Bicep Module Documentation
← Back to Overview
Module api-management
apiManagement
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| skuCapacity (required) | int | Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. |
| skuName (required) | 'Basic' 'Consumption' 'Developer' 'Isolated' 'Premium' 'Standard' |
Name of the Sku. |
| identity | identity | |
| additionalLocations | apiManagementAdditionalLocation[] | Additional datacenter locations of the API Management service. |
| minApiVersion | string | Control Plane Apis version constraint for the API Management service. Limit control plane API calls to API Management service with version equal to or newer than this value. |
| certificates | apiManagementCertificateConfiguration[] | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. |
| legacyApi | 'Disabled' 'Enabled' |
Configuration API configuration of the API Management service. Indication whether or not the legacy Configuration API (v1) should be exposed on the API Management service. Value is optional but must be Enabled or Disabled. If Disabled, legacy Configuration API (v1) will not be available for self-hosted gateways. (default: Disabled) |
| customProperties | object | Custom properties of the API Management service. (see documentation) |
| developerPortalStatus | 'Disabled' 'Enabled' |
Status of developer portal in this API Management service. |
| disableGateway | bool | Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
| enableClientCertificate | bool | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. |
| hostnameConfigurations | apiManagementHostnameConfiguration[] | Custom hostname configuration of the API Management service. |
| legacyPortalStatus | 'Disabled' 'Enabled' |
Status of legacy portal in the API Management service. |
| natGatewayState | 'Disabled' 'Enabled' |
Property can be used to enable NAT Gateway for this API Management service. (default: Disabled) |
| notificationSenderEmail | string | Email address from which the notification will be sent. |
| publicIpAddressId | string | Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be Enabled or Disabled. If Disabled, private endpoints are the exclusive access method. (default: Enabled) |
| publisherEmail (required) | string | Publisher email. |
| publisherName (required) | string | Publisher name. |
| restore | bool | Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. |
| virtualNetworkConfigurationSubnetId | string | Virtual network configuration of the API Management service. |
| virtualNetworkType | 'External' 'Internal' 'None' |
The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. (default: None) |
| zones | Array containing any of: '1' '2' '3' |
A list of availability zones denoting where the resource needs to come from. |
| namedValues | apiManagementNamedValue[] | API Management Named Vaules |
| loggers | apiManagementLogger[] | API Management Loggers |
| apis | apiManagementApi[] | API Management API's |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
apiManagementAdditionalLocation
| Property | Value | Description |
|---|---|---|
| disableGateway | bool | Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
| location (required) | string | The location name of the additional region among Azure Data center regions. |
| natGatewayState | 'Disabled' 'Enabled' |
Property can be used to enable NAT Gateway for this API Management service. |
| publicIpAddressId | string | Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. |
| sku (required) | sku | |
| virtualNetworkConfiguration (required) | virtualNetworkConfiguration | Virtual network configuration for the location. |
| zones | Array containing any of: '1' '2' '3' |
A list of availability zones denoting where the resource needs to come from. |
sku
| Property | Value | Description |
|---|---|---|
| capacity (required) | int | Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. |
| name (required) | 'Basic' 'Consumption' 'Developer' 'Isolated' 'Premium' 'Standard' |
Name of the Sku. |
virtualNetworkConfiguration
| Property | Value | Description |
|---|---|---|
| subnetResourceId | string |
apiManagementCertificateConfiguration
| Property | Value | Description |
|---|---|---|
| certificate (required) | certificate | Certificate information. |
| certificatePassword | string | Certificate Password. |
| encodedCertificate (required) | string | Base64 Encoded certificate. |
| storeName (required) | 'CertificateAuthority' 'Root' |
The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. |
certificate
| Property | Value | Description |
|---|---|---|
| expiry | string | Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. |
| subject (required) | string | Subject of the certificate. |
| thumbprint (required) | string | Thumbprint of the certificate. |
apiManagementHostnameConfiguration
| Property | Value | Description |
|---|---|---|
| certificate (required) | certificate | Certificate information. |
| certificatePassword | string | Certificate Password. |
| certificateSource | 'BuiltIn' 'Custom' 'KeyVault' 'Managed' |
Certificate Source. |
| defaultSslBinding | bool | Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to gateway Hostname Type. |
| encodedCertificate | string | Base64 Encoded certificate. |
| hostName (required) | string | Hostname to configure on the Api Management service. |
| identityClientId | string | System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate. |
| keyVaultId | string | Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12 |
