tf-azurerm-module_reference-api_management

Overview

This module provisions an Azure API Management instance along with all its dependencies like resource group, public IP, private DNS zone, VNET links, DNS records, NSG, NSG subnet association etc. It is capable to provision both public and private instances.

More details about the API Management installation can be found here

Pre-Commit hooks

.pre-commit-config.yaml file defines certain pre-commit hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.

commitlint hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:

• fix: a commit of the type fix patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
• feat: a commit of the type feat introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
• BREAKING CHANGE: a commit that has a footer BREAKING CHANGE:, or appends a ! after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type. footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
• build: a commit of the type build adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
• chore: a commit of the type chore adds changes that don't modify src or test files
• ci: a commit of the type ci adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
• docs: a commit of the type docs adds documentation only changes
• perf: a commit of the type perf adds code change that improves performance
• refactor: a commit of the type refactor adds code change that neither fixes a bug nor adds a feature
• revert: a commit of the type revert reverts a previous commit
• style: a commit of the type style adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
• test: a commit of the type test adds missing tests or correcting existing tests

Base configuration used for this project is commitlint-config-conventional (based on the Angular convention)

If you are a developer using vscode, this plugin may be helpful.

detect-secrets-hook prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS

In order for pre-commit hooks to work properly

• You need to have the pre-commit package manager installed. Here are the installation instructions.
• pre-commit would install all the hooks when commit message is added by default except for commitlint hook. commitlint hook would need to be installed manually using the command below

pre-commit install --hook-type commit-msg

To test the resource group module locally

1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the configure target in the project's Makefile. Before you can run configure, familiarize yourself with the variables in the Makefile and ensure they're pointing to the right places.

make configure

This adds in several files and directories that are ignored by git. They expose many new Make targets.

2. THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP. The first target you care about is env. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.

make configure command will bring down azure_env.sh file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.

These environment variables are used by terratest integration suit.

Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.

"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"

Then run this make target to set the environment variables on developer workstation.

make env

3. The first target you care about is check.

Pre-requisites Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are azure specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.

• A file named provider.tf with contents below

provider "azurerm" {
  features {}
}

• A file named terraform.tfvars which contains key value pair of variables used.

Note that since these files are added in gitignore they would not be checked in into primitive/segment's git repo.

After creating these files, for running tests associated with the primitive/segment, run

make check

If make check target is successful, developer is good to commit the code to primitive/segment's git repo.

make check target

• runs terraform commands to lint,validate and plan terraform code.
• runs conftests. conftests make sure policy checks are successful.
• runs terratest. This is integration test suit.
• runs opa tests

Requirements

Name	Version
terraform	~> 1.0
azurerm	~>3.117

Providers

No providers.

Modules

Name	Source	Version
resource_names	terraform.registry.launch.nttdata.com/module_library/resource_name/launch	~> 1.0
resource_names_v2	terraform.registry.launch.nttdata.com/module_library/resource_name/launch	~> 2.0
resource_group	terraform.registry.launch.nttdata.com/module_primitive/resource_group/azurerm	~> 1.0
public_ip	terraform.registry.launch.nttdata.com/module_primitive/public_ip/azurerm	~> 1.0
apim_default_dns_zone	terraform.registry.launch.nttdata.com/module_primitive/private_dns_zone/azurerm	~> 1.0
vnet_links	terraform.registry.launch.nttdata.com/module_primitive/private_dns_vnet_link/azurerm	~> 1.0
dns_records	terraform.registry.launch.nttdata.com/module_primitive/private_dns_records/azurerm	~> 1.0
nsg	terraform.registry.launch.nttdata.com/module_primitive/network_security_group/azurerm	~> 1.0
nsg_subnet_assoc	terraform.registry.launch.nttdata.com/module_primitive/nsg_subnet_association/azurerm	~> 1.0
apim	terraform.registry.launch.nttdata.com/module_primitive/api_management/azurerm	~> 1.0

