terraform-azurerm-avm-res-apimanagement-service

This repo deploys the base Azure API management service.

[!IMPORTANT] As the overall AVM framework is not GA (generally available) yet - the CI framework and test automation is not fully functional and implemented across all supported languages yet - breaking changes are expected, and additional customer feedback is yet to be gathered and incorporated. Hence, modules MUST NOT be published at version 1.0.0 or higher at this time.

All module MUST be published as a pre-release version (e.g., 0.1.0, 0.1.1, 0.2.0, etc.) until the AVM framework becomes GA.

However, it is important to note that this DOES NOT mean that the modules cannot be consumed and utilized. They CAN be leveraged in all types of environments (dev, test, prod etc.). Consumers can treat them just like any other IaC module and raise issues or feature requests against them as they learn from the usage of the module. Consumers should also read the release notes for each version, if considering updating to a more recent version of a module to see if there are any considerations or breaking changes etc.

Requirements

The following requirements are needed by this module:

• terraform (>= 1.9, < 2.0)

• azapi (~> 2.4)

• azurerm (>= 4.0, < 5.0)

• modtm (>= 0.3, < 1.0)

• random (>= 3.5, < 4.0)

Resources

The following resources are used by this module:

• azurerm_api_management.this (resource)
• azurerm_api_management_api.this (resource)
• azurerm_api_management_api_operation.this (resource)
• azurerm_api_management_api_operation_policy.this (resource)
• azurerm_api_management_api_policy.this (resource)
• azurerm_api_management_api_version_set.this (resource)
• azurerm_api_management_named_value.this (resource)
• azurerm_api_management_policy.this (resource)
• azurerm_api_management_product.this (resource)
• azurerm_api_management_product_api.this (resource)
• azurerm_api_management_product_group.this (resource)
• azurerm_api_management_subscription.this (resource)
• azurerm_management_lock.this (resource)
• azurerm_monitor_diagnostic_setting.this (resource)
• azurerm_private_endpoint.this (resource)
• azurerm_private_endpoint.this_unmanaged_dns_zone_groups (resource)
• azurerm_private_endpoint_application_security_group_association.this (resource)
• azurerm_role_assignment.this (resource)
• modtm_telemetry.telemetry (resource)
• random_uuid.telemetry (resource)
• azapi_client_config.telemetry (data source)
• modtm_module_source.telemetry (data source)

Required Inputs

The following input variables are required:

location

Description: Azure region where the resource should be deployed.

Type: string

name

Description: The name of the this resource.

Type: string

publisher_email

Description: The email of the API Management service publisher.

Type: string

resource_group_name

Description: The resource group where the resources will be deployed.

Type: string

Optional Inputs

The following input variables are optional (have default values):

additional_location

Description: Additional datacenter locations where the API Management service should be provisioned.

Type:

list(object({
    location             = string
    capacity             = optional(number, null)
    zones                = optional(list(string), null)
    public_ip_address_id = optional(string, null)
    gateway_disabled     = optional(bool, null)
    virtual_network_configuration = optional(object({
      subnet_id = string
    }), null)
  }))

Default: []

api_version_sets

Description: API Version Sets for the API Management service. Version sets enable API versioning using Header, Query, or Segment-based schemes.

• display_name - (Required) The display name of the API version set.
• versioning_scheme - (Required) The versioning scheme. Valid values: Header, Query, Segment.
• description - (Optional) Description of the API version set.
• version_header_name - (Optional) Name of the HTTP header parameter for the Header versioning scheme. Required when versioning_scheme is Header.
• version_query_name - (Optional) Name of the query string parameter for the Query versioning scheme. Required when versioning_scheme is Query.

Example:

api_version_sets = {
  "my-api-versions" = {
    display_name        = "My API Versions"
    versioning_scheme   = "Header"
    version_header_name = "api-version"
    description         = "Version set for My API"
  }
}

Type:

map(object({
    display_name        = string
    versioning_scheme   = string
    description         = optional(string)
    version_header_name = optional(string)
    version_query_name  = optional(string)
  }))

Default: {}

apis

Description: APIs for the API Management service. APIs define the operations available to API consumers.

