Azure API Management API Management
This page shows how to write Terraform and Azure Resource Manager for API Management API Management and write them securely.
azurerm_api_management (Terraform)
The API Management in API Management can be configured in Terraform with the resource name azurerm_api_management. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_api_management" "developer1" {
  name = "example-apim"
  location = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name = "My Company"
  publisher_email = "company@terraform.io"

resource "azurerm_api_management" "main" {
  name = var.apim.name
  location = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  sku_name = var.apim.sku
  publisher_name = var.apim.publisher.name

resource "azurerm_api_management" "apim" {
  location = azurerm_resource_group.rg.location
  name = "log-cabin"
  publisher_email = "finn.welsford-ackroyd@pm.me"
  publisher_name = "Log Cabin"
  resource_group_name = azurerm_resource_group.rg.name

resource "azurerm_api_management" "i" {
  name = var.name
  location = var.location
  resource_group_name = var.resource_group_name
  publisher_name = "Russell Boley"
  publisher_email = "raboley@gmail.com"

resource "azurerm_api_management" "puneet-dev-apim" {
  name = "puneet-dev-apim"
  location = var.passed_location
  resource_group_name = var.passed_resource_group_name
  publisher_name = var.publisher_name
  publisher_email = var.publisher_email

resource "azurerm_api_management" "global-apim" {
  name = "kp-global-apim"
  location = azurerm_resource_group.global-apim.location
  resource_group_name = azurerm_resource_group.global-apim.name
  publisher_name = "Kallum Parr"
  publisher_email = "kallum_parr@hotmail.com"

resource "azurerm_api_management" "VodafDev" {
  name = "VodafDev-apim"
  location = azurerm_resource_group.VodafDev.location
  resource_group_name = azurerm_resource_group.VodafDev.name
  publisher_name = "Vodafone"
  publisher_email = "vodafone@terraform.io"

resource "azurerm_api_management" "developer1" {
  name = "example-apim"
  location = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name = "My Company"
  publisher_email = "company@terraform.io"

resource "azurerm_api_management" "apim" {
  name = local.apim_name
  location = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  publisher_name = local.apim_publisher_name
  publisher_email = local.apim_publisher_email

resource "azurerm_api_management" "example" {
  name = "partnergateway"
}
# terraform import azurerm_api_management.example /subscriptions/000-0000-00000-00000/resourceGroups/ACS_EA_DEV_TEST/providers/Microsoft.ApiManagement/service/partnergateway
Parameters
developer_portal_url: optional computed - string
gateway_regional_url: optional computed - string
gateway_url: optional computed - string
id: optional computed - string
location: required - string
management_api_url: optional computed - string
name: required - string
notification_sender_email: optional computed - string
policy: optional computed - list of object
  xml_content: string
  xml_link: string
portal_url: optional computed - string
private_ip_addresses: optional computed - list of string
public_ip_addresses: optional computed - list of string
publisher_email: required - string
publisher_name: required - string
resource_group_name: required - string
scm_url: optional computed - string
sku_name: required - string
tags: optional - map from string to string
virtual_network_type: optional - string
additional_location: list block
  gateway_regional_url: optional computed - string
  location: required - string
  private_ip_addresses: optional computed - list of string
  public_ip_addresses: optional computed - list of string
  virtual_network_configuration: list block
    subnet_id: required - string
certificate: list block
  certificate_password: optional - string
  encoded_certificate: required - string
  store_name: required - string
hostname_configuration: list block
  developer_portal: list block
    certificate: optional - string
    certificate_password: optional - string
    host_name: required - string
    key_vault_id: optional - string
    negotiate_client_certificate: optional - bool
  management: list block
    certificate: optional - string
    certificate_password: optional - string
    host_name: required - string
    key_vault_id: optional - string
    negotiate_client_certificate: optional - bool
  portal: list block
    certificate: optional - string
    certificate_password: optional - string
    host_name: required - string
    key_vault_id: optional - string
    negotiate_client_certificate: optional - bool
  proxy: list block
    certificate: optional - string
    certificate_password: optional - string
    default_ssl_binding: optional computed - bool
    host_name: required - string
    key_vault_id: optional - string
    negotiate_client_certificate: optional - bool
  scm: list block
    certificate: optional - string
    certificate_password: optional - string
    host_name: required - string
    key_vault_id: optional - string
    negotiate_client_certificate: optional - bool
identity: list block
  identity_ids: optional - set of string
  principal_id: optional computed - string
  tenant_id: optional computed - string
  type: optional - string
protocols: list block
  enable_http2: optional - bool
security: list block
  enable_backend_ssl30: optional - bool
  enable_backend_tls10: optional - bool
  enable_backend_tls11: optional - bool
  enable_frontend_ssl30: optional - bool
  enable_frontend_tls10: optional - bool
  enable_frontend_tls11: optional - bool
  enable_triple_des_ciphers: optional computed - bool
  tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled: optional - bool
  tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled: optional - bool
  tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled: optional - bool
  tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled: optional - bool
  tls_rsa_with_aes128_cbc_sha256_ciphers_enabled: optional - bool
  tls_rsa_with_aes128_cbc_sha_ciphers_enabled: optional - bool
  tls_rsa_with_aes128_gcm_sha256_ciphers_enabled: optional - bool
  tls_rsa_with_aes256_cbc_sha256_ciphers_enabled: optional - bool
  tls_rsa_with_aes256_cbc_sha_ciphers_enabled: optional - bool
  triple_des_ciphers_enabled: optional computed - bool
sign_in: list block
  enabled: required - bool
sign_up: list block
  enabled: required - bool
  terms_of_service: list block
    consent_required: required - bool
    enabled: required - bool
    text: optional - string
tenant_access: list block
  enabled: required - bool
  primary_key: optional computed - string
  secondary_key: optional computed - string
  tenant_id: optional computed - string
timeouts: single block
virtual_network_configuration: list block
  subnet_id: required - string
Explanation in Terraform Registry
Manages an API Management Service.
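The security block arguments listed above, set to a restrictive TLS baseline. This is an added example, not code from the Terraform Registry or from the GitHub repositories quoted on this page; the "hardened" label, the two variables and the SKU value are assumptions, and the argument names follow the schema listed on this page (later azurerm provider releases rename some of them).

```hcl
# Added example: azurerm_api_management with legacy protocols and weak
# cipher suites switched off. Assumed names: var.location,
# var.resource_group_name and the "hardened" resource label.
variable "location" { type = string }
variable "resource_group_name" { type = string }

resource "azurerm_api_management" "hardened" {
  name                = "example-apim"
  location            = var.location
  resource_group_name = var.resource_group_name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"
  sku_name            = "Developer_1" # assumed SKU; choose per environment

  security {
    # Frontend (client to gateway): refuse SSL 3.0, TLS 1.0 and TLS 1.1.
    enable_frontend_ssl30 = false
    enable_frontend_tls10 = false
    enable_frontend_tls11 = false

    # Backend (gateway to backend services): same protocol floor.
    enable_backend_ssl30 = false
    enable_backend_tls10 = false
    enable_backend_tls11 = false

    # 3DES (TLS_RSA_WITH_3DES_EDE_CBC_SHA). Set only this argument, not
    # enable_triple_des_ciphers as well, so one setting owns the value.
    triple_des_ciphers_enabled = false

    # ECDHE suites that still use CBC mode with SHA-1.
    tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = false
    tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = false
    tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled   = false
    tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled   = false

    # Static-RSA key exchange suites (no forward secrecy).
    tls_rsa_with_aes128_cbc_sha_ciphers_enabled    = false
    tls_rsa_with_aes256_cbc_sha_ciphers_enabled    = false
    tls_rsa_with_aes128_cbc_sha256_ciphers_enabled = false
    tls_rsa_with_aes256_cbc_sha256_ciphers_enabled = false
    tls_rsa_with_aes128_gcm_sha256_ciphers_enabled = false
  }
}
```

The Azure Resource Manager section of this page lists further suites that cannot be disabled, so these flags narrow the negotiated cipher list rather than pin it to a single suite.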
Microsoft.ApiManagement/service (Azure Resource Manager)
The service in Microsoft.ApiManagement can be configured in Azure Resource Manager with the resource name Microsoft.ApiManagement/service. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookName": {

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
Parameters
apiVersion: required - string
identity: optional
  type: required - string. The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service.
  userAssignedIdentities: optional - undefined. The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
location: required - string. Resource location.
name: required - string. The name of the API Management service.
properties: required
  additionalLocations: optional array
    disableGateway: optional - boolean. Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location.
    location: required - string. The location name of the additional region among Azure Data center regions.
    publicIpAddressId: optional - string. Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network.
    sku: required
      capacity: required - integer. Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.
      name: required - string. Name of the Sku.
    virtualNetworkConfiguration: optional
      subnetResourceId: optional - string. The full resource ID of a subnet in a virtual network to deploy the API Management service in.
    zones: optional - array. A list of availability zones denoting where the resource needs to come from.
  apiVersionConstraint: optional
    minApiVersion: optional - string. Limit control plane API calls to API Management service with version equal to or newer than this value.
  certificates: optional array
    certificate: optional
      expiry: required - string. Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.
      subject: required - string. Subject of the certificate.
      thumbprint: required - string. Thumbprint of the certificate.
    certificatePassword: optional - string. Certificate Password.
    encodedCertificate: optional - string. Base64 Encoded certificate.
    storeName: required - string. The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations.
  customProperties: optional - string. Custom properties of the API Management service.
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
    Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
    Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.
    You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256: false. The default value is true for them.
    Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
  disableGateway: optional - boolean. Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region.
  enableClientCertificate: optional - boolean. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
  hostnameConfigurations: optional array
    certificate: optional
      expiry: required - string. Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.
      subject: required - string. Subject of the certificate.
      thumbprint: required - string. Thumbprint of the certificate.
    certificatePassword: optional - string. Certificate Password.
    certificateSource: optional - string. Certificate Source.
    certificateStatus: optional - string. Certificate Status.
    defaultSslBinding: optional - boolean. Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type.
    encodedCertificate: optional - string. Base64 Encoded certificate.
    hostName: required - string. Hostname to configure on the Api Management service.
    identityClientId: optional - string. System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate.
    keyVaultId: optional - string. Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12
    negotiateClientCertificate: optional - boolean. Specify true to always negotiate client certificate on the hostname. Default Value is false.
    type: required - string. Hostname type.
  notificationSenderEmail: optional - string. Email address from which the notification will be sent.
  privateEndpointConnections: optional array
    id: optional - string. Private Endpoint connection resource id
    name: optional - string. Private Endpoint Connection Name
    properties: optional
      privateEndpoint: optional
      privateLinkServiceConnectionState: required
        actionsRequired: optional - string. A message indicating if changes on the service provider require any updates on the consumer.
        description: optional - string. The reason for approval/rejection of the connection.
        status: optional - string. Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.
    type: optional - string. Private Endpoint Connection Resource Type
  publicIpAddressId: optional - string. Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network.
  publicNetworkAccess: optional - string. Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled'.
  publisherEmail: required - string. Publisher email.
  publisherName: required - string. Publisher name.
  restore: optional - boolean. Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.
  virtualNetworkConfiguration: optional
    subnetResourceId: optional - string. The full resource ID of a subnet in a virtual network to deploy the API Management service in.
  virtualNetworkType: optional - string. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.
sku: required
  capacity: required - integer. Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.
  name: required - string. Name of the Sku.
tags: optional - string. Resource tags.
type: required - string
zones: optional - array. A list of availability zones denoting where the resource needs to come from.
Frequently asked questions
What is Azure API Management API Management?
Azure API Management API Management is a resource for API Management of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure API Management API Management?
For Terraform, the gilyas/infracost, IvanFarkas/test_api and finn-wa-log-cabin/lc-devops-terraform source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the HasanIftakher/Azure-Monitor, tulpy/Azure and gaelor/SentinelAsCode source code examples are useful. See the Azure Resource Manager Example section for further details.