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
product_family	(Required) Name of the product family for which the resource is created. Example: org_name, department_name.	string	"dso"	no
product_service	(Required) Name of the product service for which the resource is created. For example, backend, frontend, middleware etc.	string	"apim"	no
environment	Environment in which the resource should be provisioned like dev, qa, prod etc.	string	"dev"	no
environment_number	The environment count for the respective environment. Defaults to 000. Increments in value of 1	string	"000"	no
resource_number	The resource count for the respective resource. Defaults to 000. Increments in value of 1	string	"000"	no
region	Azure Region in which the infra needs to be provisioned	string	"eastus"	no
resource_names_map	A map of key to resource_name that will be used by tf-launch-module_library-resource_name to generate resource names	map(object( { name = string max_length = optional(number, 60) } ))	{ "apim": { "max_length": 60, "name": "apim" }, "key_vault": { "max_length": 24, "name": "kv" }, "nsg": { "max_length": 60, "name": "nsg" }, "public_ip": { "max_length": 60, "name": "pip" }, "resource_group": { "max_length": 60, "name": "rg" } }	no
resource_group_name	Name of the resource group. If not specified, this module will create a resource group.	string	null	no
resource_names_version	Major version of the resource names module to use	string	"1"	no
sku_name	String consisting of two parts separated by an underscore. The fist part is the name, valid values include: Developer, Basic, Standard and Premium. The second part is the capacity. Default is Developer_1.	string	"Developer_1"	no
publisher_name	The name of publisher/company.	string	n/a	yes
publisher_email	The email of publisher/company.	string	n/a	yes
additional_location	List of the name of the Azure Region in which the API Management Service should be expanded to.	list(map(string))	[]	no
zones	(Optional) Specifies a list of Availability Zones in which this API Management service should be located. Changing this forces a new API Management service to be created. Supported in Premium Tier.	list(number)	[]	no
certificate_configuration	List of certificate configurations. The Certificate must be base encoded pfx or pem format. certificate_password can be null if not present. store_name can be CertificateAuthority or Root.	list(object({ encoded_certificate = string certificate_password = string store_name = string }))	[]	no
client_certificate_enabled	(Optional) Enforce a client certificate to be presented on each request to the gateway? This is only supported when SKU type is Consumption.	bool	false	no
gateway_disabled	(Optional) Disable the gateway in main region? This is only supported when additional_location is set.	bool	false	no
min_api_version	(Optional) The version which the control plane API calls to API Management service are limited with version equal to or newer than.	string	null	no
enable_http2	Should HTTP/2 be supported by the API Management Service?	bool	false	no
management_hostname_configuration	List of management hostname configurations	list(map(string))	[]	no
scm_hostname_configuration	List of scm hostname configurations	list(map(string))	[]	no
proxy_hostname_configuration	List of proxy hostname configurations	list(map(string))	[]	no
portal_hostname_configuration	Legacy portal hostname configurations	list(map(string))	[]	no
developer_portal_hostname_configuration	Developer portal hostname configurations	list(map(string))	[]	no
notification_sender_email	Email address from which the notification will be sent	string	null	no
policy_configuration	Map of policy configuration	map(string)	{}	no
public_network_access_enabled	Should the API Management Service be accessible from the public internet? This option is applicable only to the Management plane, not the API gateway or Developer portal. It is required to be true on the creation. For sku=Developer/Premium and network_type=Internal, it must be true. It can only be set to false if there is at least one approve private endpoint connection.	bool	true	no
enable_sign_in	Should anonymous users be redirected to the sign in page?	bool	false	no
enable_sign_up	Can users sign up on the development portal?	bool	false	no
terms_of_service_configuration	Map of terms of service configuration	list(map(string))	[ { "consent_required": false, "enabled": false, "text": "" } ]	no
security_configuration	Map of security configuration	map(string)	{}	no
virtual_network_type	The type of virtual network you want to use, valid values include: None, External, Internal. External and Internal are only supported in the SKUs - Premium and Developer	string	"None"	no
virtual_network_configuration	The id(s) of the subnet(s) that will be used for the API Management. Required when virtual_network_type is External or Internal that is in the SKUs - Premium and Developer	list(string)	[]	no
additional_nsg_rules	A list of additional NSG rules to be applied to the API Management subnet. Only applicable when virtual_network_type is External or Internal. Use priority > 105 to avoid conflicts with default rules.	list(object({ name = string priority = number direction = string access = string protocol = string source_port_range = string destination_port_range = string source_address_prefix = string destination_address_prefix = string }))	[]	no
identity_type	Type of Managed Service Identity that should be configured on this API Management Service	string	"SystemAssigned"	no
identity_ids	A list of IDs for User Assigned Managed Identity resources to be assigned. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.	list(string)	[]	no
dns_zone_suffix	The DNS Zone suffix for APIM private DNS Zone. Default is azure-api.net for Public Cloud For gov cloud it may be different	string	"azure-api.net"	no
default_ttl	The default TTL for the DNS Zone	number	300	no
additional_vnet_links	A list of VNET IDs for which vnet links to be created with the private AKS cluster DNS Zone. Applicable only when network_type=Internal	map(string)	{}	no
tags	A mapping of tags to assign to the resource.	map(string)	{}	no

Outputs

Name	Description
api_management_name	The name of the API Management Service
api_management_id	The ID of the API Management Service
api_management_additional_location	Map listing gateway_regional_url and public_ip_addresses associated
api_management_gateway_url	The URL of the Gateway for the API Management Service
api_management_gateway_regional_url	The Region URL for the Gateway of the API Management Service
api_management_management_api_url	The URL for the Management API associated with this API Management service
api_management_portal_url	The URL for the Publisher Portal associated with this API Management service
api_management_public_ip_addresses	The Public IP addresses of the API Management Service
api_management_private_ip_addresses	The Private IP addresses of the API Management Service
api_management_scm_url	The URL for the SCM Endpoint associated with this API Management service
api_management_identity	The identity of the API Management
public_ip_address	n/a
resource_group_name	n/a