
api-management-services


This Bicep AVM module deploys an API Management Service. The default deployment is set to use a Premium SKU to align with Microsoft WAF-aligned best practices. In most cases, non-prod deployments should use a lower-tier SKU.

ipm add --package avm-bicep/api-management-services --version 0.9.1 

Published: 24-03-2025

Project URL: https://ipmhub.io/avm-bicep

Package Type: Bicep

License: MIT


API Management Services [Microsoft.ApiManagement/service]

This module deploys an API Management Service. The default deployment is set to use a Premium SKU to align with Microsoft WAF-aligned best practices. In most cases, non-prod deployments should use a lower-tier SKU.


Resource Types

Resource Type API Version
Microsoft.ApiManagement/service 2024-05-01
Microsoft.ApiManagement/service/apis 2022-08-01
Microsoft.ApiManagement/service/apis/diagnostics 2022-08-01
Microsoft.ApiManagement/service/apis/policies 2022-08-01
Microsoft.ApiManagement/service/apiVersionSets 2022-08-01
Microsoft.ApiManagement/service/authorizationServers 2022-08-01
Microsoft.ApiManagement/service/backends 2022-08-01
Microsoft.ApiManagement/service/caches 2022-08-01
Microsoft.ApiManagement/service/identityProviders 2022-08-01
Microsoft.ApiManagement/service/loggers 2022-08-01
Microsoft.ApiManagement/service/namedValues 2022-08-01
Microsoft.ApiManagement/service/policies 2022-08-01
Microsoft.ApiManagement/service/portalsettings 2022-08-01
Microsoft.ApiManagement/service/products 2022-08-01
Microsoft.ApiManagement/service/products/apis 2022-08-01
Microsoft.ApiManagement/service/products/groups 2022-08-01
Microsoft.ApiManagement/service/subscriptions 2022-08-01
Microsoft.Authorization/locks 2020-05-01
Microsoft.Authorization/roleAssignments 2022-04-01
Microsoft.Insights/diagnosticSettings 2021-05-01-preview

Usage examples

The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.

Note: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.

Note: To reference the module, please use the following syntax: ./packages/api-management-services/main.bicep

Example 1: Deploying a Consumption SKU

This instance deploys the module using a Consumption SKU.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apiscon001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
    // Non-required parameters
    sku: 'Consumption'
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apiscon001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    },
    // Non-required parameters
    "sku": {
      "value": "Consumption"
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apiscon001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'
// Non-required parameters
param sku = 'Consumption'

Example 2: Using only defaults

This instance deploys the module with the minimum set of required parameters.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apismin001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apismin001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apismin001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'

Example 3: Deploying a Developer SKU

This instance deploys the module using a Developer SKU.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apisdev001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
    // Non-required parameters
    enableDeveloperPortal: true
    sku: 'Developer'
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apisdev001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    },
    // Non-required parameters
    "enableDeveloperPortal": {
      "value": true
    },
    "sku": {
      "value": "Developer"
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apisdev001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'
// Non-required parameters
param enableDeveloperPortal = true
param sku = 'Developer'

Example 4: Using large parameter set

This instance deploys the module with most of its features enabled.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apismax001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
    // Non-required parameters
    additionalLocations: [
      {
        disableGateway: false
        location: '<location>'
        publicIpAddressId: '<publicIpAddressId>'
        sku: {
          capacity: 1
          name: 'Premium'
        }
        virtualNetworkConfiguration: {
          subnetResourceId: '<subnetResourceId>'
        }
      }
    ]
    apiDiagnostics: [
      {
        apiName: 'echo-api'
        loggerName: 'logger'
        metrics: true
        name: 'applicationinsights'
      }
    ]
    apis: [
      {
        apiVersionSet: {
          name: 'echo-version-set'
          properties: {
            description: 'echo-version-set'
            displayName: 'echo-version-set'
            versioningScheme: 'Segment'
          }
        }
        displayName: 'Echo API'
        name: 'echo-api'
        path: 'echo'
        protocols: [
          'http'
          'https'
        ]
        serviceUrl: 'http://echoapi.cloudapp.net/api'
      }
    ]
    authorizationServers: [
      {
        authorizationEndpoint: '<authorizationEndpoint>'
        clientId: 'apimclientid'
        clientRegistrationEndpoint: 'http://localhost'
        clientSecret: '<clientSecret>'
        displayName: 'AuthServer1'
        grantTypes: [
          'authorizationCode'
        ]
        name: 'AuthServer1'
        tokenEndpoint: '<tokenEndpoint>'
      }
    ]
    backends: [
      {
        name: 'backend'
        tls: {
          validateCertificateChain: false
          validateCertificateName: false
        }
        url: 'http://echoapi.cloudapp.net/api'
      }
    ]
    caches: [
      {
        connectionString: 'connectionstringtest'
        name: 'westeurope'
        useFromLocation: 'westeurope'
      }
    ]
    diagnosticSettings: [
      {
        eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
        eventHubName: '<eventHubName>'
        metricCategories: [
          {
            category: 'AllMetrics'
          }
        ]
        name: 'customSetting'
        storageAccountResourceId: '<storageAccountResourceId>'
        workspaceResourceId: '<workspaceResourceId>'
      }
    ]
    identityProviders: [
      {
        allowedTenants: [
          'mytenant.onmicrosoft.com'
        ]
        authority: '<authority>'
        clientId: 'apimClientid'
        clientLibrary: 'MSAL-2'
        clientSecret: 'apimSlientSecret'
        name: 'aad'
        signinTenant: 'mytenant.onmicrosoft.com'
      }
    ]
    location: '<location>'
    lock: {
      kind: 'CanNotDelete'
      name: 'myCustomLockName'
    }
    loggers: [
      {
        credentials: {
          instrumentationKey: '<instrumentationKey>'
        }
        description: 'Logger to Azure Application Insights'
        isBuffered: false
        loggerType: 'applicationInsights'
        name: 'logger'
        resourceId: '<resourceId>'
      }
    ]
    managedIdentities: {
      systemAssigned: true
      userAssignedResourceIds: [
        '<managedIdentityResourceId>'
      ]
    }
    namedValues: [
      {
        displayName: 'apimkey'
        name: 'apimkey'
        secret: true
      }
    ]
    policies: [
      {
        format: 'xml'
        value: '<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period=\'60\' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
      }
    ]
    portalsettings: [
      {
        name: 'signin'
        properties: {
          enabled: false
        }
      }
      {
        name: 'signup'
        properties: {
          enabled: false
          termsOfService: {
            consentRequired: false
            enabled: false
          }
        }
      }
    ]
    products: [
      {
        apis: [
          {
            name: 'echo-api'
          }
        ]
        approvalRequired: false
        displayName: 'Starter'
        groups: [
          {
            name: 'developers'
          }
        ]
        name: 'Starter'
        subscriptionRequired: false
      }
    ]
    publicIpAddressResourceId: '<publicIpAddressResourceId>'
    roleAssignments: [
      {
        name: '6352c3e3-ac6b-43d5-ac43-1077ff373721'
        principalId: '<principalId>'
        principalType: 'ServicePrincipal'
        roleDefinitionIdOrName: 'Owner'
      }
      {
        name: '<name>'
        principalId: '<principalId>'
        principalType: 'ServicePrincipal'
        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
      }
      {
        principalId: '<principalId>'
        principalType: 'ServicePrincipal'
        roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
      }
    ]
    subnetResourceId: '<subnetResourceId>'
    subscriptions: [
      {
        displayName: 'testArmSubscriptionAllApis'
        name: 'testArmSubscriptionAllApis'
        scope: '/apis'
      }
    ]
    tags: {
      Environment: 'Non-Prod'
      'hidden-title': 'This is visible in the resource name'
      Role: 'DeploymentValidation'
    }
    virtualNetworkType: 'Internal'
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apismax001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    },
    // Non-required parameters
    "additionalLocations": {
      "value": [
        {
          "disableGateway": false,
          "location": "<location>",
          "publicIpAddressId": "<publicIpAddressId>",
          "sku": {
            "capacity": 1,
            "name": "Premium"
          },
          "virtualNetworkConfiguration": {
            "subnetResourceId": "<subnetResourceId>"
          }
        }
      ]
    },
    "apiDiagnostics": {
      "value": [
        {
          "apiName": "echo-api",
          "loggerName": "logger",
          "metrics": true,
          "name": "applicationinsights"
        }
      ]
    },
    "apis": {
      "value": [
        {
          "apiVersionSet": {
            "name": "echo-version-set",
            "properties": {
              "description": "echo-version-set",
              "displayName": "echo-version-set",
              "versioningScheme": "Segment"
            }
          },
          "displayName": "Echo API",
          "name": "echo-api",
          "path": "echo",
          "protocols": [
            "http",
            "https"
          ],
          "serviceUrl": "http://echoapi.cloudapp.net/api"
        }
      ]
    },
    "authorizationServers": {
      "value": [
        {
          "authorizationEndpoint": "<authorizationEndpoint>",
          "clientId": "apimclientid",
          "clientRegistrationEndpoint": "http://localhost",
          "clientSecret": "<clientSecret>",
          "displayName": "AuthServer1",
          "grantTypes": [
            "authorizationCode"
          ],
          "name": "AuthServer1",
          "tokenEndpoint": "<tokenEndpoint>"
        }
      ]
    },
    "backends": {
      "value": [
        {
          "name": "backend",
          "tls": {
            "validateCertificateChain": false,
            "validateCertificateName": false
          },
          "url": "http://echoapi.cloudapp.net/api"
        }
      ]
    },
    "caches": {
      "value": [
        {
          "connectionString": "connectionstringtest",
          "name": "westeurope",
          "useFromLocation": "westeurope"
        }
      ]
    },
    "diagnosticSettings": {
      "value": [
        {
          "eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
          "eventHubName": "<eventHubName>",
          "metricCategories": [
            {
              "category": "AllMetrics"
            }
          ],
          "name": "customSetting",
          "storageAccountResourceId": "<storageAccountResourceId>",
          "workspaceResourceId": "<workspaceResourceId>"
        }
      ]
    },
    "identityProviders": {
      "value": [
        {
          "allowedTenants": [
            "mytenant.onmicrosoft.com"
          ],
          "authority": "<authority>",
          "clientId": "apimClientid",
          "clientLibrary": "MSAL-2",
          "clientSecret": "apimSlientSecret",
          "name": "aad",
          "signinTenant": "mytenant.onmicrosoft.com"
        }
      ]
    },
    "location": {
      "value": "<location>"
    },
    "lock": {
      "value": {
        "kind": "CanNotDelete",
        "name": "myCustomLockName"
      }
    },
    "loggers": {
      "value": [
        {
          "credentials": {
            "instrumentationKey": "<instrumentationKey>"
          },
          "description": "Logger to Azure Application Insights",
          "isBuffered": false,
          "loggerType": "applicationInsights",
          "name": "logger",
          "resourceId": "<resourceId>"
        }
      ]
    },
    "managedIdentities": {
      "value": {
        "systemAssigned": true,
        "userAssignedResourceIds": [
          "<managedIdentityResourceId>"
        ]
      }
    },
    "namedValues": {
      "value": [
        {
          "displayName": "apimkey",
          "name": "apimkey",
          "secret": true
        }
      ]
    },
    "policies": {
      "value": [
        {
          "format": "xml",
          "value": "<policies> <inbound> <rate-limit-by-key calls=\"250\" renewal-period=\"60\" counter-key=\"@(context.Request.IpAddress)\" /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
        }
      ]
    },
    "portalsettings": {
      "value": [
        {
          "name": "signin",
          "properties": {
            "enabled": false
          }
        },
        {
          "name": "signup",
          "properties": {
            "enabled": false,
            "termsOfService": {
              "consentRequired": false,
              "enabled": false
            }
          }
        }
      ]
    },
    "products": {
      "value": [
        {
          "apis": [
            {
              "name": "echo-api"
            }
          ],
          "approvalRequired": false,
          "displayName": "Starter",
          "groups": [
            {
              "name": "developers"
            }
          ],
          "name": "Starter",
          "subscriptionRequired": false
        }
      ]
    },
    "publicIpAddressResourceId": {
      "value": "<publicIpAddressResourceId>"
    },
    "roleAssignments": {
      "value": [
        {
          "name": "6352c3e3-ac6b-43d5-ac43-1077ff373721",
          "principalId": "<principalId>",
          "principalType": "ServicePrincipal",
          "roleDefinitionIdOrName": "Owner"
        },
        {
          "name": "<name>",
          "principalId": "<principalId>",
          "principalType": "ServicePrincipal",
          "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
        },
        {
          "principalId": "<principalId>",
          "principalType": "ServicePrincipal",
          "roleDefinitionIdOrName": "<roleDefinitionIdOrName>"
        }
      ]
    },
    "subnetResourceId": {
      "value": "<subnetResourceId>"
    },
    "subscriptions": {
      "value": [
        {
          "displayName": "testArmSubscriptionAllApis",
          "name": "testArmSubscriptionAllApis",
          "scope": "/apis"
        }
      ]
    },
    "tags": {
      "value": {
        "Environment": "Non-Prod",
        "hidden-title": "This is visible in the resource name",
        "Role": "DeploymentValidation"
      }
    },
    "virtualNetworkType": {
      "value": "Internal"
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apismax001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'
// Non-required parameters
param additionalLocations = [
  {
    disableGateway: false
    location: '<location>'
    publicIpAddressId: '<publicIpAddressId>'
    sku: {
      capacity: 1
      name: 'Premium'
    }
    virtualNetworkConfiguration: {
      subnetResourceId: '<subnetResourceId>'
    }
  }
]
param apiDiagnostics = [
  {
    apiName: 'echo-api'
    loggerName: 'logger'
    metrics: true
    name: 'applicationinsights'
  }
]
param apis = [
  {
    apiVersionSet: {
      name: 'echo-version-set'
      properties: {
        description: 'echo-version-set'
        displayName: 'echo-version-set'
        versioningScheme: 'Segment'
      }
    }
    displayName: 'Echo API'
    name: 'echo-api'
    path: 'echo'
    protocols: [
      'http'
      'https'
    ]
    serviceUrl: 'http://echoapi.cloudapp.net/api'
  }
]
param authorizationServers = [
  {
    authorizationEndpoint: '<authorizationEndpoint>'
    clientId: 'apimclientid'
    clientRegistrationEndpoint: 'http://localhost'
    clientSecret: '<clientSecret>'
    displayName: 'AuthServer1'
    grantTypes: [
      'authorizationCode'
    ]
    name: 'AuthServer1'
    tokenEndpoint: '<tokenEndpoint>'
  }
]
param backends = [
  {
    name: 'backend'
    tls: {
      validateCertificateChain: false
      validateCertificateName: false
    }
    url: 'http://echoapi.cloudapp.net/api'
  }
]
param caches = [
  {
    connectionString: 'connectionstringtest'
    name: 'westeurope'
    useFromLocation: 'westeurope'
  }
]
param diagnosticSettings = [
  {
    eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
    eventHubName: '<eventHubName>'
    metricCategories: [
      {
        category: 'AllMetrics'
      }
    ]
    name: 'customSetting'
    storageAccountResourceId: '<storageAccountResourceId>'
    workspaceResourceId: '<workspaceResourceId>'
  }
]
param identityProviders = [
  {
    allowedTenants: [
      'mytenant.onmicrosoft.com'
    ]
    authority: '<authority>'
    clientId: 'apimClientid'
    clientLibrary: 'MSAL-2'
    clientSecret: 'apimSlientSecret'
    name: 'aad'
    signinTenant: 'mytenant.onmicrosoft.com'
  }
]
param location = '<location>'
param lock = {
  kind: 'CanNotDelete'
  name: 'myCustomLockName'
}
param loggers = [
  {
    credentials: {
      instrumentationKey: '<instrumentationKey>'
    }
    description: 'Logger to Azure Application Insights'
    isBuffered: false
    loggerType: 'applicationInsights'
    name: 'logger'
    resourceId: '<resourceId>'
  }
]
param managedIdentities = {
  systemAssigned: true
  userAssignedResourceIds: [
    '<managedIdentityResourceId>'
  ]
}
param namedValues = [
  {
    displayName: 'apimkey'
    name: 'apimkey'
    secret: true
  }
]
param policies = [
  {
    format: 'xml'
    value: '<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period=\'60\' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
  }
]
param portalsettings = [
  {
    name: 'signin'
    properties: {
      enabled: false
    }
  }
  {
    name: 'signup'
    properties: {
      enabled: false
      termsOfService: {
        consentRequired: false
        enabled: false
      }
    }
  }
]
param products = [
  {
    apis: [
      {
        name: 'echo-api'
      }
    ]
    approvalRequired: false
    displayName: 'Starter'
    groups: [
      {
        name: 'developers'
      }
    ]
    name: 'Starter'
    subscriptionRequired: false
  }
]
param publicIpAddressResourceId = '<publicIpAddressResourceId>'
param roleAssignments = [
  {
    name: '6352c3e3-ac6b-43d5-ac43-1077ff373721'
    principalId: '<principalId>'
    principalType: 'ServicePrincipal'
    roleDefinitionIdOrName: 'Owner'
  }
  {
    name: '<name>'
    principalId: '<principalId>'
    principalType: 'ServicePrincipal'
    roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  }
  {
    principalId: '<principalId>'
    principalType: 'ServicePrincipal'
    roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
  }
]
param subnetResourceId = '<subnetResourceId>'
param subscriptions = [
  {
    displayName: 'testArmSubscriptionAllApis'
    name: 'testArmSubscriptionAllApis'
    scope: '/apis'
  }
]
param tags = {
  Environment: 'Non-Prod'
  'hidden-title': 'This is visible in the resource name'
  Role: 'DeploymentValidation'
}
param virtualNetworkType = 'Internal'
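
Example 4 exercises most of the module's features, and several of its values are ones the WAF-aligned instance (Example 6) sets differently: it lists 'http' among the API protocols, turns backend certificate validation off, leaves the product without subscription or approval requirements, and assigns Owner. The check below is an added example, not part of the module or its repository; it reads a JSON parameters file in this page's style and reports those differences. The function names and both sample inputs are constructed for illustration.

```python
import json

# Prefix and suffixes of the legacy-protocol custom properties that Example 6 sets to 'False'.
PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."
LEGACY = ["Protocols.Ssl30", "Protocols.Tls10", "Protocols.Tls11",
          "Backend.Protocols.Ssl30", "Backend.Protocols.Tls10", "Backend.Protocols.Tls11"]

# Constructed sample: a subset of Example 4's values, with the page's // comment lines.
EXAMPLE_4_SUBSET = """{
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {"value": "apismax001"},
    // Non-required parameters
    "apis": {"value": [{"name": "echo-api", "protocols": ["http", "https"],
                        "serviceUrl": "http://echoapi.cloudapp.net/api"}]},
    "backends": {"value": [{"name": "backend",
                            "tls": {"validateCertificateChain": false,
                                    "validateCertificateName": false},
                            "url": "http://echoapi.cloudapp.net/api"}]},
    "products": {"value": [{"name": "Starter", "approvalRequired": false,
                            "subscriptionRequired": false}]},
    "roleAssignments": {"value": [{"principalId": "<principalId>",
                                   "roleDefinitionIdOrName": "Owner"}]}
  }
}"""

# Constructed sample: the same parameters with Example 6's (WAF-aligned) values.
WAF_SUBSET = json.dumps({"parameters": {
    "apis": {"value": [{"name": "echo-api", "protocols": ["https"],
                        "serviceUrl": "https://echoapi.cloudapp.net/api"}]},
    "backends": {"value": [{"name": "backend",
                            "tls": {"validateCertificateChain": True,
                                    "validateCertificateName": True},
                            "url": "https://echoapi.cloudapp.net/api"}]},
    "products": {"value": [{"name": "Starter", "approvalRequired": True,
                            "subscriptionRequired": True}]},
    "customProperties": {"value": {PREFIX + s: "False" for s in LEGACY}},
}})


def load_parameters(text):
    """Parse a JSON parameters file written in this page's style.

    The files carry whole-line // comments, which json.loads rejects. Only
    lines that are entirely a comment are dropped, so the '//' inside
    'http://...' values is left alone.
    """
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    doc = json.loads("\n".join(kept))
    return {name: body.get("value") for name, body in doc["parameters"].items()}


def _is_http(url):
    return str(url or "").lower().startswith("http://")


def lint(params):
    """Return findings where params differ from the WAF-aligned example's choices."""
    out = []
    for api in params.get("apis") or []:
        where = f"apis[{api.get('name')}]"
        if "http" in (api.get("protocols") or []):
            out.append(f"{where}: 'http' listed in protocols")
        if _is_http(api.get("serviceUrl")):
            out.append(f"{where}: serviceUrl is not https")
    for be in params.get("backends") or []:
        where = f"backends[{be.get('name')}]"
        if _is_http(be.get("url")):
            out.append(f"{where}: url is not https")
        for key in ("validateCertificateChain", "validateCertificateName"):
            if (be.get("tls") or {}).get(key) is False:
                out.append(f"{where}: tls.{key} is false")
    for prod in params.get("products") or []:
        where = f"products[{prod.get('name')}]"
        for key in ("subscriptionRequired", "approvalRequired"):
            if prod.get(key) is False:
                out.append(f"{where}: {key} is false")
    for ra in params.get("roleAssignments") or []:
        if str(ra.get("roleDefinitionIdOrName", "")).lower() == "owner":
            out.append("roleAssignments: 'Owner' granted on the service")
    # Report legacy protocol switches the file does not explicitly set to 'False'.
    custom = params.get("customProperties") or {}
    missing = [s for s in LEGACY if str(custom.get(PREFIX + s, "")).lower() != "false"]
    if missing:
        out.append("customProperties: not pinned to 'False': " + ", ".join(missing))
    return out


if __name__ == "__main__":
    for finding in lint(load_parameters(EXAMPLE_4_SUBSET)):
        print(finding)
```

The customProperties finding only means the file does not pin those switches the way Example 6 does; it makes no statement about the service's effective defaults.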

Example 5: Deploying an APIM v2 SKU

This instance deploys the module using a v2 SKU.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apisv2s001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
    // Non-required parameters
    enableDeveloperPortal: true
    sku: 'BasicV2'
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apisv2s001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    },
    // Non-required parameters
    "enableDeveloperPortal": {
      "value": true
    },
    "sku": {
      "value": "BasicV2"
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apisv2s001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'
// Non-required parameters
param enableDeveloperPortal = true
param sku = 'BasicV2'

Example 6: WAF-aligned

This instance deploys the module in alignment with the best practices of the Azure Well-Architected Framework.

via Bicep module
module service './packages/api-management-services/main.bicep' = {
  name: 'serviceDeployment'
  params: {
    // Required parameters
    name: 'apiswaf001'
    publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
    publisherName: 'az-amorg-x-001'
    // Non-required parameters
    additionalLocations: [
      {
        disableGateway: false
        location: 'westus'
        sku: {
          capacity: 1
          name: 'Premium'
        }
      }
    ]
    apis: [
      {
        apiVersionSet: {
          name: 'echo-version-set'
          properties: {
            description: 'An echo API version set'
            displayName: 'Echo version set'
            versioningScheme: 'Segment'
          }
        }
        description: 'An echo API service'
        displayName: 'Echo API'
        name: 'echo-api'
        path: 'echo'
        protocols: [
          'https'
        ]
        serviceUrl: 'https://echoapi.cloudapp.net/api'
      }
    ]
    authorizationServers: [
      {
        authorizationEndpoint: '<authorizationEndpoint>'
        clientId: 'apimClientid'
        clientRegistrationEndpoint: 'https://localhost'
        clientSecret: '<clientSecret>'
        displayName: 'AuthServer1'
        grantTypes: [
          'authorizationCode'
        ]
        name: 'AuthServer1'
        tokenEndpoint: '<tokenEndpoint>'
      }
    ]
    backends: [
      {
        name: 'backend'
        tls: {
          validateCertificateChain: true
          validateCertificateName: true
        }
        url: 'https://echoapi.cloudapp.net/api'
      }
    ]
    caches: [
      {
        connectionString: 'connectionstringtest'
        name: 'westeurope'
        useFromLocation: 'westeurope'
      }
    ]
    customProperties: {
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'
    }
    diagnosticSettings: [
      {
        eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
        eventHubName: '<eventHubName>'
        storageAccountResourceId: '<storageAccountResourceId>'
        workspaceResourceId: '<workspaceResourceId>'
      }
    ]
    identityProviders: [
      {
        allowedTenants: [
          'mytenant.onmicrosoft.com'
        ]
        authority: '<authority>'
        clientId: 'apimClientid'
        clientLibrary: 'MSAL-2'
        clientSecret: '<clientSecret>'
        name: 'aad'
        signinTenant: 'mytenant.onmicrosoft.com'
      }
    ]
    loggers: [
      {
        credentials: {
          instrumentationKey: '<instrumentationKey>'
        }
        description: 'Logger to Azure Application Insights'
        isBuffered: false
        loggerType: 'applicationInsights'
        name: 'logger'
        resourceId: '<resourceId>'
      }
    ]
    managedIdentities: {
      systemAssigned: true
      userAssignedResourceIds: [
        '<managedIdentityResourceId>'
      ]
    }
    minApiVersion: '2022-08-01'
    namedValues: [
      {
        displayName: 'apimkey'
        name: 'apimkey'
        secret: true
      }
    ]
    policies: [
      {
        format: 'xml'
        value: '<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period=\'60\' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
      }
    ]
    portalsettings: [
      {
        name: 'signin'
        properties: {
          enabled: false
        }
      }
      {
        name: 'signup'
        properties: {
          enabled: false
          termsOfService: {
            consentRequired: false
            enabled: false
          }
        }
      }
    ]
    products: [
      {
        apis: [
          {
            name: 'echo-api'
          }
        ]
        approvalRequired: true
        description: 'This is an echo API'
        displayName: 'Echo API'
        groups: [
          {
            name: 'developers'
          }
        ]
        name: 'Starter'
        subscriptionRequired: true
        terms: 'By accessing or using the services provided by Echo API through Azure API Management, you agree to be bound by these Terms of Use. These terms may be updated from time to time, and your continued use of the services constitutes acceptance of any changes.'
      }
    ]
    subscriptions: [
      {
        displayName: 'testArmSubscriptionAllApis'
        name: 'testArmSubscriptionAllApis'
        scope: '/apis'
      }
    ]
    tags: {
      Environment: 'Non-Prod'
      'hidden-title': 'This is visible in the resource name'
      Role: 'DeploymentValidation'
    }
  }
}

via JSON parameters file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {
      "value": "apiswaf001"
    },
    "publisherEmail": {
      "value": "apimgmt-noreply@mail.windowsazure.com"
    },
    "publisherName": {
      "value": "az-amorg-x-001"
    },
    // Non-required parameters
    "additionalLocations": {
      "value": [
        {
          "disableGateway": false,
          "location": "westus",
          "sku": {
            "capacity": 1,
            "name": "Premium"
          }
        }
      ]
    },
    "apis": {
      "value": [
        {
          "apiVersionSet": {
            "name": "echo-version-set",
            "properties": {
              "description": "An echo API version set",
              "displayName": "Echo version set",
              "versioningScheme": "Segment"
            }
          },
          "description": "An echo API service",
          "displayName": "Echo API",
          "name": "echo-api",
          "path": "echo",
          "protocols": [
            "https"
          ],
          "serviceUrl": "https://echoapi.cloudapp.net/api"
        }
      ]
    },
    "authorizationServers": {
      "value": [
        {
          "authorizationEndpoint": "<authorizationEndpoint>",
          "clientId": "apimClientid",
          "clientRegistrationEndpoint": "https://localhost",
          "clientSecret": "<clientSecret>",
          "displayName": "AuthServer1",
          "grantTypes": [
            "authorizationCode"
          ],
          "name": "AuthServer1",
          "tokenEndpoint": "<tokenEndpoint>"
        }
      ]
    },
    "backends": {
      "value": [
        {
          "name": "backend",
          "tls": {
            "validateCertificateChain": true,
            "validateCertificateName": true
          },
          "url": "https://echoapi.cloudapp.net/api"
        }
      ]
    },
    "caches": {
      "value": [
        {
          "connectionString": "connectionstringtest",
          "name": "westeurope",
          "useFromLocation": "westeurope"
        }
      ]
    },
    "customProperties": {
      "value": {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "True",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False"
      }
    },
    "diagnosticSettings": {
      "value": [
        {
          "eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
          "eventHubName": "<eventHubName>",
          "storageAccountResourceId": "<storageAccountResourceId>",
          "workspaceResourceId": "<workspaceResourceId>"
        }
      ]
    },
    "identityProviders": {
      "value": [
        {
          "allowedTenants": [
            "mytenant.onmicrosoft.com"
          ],
          "authority": "<authority>",
          "clientId": "apimClientid",
          "clientLibrary": "MSAL-2",
          "clientSecret": "<clientSecret>",
          "name": "aad",
          "signinTenant": "mytenant.onmicrosoft.com"
        }
      ]
    },
    "loggers": {
      "value": [
        {
          "credentials": {
            "instrumentationKey": "<instrumentationKey>"
          },
          "description": "Logger to Azure Application Insights",
          "isBuffered": false,
          "loggerType": "applicationInsights",
          "name": "logger",
          "resourceId": "<resourceId>"
        }
      ]
    },
    "managedIdentities": {
      "value": {
        "systemAssigned": true,
        "userAssignedResourceIds": [
          "<managedIdentityResourceId>"
        ]
      }
    },
    "minApiVersion": {
      "value": "2022-08-01"
    },
    "namedValues": {
      "value": [
        {
          "displayName": "apimkey",
          "name": "apimkey",
          "secret": true
        }
      ]
    },
    "policies": {
      "value": [
        {
          "format": "xml",
          "value": "<policies> <inbound> <rate-limit-by-key calls=\"250\" renewal-period=\"60\" counter-key=\"@(context.Request.IpAddress)\" /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
        }
      ]
    },
    "portalsettings": {
      "value": [
        {
          "name": "signin",
          "properties": {
            "enabled": false
          }
        },
        {
          "name": "signup",
          "properties": {
            "enabled": false,
            "termsOfService": {
              "consentRequired": false,
              "enabled": false
            }
          }
        }
      ]
    },
    "products": {
      "value": [
        {
          "apis": [
            {
              "name": "echo-api"
            }
          ],
          "approvalRequired": true,
          "description": "This is an echo API",
          "displayName": "Echo API",
          "groups": [
            {
              "name": "developers"
            }
          ],
          "name": "Starter",
          "subscriptionRequired": true,
          "terms": "By accessing or using the services provided by Echo API through Azure API Management, you agree to be bound by these Terms of Use. These terms may be updated from time to time, and your continued use of the services constitutes acceptance of any changes."
        }
      ]
    },
    "subscriptions": {
      "value": [
        {
          "displayName": "testArmSubscriptionAllApis",
          "name": "testArmSubscriptionAllApis",
          "scope": "/apis"
        }
      ]
    },
    "tags": {
      "value": {
        "Environment": "Non-Prod",
        "hidden-title": "This is visible in the resource name",
        "Role": "DeploymentValidation"
      }
    }
  }
}

via Bicep parameters file
using './packages/api-management-services/main.bicep'

// Required parameters
param name = 'apiswaf001'
param publisherEmail = 'apimgmt-noreply@mail.windowsazure.com'
param publisherName = 'az-amorg-x-001'
// Non-required parameters
param additionalLocations = [
  {
    disableGateway: false
    location: 'westus'
    sku: {
      capacity: 1
      name: 'Premium'
    }
  }
]
param apis = [
  {
    apiVersionSet: {
      name: 'echo-version-set'
      properties: {
        description: 'An echo API version set'
        displayName: 'Echo version set'
        versioningScheme: 'Segment'
      }
    }
    description: 'An echo API service'
    displayName: 'Echo API'
    name: 'echo-api'
    path: 'echo'
    protocols: [
      'https'
    ]
    serviceUrl: 'https://echoapi.cloudapp.net/api'
  }
]
param authorizationServers = [
  {
    authorizationEndpoint: '<authorizationEndpoint>'
    clientId: 'apimClientid'
    clientRegistrationEndpoint: 'https://localhost'
    clientSecret: '<clientSecret>'
    displayName: 'AuthServer1'
    grantTypes: [
      'authorizationCode'
    ]
    name: 'AuthServer1'
    tokenEndpoint: '<tokenEndpoint>'
  }
]
param backends = [
  {
    name: 'backend'
    tls: {
      validateCertificateChain: true
      validateCertificateName: true
    }
    url: 'https://echoapi.cloudapp.net/api'
  }
]
param caches = [
  {
    connectionString: 'connectionstringtest'
    name: 'westeurope'
    useFromLocation: 'westeurope'
  }
]
param customProperties = {
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'
  'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'
}
param diagnosticSettings = [
  {
    eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
    eventHubName: '<eventHubName>'
    storageAccountResourceId: '<storageAccountResourceId>'
    workspaceResourceId: '<workspaceResourceId>'
  }
]
param identityProviders = [
  {
    allowedTenants: [
      'mytenant.onmicrosoft.com'
    ]
    authority: '<authority>'
    clientId: 'apimClientid'
    clientLibrary: 'MSAL-2'
    clientSecret: '<clientSecret>'
    name: 'aad'
    signinTenant: 'mytenant.onmicrosoft.com'
  }
]
param loggers = [
  {
    credentials: {
      instrumentationKey: '<instrumentationKey>'
    }
    description: 'Logger to Azure Application Insights'
    isBuffered: false
    loggerType: 'applicationInsights'
    name: 'logger'
    resourceId: '<resourceId>'
  }
]
param managedIdentities = {
  systemAssigned: true
  userAssignedResourceIds: [
    '<managedIdentityResourceId>'
  ]
}
param minApiVersion = '2022-08-01'
param namedValues = [
  {
    displayName: 'apimkey'
    name: 'apimkey'
    secret: true
  }
]
param policies = [
  {
    format: 'xml'
    value: '<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period=\'60\' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
  }
]
param portalsettings = [
  {
    name: 'signin'
    properties: {
      enabled: false
    }
  }
  {
    name: 'signup'
    properties: {
      enabled: false
      termsOfService: {
        consentRequired: false
        enabled: false
      }
    }
  }
]
param products = [
  {
    apis: [
      {
        name: 'echo-api'
      }
    ]
    approvalRequired: true
    description: 'This is an echo API'
    displayName: 'Echo API'
    groups: [
      {
        name: 'developers'
      }
    ]
    name: 'Starter'
    subscriptionRequired: true
    terms: 'By accessing or using the services provided by Echo API through Azure API Management, you agree to be bound by these Terms of Use. These terms may be updated from time to time, and your continued use of the services constitutes acceptance of any changes.'
  }
]
param subscriptions = [
  {
    displayName: 'testArmSubscriptionAllApis'
    name: 'testArmSubscriptionAllApis'
    scope: '/apis'
  }
]
param tags = {
  Environment: 'Non-Prod'
  'hidden-title': 'This is visible in the resource name'
  Role: 'DeploymentValidation'
}

Parameters

Required parameters

Parameter Type Description
name string The name of the API Management service.
publisherEmail string The email address of the owner of the service.
publisherName string The name of the owner of the service.

Conditional parameters

Parameter Type Description
skuCapacity int The scale units for this API Management service. Required if using Basic, Standard, or Premium SKUs. For the range of capacities for each SKU, see https://azure.microsoft.com/en-us/pricing/details/api-management/.

Optional parameters

Parameter Type Description
additionalLocations array Additional datacenter locations of the API Management service. Not supported with V2 SKUs.
apiDiagnostics array API Diagnostics.
apis array APIs.
apiVersionSets array API Version Sets.
authorizationServers array Authorization servers.
backends array Backends.
caches array Caches.
certificates array List of certificates to install in the API Management service. At most 10 certificates can be installed.
customProperties object Custom properties of the API Management service. Not supported if SKU is Consumption.
diagnosticSettings array The diagnostic settings of the service.
disableGateway bool Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in the master region.
enableClientCertificate bool Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
enableDeveloperPortal bool Enable the Developer Portal. The developer portal is not supported on the Consumption SKU.
enableTelemetry bool Enable/Disable usage telemetry for module.
hostnameConfigurations array Custom hostname configuration of the API Management service.
identityProviders array Identity providers.
location string Location for all Resources.
lock object The lock settings of the service.
loggers array Loggers.
managedIdentities object The managed identity definition for this resource.
minApiVersion string Limit control plane API calls to API Management service with version equal to or newer than this value.
namedValues array Named values.
newGuidValue string Necessary to create a new GUID.
notificationSenderEmail string The notification sender email address for the service.
policies array Policies.
portalsettings array Portal settings.
products array Products.
publicIpAddressResourceId string Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network.
restore bool Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.
roleAssignments array Array of role assignments to create.
sku string The pricing tier of this API Management service.
subnetResourceId string The full resource ID of a subnet in a virtual network to deploy the API Management service in.
subscriptions array Subscriptions.
tags object Tags of the resource.
virtualNetworkType string The type of VPN in which the API Management service needs to be configured. None (default value) means the API Management service is not part of any virtual network, External means the API Management deployment is set up inside a virtual network with an internet-facing endpoint, and Internal means the API Management deployment is set up inside a virtual network with an intranet-facing endpoint only.
zones array A list of availability zones denoting where the resource needs to come from. Only supported by the Premium SKU.

Parameter: name

The name of the API Management service.

  • Required: Yes
  • Type: string

Parameter: publisherEmail

The email address of the owner of the service.

  • Required: Yes
  • Type: string

Parameter: publisherName

The name of the owner of the service.

  • Required: Yes
  • Type: string

Parameter: skuCapacity

The scale units for this API Management service. Required if using Basic, Standard, or Premium SKUs. For the range of capacities for each SKU, see https://azure.microsoft.com/en-us/pricing/details/api-management/.

  • Required: No
  • Type: int
  • Default: 2

Parameter: additionalLocations

Additional datacenter locations of the API Management service. Not supported with V2 SKUs.

  • Required: No
  • Type: array
  • Default: []

Parameter: apiDiagnostics

API Diagnostics.

  • Required: No
  • Type: array
  • Default: []

Parameter: apis

APIs.

  • Required: No
  • Type: array
  • Default: []

Parameter: apiVersionSets

API Version Sets.

  • Required: No
  • Type: array
  • Default: []

Parameter: authorizationServers

Authorization servers.

  • Required: No
  • Type: array

Required parameters

Parameter Type Description
authorizationEndpoint string OAuth authorization endpoint. See http://tools.ietf.org/html/rfc6749#section-3.2.
clientId securestring Client or app ID registered with this authorization server.
clientSecret securestring Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value.
displayName string API Management Service Authorization Servers name. Must be 1 to 50 characters long.
grantTypes array Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials.
name string Identifier of the authorization server.

Optional parameters

Parameter Type Description
authorizationMethods array HTTP verbs supported by the authorization endpoint. GET must always be present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE.
bearerTokenSendingMethods array Specifies the mechanism by which the access token is passed to the API. - authorizationHeader or query.
clientAuthenticationMethod array Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body.
clientRegistrationEndpoint string Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.
defaultScope string Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.
resourceOwnerPassword securestring Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.
resourceOwnerUsername string Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.
serverDescription string Description of the authorization server. Can contain HTML formatting tags.
supportState bool If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.
tokenBodyParameters array Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object.
tokenEndpoint string OAuth token endpoint. Contains absolute URI to entity being referenced.

Parameter: authorizationServers.authorizationEndpoint

OAuth authorization endpoint. See http://tools.ietf.org/html/rfc6749#section-3.2.

  • Required: Yes
  • Type: string

Parameter: authorizationServers.clientId

Client or app ID registered with this authorization server.

  • Required: Yes
  • Type: securestring

Parameter: authorizationServers.clientSecret

Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value.

  • Required: Yes
  • Type: securestring

Parameter: authorizationServers.displayName

API Management Service Authorization Servers name. Must be 1 to 50 characters long.

  • Required: Yes
  • Type: string

Parameter: authorizationServers.grantTypes

Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials.

  • Required: Yes
  • Type: array
  • Allowed:
    [
      'authorizationCode'
      'clientCredentials'
      'implicit'
      'resourceOwnerPassword'
    ]
    

Parameter: authorizationServers.name

Identifier of the authorization server.

  • Required: Yes
  • Type: string

Parameter: authorizationServers.authorizationMethods

HTTP verbs supported by the authorization endpoint. GET must always be present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE.

  • Required: No
  • Type: array

Parameter: authorizationServers.bearerTokenSendingMethods

Specifies the mechanism by which the access token is passed to the API. - authorizationHeader or query.

  • Required: No
  • Type: array

Parameter: authorizationServers.clientAuthenticationMethod

Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body.

  • Required: No
  • Type: array

Parameter: authorizationServers.clientRegistrationEndpoint

Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.

  • Required: No
  • Type: string

Parameter: authorizationServers.defaultScope

Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.

  • Required: No
  • Type: string

Parameter: authorizationServers.resourceOwnerPassword

Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.

  • Required: No
  • Type: securestring

Parameter: authorizationServers.resourceOwnerUsername

Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.

  • Required: No
  • Type: string

Parameter: authorizationServers.serverDescription

Description of the authorization server. Can contain HTML formatting tags.

  • Required: No
  • Type: string

Parameter: authorizationServers.supportState

If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.

  • Required: No
  • Type: bool

Parameter: authorizationServers.tokenBodyParameters

Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object.

  • Required: No
  • Type: array

Required parameters

Parameter Type Description
name string Body parameter name.
value string Body parameter value.

Parameter: authorizationServers.tokenBodyParameters.name

Body parameter name.

  • Required: Yes
  • Type: string

Parameter: authorizationServers.tokenBodyParameters.value

Body parameter value.

  • Required: Yes
  • Type: string

Parameter: authorizationServers.tokenEndpoint

OAuth token endpoint. Contains absolute URI to entity being referenced.

  • Required: No
  • Type: string

Parameter: backends

Backends.

  • Required: No
  • Type: array
  • Default: []

Parameter: caches

Caches.

  • Required: No
  • Type: array
  • Default: []

Parameter: certificates

List of certificates to install in the API Management service. At most 10 certificates can be installed.

  • Required: No
  • Type: array
  • Default: []

Parameter: customProperties

Custom properties of the API Management service. Not supported if SKU is Consumption.

  • Required: No
  • Type: object
  • Default:
    {
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'
        'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'
    }
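
The default above applies only when customProperties is omitted: a value supplied for a Bicep object parameter replaces its default rather than merging with it, so an override that lists only the protocol switches from the WAF-aligned example drops the cipher entries. The following added example (not part of the module or its README) lints a JSON parameters file for that case and for backend TLS validation; the function names, finding labels and sample file are constructed for illustration, and it assumes the module passes customProperties through without merging.

```python
import json

PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway."
# Cipher switches the module's customProperties default sets to 'False' (listed on this page).
DEFAULT_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TripleDes168",
]
# Legacy protocol switches the WAF-aligned example sets to 'False' in addition.
LEGACY_PROTOCOLS = [
    "Security.Protocols.Ssl30", "Security.Protocols.Tls10", "Security.Protocols.Tls11",
    "Security.Backend.Protocols.Ssl30", "Security.Backend.Protocols.Tls10",
    "Security.Backend.Protocols.Tls11",
]
CIPHER_KEYS = [PREFIX + "Security.Ciphers." + c for c in DEFAULT_CIPHERS]
PROTOCOL_KEYS = [PREFIX + p for p in LEGACY_PROTOCOLS]


def strip_line_comments(text):
    """Remove // comments (as used in the page's parameters file) outside of strings."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            # Skip the comment up to, but not including, the newline.
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def load_parameters(text):
    """Return {parameterName: value} from an ARM deployment parameters file."""
    doc = json.loads(strip_line_comments(text))
    return {name: entry.get("value") for name, entry in doc["parameters"].items()}


def audit(params):
    """Return sorted (issue, subject) findings for the TLS-related settings."""
    findings = []
    props = params.get("customProperties")
    # When the parameter is omitted, the module default (ciphers only) still applies.
    keys = PROTOCOL_KEYS if props is None else CIPHER_KEYS + PROTOCOL_KEYS
    for key in keys:
        value = (props or {}).get(key)
        if value is None:
            findings.append(("not-pinned", key[len(PREFIX):]))
        elif str(value).lower() != "false":
            findings.append(("enabled", key[len(PREFIX):]))
    for backend in params.get("backends") or []:
        tls = backend.get("tls") or {}
        for flag in ("validateCertificateChain", "validateCertificateName"):
            if tls.get(flag) is False:  # only an explicit opt-out is reported
                findings.append(("backend-" + flag + "-off", backend.get("name", "?")))
    return sorted(findings)


# Constructed sample (not from the page): customProperties overrides the default with
# protocol switches only, leaves Tls11 on, and the backend skips name validation.
SAMPLE = '''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": { "value": "apim-constructed-001" },
    "customProperties": {
      "value": {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "True"
      }
    },
    "backends": {
      "value": [
        { "name": "backend", "url": "https://backend.example/api",
          "tls": { "validateCertificateChain": true, "validateCertificateName": false } }
      ]
    }
  }
}
'''

if __name__ == "__main__":
    for issue, subject in audit(load_parameters(SAMPLE)):
        print(issue, subject)
```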
    

Parameter: diagnosticSettings

The diagnostic settings of the service.

  • Required: No
  • Type: array

Optional parameters

Parameter Type Description
eventHubAuthorizationRuleResourceId string Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
eventHubName string Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
logAnalyticsDestinationType string A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.
logCategoriesAndGroups array The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to [] to disable log collection.
marketplacePartnerResourceId string The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
metricCategories array The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.
name string The name of the diagnostic setting.
storageAccountResourceId string Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
workspaceResourceId string Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.

Parameter: diagnosticSettings.eventHubAuthorizationRuleResourceId

Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.eventHubName

Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.logAnalyticsDestinationType

A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.

  • Required: No
  • Type: string
  • Allowed:
    [
      'AzureDiagnostics'
      'Dedicated'
    ]
    

Parameter: diagnosticSettings.logCategoriesAndGroups

The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to [] to disable log collection.

  • Required: No
  • Type: array

Optional parameters

Parameter Type Description
category string Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to allLogs to collect all logs.
enabled bool Enable or disable the category explicitly. Default is true.

Parameter: diagnosticSettings.logCategoriesAndGroups.category

Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.logCategoriesAndGroups.categoryGroup

Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to allLogs to collect all logs.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.logCategoriesAndGroups.enabled

Enable or disable the category explicitly. Default is true.

  • Required: No
  • Type: bool

Parameter: diagnosticSettings.marketplacePartnerResourceId

The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.metricCategories

The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.

  • Required: No
  • Type: array

Required parameters

Parameter Type Description
category string Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics.

Optional parameters

Parameter Type Description
enabled bool Enable or disable the category explicitly. Default is true.

Parameter: diagnosticSettings.metricCategories.category

Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics.

  • Required: Yes
  • Type: string

Parameter: diagnosticSettings.metricCategories.enabled

Enable or disable the category explicitly. Default is true.

  • Required: No
  • Type: bool

Parameter: diagnosticSettings.name

The name of the diagnostic setting.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.storageAccountResourceId

Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.

  • Required: No
  • Type: string

Parameter: diagnosticSettings.workspaceResourceId

Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.

  • Required: No
  • Type: string

Parameter: disableGateway

Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in the master region.

  • Required: No
  • Type: bool
  • Default: False

Parameter: enableClientCertificate

Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.

  • Required: No
  • Type: bool
  • Default: False

Parameter: enableDeveloperPortal

Enable the Developer Portal. The developer portal is not supported on the Consumption SKU.

  • Required: No
  • Type: bool
  • Default: False

Parameter: enableTelemetry

Enable/Disable usage telemetry for module.

  • Required: No
  • Type: bool
  • Default: True

Parameter: hostnameConfigurations

Custom hostname configuration of the API Management service.

  • Required: No
  • Type: array
  • Default: []

Parameter: identityProviders

Identity providers.

  • Required: No
  • Type: array
  • Default: []

Parameter: location

Location for all Resources.

  • Required: No
  • Type: string
  • Default: [resourceGroup().location]

Parameter: lock

The lock settings of the service.

  • Required: No
  • Type: object

Optional parameters

Parameter Type Description
kind string Specify the type of lock.
name string Specify the name of lock.

Parameter: lock.kind

Specify the type of lock.

  • Required: No
  • Type: string
  • Allowed:
    [
      'CanNotDelete'
      'None'
      'ReadOnly'
    ]
    

Parameter: lock.name

Specify the name of lock.

  • Required: No
  • Type: string

Parameter: loggers

Loggers.

  • Required: No
  • Type: array
  • Default: []

Parameter: managedIdentities

The managed identity definition for this resource.

  • Required: No
  • Type: object

Optional parameters

| Parameter | Type | Description |
| --- | --- | --- |
| systemAssigned | bool | Enables system assigned managed identity on the resource. |
| userAssignedResourceIds | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |

Parameter: managedIdentities.systemAssigned

Enables system assigned managed identity on the resource.

  • Required: No
  • Type: bool

Parameter: managedIdentities.userAssignedResourceIds

The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.

  • Required: No
  • Type: array

Parameter: minApiVersion

Limit control plane API calls to API Management service with version equal to or newer than this value.

  • Required: No
  • Type: string

Parameter: namedValues

Named values.

  • Required: No
  • Type: array
  • Default: []

Parameter: newGuidValue

Necessary to create a new GUID.

  • Required: No
  • Type: string
  • Default: [newGuid()]

Parameter: notificationSenderEmail

The notification sender email address for the service.

  • Required: No
  • Type: string
  • Default: 'apimgmt-noreply@mail.windowsazure.com'

Parameter: policies

Policies.

  • Required: No
  • Type: array
  • Default: []

Parameter: portalsettings

Portal settings.

  • Required: No
  • Type: array
  • Default: []

Parameter: products

Products.

  • Required: No
  • Type: array
  • Default: []

Parameter: publicIpAddressResourceId

Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network.

  • Required: No
  • Type: string

Parameter: restore

Undelete the API Management Service if it was previously soft-deleted. If this flag is specified and set to True, all other properties will be ignored.

  • Required: No
  • Type: bool
  • Default: False

Parameter: roleAssignments

Array of role assignments to create.

  • Required: No
  • Type: array
  • Roles configurable by name:
    • 'API Management Developer Portal Content Editor'
    • 'API Management Service Contributor'
    • 'API Management Service Operator Role'
    • 'API Management Service Reader Role'
    • 'Contributor'
    • 'Owner'
    • 'Reader'
    • 'Role Based Access Control Administrator'
    • 'User Access Administrator'

Required parameters

| Parameter | Type | Description |
| --- | --- | --- |
| principalId | string | The principal ID of the principal (user/group/identity) to assign the role to. |
| roleDefinitionIdOrName | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |

Optional parameters

| Parameter | Type | Description |
| --- | --- | --- |
| condition | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". |
| conditionVersion | string | Version of the condition. |
| delegatedManagedIdentityResourceId | string | The Resource Id of the delegated managed identity resource. |
| description | string | The description of the role assignment. |
| name | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. |
| principalType | string | The principal type of the assigned principal ID. |

Parameter: roleAssignments.principalId

The principal ID of the principal (user/group/identity) to assign the role to.

  • Required: Yes
  • Type: string

Parameter: roleAssignments.roleDefinitionIdOrName

The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.

  • Required: Yes
  • Type: string

Parameter: roleAssignments.condition

The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".

  • Required: No
  • Type: string

Parameter: roleAssignments.conditionVersion

Version of the condition.

  • Required: No
  • Type: string
  • Allowed:
    [
      '2.0'
    ]
    

Parameter: roleAssignments.delegatedManagedIdentityResourceId

The Resource Id of the delegated managed identity resource.

  • Required: No
  • Type: string

Parameter: roleAssignments.description

The description of the role assignment.

  • Required: No
  • Type: string

Parameter: roleAssignments.name

The name (as GUID) of the role assignment. If not provided, a GUID will be generated.

  • Required: No
  • Type: string

Parameter: roleAssignments.principalType

The principal type of the assigned principal ID.

  • Required: No
  • Type: string
  • Allowed:
    [
      'Device'
      'ForeignGroup'
      'Group'
      'ServicePrincipal'
      'User'
    ]
    

Parameter: sku

The pricing tier of this API Management service.

  • Required: No
  • Type: string
  • Default: 'Premium'
  • Allowed:
    [
      'Basic'
      'BasicV2'
      'Consumption'
      'Developer'
      'Premium'
      'Standard'
      'StandardV2'
    ]
    

Parameter: subnetResourceId

The full resource ID of a subnet in a virtual network to deploy the API Management service in.

  • Required: No
  • Type: string

Parameter: subscriptions

Subscriptions.

  • Required: No
  • Type: array
  • Default: []

Parameter: tags

Tags of the resource.

  • Required: No
  • Type: object

Parameter: virtualNetworkType

The type of VPN in which the API Management service needs to be configured. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet-facing endpoint, and Internal means the API Management deployment is set up inside a Virtual Network having an intranet-facing endpoint only.

  • Required: No
  • Type: string
  • Default: 'None'
  • Allowed:
    [
      'External'
      'Internal'
      'None'
    ]
    

Parameter: zones

A list of availability zones denoting where the resource needs to come from. Only supported by the Premium SKU.

  • Required: No
  • Type: array
  • Default:
    [
      1
      2
    ]
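
The SKU and network constraints stated in the parameter descriptions above can be checked before deployment. The following is an added example, not part of the module or its documentation; it assumes the parameters are supplied as a plain dict keyed by parameter name, and `lint`, `DEFAULTS` and the sample values are hypothetical. Roles passed as GUIDs rather than display names are not matched.

```python
# Added example: pre-deployment lint for this module's parameters.
# Defaults and constraints are copied from the parameter descriptions above.
DEFAULTS = {"sku": "Premium", "virtualNetworkType": "None", "zones": [1, 2],
            "enableClientCertificate": False, "enableDeveloperPortal": False}
# Roles from the roleAssignments list that can grant access to other principals.
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator",
                         "Role Based Access Control Administrator"}


def lint(params):
    """Return a list of (parameter, message) findings for a parameter dict."""
    p = {**DEFAULTS, **params}
    sku, vnet = p["sku"], p["virtualNetworkType"]
    findings = []

    def flag(name, msg):
        findings.append((name, msg))

    if p["enableClientCertificate"] and sku != "Consumption":
        flag("enableClientCertificate", "only meant for the Consumption SKU")
    if p["enableDeveloperPortal"] and sku == "Consumption":
        flag("enableDeveloperPortal", "not supported on the Consumption SKU")
    if p["zones"] and sku != "Premium":
        flag("zones", f"resolves to {p['zones']} but is Premium-only")
    if vnet != "None" and not p.get("subnetResourceId"):
        flag("subnetResourceId", f"virtualNetworkType '{vnet}' needs a subnet")
    if p.get("publicIpAddressResourceId") and (
            sku not in ("Developer", "Premium") or vnet == "None"):
        flag("publicIpAddressResourceId",
             "only for Developer/Premium deployed in a virtual network")
    if not p.get("diagnosticSettings"):
        flag("diagnosticSettings", "no log destination configured")
    for ra in p.get("roleAssignments", []):
        if ra.get("roleDefinitionIdOrName") in ACCESS_GRANTING_ROLES:
            flag("roleAssignments", f"{ra['roleDefinitionIdOrName']} for "
                 f"{ra.get('principalId')} can grant access; review")
    return findings


# Constructed sample input (placeholder IDs, not from a real deployment).
SAMPLE = {
    "sku": "Developer",
    "enableClientCertificate": True,
    "publicIpAddressResourceId": "<public-ip-resource-id>",
    "roleAssignments": [
        {"principalId": "<guid-1>", "roleDefinitionIdOrName": "Owner"},
        {"principalId": "<guid-2>", "roleDefinitionIdOrName": "Reader"},
    ],
}
```

Calling `lint(SAMPLE)` flags the unset `zones` as well, because the default `[1, 2]` still applies once `sku` is lowered from `Premium`.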
    

Outputs

| Output | Type | Description |
| --- | --- | --- |
| location | string | The location the resource was deployed into. |
| name | string | The name of the API management service. |
| resourceGroupName | string | The resource group the API management service was deployed into. |
| resourceId | string | The resource ID of the API management service. |
| systemAssignedMIPrincipalId | string | The principal ID of the system assigned identity. |

Cross-referenced modules

This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).

| Reference | Type |
| --- | --- |
| ./packages/utl-common-types/main.bicep | Local Reference |

Notes

The latest version of this module only includes supported versions of the API Management resource. All unsupported versions of API Management have been removed from the related parameters. See the API Management stv1 platform retirement article for more details.

Parameter Usage: apiManagementServicePolicy

Parameter JSON format
"apiManagementServicePolicy": {
    "value": {
        "value":"<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
        "format":"xml"
    }
}
Bicep format
apiManagementServicePolicy: {
    value:'<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period=\'60\' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
    format:'xml'
}

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

 {
  "workingFolder": "packages",
  "packages": [
    // packages defined earlier
    {
      "name": "avm-bicep/api-management-services",
      "version": "0.9.1"
    }
  ]
}
