subcategory | layout | page_title | description |
---|---|---|---|
API Management | azurerm | Azure Resource Manager: azurerm_api_management | Manages an API Management Service. |

Manages an API Management Service.

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"

  sku_name = "Developer_1"

  policy {
    xml_content = <<XML
<policies>
  <inbound />
  <backend />
  <outbound />
  <on-error />
</policies>
XML
  }
}
```

The following arguments are supported:

- `name` - (Required) The name of the API Management Service. Changing this forces a new resource to be created.
- `location` - (Required) The Azure location where the API Management Service exists. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the Resource Group in which the API Management Service should exist. Changing this forces a new resource to be created.
- `publisher_name` - (Required) The name of publisher/company.
- `publisher_email` - (Required) The email of publisher/company.
- `sku_name` - (Required) `sku_name` is a string consisting of two parts separated by an underscore (_). The first part is the `name`, valid values include: `Developer`, `Basic`, `Standard` and `Premium`. The second part is the `capacity` (e.g. the number of deployed units of the `sku`), which must be a positive `integer` (e.g. `Developer_1`).
- `additional_location` - (Optional) One or more `additional_location` blocks as defined below.
- `certificate` - (Optional) One or more (up to 10) `certificate` blocks as defined below.
- `identity` - (Optional) An `identity` block is documented below.
- `hostname_configuration` - (Optional) A `hostname_configuration` block as defined below.
- `notification_sender_email` - (Optional) Email address from which the notification will be sent.
- `policy` - (Optional) A `policy` block as defined below.
- `protocols` - (Optional) A `protocols` block as defined below.
- `security` - (Optional) A `security` block as defined below.
- `sign_in` - (Optional) A `sign_in` block as defined below.
- `sign_up` - (Optional) A `sign_up` block as defined below.
- `virtual_network_type` - (Optional) The type of virtual network you want to use, valid values include: `None`, `External`, `Internal`.
- `virtual_network_configuration` - (Optional) A `virtual_network_configuration` block as defined below. Required when `virtual_network_type` is `External` or `Internal`.
- `tags` - (Optional) A mapping of tags assigned to the resource.

An `additional_location` block supports the following:

- `location` - (Required) The name of the Azure Region in which the API Management Service should be expanded to.

A `certificate` block supports the following:

- `encoded_certificate` - (Required) The Base64 Encoded PFX Certificate.
- `certificate_password` - (Required) The password for the certificate.
- `store_name` - (Required) The name of the Certificate Store where this certificate should be stored. Possible values are `CertificateAuthority` and `Root`.

A `hostname_configuration` block supports the following:

- `management` - (Optional) One or more `management` blocks as documented below.
- `portal` - (Optional) One or more `portal` blocks as documented below.
- `proxy` - (Optional) One or more `proxy` blocks as documented below.
- `scm` - (Optional) One or more `scm` blocks as documented below.

An `identity` block supports the following:

- `type` - (Required) Specifies the type of Managed Service Identity that should be configured on this API Management Service. At this time the only supported value is `SystemAssigned`.

A `management`, `portal` and `scm` block supports the following:

- `host_name` - (Required) The Hostname to use for the Management API.
- `key_vault_id` - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type `application/x-pkcs12`.

-> NOTE: Setting this field requires the `identity` block to be specified, since this identity is used to retrieve the Key Vault Certificate. Auto-updating the Certificate from the Key Vault requires that the Secret version isn't specified.

- `certificate` - (Optional) The Base64 Encoded Certificate.
- `certificate_password` - (Optional) The password associated with the certificate provided above.

-> NOTE: Either `key_vault_id` or `certificate` and `certificate_password` must be specified.

- `negotiate_client_certificate` - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to `false`.

A `policy` block supports the following:

- `xml_content` - (Optional) The XML Content for this Policy.
- `xml_link` - (Optional) A link to an API Management Policy XML Document, which must be publicly available.

A `proxy` block supports the following:

- `default_ssl_binding` - (Optional) Is the certificate associated with this Hostname the Default SSL Certificate? This is used when an SNI header isn't specified by a client. Defaults to `false`.
- `host_name` - (Required) The Hostname to use for the Management API.
- `key_vault_id` - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type `application/x-pkcs12`.

-> NOTE: Setting this field requires the `identity` block to be specified, since this identity is used to retrieve the Key Vault Certificate. Auto-updating the Certificate from the Key Vault requires that the Secret version isn't specified.

- `certificate` - (Optional) The Base64 Encoded Certificate.
- `certificate_password` - (Optional) The password associated with the certificate provided above.

-> NOTE: Either `key_vault_id` or `certificate` and `certificate_password` must be specified.

- `negotiate_client_certificate` - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to `false`.

A `protocols` block supports the following:

- `enable_http2` - (Optional) Should HTTP/2 be supported by the API Management Service? Defaults to `false`.

A `security` block supports the following:

- `enable_backend_ssl30` - (Optional) Should SSL 3.0 be enabled on the backend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30` field

- `enable_backend_tls10` - (Optional) Should TLS 1.0 be enabled on the backend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10` field

- `enable_backend_tls11` - (Optional) Should TLS 1.1 be enabled on the backend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11` field

- `enable_frontend_ssl30` - (Optional) Should SSL 3.0 be enabled on the frontend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30` field

- `enable_frontend_tls10` - (Optional) Should TLS 1.0 be enabled on the frontend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10` field

- `enable_frontend_tls11` - (Optional) Should TLS 1.1 be enabled on the frontend of the gateway? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11` field

- `enable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be enabled for all TLS versions (1.0, 1.1 and 1.2)? Defaults to `false`.

-> info: This maps to the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168` field

- `disable_backend_ssl30` - (Optional) Should SSL 3.0 be disabled on the backend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_backend_ssl30` property and will be removed in version 2.0 of the provider.

- `disable_backend_tls10` - (Optional) Should TLS 1.0 be disabled on the backend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_backend_tls10` property and will be removed in version 2.0 of the provider.

- `disable_backend_tls11` - (Optional) Should TLS 1.1 be disabled on the backend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_backend_tls11` property and will be removed in version 2.0 of the provider.

- `disable_frontend_ssl30` - (Optional) Should SSL 3.0 be disabled on the frontend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_frontend_ssl30` property and will be removed in version 2.0 of the provider.

- `disable_frontend_tls10` - (Optional) Should TLS 1.0 be disabled on the frontend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_frontend_tls10` property and will be removed in version 2.0 of the provider.

- `disable_frontend_tls11` - (Optional) Should TLS 1.1 be disabled on the frontend of the gateway? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_frontend_tls11` property and will be removed in version 2.0 of the provider.

- `disable_triple_des_ciphers` - (Optional) Should the `TLS_RSA_WITH_3DES_EDE_CBC_SHA` cipher be disabled for all TLS versions (1.0, 1.1 and 1.2)? This property was mistakenly inverted and `true` actually enables it. Defaults to `false`.

-> Note: This property has been deprecated in favour of the `enable_triple_des_ciphers` property and will be removed in version 2.0 of the provider.
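
As an added example (not part of the provider documentation): a Python check over `terraform show -json` plan output that reports every `security` flag that would turn a legacy protocol or cipher on, including the deprecated `disable_*` names, which the notes above describe as inverted. The function name, the sample plan and its resource addresses are constructed for illustration.

```python
import json

# Flags in the `security` block that turn a legacy protocol or cipher ON when
# true. The deprecated disable_* names are checked too because, per the
# documentation above, they are inverted: true enables the protocol.
ENABLE_FLAGS = (
    "enable_backend_ssl30", "enable_backend_tls10", "enable_backend_tls11",
    "enable_frontend_ssl30", "enable_frontend_tls10", "enable_frontend_tls11",
    "enable_triple_des_ciphers",
)
INVERTED_FLAGS = tuple(f.replace("enable_", "disable_", 1) for f in ENABLE_FLAGS)


def audit_plan(plan):
    """Return (address, flag, reason) for each legacy protocol a plan turns on."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_api_management":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null on destroy
        for block in after.get("security") or []:  # nested blocks are lists
            for flag in ENABLE_FLAGS + INVERTED_FLAGS:
                if block.get(flag) is True:
                    reason = ("deprecated and inverted: true enables it"
                              if flag in INVERTED_FLAGS
                              else "legacy protocol/cipher enabled")
                    findings.append((rc["address"], flag, reason))
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_api_management.legacy", "type": "azurerm_api_management",
   "change": {"actions": ["update"], "after": {"security": [
     {"disable_frontend_tls10": true, "disable_backend_ssl30": false,
      "enable_triple_des_ciphers": true, "enable_frontend_tls11": false}]}}},
  {"address": "azurerm_api_management.clean", "type": "azurerm_api_management",
   "change": {"actions": ["create"], "after": {"security": [
     {"enable_backend_tls10": false, "enable_frontend_ssl30": false}]}}},
  {"address": "azurerm_api_management.gone", "type": "azurerm_api_management",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    for address, flag, reason in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {flag} = true ({reason})")
```
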

A `sign_in` block supports the following:

- `enabled` - (Required) Should anonymous users be redirected to the sign in page?

A `sign_up` block supports the following:

- `enabled` - (Required) Can users sign up on the development portal?
- `terms_of_service` - (Optional) A `terms_of_service` block as defined below.

A `virtual_network_configuration` block supports the following:

- `subnet_id` - (Required) The id of the subnet that will be used for the API Management.

A `terms_of_service` block supports the following:

- `consent_required` - (Required) Should the user be asked for consent during sign up?
- `enabled` - (Required) Should Terms of Service be displayed during sign up?
- `text` - (Required) The Terms of Service which users are required to agree to in order to sign up.

In addition to all arguments above, the following attributes are exported:

- `id` - The ID of the API Management Service.
- `additional_location` - One or more `additional_location` blocks as documented below.
- `gateway_url` - The URL of the Gateway for the API Management Service.
- `gateway_regional_url` - The Region URL for the Gateway of the API Management Service.
- `identity` - An `identity` block as defined below.
- `management_api_url` - The URL for the Management API associated with this API Management service.
- `portal_url` - The URL for the Publisher Portal associated with this API Management service.
- `public_ip_addresses` - The Public IP addresses of the API Management Service.
- `scm_url` - The URL for the SCM (Source Code Management) Endpoint associated with this API Management service.

An `additional_location` block exports the following:

- `gateway_regional_url` - The URL of the Regional Gateway for the API Management Service in the specified region.
- `public_ip_addresses` - Public Static Load Balanced IP addresses of the API Management service in the additional location. Available only for Basic, Standard and Premium SKU.

An `identity` block exports the following:

- `principal_id` - The Principal ID associated with this Managed Service Identity.
- `tenant_id` - The Tenant ID associated with this Managed Service Identity.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 60 minutes) Used when creating the API Management Service.
- `update` - (Defaults to 60 minutes) Used when updating the API Management Service.
- `read` - (Defaults to 5 minutes) Used when retrieving the API Management Service.
- `delete` - (Defaults to 60 minutes) Used when deleting the API Management Service.

API Management Services can be imported using the `resource id`, e.g.

```shell
terraform import azurerm_api_management.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.ApiManagement/service/instance1
```