Azure API Management feature

This Terraform module creates an Azure API Management.

Requirements

• AzureRM Terraform provider >= 1.32

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
}

module "apim" {
  source  = "claranet/api-management/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  sku_tier     = "Standard"
  sku_capacity = 1

  publisher_name  = "Contoso ApiManager"
  publisher_email = "[email protected]"

  named_values = [
    {
      name   = "my_named_value"
      value  = "my_secret_value"
      secret = true
    },
    {
      display_name = "My second value explained"
      name         = "my_second_value"
      value        = "my_not_secret_value"
    }
  ]

  additional_location = [
    {
      location  = "eastus2"
      subnet_id = var.subnet_id
    },
  ]

  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id
  ]
}

Providers

Name	Version
azurecaf	~> 1.2, >= 1.2.22
azurerm	~> 3.108

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 7.0.0

Resources

Name	Type
azurerm_api_management.apim	resource
azurerm_api_management_group.group	resource
azurerm_api_management_named_value.named_values	resource
azurerm_api_management_policy.policy	resource
azurerm_api_management_product.product	resource
azurerm_api_management_product_group.product_group	resource
azurerm_network_security_rule.management_apim	resource
azurecaf_name.apim	data source
azurecaf_name.apim_nsg_rule	data source

Inputs

Name	Description	Type	Default	Required
additional_location	List of the Azure Region in which the API Management Service should be expanded to.	list(object({ location = string capacity = optional(number) zones = optional(list(number), [1, 2, 3]) public_ip_address_id = optional(string) subnet_id = optional(string) }))	[]	no
certificate_configuration	List of certificate configurations.	list(object({ encoded_certificate = string certificate_password = optional(string) store_name = string }))	[]	no
client_certificate_enabled	(Optional) Enforce a client certificate to be presented on each request to the gateway? This is only supported when SKU type is Consumption.	bool	false	no
client_name	Client name/account used in naming.	string	n/a	yes
create_management_rule	Whether to create the NSG rule for the management port of the APIM. If true, nsg_name variable must be set	bool	false	no
create_product_group_and_relationships	Create local APIM groups with name identical to products and create a relationship between groups and products.	bool	false	no
custom_diagnostic_settings_name	Custom name of the diagnostics settings, name will be 'default' if not set.	string	"default"	no
custom_management_rule_name	Custom NSG rule name for APIM Management.	string	""	no
custom_name	Custom API Management name, generated if not set.	string	""	no
default_tags_enabled	Option to enable or disable default tags	bool	true	no
developer_portal_hostname_configuration	Developer Portal hostname configurations.	list(object({ host_name = string key_vault_id = optional(string) certificate = optional(string) certificate_password = optional(string) negotiate_client_certificate = optional(bool, false) }))	[]	no
enable_http2	Should HTTP/2 be supported by the API Management Service?	bool	false	no
environment	Project environment.	string	n/a	yes
extra_tags	Extra tags to add	map(string)	{}	no
gateway_disabled	(Optional) Disable the gateway in main region? This is only supported when additional_location is set.	bool	false	no
identity_ids	A list of IDs for User Assigned Managed Identity resources to be assigned. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.	list(string)	[]	no
identity_type	Type of Managed Service Identity that should be configured on this API Management Service.	string	"SystemAssigned"	no
location	Azure location for Eventhub.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `	` character.	list(string)	n/a
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
management_hostname_configuration	List of management hostname configurations.	list(object({ host_name = string key_vault_id = optional(string) certificate = optional(string) certificate_password = optional(string) negotiate_client_certificate = optional(bool, false) }))	[]	no
management_nsg_rule_priority	Priority of the NSG rule created for the management port of the APIM	number	101	no
min_api_version	(Optional) The version which the control plane API calls to API Management service are limited with version equal to or newer than.	string	null	no
name_prefix	Optional prefix for the generated name	string	""	no
name_suffix	Optional suffix for the generated name	string	""	no
named_values	Named values configurations.	list(object({ name = string display_name = optional(string) value = string secret = optional(bool, false) }))	[]	no
