Merge pull request Azure#4048 from solankisamir/master

Templates for API Management with MSI and KeyVault Integration

101-api-management-create-with-msi/README.md

@@ -0,0 +1,10 @@
+# Azure API Management Service
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fazure-quickstart-templates%2Fmaster%2F101-api-management-create-with-msi%2Fazuredeploy.json" target="_blank">
+    <img src="http://azuredeploy.net/deploybutton.png"/>
+</a>
+<a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-api-management-create-with-msi%2Fazuredeploy.json" target="_blank">
+    <img src="http://armviz.io/visualizebutton.png"/>
+</a>
+
+This template deploys an Azure API Management instance having an MSI Identity with api-version 2017-03-01

101-api-management-create-with-msi/azuredeploy.json

@@ -0,0 +1,62 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "publisherEmail": {
+            "type": "string",
+            "minLength": 1,
+            "metadata": {
+                "description": "The email address of the owner of the service"
+            }
+        },
+        "publisherName": {
+            "type": "string",
+            "minLength": 1,
+            "metadata": {
+                "description": "The name of the owner of the service"
+            }
+        },
+        "sku": {
+            "type": "string",
+            "allowedValues": [
+                "Developer",
+                "Standard",
+                "Premium"
+            ],
+            "defaultValue": "Developer",
+            "metadata": {
+                "description": "The pricing tier of this API Management service"
+            }
+        },
+        "skuCount": {
+            "type": "int",
+            "defaultValue": 1,
+            "metadata": {
+                "description": "The instance size of this API Management service."
+            }
+        }
+    },
+    "variables": {
+        "apiManagementServiceName": "[concat('apiservice', uniqueString(resourceGroup().id))]"
+    },
+    "resources": [
+        {
+            "apiVersion": "2017-03-01",
+            "name": "[variables('apiManagementServiceName')]",
+            "type": "Microsoft.ApiManagement/service",
+            "location": "[resourceGroup().location]",
+            "tags": {},
+            "sku": {
+                "name": "[parameters('sku')]",
+                "capacity": "[parameters('skuCount')]"
+            },
+            "properties": {
+                "publisherEmail": "[parameters('publisherEmail')]",
+                "publisherName": "[parameters('publisherName')]"
+            },
+            "identity": {
+                "type": "systemAssigned"
+            }
+        }
+    ]
+}

101-api-management-create-with-msi/azuredeploy.parameters.json

@@ -0,0 +1,12 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {        
+        "publisherEmail": {
+            "value": "[email protected]"
+        },
+        "publisherName": {
+            "value": "templateTest"
+        }
+    }
+}

101-api-management-create-with-msi/metadata.json

@@ -0,0 +1,7 @@
+{
+  "itemDisplayName": "Create an API Management instance having MSI Identity",
+  "description": "This template creates a developer instance of Azure API Management having an MSI Identity",
+  "summary": "Create an API Management instance having MSI Identity using a template",
+  "githubUsername": "solankisamir",
+  "dateUpdated": "2017-10-27"
+}

201-api-management-create-with-keyvault-ssl/README.md

@@ -0,0 +1,22 @@
+# Azure API Management Service
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-keyvault-ssl%2Fazuredeploy.json" target="_blank">
+    <img src="http://azuredeploy.net/deploybutton.png"/>
+</a>
+<a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-keyvault-ssl%2Fazuredeploy.json" target="_blank">
+    <img src="http://armviz.io/visualizebutton.png"/>
+</a>
+
+This template shows an example of how to deploy an Azure API Management service with SSL Certificate from KeyVault.  
+* This template creates API Management service having an MSI Identity in Developer tier 
+* Retrieves the MSI Identity of the API Management service and gives it GET permissions on the KeyVault Secrets.
+* It then executes a second template on API Management to configure hostnames with Certificate references from KeyVault.
+
+<P>
+In order to deploy this template, you need to have the following resources: <br />
+1. A Key Vault (specified in 'keyVaultName' parameter) <br />
+2. A Key Vault secret having the Certificate(specified in 'keyVaultSecretsIdToCertificate' parameter) <br />
+3. The Certificate need to be issued for the Domain you want to configure (specified in 'proxyCustomHostname' parameter) <br />
+</P>
+
+The Template expects the keyVaultSecretsIdToCertificate as https://constosovault.vault.azure.net/secrets/msitestingCert

