool -
tls_rsa_with_aes256_cbc_sha256_ciphers_enabledoptional - bool -
tls_rsa_with_aes256_cbc_sha_ciphers_enabledoptional - bool -
triple_des_ciphers_enabledoptional computed - bool
-
-
sign_inlist block-
enabledrequired - bool
-
-
sign_uplist block-
enabledrequired - bool -
terms_of_servicelist block-
consent_requiredrequired - bool -
enabledrequired - bool -
textoptional - string
-
-
-
tenant_accesslist block-
enabledrequired - bool -
primary_keyoptional computed - string -
secondary_keyoptional computed - string -
tenant_idoptional computed - string
-
-
timeoutssingle block -
virtual_network_configurationlist block-
subnet_idrequired - string
-
Explanation in Terraform Registry
Manages an API Management Service.
Microsoft.ApiManagement/service (Azure Resource Manager)
The service in Microsoft.ApiManagement can be configured in Azure Resource Manager with the resource name Microsoft.ApiManagement/service. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workbookName": {
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
{
"contentVersion": "1.0.0.0",
"parameters": {
"workbookDisplayName": {
"type": "string",
Parameters
apiVersionrequired - stringidentityoptionaltyperequired - stringThe type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service.
userAssignedIdentitiesoptional - undefinedThe list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/ providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
locationrequired - stringResource location.
namerequired - stringThe name of the API Management service.
propertiesrequiredadditionalLocationsoptional arraydisableGatewayoptional - booleanProperty only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location.
locationrequired - stringThe location name of the additional region among Azure Data center regions.
publicIpAddressIdoptional - stringPublic Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network.
skurequiredcapacityrequired - integerCapacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.
namerequired - stringName of the Sku.
virtualNetworkConfigurationoptionalsubnetResourceIdoptional - stringThe full resource ID of a subnet in a virtual network to deploy the API Management service in.
zonesoptional - arrayA list of availability zones denoting where the resource needs to come from.
apiVersionConstraintoptionalminApiVersionoptional - stringLimit control plane API calls to API Management service with version equal to or newer than this value.
certificatesoptional arraycertificateoptionalexpiryrequired - stringExpiration date of the certificate. The date conforms to the following format:
yyyy-MM-ddTHH:mm:ssZas specified by the ISO 8601 standard.subjectrequired - stringSubject of the certificate.
thumbprintrequired - stringThumbprint of the certificate.
certificatePasswordoptional - stringCertificate Password.
encodedCertificateoptional - stringBase64 Encoded certificate.
storeNamerequired - stringThe System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations.
customPropertiesoptional - stringCustom properties of the API Management service.</br>Setting
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).</br>SettingMicrosoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11can be used to disable just TLS 1.1.</br>SettingMicrosoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10can be used to disable TLS 1.0 on an API Management service.</br>SettingMicrosoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11can be used to disable just TLS 1.1 for communications with backends.</br>SettingMicrosoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10can be used to disable TLS 1.0 for communications with backends.</br>SettingMicrosoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2can be used to enable HTTP2 protocol on an API Management service.</br>Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value isTrueif the service was created on or before April 1st 2018 andFalseotherwise. Http2 setting's default value isFalse.</br></br>You can disable any of next ciphers by using settingsMicrosoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example,Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value istruefor them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384disableGatewayoptional - booleanProperty only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region.
enableClientCertificateoptional - booleanProperty only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
hostnameConfigurationsoptional arraycertificateoptionalexpiryrequired - stringExpiration date of the certificate. The date conforms to the following format:
yyyy-MM-ddTHH:mm:ssZas specified by the ISO 8601 standard.subjectrequired - stringSubject of the certificate.
thumbprintrequired - stringThumbprint of the certificate.
certificatePasswordoptional - stringCertificate Password.
certificateSourceoptional - stringCertificate Source.
certificateStatusoptional - stringCertificate Status.
defaultSslBindingoptional - booleanSpecify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type.
encodedCertificateoptional - stringBase64 Encoded certificate.
hostNamerequired - stringHostname to configure on the Api Management service.
identityClientIdoptional - stringSystem or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate.
keyVaultIdoptional - stringUrl to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12
negotiateClientCertificateoptional - booleanSpecify true to always negotiate client certificate on the hostname. Default Value is false.
typerequired - stringHostname type.
notificationSenderEmailoptional - stringEmail address from which the notification will be sent.
privateEndpointConnectionsoptional arrayidoptional - stringPrivate Endpoint connection resource id
nameoptional - stringPrivate Endpoint Connection Name
propertiesoptionalprivateEndpointoptionalprivateLinkServiceConnectionStaterequiredactionsRequiredoptional - stringA message indicating if changes on the service provider require any updates on the consumer.
descriptionoptional - stringThe reason for approval/rejection of the connection.
statusoptional - stringIndicates whether the connection has been Approved/Rejected/Removed by the owner of the service.
typeoptional - stringPrivate Endpoint Connection Resource Type
publicIpAddressIdoptional - stringPublic Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network.
publicNetworkAccessoptional - stringWhether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled'.
publisherEmailrequired - stringPublisher email.
publisherNamerequired - stringPublisher name.
restoreoptional - booleanUndelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.
virtualNetworkConfigurationoptionalsubnetResourceIdoptional - stringThe full resource ID of a subnet in a virtual network to deploy the API Management service in.
virtualNetworkTypeoptional - stringThe type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.
skurequiredcapacityrequired - integerCapacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.
namerequired - stringName of the Sku.
tagsoptional - stringResource tags.
typerequired - stringzonesoptional - arrayA list of availability zones denoting where the resource needs to come from.
Frequently asked questions
What is Azure API Management API Management?
Azure API Management API Management is a resource for API Management of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure API Management API Management?
For Terraform, the gilyas/infracost, IvanFarkas/test_api and finn-wa-log-cabin/lc-devops-terraform source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the HasanIftakher/Azure-Monitor, tulpy/Azure and gaelor/SentinelAsCode source code examples are useful. See the Azure Resource Manager Example section for further details.
