This is the Terraform-based deployment guide for Scenario 1: Azure API Management - Secure Baseline.
This is the starting point for the instructions on deploying this reference implementation. There is the required access and tooling you'll need in order to accomplish this.
-
An Azure subscription
-
The following resource providers registered:
Microsoft.ApiManagementMicrosoft.NetworkMicrosoft.KeyVault
-
The user or service principal initiating the deployment process must have the owner role at the subscription level to have the ability to create resource groups and to delegate access to others (Azure Managed Identities created from the IaC deployment).
-
Access to Bash command line to run the deployment script.
-
Latest Azure CLI installed (must be at least 2.40), or you can perform this from Azure Cloud Shell by clicking below.
-
JQ command line JSON processor installed
sudo apt-get install jq
-
Terraform installed. You can download the latest version from the Terraform website. However, if using the dev container, this will not need to be downloaded and installed separately.
-
Clone/download this repo locally, or even better fork this repository.
git clone https://github.com/Azure/apim-landing-zone-accelerator.git cd apim-landing-zone-accelerator/scenarios/scripts -
Log into Azure from the AZ CLI and select your subscription.
az login
-
Review and update deployment parameters.
Copy the
sample.envinto a new file called.envin the same directory. The main difference with the Bicep version is the need for a backend when deploying Terraform templates.The .env parameter file is where you can customize your deployment. The defaults are a suitable starting point, but feel free to adjust any to fit your requirements.
Deployment parameters
Name Description Default Example(s) AZURE_LOCATIONThe Azure location to deploy to. eastus westus RESOURCE_NAME_PREFIXA suffix for naming. apimdemo appname ENVIRONMENT_TAGA tag that will be included in the naming. dev stage APPGATEWAY_FQDNThe Azure location to deploy to. apim.example.com my.org.com CERT_TYPEselfsigned will create a self-signed certificate for the APPGATEWAY_FQDN. custom will use an existing certificate in pfx format that needs to be available in the certs folder and named appgw.pfx selfsigned custom CERT_PWDThe password for the pfx certificate. Only required if CERT_TYPE is custom. N/A password123 RANDOM_IDENTIFIEROptional 3 character random string to ensure deployments are unique. Automatically assigned if not provided abc pqr -
For terraform to work, you'll need to setup the tf backend. As part of the repository we provide a
azure-backend-sample.shscript. This script will create a storage account and a container to store the terraform state. You can run the script with the following command:./azure-backend-sample.sh \ --resource-group my-resource-group \ --storage-account mystorageaccount \ --container my-container -
After setting up your backend, create a
${ENVIRONMENT_TAG}-backend.hclfile in the same directory as your.env. Don't include the key value, as it is hardcoded in the script. If you are using the sample script (TF Backend in Azure), the file should look like thesample.backend.hclfile. So if you are going to use an Azure Backend for your Terraform provider and your ENVIRONMENT_TAG isdev, you should have adev-backend.hclfile in the same directory as your.envfile that looks like this:resource_group_name = "my-resource-group" storage_account_name = "mystorageaccount" container_name = "my-container"
-
Deploy the reference implementation.
Run the following command to deploy the APIM baseline
./scripts/terraform/deploy-apim-baseline.sh
During script execution, you will encounter prompts and will need to respond with a 'y' to continue.
Test the echo api using the generated command from the output.
If you see the message -bash: ./deploy-apim-baseline.sh: /bin/bash^M: bad interpreter: No such file or directory when running the script, you can fix this by running the following command:
sed -i -e 's/\r$//' deploy-apim-baseline.sh