• display_name - (Required) The display name of the API.
• path - (Required) The relative path for the API. Must be unique within the API Management service.
• protocols - (Optional) A list of protocols the API supports. Valid values: http, https, ws, wss. Defaults to ["https"].
• revision - (Optional) The revision number of the API. Defaults to "1".
• service_url - (Optional) The backend service URL for the API.
• description - (Optional) Description of the API.
• subscription_required - (Optional) Whether a subscription key is required to access the API. Defaults to true.

Versioning:

• api_version - (Optional) The version identifier for the API.
• api_version_set_name - (Optional) The name of the API version set to associate with this API.
• revision_description - (Optional) Description of the API revision.

Import:

• import - (Optional) Import configuration for OpenAPI, WSDL, WADL specifications.
  • content_format - (Required) Format of the content. Valid values: openapi, openapi+json, openapi+json-link, openapi-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link.
  • content_value - (Required) The API definition content or URL.
  • wsdl_selector - (Optional) WSDL selector for SOAP APIs.

Operations:

• operations - (Optional) Map of API operations. Each operation defines an HTTP method and URL template.

Policies:

• policy - (Optional) API-level policy configuration.
  • xml_content - (Optional) XML policy content.
  • xml_link - (Optional) URL to XML policy content.

Example:

apis = {
  "petstore-api" = {
    display_name = "Petstore API"
    path         = "petstore"
    protocols    = ["https"]
    service_url  = "https://petstore.swagger.io/v2"

    operations = {
      "get-pets" = {
        display_name = "Get all pets"
        method       = "GET"
        url_template = "/pets"
      }
    }
  }
}

Type:

map(object({
    # Basic API properties
    display_name          = string
    path                  = string
    protocols             = optional(list(string), ["https"])
    revision              = optional(string, "1")
    service_url           = optional(string)
    description           = optional(string)
    subscription_required = optional(bool, true)

    # API versioning
    api_version          = optional(string)
    api_version_set_name = optional(string)
    revision_description = optional(string)

    # Import configuration (OpenAPI, WSDL, WADL, etc.)
    import = optional(object({
      content_format = string
      content_value  = string
      wsdl_selector = optional(object({
        service_name  = string
        endpoint_name = string
      }))
    }))

    # Source API for cloning
    source_api_id = optional(string)

    # OAuth2 Authorization
    oauth2_authorization = optional(object({
      authorization_server_name = string
      scope                     = optional(string)
    }))

    # OpenID Connect Authentication
    openid_authentication = optional(object({
      openid_provider_name         = string
      bearer_token_sending_methods = optional(list(string))
    }))

    # Subscription key parameter names
    subscription_key_parameter_names = optional(object({
      header = string
      query  = string
    }))

    # Contact information
    contact = optional(object({
      email = optional(string)
      name  = optional(string)
      url   = optional(string)
    }))

    # License information
    license = optional(object({
      name = optional(string)
      url  = optional(string)
    }))

    terms_of_service_url = optional(string)

    # API-level policy
    policy = optional(object({
      xml_content = optional(string)
      xml_link    = optional(string)
    }))

    # API operations
    operations = optional(map(object({
      display_name = string
      method       = string
      url_template = string
      description  = optional(string)

      # Template parameters (URL path parameters)
      template_parameters = optional(list(object({
        name          = string
        required      = bool
        type          = string
        description   = optional(string)
        default_value = optional(string)
        values        = optional(list(string))
      })))

      # Request configuration
      request = optional(object({
        description = optional(string)

        query_parameters = optional(list(object({
          name          = string
          required      = bool
          type          = string
          description   = optional(string)
          default_value = optional(string)
          values        = optional(list(string))
        })))

        headers = optional(list(object({
          name          = string
          required      = bool
          type          = string
          description   = optional(string)
          default_value = optional(string)
          values        = optional(list(string))
        })))

        representations = optional(list(object({
          content_type = string
          schema_id    = optional(string)
          type_name    = optional(string)

          form_parameters = optional(list(object({
            name          = string
            required      = bool
            type          = string
            description   = optional(string)
            default_value = optional(string)
            values        = optional(list(string))
          })))
        })))
      }))

      # Response configuration
      responses = optional(list(object({
        status_code = number
        description = optional(string)

        headers = optional(list(object({
          name          = string
          required      = bool
          type          = string
          description   = optional(string)
          default_value = optional(string)
          values        = optional(list(string))
        })))

        representations = optional(list(object({
          content_type = string
          schema_id    = optional(string)
          type_name    = optional(string)

          form_parameters = optional(list(object({
            name          = string
            required      = bool
            type          = string
            description   = optional(string)
            default_value = optional(string)
            values        = optional(list(string))
          })))
        })))
      })))

      # Operation-level policy
      policy = optional(object({
        xml_content = optional(string)
        xml_link    = optional(string)
      }))
    })), {})
  }))

Default: {}

certificate

Description: Certificate configurations for the API Management service.