| negotiateClientCertificate | bool | Specify true to always negotiate client certificate on the hostname. Default Value is false. |
| type (required) | 'ConfigurationApi' 'DeveloperPortal' 'Management' 'Portal' 'Proxy' 'Scm' |
Hostname type. |
apiManagementNamedValue
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name (Pattern = ^[^*#&+:<>?]+$) |
| displayName (required) | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters (Pattern = ^[^*#&+:<>?]+$) |
| keyVault | keyVault | KeyVault location details of the namedValue. |
| secret | bool | Determines whether the value is a secret and should be encrypted or not. (default: false) |
| value (required) | string | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
keyVault
| Property | Value | Description |
|---|---|---|
| identityClientId (required) | string | Null for SystemAssignedIdentity or Client Id for UserAssignedIdentity , which will be used to access key vault secret. |
| secretIdentifier (required) | string | Key vault secret identifier for fetching secret. Providing a versioned secret will prevent auto-refresh. This requires API Management service to be configured with aka.ms/apimmsi |
apiManagementLogger
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name (Pattern = ^[^*#&+:<>?]+$) |
| description | string | Logger description. |
| isBuffered | bool | Whether records are buffered in the logger before publishing. Default is assumed to be true. |
| loggerType (required) | 'applicationInsights' 'azureEventHub' 'azureMonitor' |
Logger type. |
| resourceId (required) | string | Azure Resource Id of a log target (either Azure Event Hub resource or Azure Application Insights resource). |
| credentials (required) | object | The name and SendRule connection string of the event hub for azureEventHub logger. Instrumentation key for applicationInsights logger. |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
dataMaskingEntity
| Property | Value | Description |
|---|---|---|
| mode (required) | 'Hide' 'Mask' |
Data masking mode. |
| value (required) | string | The name of an entity to mask (e.g. a name of a header or a query parameter). |
httpMessageDiagnostic
| Property | Value | Description |
|---|---|---|
| body | body | Body logging settings. |
| dataMasking | dataMasking | Data masking settings. |
| headers | string[] | Array of HTTP Headers to log. |
body
| Property | Value | Description |
|---|---|---|
| bytes (required) | int | Number of request body bytes to log. |
dataMasking
| Property | Value | Description |
|---|---|---|
| headers | dataMaskingEntity[] | Masking settings for headers |
| queryParams | dataMaskingEntity[] | Masking settings for Url query parameters |
llmMessageDiagnosticSettings
| Property | Value | Description |
|---|---|---|
| maxSizeInBytes (required) | int | Maximum size of message to logs in bytes. The default size is 32KB. |
| messages (required) | 'all' | Specifies which message should be logged. Currently there is only 'all' option. |
oAuth2AuthenticationSettingsContract
| Property | Value | Description |
|---|---|---|
| authorizationServerId (required) | string | OAuth authorization server identifier. |
| scope (required) | string | operations scope. |
openIdAuthenticationSettingsContract
| Property | Value | Description |
|---|---|---|
| bearerTokenSendingMethods (required) | Array containing any of: 'authorizationHeader' 'query' |
How to send token to the server. |
| openidProviderId (required) | string | OAuth authorization server identifier. |
pipelineDiagnosticSettings
| Property | Value | Description |
|---|---|---|
| request | httpMessageDiagnostic | Diagnostic settings for request. |
| response | httpMessageDiagnostic | Diagnostic settings for response. |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
apiManagementApi
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name (Pattern = ^[^*#&+:<>?]+$) |
| apiRevision | string | Describes the revision of the API. If no value is provided, default revision 1 is created |
| apiRevisionDescription | string | Description of the API Revision. |
| apiType | 'graphql' 'grpc' 'http' 'odata' 'openapi' 'soap' 'websocket' |
Type of API to create |
| apiVersion | string | Indicates the version identifier of the API if the API is versioned |
| apiVersionDescription | string | Description of the API Version. |
| apiVersionSet | apiVersionSet | Version set details |
| apiVersionSetId | string | A resource identifier for the related ApiVersionSet. |
| authenticationSettings | authenticationSettings | Collection of authentication settings included into this API. |
| contact | contact | Contact information for the API. |
| description | string | Description of the API. May include HTML formatting tags. |
| displayName (required) | string | API name |
| format | 'graphql-link' 'grpc' 'grpc-link' 'odata' 'odata-link' 'openapi' 'openapi+json' 'openapi+json-link' 'openapi-link' 'swagger-json' 'swagger-link-json' 'wadl-link-json' 'wadl-xml' 'wsdl' 'wsdl-link' |
Format of the Content in which the API is getting imported. |
| isCurrent | bool | Indicates if API revision is current api revision. (default: true) |
| license | license | License information for the API. |
| path (required) | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. |
| protocols (required) | Array containing any of: 'http' 'https' 'ws' 'wss' |
Describes on which protocols the operations in this API can be invoked. |
| sourceApiId | string | API identifier of the source API. |
