APIM Policy Example

Demonstrates Terraform patterns for configuring Azure API Management policies, including authentication, routing, and policy composition.

📋 Overview

This example shows how to:

  • Deploy Azure API Management using Terraform
  • Configure API policies for authentication (Entra ID, Okta)
  • Set up backend routing with multiple backends
  • Compose reusable policy fragments

🏗️ Architecture

graph TD
    subgraph APIM["Azure API Management"]
        direction TB
        subgraph API["API: /person"]
            direction TB
            subgraph Policies["Inbound Policies"]
                Auth["• Authentication (Entra ID / Okta)"]
                Rate["• Rate Limiting"]
                Validate["• Request Validation"]
                Auth --- Rate --- Validate
            end
        end
        API --> Backends[" "]
        Backends --> Backend1["Backend: Google<br/>(WireMock)"]
        Backends --> Backend2["Backend: Microsoft<br/>(WireMock)"]
    end

    style APIM fill:#f9f9f9,stroke:#333,stroke-width:2px
    style API fill:#e8f4f8,stroke:#4a90e2,stroke-width:2px
    style Policies fill:#fff,stroke:#666,stroke-width:1px
    style Backends fill:none,stroke:none
    style Backend1 fill:#e8f5e9,stroke:#4caf50,stroke-width:2px
    style Backend2 fill:#e8f5e9,stroke:#4caf50,stroke-width:2px

    linkStyle 0,1 stroke:none

🧩 Components

| Resource | Description |
| --- | --- |
| azurerm_api_management | API Management instance (StandardV2) |
| azurerm_api_management_api | Person API from OpenAPI spec |
| azurerm_api_management_backend | Backend configurations |
| Policy Fragments | Reusable policy components |

🔑 Key Features

  • OpenAPI Import: API definition imported from openapi.yml
  • Multiple Backends: Route to different backends based on conditions
  • Authentication Policies: Entra ID and Okta validation examples
  • Policy Composition: Reusable policy fragments

📂 Project Structure

foundry/terraform/azure-apim-policy/
├── main.tf                           # Main resource definitions
├── provider.tf                       # Provider configuration
├── openapi.yml                       # API specification
├── tests.http                        # API test requests
├── policies/                         # Global policies
├── api_policies/                     # API-level policies
├── api_auth_policy_entraid/          # Entra ID auth policy
├── api_auth_policy_okta/             # Okta auth policy
└── apimanagement_policy/             # Policy fragments

🚀 Getting Started

Prerequisites

  • Terraform 1.0+
  • Azure subscription
  • Azure CLI authenticated

Deploying the Example

cd foundry/terraform/azure-apim-policy
terraform init
terraform plan
terraform apply

📜 Policy Examples

Authentication Policy (Entra ID)

<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud" match="all">
            <value>{client-id}</value>
        </claim>
    </required-claims>
</validate-jwt>

Backend Routing

<choose>
    <when condition="@(context.Request.Headers.GetValueOrDefault("X-Backend","") == "google")">
        <set-backend-service backend-id="azure-apim-policy-google" />
    </when>
    <otherwise>
        <set-backend-service backend-id="azure-apim-policy-microsoft" />
    </otherwise>
</choose>

💡 Use Cases

  • API Gateway: Centralized API management
  • Authentication: OAuth 2.0 / OIDC validation
  • Rate Limiting: Protect backend services
  • Request Transformation: Modify requests/responses

📍 Source Code

Location: foundry/terraform/azure-apim-policy/