Type:

list(object({
    encoded_certificate  = string
    store_name           = string
    certificate_password = optional(string, null)
  }))

Default: []

client_certificate_enabled

Description: Enforce a client certificate to be presented on each request to the gateway. This is only supported when SKU type is Consumption.

Type: bool

Default: false

delegation

Description: Delegation settings for the API Management service.

Type:

object({
    subscriptions_enabled     = optional(bool, false)
    user_registration_enabled = optional(bool, false)
    url                       = optional(string, null)
    validation_key            = optional(string, null)
  })

Default: null

diagnostic_settings

Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
• log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].
• log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].
• metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].
• log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.
• workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
• storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.
• event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
• event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
• marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.

Type:

map(object({
    name                                     = optional(string, null)
    log_categories                           = optional(set(string), [])
    log_groups                               = optional(set(string), ["allLogs"])
    metric_categories                        = optional(set(string), ["AllMetrics"])
    log_analytics_destination_type           = optional(string, "Dedicated")
    workspace_resource_id                    = optional(string, null)
    storage_account_resource_id              = optional(string, null)
    event_hub_authorization_rule_resource_id = optional(string, null)
    event_hub_name                           = optional(string, null)
    marketplace_partner_resource_id          = optional(string, null)
  }))

Default: {}

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: false

gateway_disabled

Description: Disable the gateway in the main region? This is only supported when additional_location is set.

Type: bool

Default: false

hostname_configuration

Description: Hostname configuration for the API Management service.

Type:

object({
    management = optional(list(object({
      host_name                       = string
      key_vault_id                    = optional(string, null)
      certificate                     = optional(string, null)
      certificate_password            = optional(string, null)
      negotiate_client_certificate    = optional(bool, false)
      ssl_keyvault_identity_client_id = optional(string, null)
    })), [])
    portal = optional(list(object({
      host_name                       = string
      key_vault_id                    = optional(string, null)
      certificate                     = optional(string, null)
      certificate_password            = optional(string, null)
      negotiate_client_certificate    = optional(bool, false)
      ssl_keyvault_identity_client_id = optional(string, null)
    })), [])
    developer_portal = optional(list(object({
      host_name                       = string
      key_vault_id                    = optional(string, null)
      certificate                     = optional(string, null)
      certificate_password            = optional(string, null)
      negotiate_client_certificate    = optional(bool, false)
      ssl_keyvault_identity_client_id = optional(string, null)
    })), [])
    proxy = optional(list(object({
      host_name                       = string
      default_ssl_binding             = optional(bool, false)
      key_vault_id                    = optional(string, null)
      certificate                     = optional(string, null)
      certificate_password            = optional(string, null)
      negotiate_client_certificate    = optional(bool, false)
      ssl_keyvault_identity_client_id = optional(string, null)
    })), [])
    scm = optional(list(object({
      host_name                       = string
      key_vault_id                    = optional(string, null)
      certificate                     = optional(string, null)
      certificate_password            = optional(string, null)
      negotiate_client_certificate    = optional(bool, false)
      ssl_keyvault_identity_client_id = optional(string, null)
    })), [])
  })

Default: null

lock

Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:

• kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
• name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.

Type:

object({
    kind = string
    name = optional(string, null)
  })

Default: null

managed_identities

Description: Controls the Managed Identity configuration on this resource. The following properties can be specified:

• system_assigned - (Optional) Specifies if the System Assigned Managed Identity should be enabled.
• user_assigned_resource_ids - (Optional) Specifies a list of User Assigned Managed Identity resource IDs to be assigned to this resource.

Type:

object({
    system_assigned            = optional(bool, false)
    user_assigned_resource_ids = optional(set(string), [])
  })

Default: {}

min_api_version

Description: The version which the control plane API calls to API Management service are limited with version equal to or newer than.

