Terraform APIM DevOps

ujjwalDev 46 Reputation points


Could you please provide guidance or related samples for implementing DevOps for APIM using Terraform.

I've read some available documentation pages, but some scenarios are not clear to me.

  1. When a new method is added to the backendapi (webapi on app service), (how) would the operation show up in apim. would the policies be applied at the parent(api level). would any existing operation level policies remain unchanged for existing operations.
  2. How to automatically bring in any new methods added to a backend api to be imported to APIM using OpenApi
  3. If I wanted to split the same backend api to publish it as different APIM apis, how would one achieve that with DevOps and terraform.
  4. Are there any limitations for implementing DevOps + Terraform for IaC compared to using Arm for example.


Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,745 questions
0 comments No comments
{count} votes

Accepted answer
  1. Adrian Hall (MSFT) 156 Reputation points Microsoft Employee

    Hi there,

    You seem to be looking at two different pieces - organizing your service using OpenAPI and ensuring policy is applied at each step. Hopefully, this answer will provide the necessary detail.

    Yes, you can deploy your service plus all the APIs and policies through Terraform. However, you should rig your DevOps pipeline such that a new API revision or version is generated when (and only when) you change your OpenAPI specification. This will not apply policy to the new operation. For that reason, I generally recommend that you only use the OpenAPI specification for the initial import. After that, you will want to ensure the operations are secured properly and that policies are appropriately applied - something that importing an OpenAPI specification alone will not do.

    When I use Terraform, each API has a .tf file. The .tf file creates the API, operations, and policies (together with any named values used within the API that are unique to the API). The Terraform plan/apply process will determine which APIs have been updated and apply the correct changes. Terraform files needs to be written - you cannot generate them from the service. Alternatives to this include ARM and Bicep. The DevOps Toolkit for API Management (which you can find on aka.ms/apimlove) provides a set of utilities that can copy an API Management service from a source service and generate ARM templates to apply to a destination service.

    You cannot split a single base path between APIs. For example, placing GET /foo and PUT /foo in different APIs is not possible - these would be two separate operations on the same API (/foo).

    Eventually, ARM, Bicep, and Terraform all end up executing APIs on the API Management REST API. As a result, what you can do in one can generally be done in the other, providing you are using the same API version (which, as of writing, is 2021-08-01). I do bump into limitations of the method (e.g. Terraform or ARM), but this is not because of a service limitation.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful