This repository contains the main infrastructure for the Azure API Management demo.
This demo requires the following prerequisites:
- Fork this repository and clone it locally.
- An Azure subscription
- The Azure CLI
- A Service Principal with Contributor rights on the subscription
- Setup credentials in Github Secrets
- Create an storage account and a container for the Terraform state
See next sections for instructions on how to set up these prerequisites.
Fork this repository first. Then, clone it locally by running the following command in the directory where you want to have the repository:
git clone <your_repository>.git
Move to the dev branch:
git checkout dev
We will use the dev branch to make changes to the infrastructure which will be deployed as the Develpoment environment. The main branch will be used to deploy the Production environment after the changes have been tested in the Development environment, create a PR from the dev branch to the main branch and merge it.
You must have an Azure subscription to deploy this demo. If you don't have an Azure subscription, you can create a free account.
We will create some prerequired resources with the Azure CLI.
This demo needs a Service Principal to deploy the infrastructure. You can create a Service Principal with the following instructions:
- Log in to Azure:
az login
- List the available subscriptions:
az account list -o table
- Init the SUBSCRIPTION_ID variable with the subscription ID you want to use:
export SUBSCRIPTION_ID=<subscriptionID>
- Create the Service Principal with contributor rights on the subscription:
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$SUBSCRIPTION_ID"
Copy the output of the command and keep it safe for next step.
For details, see the instructions in the Azure CLI documentation to create a Service Principal.
We will create the following secrets in Github Secrets, where all values are the ones you got from the previous step:
- TF_ARM_CLIENT_ID=<appId>
- TF_ARM_CLIENT_SECRET=<password>
- TENANT_ID=<tenant>
- SUBSCRIPTION_ID=<subscriptionID>
We will use a storage account and a container to store the Terraform state. You can create a storage account and a container with the following instructions:
- Init the RESORUCE_GROUP variable with the name of the resource group you want to use:
export RESOURCE_GROUP=terraform-global-rg
- Create the resource group:
az group create --name $RESOURCE_GROUP --location westeurope --subscription $SUBSCRIPTION_ID
- Init the STORAGE_ACCOUNT_NAME variable with the name of the storage account you want to use:
export STORAGE_ACCOUNT_NAME=tfstategithub$RANDOM
- Create the storage account:
az storage account create --name $STORAGE_ACCOUNT_NAME --resource-group $RESOURCE_GROUP --location westeurope --sku Standard_LRS --subscription $SUBSCRIPTION_ID
- Under apim directory, find the main.tf file and modify the name of the storage_account_name variable with the value of the STORAGE_ACCOUNT_NAME variable. To get the value of the STORAGE_ACCOUNT_NAME variable, run the following command:
echo $STORAGE_ACCOUNT_NAME
- Create both containers for dev and main environments:
az storage container create --name dev-tfapim --account-name $STORAGE_ACCOUNT_NAME --subscription $SUBSCRIPTION_ID
az storage container create --name main-tfapim --account-name $STORAGE_ACCOUNT_NAME --subscription $SUBSCRIPTION_ID
We have included a GitHub Action to run the Terraform automation.
This automation will create the following resources:
- Resource group
- API Management service
- Storage account for future use (to store the API Management APIs descriptors and the API Management policies. We will use this storage account in the next steps of the demo).
The storage account and the API Management service that we create in this automation have to be unique named. To make sure they are unique, modify the apim.tfvars file and change the value of the uniqueId variable. The final value of both names will be:
- storage account name: "${var.prefix}${var.environment}apimsa${var.uniqueId}"
- API Management service name: "${var.prefix}${var.environment}-apim-${var.uniqueId}"
To run the automation, push the changes to the dev branch. The automation will run automatically. Remember to activate GitHub actions in your repository before execute git push.
git add .
git commit -m "Initial commit"
git push origin dev
In order to test some feature we will need an OAuth identity, so we will proceed to create an App Registration in Azure Active Directory. To do so, we will execute this Terraform templates with an account that has at least Application.ReadWrite.All permissions Create AAD application
Open a command prompt in local and navigate to the content of the repo, go to apim folder.
Create the app registration
terraform init
terraform apply -auto-approve
This will create an App Registration named: "Cloud Solution Architect APIM Demo App"
delete main.tf file and rename main.tfconfigure to main.tf
terraform apply -auto-approve
This will configure the App: add scopes, give permissions to az-cli to request an access token, etc...
Once we have all the infrastructure deployed we can continue working, by registering APIs into APIM and assign policies. For that, go to repo: apim-demo-apis