Type: string

Default: null

named_values

Description: Named values for the API Management service. Named values are a collection of key/value pairs that can be referenced in policies and API configurations.

• display_name - (Required) The display name of the named value. Must be unique within the API Management service.
• value - (Optional) The value of the named value. Conflicts with value_from_key_vault. If neither is specified, the named value must be set through other means.
• secret - (Optional) Whether the value is a secret and should be encrypted. Defaults to false.
• tags - (Optional) A list of tags that can be used to filter the named values list.
• value_from_key_vault - (Optional) A Key Vault configuration for secret values. Conflicts with value.
  • secret_id - (Required) The versioned secret ID from Key Vault (e.g., https://myvault.vault.azure.net/secrets/mysecret/version).
  • identity_client_id - (Optional) The client ID of a user-assigned managed identity to use for Key Vault access. If not specified, the system-assigned identity will be used.

Example:

named_values = {
  "api-key" = {
    display_name = "API Key"
    value        = "my-secret-key"
    secret       = true
    tags         = ["production", "api"]
  }
  "keyvault-secret" = {
    display_name = "Database Connection String"
    secret       = true
    value_from_key_vault = {
      secret_id = "https://myvault.vault.azure.net/secrets/db-conn/abc123"
    }
  }
}

Type:

map(object({
    display_name = string
    value        = optional(string)
    secret       = optional(bool, false)
    tags         = optional(list(string), [])
    value_from_key_vault = optional(object({
      secret_id          = string
      identity_client_id = optional(string)
    }))
  }))

Default: {}

notification_sender_email

Description: Email address from which the notification will be sent.

Type: string

Default: null

policy

Description: Service-level (global) policy for the API Management service. This policy applies to all APIs.

• xml_content - (Required) The XML content of the policy.

Example:

policy = {
  xml_content = <<XML
<policies>
  <inbound>
    <base />
    <cors allow-credentials="true">
      <allowed-origins>
        <origin>https://example.com</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
    </cors>
    <rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Subscription.Id)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
XML
}

Type:

object({
    xml_content = string
  })

Default: null

private_endpoints

Description: A map of private endpoints to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• name - (Optional) The name of the private endpoint. One will be generated if not set.
• role_assignments - (Optional) A map of role assignments to create on the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time. See var.role_assignments for more information.
• lock - (Optional) The lock level to apply to the private endpoint. Default is None. Possible values are None, CanNotDelete, and ReadOnly.
• tags - (Optional) A mapping of tags to assign to the private endpoint.
• subnet_resource_id - The resource ID of the subnet to deploy the private endpoint in.
• private_dns_zone_group_name - (Optional) The name of the private DNS zone group. One will be generated if not set.
• private_dns_zone_resource_ids - (Optional) A set of resource IDs of private DNS zones to associate with the private endpoint. If not set, no zone groups will be created and the private endpoint will not be associated with any private DNS zones. DNS records must be managed external to this module.
• application_security_group_resource_ids - (Optional) A map of resource IDs of application security groups to associate with the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
• private_service_connection_name - (Optional) The name of the private service connection. One will be generated if not set.
• network_interface_name - (Optional) The name of the network interface. One will be generated if not set.
• location - (Optional) The Azure location where the resources will be deployed. Defaults to the location of the resource group.
• resource_group_name - (Optional) The resource group where the resources will be deployed. Defaults to the resource group of this resource.
• ip_configurations - (Optional) A map of IP configurations to create on the private endpoint. If not specified the platform will create one. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
  • name - The name of the IP configuration.
  • private_ip_address - The private IP address of the IP configuration.

Type:

map(object({
    name = optional(string, null)
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    lock = optional(object({
      kind = string
      name = optional(string, null)
    }), null)
    tags                                    = optional(map(string), null)
    subnet_resource_id                      = string
    private_dns_zone_group_name             = optional(string, "default")
    private_dns_zone_resource_ids           = optional(set(string), [])
    application_security_group_associations = optional(map(string), {})
    private_service_connection_name         = optional(string, null)
    network_interface_name                  = optional(string, null)
    location                                = optional(string, null)
    resource_group_name                     = optional(string, null)
    ip_configurations = optional(map(object({
      name               = string
      private_ip_address = string
    })), {})
  }))

Default: {}

private_endpoints_manage_dns_zone_group

Description: Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy.

