Bicep Module Documentation
← Back to Overview
Module api-management
apiManagement
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| skuCapacity (required) | int | Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. |
| skuName (required) | 'Basic' 'Consumption' 'Developer' 'Isolated' 'Premium' 'Standard' |
Name of the Sku. |
| identity | identity | |
| additionalLocations | apiManagementAdditionalLocation[] | Additional datacenter locations of the API Management service. |
| minApiVersion | string | Control Plane Apis version constraint for the API Management service. Limit control plane API calls to API Management service with version equal to or newer than this value. |
| certificates | apiManagementCertificateConfiguration[] | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. |
| legacyApi | 'Disabled' 'Enabled' |
Configuration API configuration of the API Management service. Indication whether or not the legacy Configuration API (v1) should be exposed on the API Management service. Value is optional but must be Enabled or Disabled. If Disabled, legacy Configuration API (v1) will not be available for self-hosted gateways. Default value is Disabled |
| customProperties | object | Custom properties of the API Management service. (see documentation) |
| developerPortalStatus | 'Disabled' 'Enabled' |
Status of developer portal in this API Management service. |
| disableGateway | bool | Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
| enableClientCertificate | bool | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. |
| hostnameConfigurations | apiManagementHostnameConfiguration[] | Custom hostname configuration of the API Management service. |
| legacyPortalStatus | 'Disabled' 'Enabled' |
Status of legacy portal in the API Management service. |
| natGatewayState | 'Disabled' 'Enabled' |
Property can be used to enable NAT Gateway for this API Management service. |
| notificationSenderEmail | string | Email address from which the notification will be sent. |
| publicIpAddressId | string | Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be Enabled or Disabled. If Disabled, private endpoints are the exclusive access method. (default: Enabled) |
| publisherEmail (required) | string | Publisher email. |
| publisherName (required) | string | Publisher name. |
| restore | bool | Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. |
| virtualNetworkConfigurationSubnetId | string | Virtual network configuration of the API Management service. |
| virtualNetworkType | 'External' 'Internal' 'None' |
The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. |
| zones | Array containing any of: '1' '2' '3' |
A list of availability zones denoting where the resource needs to come from. |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
apiManagementAdditionalLocation
| Property | Value | Description |
|---|---|---|
| disableGateway | bool | Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
| location (required) | string | The location name of the additional region among Azure Data center regions. |
| natGatewayState | 'Disabled' 'Enabled' |
Property can be used to enable NAT Gateway for this API Management service. |
| publicIpAddressId | string | Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. |
| sku (required) | sku | |
| virtualNetworkConfiguration (required) | virtualNetworkConfiguration | Virtual network configuration for the location. |
| zones | Array containing any of: '1' '2' '3' |
A list of availability zones denoting where the resource needs to come from. |
sku
| Property | Value | Description |
|---|---|---|
| capacity (required) | int | Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. |
| name (required) | 'Basic' 'Consumption' 'Developer' 'Isolated' 'Premium' 'Standard' |
Name of the Sku. |
virtualNetworkConfiguration
| Property | Value | Description |
|---|---|---|
| subnetResourceId | string |
apiManagementCertificateConfiguration
| Property | Value | Description |
|---|---|---|
| certificate (required) | certificate | Certificate information. |
| certificatePassword | string | Certificate Password. |
| encodedCertificate (required) | string | Base64 Encoded certificate. |
| storeName (required) | 'CertificateAuthority' 'Root' |
The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. |
certificate
| Property | Value | Description |
|---|---|---|
| expiry (required) | string | Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. |
| subject (required) | string | Subject of the certificate. |
| thumbprint (required) | string | Thumbprint of the certificate. |
apiManagementHostnameConfiguration
| Property | Value | Description |
|---|---|---|
| certificate (required) | certificate | Certificate information. |
| certificatePassword | string | Certificate Password. |
| certificateSource | 'BuiltIn' 'Custom' 'KeyVault' 'Managed' |
Certificate Source. |
| defaultSslBinding | bool | Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to gateway Hostname Type. |
| encodedCertificate (required) | string | Base64 Encoded certificate. |
| hostName (required) | string | Hostname to configure on the Api Management service. |
| identityClientId | string | System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate. |
| keyVaultId | string | Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12 |
| negotiateClientCertificate | bool | Specify true to always negotiate client certificate on the hostname. Default Value is false. |
| type (required) | 'ConfigurationApi' 'DeveloperPortal' 'Management' 'Portal' 'Proxy' 'Scm' |
Hostname type. |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Cant end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they cant modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
| principalType (required) | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
The principal type of the assigned principal ID |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
9.4.0 (2025-10-06)
Features
- update resource api versions
9.3.3 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
9.3.2 (2025-06-20)
Bug Fixes
- make certificate settings optional
9.3.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
9.3.0 (2025-03-26)
Features
- create separate API module
9.2.0 (2025-03-25)
Features
- add output principalId
9.1.0 (2025-03-24)
Features
- add outputs
9.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
8.0.1 (2025-02-28)
Bug Fixes
- revise descriptions
8.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.