| subscriptionKeyParameterNames | subscriptionKeyParameterNames | Protocols over which API is made available. |
| subscriptionRequired | bool | Specifies whether an API or Product subscription is required for accessing the API. (default: false) |
| termsOfServiceUrl | string | A URL to the Terms of Service for the API. MUST be in the format of a URL. |
| translateRequiredQueryParameters | 'query' 'template' |
Strategy of translating required query parameters to template ones. By default has value 'template'. |
| type | 'graphql' 'grpc' 'http' 'odata' 'soap' 'websocket' |
Type of API. (default: http) |
| value | string | Content value when Importing an API. |
| wsdlSelector | wsdlSelector | Criteria to limit import of WSDL to a subset of the document. |
| policy | policy | The API policy |
| diagnostics | diagnostics[] |
apiVersionSet
| Property | Value | Description |
|---|---|---|
| description | string | Description of API Version Set. |
| id | string | Identifier for existing API Version Set. Omit this value to create a new Version Set. |
| name (required) | string | The display Name of the API Version Set. |
| versionHeaderName | string | Name of HTTP header parameter that indicates the API Version if versioningScheme is set to header. |
| versioningScheme | 'Header' 'Query' 'Segment' |
An value that determines where the API Version identifier will be located in a HTTP request. |
| versionQueryName | string | Name of query parameter that indicates the API Version if versioningScheme is set to query. |
authenticationSettings
| Property | Value | Description |
|---|---|---|
| oAuth2 | oAuth2AuthenticationSettingsContract | OAuth2 Authentication settings |
| oAuth2AuthenticationSettings | oAuth2AuthenticationSettingsContract[] | Collection of OAuth2 authentication settings included into this API. |
| openid | openIdAuthenticationSettingsContract | OpenID Connect Authentication Settings |
| openidAuthenticationSettings | openIdAuthenticationSettingsContract[] | Collection of Open ID Connect authentication settings included into this API. |
contact
| Property | Value | Description |
|---|---|---|
| string | The email address of the contact person/organization. MUST be in the format of an email address | |
| name (required) | string | The identifying name of the contact person/organization |
| url | string | The URL pointing to the contact information. MUST be in the format of a URL |
license
| Property | Value | Description |
|---|---|---|
| name (required) | string | The license name used for the API |
| url | string | A URL to the license used for the API. MUST be in the format of a URL |
subscriptionKeyParameterNames
| Property | Value | Description |
|---|---|---|
| header (required) | string | Subscription key header name. |
| query (required) | string | Subscription key query string parameter name. |
wsdlSelector
| Property | Value | Description |
|---|---|---|
| wsdlEndpointName (required) | string | Name of endpoint(port) to import from WSDL |
| wsdlServiceName (required) | string | Name of service to import from WSDL |
policy
| Property | Value | Description |
|---|---|---|
| format (required) | 'rawxml' 'rawxml-link' 'xml' 'xml-link' |
Format of the policyContent. |
| value (required) | string | Contents of the Policy as defined by the format. |
largeLanguageModel
| Property | Value | Description |
|---|---|---|
| logs (required) | 'Disabled' 'Enabled' |
Specifies whether default diagnostic should be enabled for Large Language Models or not. |
| requests | llmMessageDiagnosticSettings | Diagnostic settings for Large Language Models requests. |
| responses | llmMessageDiagnosticSettings | Diagnostic settings for Large Language Models responses. |
diagnostics
| Property | Value | Description |
|---|---|---|
| name (required) | 'applicationinsights' 'local' |
The resource name |
| loggerName (required) | string | Name of a target logger. |
| backend | pipelineDiagnosticSettings | Diagnostic settings for incoming/outgoing HTTP messages to the Backend |
| frontend | pipelineDiagnosticSettings | Diagnostic settings for incoming/outgoing HTTP messages to the Gateway. |
| httpCorrelationProtocol | 'Legacy' 'None' 'W3C' |
Sets correlation protocol to use for Application Insights diagnostics. |
| largeLanguageModel | largeLanguageModel | Large Language Models diagnostic settings |
| logClientIp | bool | Log the ClientIP. (default: false) |
| metrics | bool | Emit custom metrics via emit-metric policy. Applicable only to Application Insights diagnostic settings. |
| operationNameFormat (required) | 'Name' 'Url' |
The format of the Operation Name for Application Insights telemetries. (default: Name) |
| samplingPercentage | int | Sampling settings for Diagnostic. Rate of sampling for fixed-rate sampling. |
| verbosity (required) | 'error' 'information' 'verbose' |
The verbosity level applied to traces emitted by trace policies. |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
9.4.0 (2025-10-06)
Features
- update resource api versions
9.3.3 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
9.3.2 (2025-06-20)
Bug Fixes
- make certificate settings optional
9.3.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
9.3.0 (2025-03-26)
Features
- create separate API module
9.2.0 (2025-03-25)
Features
- add output principalId
9.1.0 (2025-03-24)
Features
- add outputs
9.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
8.0.1 (2025-02-28)
Bug Fixes
- revise descriptions
8.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.