azurermApiManagementCustomDomain

Manages an API Management Custom Domain.

Disclaimers

~> Note: It's possible to define Custom Domains both within the azurermApiManagement resource via the hostnameConfigurations block and by using this resource. However, it's not possible to use both methods to manage Custom Domains within an API Management Service, since there will be conflicts.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermKeyVaultExample =
  new azurerm.dataAzurermKeyVault.DataAzurermKeyVault(this, "example_2", {
    name: "mykeyvault",
    resource_group_name: "some-resource-group",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermKeyVaultExample.overrideLogicalId("example");
const azurermApiManagementExample = new azurerm.apiManagement.ApiManagement(
  this,
  "example_3",
  {
    location: azurermResourceGroupExample.location,
    name: "example-apim",
    publisher_email: "pub1@email.com",
    publisher_name: "pub1",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "Developer_1",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermApiManagementExample.overrideLogicalId("example");
const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_4", {
    certificate_policy: [
      {
        issuer_parameters: [
          {
            name: "Self",
          },
        ],
        key_properties: [
          {
            exportable: true,
            key_size: 2048,
            key_type: "RSA",
            reuse_key: true,
          },
        ],
        lifetime_action: [
          {
            action: [
              {
                action_type: "AutoRenew",
              },
            ],
            trigger: [
              {
                days_before_expiry: 30,
              },
            ],
          },
        ],
        secret_properties: [
          {
            content_type: "application/x-pkcs12",
          },
        ],
        x509_certificate_properties: [
          {
            key_usage: [
              "cRLSign",
              "dataEncipherment",
              "digitalSignature",
              "keyAgreement",
              "keyCertSign",
              "keyEncipherment",
            ],
            subject: "CN=api.example.com",
            subject_alternative_names: [
              {
                dns_names: ["api.example.com", "portal.example.com"],
              },
            ],
            validity_in_months: 12,
          },
        ],
      },
    ],
    key_vault_id: dataAzurermKeyVaultExample.id,
    name: "example-certificate",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultCertificateExample.overrideLogicalId("example");
const azurermApiManagementCustomDomainExample =
  new azurerm.apiManagementCustomDomain.ApiManagementCustomDomain(
    this,
    "example_5",
    {
      api_management_id: azurermApiManagementExample.id,
      developer_portal: [
        {
          host_name: "portal.example.com",
          key_vault_id: azurermKeyVaultCertificateExample.versionlessSecretId,
        },
      ],
      gateway: [
        {
          host_name: "api.example.com",
          key_vault_id: azurermKeyVaultCertificateExample.versionlessSecretId,
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermApiManagementCustomDomainExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • apiManagementId - (Required) The ID of the API Management service for which to configure Custom Domains. Changing this forces a new API Management Custom Domain resource to be created.

  • developerPortal - (Optional) One or more developerPortal blocks as defined below.

  • management - (Optional) One or more management blocks as defined below.

  • portal - (Optional) One or more portal blocks as defined below.

  • gateway - (Optional) One or more gateway blocks as defined below.

  • scm - (Optional) One or more scm blocks as defined below.


A developerPortal, management, portal or scm block supports the following:

  • hostName - (Required) The Hostname to use for the corresponding endpoint.

  • certificate - (Optional) The Base64 Encoded Certificate. (Mutually exclusive with keyVaultId.)

  • certificatePassword - (Optional) The password associated with the certificate provided above.

  • keyVaultId - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.

  • negotiateClientCertificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.

  • sslKeyvaultIdentityClientId - (Optional) The clientId, as generated by Azure AD, of the System or User Assigned Managed Identity that has get access to the Key Vault containing the SSL certificate.

-> NOTE: If a User Assigned Managed identity is specified for sslKeyvaultIdentityClientId then this identity must be associated to the azurermApiManagement within an identity block.


A gateway block supports the following:

-> Tip: The default gateway hostname ending with .azure-api.net must not be added, as it will be automatically created by Azure and ignored by Terraform.

  • hostName - (Required) The Hostname to use for the API Proxy Endpoint.

  • certificate - (Optional) The Base64 Encoded Certificate. (Mutually exclusive with keyVaultId.)

  • certificatePassword - (Optional) The password associated with the certificate provided above.

  • defaultSslBinding - (Optional) Is the certificate associated with this Hostname the Default SSL Certificate? This is used when an SNI header isn't specified by a client. Defaults to false.

  • keyVaultId - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.

  • negotiateClientCertificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.

  • sslKeyvaultIdentityClientId - (Optional) The clientId, as generated by Azure AD, of the System or User Assigned Managed Identity that has get access to the Key Vault containing the SSL certificate.

-> NOTE: If a User Assigned Managed identity is specified for sslKeyvaultIdentityClientId then this identity must be associated to the azurermApiManagement within an identity block.
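
The constraints stated above (the hostnameConfigurations conflict, certificate versus keyVaultId, the default gateway hostname, and the identity association) can be checked before a configuration is applied. The following is an added example, not code from the provider or its documentation; HostnameBlock, CustomDomainPlan and lintCustomDomain are hypothetical names, the default gateway suffix is assumed to be .azure-api.net, and the caller is assumed to supply the client IDs from the service's identity block.

```typescript
// Added example: all type and function names here are hypothetical, not provider APIs.
type Kind = "gateway" | "developerPortal" | "management" | "portal" | "scm";
interface HostnameBlock {
  kind: Kind;
  hostName: string;
  certificate?: string; // Base64 encoded certificate
  keyVaultId?: string; // ID of the Key Vault Secret holding the certificate
  sslKeyvaultIdentityClientId?: string;
}
interface CustomDomainPlan {
  serviceHasHostnameConfigurations: boolean; // azurermApiManagement also sets hostnameConfigurations
  attachedIdentityClientIds: string[]; // assumed: client IDs from the service's identity block
  blocks: HostnameBlock[];
}

// Returns one finding per violated constraint; an empty array means the plan is consistent.
function lintCustomDomain(plan: CustomDomainPlan): string[] {
  const findings: string[] = [];
  if (plan.serviceHasHostnameConfigurations) {
    findings.push("service: hostnameConfigurations and this resource both manage Custom Domains");
  }
  for (const b of plan.blocks) {
    const where = `${b.kind}[${b.hostName}]`;
    if (b.certificate !== undefined && b.keyVaultId !== undefined) {
      findings.push(`${where}: certificate and keyVaultId are mutually exclusive`);
    }
    if (b.kind === "gateway" && /\.azure-api\.net$/i.test(b.hostName)) {
      findings.push(`${where}: default gateway hostname must not be added`);
    }
    const id = b.sslKeyvaultIdentityClientId;
    if (id !== undefined && plan.attachedIdentityClientIds.indexOf(id) === -1) {
      findings.push(`${where}: identity is not associated with the API Management service`);
    }
  }
  return findings;
}

// Constructed sample: one clean gateway block and two blocks that break the rules.
const samplePlan: CustomDomainPlan = {
  serviceHasHostnameConfigurations: false,
  attachedIdentityClientIds: ["11111111-1111-1111-1111-111111111111"],
  blocks: [
    { kind: "gateway", hostName: "api.example.com", keyVaultId: "<secret-id>" },
    { kind: "gateway", hostName: "example-apim.azure-api.net", keyVaultId: "<secret-id>" },
    { kind: "developerPortal", hostName: "portal.example.com", certificate: "<base64-pfx>",
      keyVaultId: "<secret-id>", sslKeyvaultIdentityClientId: "22222222-2222-2222-2222-222222222222" },
  ],
};
const sampleFindings: string[] = lintCustomDomain(samplePlan);
```
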

Attributes Reference

In addition to the Arguments listed above, the following Attributes are exported:

  • id - The ID of the API Management Custom Domain.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the API Management Custom Domain.
  • read - (Defaults to 5 minutes) Used when retrieving the API Management Custom Domain.
  • update - (Defaults to 60 minutes) Used when updating the API Management Custom Domain.
  • delete - (Defaults to 60 minutes) Used when deleting the API Management Custom Domain.

Import

API Management Custom Domains can be imported using the resourceId, e.g.

terraform import azurerm_api_management_custom_domain.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.ApiManagement/service/instance1/customDomains/default