notification_sender_email	Email address from which the notification will be sent.	string	null	no
nsg_name	NSG name of the subnet hosting the APIM to add the rule to allow management if the APIM is private	string	null	no
nsg_rg_name	Name of the RG hosting the NSG if it's different from the one hosting the APIM	string	null	no
policy_configuration	Policies configurations.	list(object({ name = optional(string, "default") xml_content = optional(string) xml_link = optional(string) }))	[]	no
portal_hostname_configuration	Legacy Portal hostname configurations.	list(object({ host_name = string key_vault_id = optional(string) certificate = optional(string) certificate_password = optional(string) negotiate_client_certificate = optional(bool, false) }))	[]	no
products	List of products to create.	list(string)	[]	no
proxy_hostname_configuration	List of proxy hostname configurations.	list(object({ host_name = string key_vault_id = optional(string) certificate = optional(string) certificate_password = optional(string) negotiate_client_certificate = optional(bool, false) }))	[]	no
publisher_email	The email of publisher/company.	string	n/a	yes
publisher_name	The name of publisher/company.	string	n/a	yes
resource_group_name	Name of the resource group.	string	n/a	yes
scm_hostname_configuration	List of SCM hostname configurations.	list(object({ host_name = string key_vault_id = optional(string) certificate = optional(string) certificate_password = optional(string) negotiate_client_certificate = optional(bool, false) }))	[]	no
security_configuration	Security configuration block.	object({ enable_backend_ssl30 = optional(bool, false) enable_backend_tls10 = optional(bool, false) enable_backend_tls11 = optional(bool, false) enable_frontend_ssl30 = optional(bool, false) enable_frontend_tls10 = optional(bool, false) enable_frontend_tls11 = optional(bool, false) tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = optional(bool, false) tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = optional(bool, false) tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled = optional(bool, false) tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled = optional(bool, false) tls_rsa_with_aes128_cbc_sha256_ciphers_enabled = optional(bool, false) tls_rsa_with_aes128_cbc_sha_ciphers_enabled = optional(bool, false) tls_rsa_with_aes128_gcm_sha256_ciphers_enabled = optional(bool, false) tls_rsa_with_aes256_cbc_sha256_ciphers_enabled = optional(bool, false) tls_rsa_with_aes256_cbc_sha_ciphers_enabled = optional(bool, false) triple_des_ciphers_enabled = optional(bool, false) })	{}	no
sign_in_enabled	Should anonymous users be redirected to the sign in page?	bool	false	no
sign_up_enabled	Can users sign up on the development portal?	bool	false	no
sku_capacity	APIM SKU capacity.	number	1	no
sku_tier	APIM SKU. Valid values include: Developer, Basic, Standard, StandardV2 and Premium.	string	"Basic"	no
stack	Project stack name.	string	n/a	yes
terms_of_service_configuration	Terms of service configurations.	list(object({ consent_required = optional(bool, false) enabled = optional(bool, false) text = optional(string, "") }))	[]	no
use_caf_naming	Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false.	bool	true	no
virtual_network_configuration	The id(s) of the subnet(s) that will be used for the API Management. Required when virtual_network_type is External or Internal	list(string)	[]	no
virtual_network_type	The type of virtual network you want to use, valid values include: None, External, Internal.	string	null	no
zones	(Optional) Specifies a list of Availability Zones in which this API Management service should be located. Changing this forces a new API Management service to be created. Supported in Premium Tier.	list(number)	[ 1, 2, 3 ]	no

Outputs

Name	Description
api_management_additional_location	Map listing gateway_regional_url and public_ip_addresses associated
api_management_gateway_regional_url	The Region URL for the Gateway of the API Management Service
api_management_gateway_url	The URL of the Gateway for the API Management Service
api_management_id	The ID of the API Management Service
api_management_identity	The identity of the API Management
api_management_management_api_url	The URL for the Management API associated with this API Management service
api_management_name	The name of the API Management Service
api_management_portal_url	The URL for the Publisher Portal associated with this API Management service
api_management_private_ip_addresses	The Private IP addresses of the API Management Service
api_management_public_ip_addresses	The Public IP addresses of the API Management Service
api_management_scm_url	The URL for the SCM Endpoint associated with this API Management service

Related documentation

Microsoft Azure documentation: https://docs.microsoft.com/en-us/azure/api-management/