
POps-Rox/terraform-az-overlays-apimanagement


Azure NoOps API Management Overlay Module


This Overlay Terraform module can create an API Management resource and manage related parameters (Storage, Key Vault, Redis Cache, NSG Rules, Private Endpoints, etc.) to be used in a SCCA compliant Network.

SCCA Compliance

This module can be SCCA compliant and can be used in a SCCA compliant Network. Enable private endpoints and SCCA compliant network rules to make it SCCA compliant.

For more information, please read the SCCA documentation.

Contributing

If you want to contribute to this repository, feel free to contribute to our Terraform module.

More details are available in the CONTRIBUTING.md file.

Resources Used

Overlay Module Usage

Requirements

# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

module "mod_apim" {
  depends_on = [
    azurerm_resource_group.apim_rg,
    azurerm_virtual_network.apim_vnet,
    azurerm_subnet.apim_subnet,
    azurerm_subnet.pe_subnet
  ]
  source  = "POps-Rox/tf-az-overlays-api-management/azurerm"
  version = "~> X.X"

  # By default (create_apim_resource_group = false) this module deploys
  # into an existing resource group, whose name is provided here. To have
  # the module create the resource group instead, set
  # "create_apim_resource_group = true". When an existing resource group
  # is used, its location is left unchanged.
  existing_resource_group_name = azurerm_resource_group.apim_rg.name
  location                     = module.mod_azure_region_lookup.location_cli
  environment                  = "public"
  deploy_environment           = "dev"
  org_name                     = "anoa"
  workload_name                = "apim"

  # API Management configuration
  enable_user_identity = true
  publisher_email      = "apim_admins@microsoft.com"
  publisher_name       = "apim"
  min_api_version      = "2019-12-01"

  # SKU configuration
  sku_tier             = "Developer"
  sku_capacity         = 1

  # Virtual network configuration
  virtual_network_name = azurerm_virtual_network.apim_vnet.name
  apim_subnet_name     = azurerm_subnet.apim_subnet.name # This is the subnet where APIM will be deployed. 
  
  # Private endpoint configuration
  # Key Vault and Redis are deployed by default.
  # So we need to make sure that the subnet is configured for private endpoints.
  existing_private_subnet_name = azurerm_subnet.pe_subnet.name

  # This is to enable resource locks for the key vault. 
  enable_resource_locks = false

  # Tags
  add_tags = local.tags # Tags to be applied to all resources
}
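
The SCCA Compliance section says to enable private endpoints, which the usage call above leaves at the default (off). As an added example, not taken from the module's repository, here is the same call with the security-relevant inputs from the Inputs table set explicitly; the module label `mod_apim_private`, the use of the resource group's `location`, and the `azurerm_log_analytics_workspace.apim_law` resource are assumptions.

```hcl
# Added example; not code from the module's repository.
# Assumed to exist in the calling configuration: azurerm_resource_group.apim_rg,
# azurerm_virtual_network.apim_vnet, azurerm_subnet.apim_subnet,
# azurerm_subnet.pe_subnet, local.tags, and the hypothetical
# azurerm_log_analytics_workspace.apim_law.
module "mod_apim_private" {
  source  = "POps-Rox/tf-az-overlays-api-management/azurerm"
  version = "~> X.X" # placeholder, as in the usage example

  existing_resource_group_name = azurerm_resource_group.apim_rg.name
  location                     = azurerm_resource_group.apim_rg.location # assumption
  environment                  = "public"
  deploy_environment           = "dev"
  org_name                     = "anoa"
  workload_name                = "apim"

  publisher_email      = "apim_admins@microsoft.com"
  publisher_name       = "apim"
  enable_user_identity = true

  # Module default; the usage example pins the older "2019-12-01".
  min_api_version = "2022-08-01"

  sku_tier     = "Developer"
  sku_capacity = 1

  # Network placement: APIM subnet plus a separate subnet for private endpoints.
  virtual_network_name         = azurerm_virtual_network.apim_vnet.name
  apim_subnet_name             = azurerm_subnet.apim_subnet.name
  existing_private_subnet_name = azurerm_subnet.pe_subnet.name

  # Defaults to false; when false the module does not manage a private
  # endpoint to the API Management instance.
  enable_private_endpoint = true

  # Key Vault: keep purge protection on and ARM template secret retrieval off.
  purge_protection_enabled        = true  # module default, stated explicitly
  enabled_for_template_deployment = false # module default, stated explicitly

  # Defaults to false; management locks guard against accidental deletion.
  enable_resource_locks = true
  lock_level            = "CanNotDelete"

  # Send Application Insights data to a central Log Analytics workspace.
  enable_application_insights = true
  log_analytics_workspace_id  = azurerm_log_analytics_workspace.apim_law.id

  add_tags = local.tags
}
```

Before applying, review the `terraform plan` output and confirm that `azurerm_private_endpoint.pep` and the `azurerm_management_lock` resources listed under Resources are among the planned changes.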

Providers

| Name | Version |
|------|---------|
| popsrox-utils | ~> 1.0.4 |
| azurerm | ~> 3.116 |

Modules

| Name | Source | Version |
|------|--------|---------|
| mod_azregions | POps-Rox/overlays-azregions-lookup/azurerm | ~> 1.0.0 |
| mod_key_vault | POps-Rox/overlays-key-vault/azurerm | ~> 2.0 |
| mod_redis_cache | POps-Rox/overlays-redis/azurerm | ~> 2.0 |
| mod_scaffold_rg | POps-Rox/overlays-resource-group/azurerm | ~> 1.0.1 |

Resources

| Name | Type |
|------|------|
| azurerm_api_management.api_management | resource |
| azurerm_api_management_diagnostic.app_insights | resource |
| azurerm_api_management_logger.app_insights | resource |
| azurerm_api_management_redis_cache.api_management_redis_cache | resource |
| azurerm_application_insights.apim_app_insights | resource |
| azurerm_key_vault_access_policy.apim_access_policy | resource |
| azurerm_management_lock.apim_dev_dns_zone_lock | resource |
| azurerm_management_lock.apim_identity_lock | resource |
| azurerm_management_lock.apim_level_lock | resource |
| azurerm_management_lock.apim_nsg_level_lock | resource |
| azurerm_management_lock.apim_pip_level_lock | resource |
| azurerm_network_security_group.apim-nsg | resource |
| azurerm_private_dns_a_record.a_rec | resource |
| azurerm_private_dns_a_record.apim_dev_portal_a_rec | resource |
| azurerm_private_dns_zone.apim_dev_portal_dns_zone | resource |
| azurerm_private_dns_zone.dns_zone | resource |
| azurerm_private_dns_zone_virtual_network_link.apim_dev_portalvnet_link | resource |
| azurerm_private_dns_zone_virtual_network_link.vnet_link | resource |
| azurerm_private_endpoint.pep | resource |
| azurerm_public_ip.apim_pip | resource |
| azurerm_subnet_network_security_group_association.apim-subnet-nsg-association | resource |
| azurerm_user_assigned_identity.apim_identity | resource |
| popsrox_resource_name.apim | data source |
| popsrox_resource_name.keyvault | data source |
| azurerm_api_management.apim | data source |
| azurerm_client_config.current | data source |
| azurerm_network_security_group.apim-nsg | data source |
| azurerm_private_endpoint_connection.pip | data source |
| azurerm_resource_group.rgrp | data source |
| azurerm_subnet.apim_subnet | data source |
| azurerm_subnet.snet | data source |
| azurerm_user_assigned_identity.apim_identity | data source |
| azurerm_virtual_network.vnet | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| add_tags | Map of custom tags. | map(string) | {} | no |
| apim_custom_name | Custom name for the API Management instance. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| apim_subnet_name | Name of the subnet for the API Management | string | n/a | yes |
| create_apim_keyvault | Controls if the keyvault should be created. If set to false, the keyvault name must be provided. Default is false. | bool | true | no |
| create_apim_resource_group | Controls if the resource group should be created. If set to false, the resource group name must be provided. Default is false. | bool | false | no |
| custom_resource_group_name | The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| deploy_environment | Name of the workload's environment | string | n/a | yes |
| enable_application_insights | Controls if the application insights should be created. Default is true. | bool | true | no |
| enable_private_endpoint | Manages a Private Endpoint to Azure API Management. Default is false. | bool | false | no |
| enable_redis_cache | Controls if the redis cache should be enabled. Default is true. | bool | true | no |
| enable_resource_locks | (Optional) Enable resource locks, default is false. If true, resource locks will be created for the resource group and the storage account. | bool | false | no |
| enable_user_identity | Controls if the user identity should be enabled. | bool | true | no |
| enabled_for_template_deployment | Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool | false | no |
| environment | The Terraform backend environment e.g. public or usgovernment | string | n/a | yes |
| existing_apim_dev_portal_dns_zone | The ID of an existing private dns zone to use. If not set, a new private dns zone will be created. | string | null | no |
| existing_apim_private_dns_zone | The ID of an existing private dns zone to use. If not set, a new private dns zone will be created. | string | null | no |
| existing_keyvault_private_dns_zone | The ID of an existing private dns zone to use for Key Vault. If not set, a new private dns zone will be created. | string | null | no |
| existing_private_dns_zone | Name of the existing private DNS zone | any | null | no |
| existing_private_subnet_name | Name of the existing private subnet for the private endpoint | any | null | no |
| existing_redis_private_dns_zone | The ID of an existing private dns zone to use for Redis. If not set, a new private dns zone will be created. | string | null | no |
| existing_resource_group_name | The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| existing_vnet_id | The ID of an existing virtual network to use. If not set, a new virtual network will be created. | string | null | no |
| key_vault_custom_name | Custom name for the keyvault. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| key_vault_sku_name | The SKU name of the Key Vault to create. Possible values are standard and premium. | string | "standard" | no |
| location | Azure region in which instance will be hosted | string | n/a | yes |
| lock_level | (Optional) If locks are enabled, specifies the Level to be used for this Lock. | string | "CanNotDelete" | no |
| log_analytics_workspace_id | The ID of the Log Analytics Workspace to use for Application Insights. | string | null | no |
| min_api_version | The minimum supported API version for the API Management Management API. | string | "2022-08-01" | no |
| name_prefix | Optional prefix for the generated name | string | "" | no |
| name_suffix | Optional suffix for the generated name | string | "" | no |
| org_name | Name of the organization | string | n/a | yes |
| publisher_email | The email address of the publisher. | string | n/a | yes |
| publisher_name | The name of the publisher. | string | n/a | yes |
| purge_protection_enabled | Specifies whether protection against purge is enabled for this key vault. Default is true. | bool | true | no |
| sku_capacity | The capacity of the API Management instance. Possible values are positive integers from 1-12, except for Consumption tier where it is 0. | number | 1 | no |
| sku_tier | The tier of the API Management instance. Possible values are Developer, Basic, Standard, Premium, Consumption. | string | "Developer" | no |
| use_location_short_name | Use short location name for resources naming (i.e. eastus -> eus). Default is true. If set to false, the full cli location name will be used. If custom naming is set, this variable will be ignored. | bool | true | no |
| use_naming | Use the Azure NoOps naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false. | bool | true | no |
| virtual_network_name | Name of the virtual network for the private endpoint | any | null | no |
| workload_name | Name of the workload_name | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| apim_id | n/a |
| apim_name | n/a |
