
azurermApiManagement

Manages an API Management Service.

Disclaimers

-> When creating a new API Management resource in version 3.0 of the AzureRM Provider and later, please be aware that the AzureRM Provider will now clean up any sample APIs and Products created by the Azure API during the creation of the API Management resource.

-> Note: Version 2.77 and later of the Azure Provider include a Feature Toggle which will purge an API Management resource on destroy, rather than the default soft-delete. See the Features block documentation for more information on Feature Toggles within Terraform.

~> Note: It's possible to define Custom Domains both within the azurermApiManagement resource via the hostnameConfigurations block and by using the azurermApiManagementCustomDomain resource. However, it's not possible to use both methods to manage Custom Domains within an API Management Service, since there'll be conflicts.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
// Resource Group that will hold the API Management Service.
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// The API Management Service itself. Property names are the camelCase form of
// the arguments listed in the Argument Reference below.
const azurermApiManagementExample = new azurerm.apiManagement.ApiManagement(
  this,
  "example_1",
  {
    location: azurermResourceGroupExample.location,
    name: "example-apim",
    publisherEmail: "company@terraform.io",
    publisherName: "My Company",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "Developer_1",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermApiManagementExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the API Management Service. Changing this forces a new resource to be created.

  • location - (Required) The Azure location where the API Management Service exists. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the Resource Group in which the API Management Service should exist. Changing this forces a new resource to be created.

  • publisherName - (Required) The name of publisher/company.

  • publisherEmail - (Required) The email of publisher/company.

  • skuName - (Required) skuName is a string consisting of two parts separated by an underscore (_). The first part is the tier name; valid values are Consumption, Developer, Basic, Standard and Premium. The second part is the capacity (the number of deployed units of the SKU), which must be a positive integer (e.g. Developer_1).

~> NOTE: Premium SKUs are limited to a default maximum of 12 units (i.e. Premium_12); this can, however, be increased via a support request.

~> NOTE: Consumption SKU capacity should be 0 (e.g. Consumption_0), as this tier includes automatic scaling.


  • additionalLocation - (Optional) One or more additionalLocation blocks as defined below.

  • certificate - (Optional) One or more (up to 10) certificate blocks as defined below.

  • clientCertificateEnabled - (Optional) Should a client certificate be required on each request to the gateway? This is only supported when the SKU tier is Consumption.

  • delegation - (Optional) A delegation block as defined below.

  • gatewayDisabled - (Optional) Disable the gateway in main region? This is only supported when additionalLocation is set.

  • minApiVersion - (Optional) The minimum API version: control plane API calls to the API Management service must use a version equal to or newer than this.

  • zones - (Optional) Specifies a list of Availability Zones in which this API Management service should be located. Changing this forces a new API Management service to be created.

~> NOTE: Availability zones are only supported in the Premium tier.

  • identity - (Optional) An identity block as defined below.

  • hostnameConfiguration - (Optional) A hostnameConfiguration block as defined below.

  • notificationSenderEmail - (Optional) Email address from which the notification will be sent.

  • policy - (Optional) A policy block as defined below.

  • protocols - (Optional) A protocols block as defined below.

  • security - (Optional) A security block as defined below.

  • signIn - (Optional) A signIn block as defined below.

  • signUp - (Optional) A signUp block as defined below.

  • tenantAccess - (Optional) A tenantAccess block as defined below.

  • publicIpAddressId - (Optional) ID of a standard SKU IPv4 Public IP.

~> NOTE: Custom public IPs are only supported on the Premium and Developer tiers when deployed in a virtual network.

  • publicNetworkAccessEnabled - (Optional) Is public access to the service allowed? Defaults to true.

  • virtualNetworkType - (Optional) The type of virtual network you want to use. Valid values are None, External and Internal.

NOTE: Please ensure that inbound port 3443 is open in the subnet when virtualNetworkType is Internal or External, and that the other necessary ports are open according to the API Management network configuration.

  • virtualNetworkConfiguration - (Optional) A virtualNetworkConfiguration block as defined below. Required when virtualNetworkType is External or Internal.

  • tags - (Optional) A mapping of tags assigned to the resource.


An additionalLocation block supports the following:

  • location - (Required) The name of the Azure Region in which the API Management Service should be expanded to.

  • capacity - (Optional) The number of compute units in this region. Defaults to the capacity of the main region.

  • zones - (Optional) A list of availability zones. Changing this forces a new resource to be created.

  • publicIpAddressId - (Optional) ID of a standard SKU IPv4 Public IP.

~> NOTE: Availability zones and custom public IPs are only supported in the Premium tier.

  • virtualNetworkConfiguration - (Optional) A virtualNetworkConfiguration block as defined below. Required when virtualNetworkType is External or Internal.

  • gatewayDisabled - (Optional) Only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in this additional location.


A certificate block supports the following:

  • encodedCertificate - (Required) The Base64 Encoded PFX or Base64 Encoded X.509 Certificate.

  • storeName - (Required) The name of the Certificate Store where this certificate should be stored. Possible values are CertificateAuthority and Root.

  • certificatePassword - (Optional) The password for the certificate.


A delegation block supports the following:

  • subscriptionsEnabled - (Optional) Should subscription requests be delegated to an external url? Defaults to false.

  • userRegistrationEnabled - (Optional) Should user registration requests be delegated to an external url? Defaults to false.

  • url - (Optional) The delegation URL.

  • validationKey - (Optional) A base64-encoded validation key used to validate that a request is coming from Azure API Management.


A hostnameConfiguration block supports the following:

  • management - (Optional) One or more management blocks as documented below.

  • portal - (Optional) One or more portal blocks as documented below.

  • developerPortal - (Optional) One or more developerPortal blocks as documented below.

  • proxy - (Optional) One or more proxy blocks as documented below.

  • scm - (Optional) One or more scm blocks as documented below.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this API Management Service. Possible values are SystemAssigned, UserAssigned and SystemAssigned, UserAssigned (to enable both).

  • identityIds - (Optional) A list of User Assigned Managed Identity IDs to be assigned to this API Management Service.

~> NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.


The management, portal, developerPortal and scm blocks support the following:

  • hostName - (Required) The Hostname to use for the Management API.

  • keyVaultId - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.

-> NOTE: Setting this field requires the identity block to be specified, since this identity is used to retrieve the Key Vault Certificate. Possible values are a versioned or a versionless secret ID. Auto-updating the Certificate from the Key Vault requires that the Secret version is not specified.

  • certificate - (Optional) The Base64 Encoded Certificate.

  • certificatePassword - (Optional) The password associated with the certificate provided above.

-> NOTE: Either keyVaultId or certificate and certificatePassword must be specified.

  • negotiateClientCertificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.

  • sslKeyvaultIdentityClientId - (Optional) The client ID, as generated by Azure AD, of the System or User Assigned Managed Identity which has Get access to the Key Vault containing the SSL certificate.

-> NOTE: If a User Assigned Managed identity is specified for sslKeyvaultIdentityClientId then this identity must be associated to the azurermApiManagement within an identity block.


A policy block supports the following:

  • xmlContent - (Optional) The XML Content for this Policy.

  • xmlLink - (Optional) A link to an API Management Policy XML Document, which must be publicly available.


A proxy block supports the following:

  • defaultSslBinding - (Optional) Is the certificate associated with this Hostname the Default SSL Certificate? This is used when an SNI header isn't specified by a client. Defaults to false.

  • hostName - (Required) The Hostname to use for the Management API.

  • keyVaultId - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.

-> NOTE: Setting this field requires the identity block to be specified, since this identity is used to retrieve the Key Vault Certificate. Auto-updating the Certificate from the Key Vault requires that the Secret version is not specified.

  • certificate - (Optional) The Base64 Encoded Certificate.

  • certificatePassword - (Optional) The password associated with the certificate provided above.

-> NOTE: Either keyVaultId or certificate and certificatePassword must be specified.

  • negotiateClientCertificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.

  • sslKeyvaultIdentityClientId - (Optional) The Managed Identity Client ID to use to access the Key Vault. This Identity must be specified in the identity block to be used.


A protocols block supports the following:

  • enableHttp2 - (Optional) Should HTTP/2 be supported by the API Management Service? Defaults to false.

A security block supports the following:

  • enableBackendSsl30 - (Optional) Should SSL 3.0 be enabled on the backend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30 field.

  • enableBackendTls10 - (Optional) Should TLS 1.0 be enabled on the backend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 field.

  • enableBackendTls11 - (Optional) Should TLS 1.1 be enabled on the backend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 field.

  • enableFrontendSsl30 - (Optional) Should SSL 3.0 be enabled on the frontend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30 field.

  • enableFrontendTls10 - (Optional) Should TLS 1.0 be enabled on the frontend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 field.

  • enableFrontendTls11 - (Optional) Should TLS 1.1 be enabled on the frontend of the gateway? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 field.

  • tlsEcdheEcdsaWithAes128CbcShaCiphersEnabled - (Optional) Should the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA field.

  • tlsEcdheEcdsaWithAes256CbcShaCiphersEnabled - (Optional) Should the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA field.

  • tlsEcdheRsaWithAes128CbcShaCiphersEnabled - (Optional) Should the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA field.

  • tlsEcdheRsaWithAes256CbcShaCiphersEnabled - (Optional) Should the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA field.

  • tlsRsaWithAes128CbcSha256CiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256 field.

  • tlsRsaWithAes128CbcShaCiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_128_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA field.

  • tlsRsaWithAes128GcmSha256CiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_128_GCM_SHA256 cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256 field.

  • tlsRsaWithAes256GcmSha384CiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_256_GCM_SHA384 cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_GCM_SHA384 field.

  • tlsRsaWithAes256CbcSha256CiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256 field.

  • tlsRsaWithAes256CbcShaCiphersEnabled - (Optional) Should the TLS_RSA_WITH_AES_256_CBC_SHA cipher be enabled? Defaults to false.

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA field.

  • tripleDesCiphersEnabled - (Optional) Should the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher be enabled for all TLS versions (1.0, 1.1 and 1.2)?

-> info: This maps to the Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 field.
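The Key Vault hostname notes above and the security block, as one added example that is not code from the provider documentation or the cdktf project: a plain TypeScript config object (the value that would be passed as the third argument to new azurerm.apiManagement.ApiManagement) with an Internal virtual network, public access disabled, a versionless Key Vault certificate fetched through a user-assigned identity, and every legacy protocol and cipher explicitly off, plus two checks that flag drift. The interface mirrors only fields this page documents; the resource IDs, client ID, vault name and host name are placeholders.

```typescript
// Added example, not provider-docs code: a hardened config object for
// new azurerm.apiManagement.ApiManagement(this, "example", cfg). IDs are placeholders.
export const SECURITY_FLAGS = [
  "enableBackendSsl30", "enableBackendTls10", "enableBackendTls11",
  "enableFrontendSsl30", "enableFrontendTls10", "enableFrontendTls11",
  "tlsEcdheEcdsaWithAes128CbcShaCiphersEnabled", "tlsEcdheEcdsaWithAes256CbcShaCiphersEnabled",
  "tlsEcdheRsaWithAes128CbcShaCiphersEnabled", "tlsEcdheRsaWithAes256CbcShaCiphersEnabled",
  "tlsRsaWithAes128CbcSha256CiphersEnabled", "tlsRsaWithAes128CbcShaCiphersEnabled",
  "tlsRsaWithAes128GcmSha256CiphersEnabled", "tlsRsaWithAes256GcmSha384CiphersEnabled",
  "tlsRsaWithAes256CbcSha256CiphersEnabled", "tlsRsaWithAes256CbcShaCiphersEnabled",
  "tripleDesCiphersEnabled",
] as const;
export type SecurityBlock = Partial<Record<(typeof SECURITY_FLAGS)[number], boolean>>;
// Only the fields documented on this page that the hardened config uses.
export interface ApiManagementConfig {
  name: string; location: string; resourceGroupName: string;
  publisherName: string; publisherEmail: string; skuName: string;
  publicNetworkAccessEnabled?: boolean;
  virtualNetworkType?: "None" | "External" | "Internal";
  virtualNetworkConfiguration?: { subnetId: string };
  identity?: { type: string; identityIds?: string[] };
  hostnameConfiguration?: { proxy?: Array<{ hostName: string; keyVaultId: string; sslKeyvaultIdentityClientId: string; defaultSslBinding?: boolean; negotiateClientCertificate?: boolean }> };
  security?: SecurityBlock;
  tenantAccess?: { enabled: boolean };
}
// Every legacy protocol and cipher switched off explicitly: the documented default is
// already false, but a written value makes later drift show up in a plan diff.
export function lockedDownSecurity(): SecurityBlock {
  const out: SecurityBlock = {};
  for (const f of SECURITY_FLAGS) out[f] = false;
  return out;
}
// Names of the legacy protocols/ciphers that a security block leaves switched on.
export function enabledLegacyFlags(security?: SecurityBlock): string[] {
  return security ? SECURITY_FLAGS.filter((f) => security[f] === true) : [];
}
// Auto-updating the gateway certificate needs a versionless secret ID, i.e.
// https://<vault>.vault.azure.net/secrets/<name> with no trailing version segment.
export function isVersionlessKeyVaultSecretId(id: string): boolean {
  return /^https:\/\/[^/]+\/secrets\/[^/]+\/?$/.test(id);
}
export function hardenedConfig(rg: { name: string; location: string }): ApiManagementConfig {
  const keyVaultId = "https://example-kv.vault.azure.net/secrets/apim-gateway-cert"; // placeholder
  if (!isVersionlessKeyVaultSecretId(keyVaultId)) throw new Error("use a versionless secret ID");
  return {
    name: "example-apim", location: rg.location, resourceGroupName: rg.name,
    publisherName: "My Company", publisherEmail: "company@terraform.io",
    skuName: "Premium_1", // Premium (or Developer) is required for virtual network injection
    publicNetworkAccessEnabled: false,
    virtualNetworkType: "Internal", // gateway reachable only inside the VNet; open port 3443 in the subnet
    virtualNetworkConfiguration: { subnetId: "/subscriptions/PLACEHOLDER/resourceGroups/PLACEHOLDER/providers/Microsoft.Network/virtualNetworks/apim-vnet/subnets/apim" },
    identity: { type: "UserAssigned", identityIds: ["/subscriptions/PLACEHOLDER/resourceGroups/PLACEHOLDER/providers/Microsoft.ManagedIdentity/userAssignedIdentities/apim-kv-reader"] },
    hostnameConfiguration: { proxy: [{ hostName: "api.example.com", keyVaultId,
      sslKeyvaultIdentityClientId: "00000000-0000-0000-0000-000000000000", // placeholder client ID of the identity above
      defaultSslBinding: true, negotiateClientCertificate: false }] },
    security: lockedDownSecurity(),
    tenantAccess: { enabled: false }, // keep the management API tenant keys off unless needed
  };
}
```

The identity named in identityIds must also hold Get permission on the vault's secrets, and the subnet must allow inbound 3443 before the service will deploy in Internal mode.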


A signIn block supports the following:

  • enabled - (Required) Should anonymous users be redirected to the sign in page?

A signUp block supports the following:

  • enabled - (Required) Can users sign up on the development portal?

  • termsOfService - (Required) A termsOfService block as defined below.


A tenantAccess block supports the following:

  • enabled - (Required) Should the access to the management API be enabled?

A virtualNetworkConfiguration block supports the following:

  • subnetId - (Required) The id of the subnet that will be used for the API Management.

A termsOfService block supports the following:

  • consentRequired - (Required) Should the user be asked for consent during sign up?

  • enabled - (Required) Should Terms of Service be displayed during sign up?

  • text - (Optional) The Terms of Service which users are required to agree to in order to sign up.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the API Management Service.

  • additionalLocation - Zero or more additionalLocation blocks as documented below.

  • gatewayUrl - The URL of the Gateway for the API Management Service.

  • gatewayRegionalUrl - The Region URL for the Gateway of the API Management Service.

  • identity - An identity block as defined below.

  • hostnameConfiguration - A hostnameConfiguration block as defined below.

  • managementApiUrl - The URL for the Management API associated with this API Management service.

  • portalUrl - The URL for the Publisher Portal associated with this API Management service.

  • developerPortalUrl - The URL for the Developer Portal associated with this API Management service.

  • publicIpAddresses - The Public IP addresses of the API Management Service.

  • privateIpAddresses - The Private IP addresses of the API Management Service.

  • scmUrl - The URL for the SCM (Source Code Management) Endpoint associated with this API Management service.

  • tenantAccess - The tenantAccess block as documented below.


An additionalLocation block exports the following:

  • gatewayRegionalUrl - The URL of the Regional Gateway for the API Management Service in the specified region.

  • publicIpAddresses - Public Static Load Balanced IP addresses of the API Management service in the additional location. Available only for Basic, Standard and Premium SKU.

  • privateIpAddresses - The Private IP addresses of the API Management Service. Available only when the API Management instance is using Virtual Network mode.


An identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.


A tenantAccess block exports the following:

  • tenantId - The identifier for the tenant access information contract.

  • primaryKey - Primary access key for the tenant access information contract.

  • secondaryKey - Secondary access key for the tenant access information contract.


The certificate block exports the following:

  • expiry - The expiration date of the certificate in RFC3339 format: 2000-01-02T03:04:05Z.

  • thumbprint - The thumbprint of the certificate.

  • subject - The subject of the certificate.


The hostnameConfiguration block exports the following:

  • proxy - A proxy block as defined below.

The proxy block exports the following:

  • certificateSource - The source of the certificate.

  • certificateStatus - The status of the certificate.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 3 hours) Used when creating the API Management Service.
  • update - (Defaults to 3 hours) Used when updating the API Management Service.
  • read - (Defaults to 5 minutes) Used when retrieving the API Management Service.
  • delete - (Defaults to 3 hours) Used when deleting the API Management Service.

Import

API Management Services can be imported using the resourceId, e.g.

terraform import azurerm_api_management.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.ApiManagement/service/instance1