Type: bool

Default: true

products

Description: Products for the API Management service. The map key is the product identifier.

• display_name - (Required) The display name of the product.
• description - (Optional) Description of the product.
• terms - (Optional) Terms of use for the product.
• subscription_required - (Optional) Whether a subscription is required to access APIs in this product. Default is false.
• approval_required - (Optional) Whether subscription approval is required. Default is false.
• subscriptions_limit - (Optional) Maximum number of subscriptions allowed for this product.
• state - (Optional) Publication state of the product. Valid values: published, notPublished. Default is published.
• api_names - (Optional) List of API names to associate with this product.
• group_names - (Optional) List of group names to associate with this product (e.g., "developers", "administrators", "guests").

Example:

products = {
  "starter" = {
    display_name          = "Starter"
    description           = "Starter product for new developers"
    subscription_required = true
    approval_required     = false
    state                 = "published"
    api_names             = ["petstore-api", "weather-api"]
    group_names           = ["developers"]
  }
}

Type:

map(object({
    display_name          = string
    description           = optional(string)
    terms                 = optional(string)
    subscription_required = optional(bool, false)
    approval_required     = optional(bool, false)
    subscriptions_limit   = optional(number)
    state                 = optional(string, "published") # published, notPublished

    # Associations
    api_names   = optional(list(string), [])
    group_names = optional(list(string), [])
  }))

Default: {}

protocols

Description: Protocol settings for the API Management service.

Type:

object({
    enable_http2 = optional(bool, false)
  })

Default: null

public_ip_address_id

Description: ID of a standard SKU IPv4 Public IP. Only supported on Premium and Developer tiers when deployed in a virtual network.

Type: string

Default: null

public_network_access_enabled

Description: Is public access to the API Management service allowed? This only applies to the Management plane, not the API gateway or Developer portal.

Type: bool

Default: true

publisher_name

Description: The name of the API Management service publisher.

Type: string

Default: "Apim Example Publisher"

role_assignments

Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

• role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
• principal_id - The ID of the principal to assign the role to.
• description - The description of the role assignment.
• skip_service_principal_aad_check - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
• condition - The condition which will be used to scope the role assignment.
• condition_version - The version of the condition syntax. Valid values are '2.0'.

Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.

Type:

map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  }))

Default: {}

security

Description: Security settings for the API Management service.

Type:

object({
    enable_backend_ssl30                                = optional(bool, false)
    enable_backend_tls10                                = optional(bool, false)
    enable_backend_tls11                                = optional(bool, false)
    enable_frontend_ssl30                               = optional(bool, false)
    enable_frontend_tls10                               = optional(bool, false)
    enable_frontend_tls11                               = optional(bool, false)
    tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = optional(bool, false)
    tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = optional(bool, false)
    tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled   = optional(bool, false)
    tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled   = optional(bool, false)
    tls_rsa_with_aes128_cbc_sha256_ciphers_enabled      = optional(bool, false)
    tls_rsa_with_aes128_cbc_sha_ciphers_enabled         = optional(bool, false)
    tls_rsa_with_aes128_gcm_sha256_ciphers_enabled      = optional(bool, false)
    tls_rsa_with_aes256_gcm_sha384_ciphers_enabled      = optional(bool, false)
    tls_rsa_with_aes256_cbc_sha256_ciphers_enabled      = optional(bool, false)
    tls_rsa_with_aes256_cbc_sha_ciphers_enabled         = optional(bool, false)
    triple_des_ciphers_enabled                          = optional(bool, false)
  })

Default: null

sign_in

Description: Sign-in settings for the API Management service. When enabled, anonymous users will be redirected to the sign-in page.

Type:

object({
    enabled = bool
  })

Default: null

sign_up

Description: Sign-up settings for the API Management service.

Type:

object({
    enabled = bool
    terms_of_service = object({
      consent_required = bool
      enabled          = bool
      text             = optional(string, null)
    })
  })

Default: null

sku_name

Description: The SKU name of the API Management service.

Type: string

Default: "Developer_1"

subscriptions

Description: Subscriptions for the API Management service. The map key is the subscription identifier.

