Manages an API Management Custom Domain.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

data "azurerm_key_vault" "example" {
  name                = "mykeyvault"
  resource_group_name = "some-resource-group"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "pub1"
  publisher_email     = "pub1@email.com"
  sku_name            = "Developer_1"
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "example-certificate"
  key_vault_id = data.azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "CN=api.example.com"
      validity_in_months = 12

      subject_alternative_names {
        dns_names = [
          "api.example.com",
          "portal.example.com",
        ]
      }
    }
  }
}

resource "azurerm_api_management_custom_domain" "example" {
  api_management_id = azurerm_api_management.example.id

  gateway {
    host_name    = "api.example.com"
    key_vault_id = azurerm_key_vault_certificate.example.versionless_secret_id
  }

  developer_portal {
    host_name    = "portal.example.com"
    key_vault_id = azurerm_key_vault_certificate.example.versionless_secret_id
  }
}

The following arguments are supported:

api_management_id - (Required) The ID of the API Management service for which to configure Custom Domains. Changing this forces a new API Management Custom Domain resource to be created.
developer_portal - (Optional) One or more developer_portal blocks as defined below.
management - (Optional) One or more management blocks as defined below.
portal - (Optional) One or more portal blocks as defined below.
gateway - (Optional) One or more gateway blocks as defined below.
scm - (Optional) One or more scm blocks as defined below.

A developer_portal, management, portal or scm block supports the following:

host_name - (Required) The Hostname to use for the corresponding endpoint.
certificate - (Optional) The Base64 Encoded Certificate. (Mutually exclusive with key_vault_id.)
certificate_password - (Optional) The password associated with the certificate provided above.
key_vault_id - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.
negotiate_client_certificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.
ssl_keyvault_identity_client_id - (Optional) System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the Key Vault containing the SSL certificate.

A gateway block supports the following:

host_name - (Required) The Hostname to use for the API Proxy Endpoint.
certificate - (Optional) The Base64 Encoded Certificate. (Mutually exclusive with key_vault_id.)
certificate_password - (Optional) The password associated with the certificate provided above.
default_ssl_binding - (Optional) Is the certificate associated with this Hostname the Default SSL Certificate? This is used when an SNI header isn't specified by a client. Defaults to false.
key_vault_id - (Optional) The ID of the Key Vault Secret containing the SSL Certificate, which must be of the type application/x-pkcs12.
negotiate_client_certificate - (Optional) Should Client Certificate Negotiation be enabled for this Hostname? Defaults to false.
ssl_keyvault_identity_client_id - (Optional) System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the Key Vault containing the SSL certificate.
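
The following configuration is an added example, not part of the provider's own documentation. It shows one way to satisfy the GET-access requirement of ssl_keyvault_identity_client_id with a user-assigned identity that can only read secrets. It reuses the resource group, Key Vault data source and certificate from the example above; the resource names "apim" and "with_identity" are hypothetical, and it assumes the vault uses access policies rather than Azure RBAC.

```hcl
# Added example. Hypothetical names: "apim", "with_identity".
# Assumption: the Key Vault is governed by access policies, not Azure RBAC.

resource "azurerm_user_assigned_identity" "apim" {
  name                = "example-apim-identity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Least privilege: the identity gets secret Get only. key_vault_id on the
# custom domain points at a Key Vault *secret*, so no key or certificate
# permissions and no List/Set/Delete are granted here.
resource "azurerm_key_vault_access_policy" "apim" {
  key_vault_id       = data.azurerm_key_vault.example.id
  tenant_id          = azurerm_user_assigned_identity.apim.tenant_id
  object_id          = azurerm_user_assigned_identity.apim.principal_id
  secret_permissions = ["Get"]
}

resource "azurerm_api_management" "with_identity" {
  name                = "example-apim-with-identity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "pub1"
  publisher_email     = "pub1@email.com"
  sku_name            = "Developer_1"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.apim.id]
  }
}

resource "azurerm_api_management_custom_domain" "with_identity" {
  api_management_id = azurerm_api_management.with_identity.id

  gateway {
    host_name                       = "api.example.com"
    key_vault_id                    = azurerm_key_vault_certificate.example.versionless_secret_id
    ssl_keyvault_identity_client_id = azurerm_user_assigned_identity.apim.client_id
  }

  # The policy must exist before the service tries to read the secret.
  depends_on = [azurerm_key_vault_access_policy.apim]
}
```

Compared with the certificate and certificate_password arguments, this keeps the PKCS#12 bundle and its password out of the Terraform configuration.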

In addition to the Arguments listed above - the following Attributes are exported:

id - The ID of the API Management Custom Domain.

The timeouts block allows you to specify timeouts for certain actions:

create - (Defaults to 60 minutes) Used when creating the API Management Custom Domain.
read - (Defaults to 5 minutes) Used when retrieving the API Management Custom Domain.
update - (Defaults to 60 minutes) Used when updating the API Management Custom Domain.
delete - (Defaults to 60 minutes) Used when deleting the API Management Custom Domain.

API Management Custom Domains can be imported using the resource id, e.g.

terraform import azurerm_api_management_custom_domain.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.ApiManagement/service/instance1/customDomains/default