• display_name - (Required) The display name of the subscription.
• scope_type - (Required) The scope type. Valid values: product, api, all_apis.
• scope_identifier - (Optional) The product ID or API name. Required for product and api scope types. Not needed for all_apis.
• user_id - (Optional) The user ID for this subscription (format: /users/{userId}).
• primary_key - (Optional) Custom primary subscription key.
• secondary_key - (Optional) Custom secondary subscription key.
• state - (Optional) The state of the subscription. Valid values: active, suspended, submitted, rejected, cancelled. Default is active.
• allow_tracing - (Optional) Whether tracing is allowed. Default is false.

Example:

subscriptions = {
  "developer-sub" = {
    display_name     = "Developer Subscription"
    scope_type       = "product"
    scope_identifier = "starter"
    state            = "active"
    allow_tracing    = true
  }
  "api-specific-sub" = {
    display_name     = "Petstore API Subscription"
    scope_type       = "api"
    scope_identifier = "petstore-api"
    state            = "active"
  }
}

Type:

map(object({
    display_name     = string
    scope_type       = string           # "product", "api", or "all_apis"
    scope_identifier = optional(string) # Product ID or API name (not needed for "all_apis")
    user_id          = optional(string)
    primary_key      = optional(string)
    secondary_key    = optional(string)
    state            = optional(string, "active") # active, suspended, submitted, rejected, cancelled
    allow_tracing    = optional(bool, false)
  }))

Default: {}

tags

Description: (Optional) Tags of the resource.

Type: map(string)

Default: null

tenant_access

Description: Controls whether access to the management API is enabled. When enabled, the primary/secondary keys provide access to this API.

Type:

object({
    enabled = bool
  })

Default: null

virtual_network_subnet_id

Description: The ID of the subnet in the virtual network where the API Management service will be deployed.

Type: string

Default: null

virtual_network_type

Description: The type of virtual network configuration for the API Management service.

Type: string

Default: "None"

zones

Description: Specifies a list of Availability Zones in which this API Management service should be located. Only supported in the Premium tier.

Type: list(string)

Default: null

Outputs

The following outputs are exported:

additional_locations

Description: Information about additional locations for the API Management Service.

api_ids

Description: A map of API names to their resource IDs.

api_operation_ids

Description: A map of API operation keys to their operation IDs.

api_operations

Description: A map of API operations created in the API Management service.

api_version_set_ids

Description: A map of API version set names to their resource IDs.

api_version_sets

Description: A map of API version sets created in the API Management service.

apim_gateway_url

Description: The gateway URL of the API Management service.

apim_management_url

Description: The management URL of the API Management service.

apis

Description: A map of APIs created in the API Management service.

certificates

Description: Certificate information for the API Management Service.

developer_portal_url

Description: The publisher URL of the API Management service.

gateway_regional_url

Description: The Region URL for the Gateway of the API Management Service.

hostname_configuration

Description: The hostname configuration for the API Management Service.

name

Description: The name of the API Management service.

named_value_ids

Description: A map of named value keys to their resource IDs.

named_values

Description: A map of named values created in the API Management service.

policy

Description: Service-level policy details.

portal_url

Description: The URL for the Publisher Portal associated with this API Management service.

private_endpoints

Description: A map of the private endpoints created.

private_ip_addresses

Description: The private IP addresses of the private endpoints created by this module

product_ids

Description: A map of product keys to their resource IDs.

products

Description: A map of products created in the API Management service.

public_ip_addresses

Description: The Public IP addresses of the API Management Service.

resource

Description: The API Management service resource.

resource_id

Description: The ID of the API Management service.

scm_url

Description: The URL for the SCM (Source Code Management) Endpoint associated with this API Management service.

subscription_ids

Description: A map of subscription keys to their resource IDs.

subscription_keys

Description: A map of subscription keys to their primary and secondary keys.

subscriptions

Description: A map of subscriptions created in the API Management service.

tenant_access

Description: The tenant access information for the API Management Service.

workspace_identity

Description: The identity for the created workspace.

Modules

No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

 
 {
  "workingFolder": "packages",
  "packages": [
    // packages defined earlier
    {
      "name": "avm-terraform/apimanagement-service",
      "version": "0.0.7"
    }
  ]
}