201-api-management-create-with-keyvault-ssl/azuredeploy.json

@@ -0,0 +1,154 @@
+{
+	"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+	"contentVersion": "1.0.0.0",
+	"parameters": {
+		"publisherEmail": {
+			"type": "string",
+			"minLength": 1,
+			"metadata": {
+				"description": "The email address of the owner of the service"
+			}
+		},
+		"publisherName": {
+			"type": "string",
+			"defaultValue": "Contoso",
+			"minLength": 1,
+			"metadata": {
+				"description": "The name of the owner of the service"
+			}
+		},
+		"sku": {
+			"type": "string",
+			"allowedValues": [
+				"Developer",
+				"Standard",
+				"Premium"
+			],
+			"defaultValue": "Developer",
+			"metadata": {
+				"description": "The pricing tier of this API Management service"
+			}
+		},
+		"skuCount": {
+			"type": "int",
+			"defaultValue": 1,
+			"metadata": {
+				"description": "The instance size of this API Management service."
+			}
+		},
+		"keyVaultName": {
+			"type": "string",
+			"metadata": {
+				"description": "Name of the vault"
+			}
+		},
+		"proxyCustomHostname": {
+			"type": "string",
+			"metadata": {
+				"description": "Proxy Custom hostname."
+			}
+		},
+		"keyVaultSecretsIdToCertificate": {
+			"type": "string",
+			"metadata": {
+				"description": "Reference to the KeyVault Secret storing the Certificate used to bind for SSL."
+			}
+		},
+		"_artifactsLocation": {
+			"type": "string",
+			"defaultValue": "https://apimtemplates.blob.core.windows.net",
+			"metadata": {
+				"description": "Change this value to your repo name if deploying from a fork"
+			}
+		},
+		"_artifactsLocationSasToken": {
+			"type": "securestring",
+			"defaultValue": "",
+			"metadata": {
+				"description": "Auto-generated token to access _artifactsLocation"
+			}
+		}
+	},
+	"variables": {
+		"nestedTemplatesFolderName": "nestedtemplate",
+		"masterTemplateFileName": "update-apim-with-keyvaultssl.json",
+		"apiManagementServiceName": "[concat('apiservice', uniqueString(resourceGroup().id))]",
+		"apimServiceIdentityResourceId": "[concat(resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName')),'/providers/Microsoft.ManagedIdentity/Identities/default')]"
+	},
+	"resources": [
+		{
+			"apiVersion": "2017-03-01",
+			"name": "[variables('apiManagementServiceName')]",
+			"type": "Microsoft.ApiManagement/service",
+			"location": "[resourceGroup().location]",
+			"tags": {},
+			"sku": {
+				"name": "[parameters('sku')]",
+				"capacity": "[parameters('skuCount')]"
+			},
+			"properties": {
+				"publisherEmail": "[parameters('publisherEmail')]",
+				"publisherName": "[parameters('publisherName')]"
+			},
+			"identity": {
+				"type": "systemAssigned"
+			}
+		},
+		{
+			"type": "Microsoft.KeyVault/vaults/accessPolicies",
+			"name": "[concat(parameters('keyVaultName'), '/add')]",
+			"apiVersion": "2015-06-01",
+			"dependsOn": [
+				"[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"
+			],
+			"properties": {
+				"accessPolicies": [
+					{
+						"tenantId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').tenantId]",
+						"objectId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').principalId]",
+						"permissions": {
+							"secrets": [
+								"get"
+							]
+						}
+					}
+				]
+			}
+		},
+		{
+			"apiVersion": "2017-05-10",
+			"name": "apimWithKeyVault",
+			"type": "Microsoft.Resources/deployments",
+			"dependsOn": [
+				"[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"
+			],
+			"properties": {
+				"mode": "incremental",
+				"templateLink": {
+					"uri": "[concat(parameters('_artifactsLocation'), '/', variables('nestedTemplatesFolderName'), '/', variables('masterTemplateFileName'), parameters('_artifactsLocationSasToken'))]",
+					"contentVersion": "1.0.0.0"
+				},
+				"parameters": {
+					"publisherEmail": {
+						"value": "[parameters('publisherEmail')]"
+					},
+					"publisherName": {
+						"value": "[parameters('publisherName')]"
+					},
+					"sku": {
+						"value": "[parameters('sku')]"
+					},
+					"skuCount": {
+						"value": "[parameters('skuCount')]"
+					},
+					"proxyCustomHostname": {
+						"value": "[parameters('proxyCustomHostname')]"
+					},
+					"keyVaultSecretsIdToCertificate": {
+						"value": "[parameters('keyVaultSecretsIdToCertificate')]"
+					}
+				}
+			}
+		}
+	]
+}

201-api-management-create-with-keyvault-ssl/azuredeploy.parameters.json

@@ -0,0 +1,21 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "publisherEmail": {
+            "value": "[email protected]"
+        },
+        "publisherName": {
+            "value": "Fabrikam"
+        },
+        "proxyCustomHostname": {
+            "value": "GEN-CUSTOM-FQDN-NAME"
+        },
+        "keyVaultName": {
+            "value": "GEN-KEYVAULT-NAME"
+        },
+        "keyVaultSecretsIdToCertificate": {
+            "value": "GEN-KEYVAULT-SSL-SECRET-URI"
+        }
+    }
+}

201-api-management-create-with-keyvault-ssl/metadata.json

@@ -0,0 +1,7 @@
+{
+  "itemDisplayName": "Create API Management with custom hostname for proxy using KeyVault Ssl.",
+  "description": "This template demonstrates how to Create a instance of Azure API Management having an MSI and then setting up custom hostname for proxy with ssl certificate from keyvault.",
+  "summary": "This template demonstrates how to create a instance of Azure API Management having an MSI and then setting it with custom hostname for proxy with ssl certificate from keyvault",
+  "githubUsername": "solankisamir",
+  "dateUpdated": "2017-10-27"
+}

201-api-management-create-with-keyvault-ssl/nestedtemplate/update-apim-with-keyvaultssl.json

@@ -0,0 +1,81 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "publisherEmail": {
+            "type": "string",
+            "minLength": 1,
+            "metadata": {
+                "description": "The email address of the owner of the service"
+            }
+        },
+        "publisherName": {
+            "type": "string",
+            "minLength": 1,
+            "metadata": {
+                "description": "The name of the owner of the service"
+            }
+        },
+        "sku": {
+            "type": "string",
+            "allowedValues": [
+                "Developer",
+                "Standard",
+                "Premium"
+            ],
+            "defaultValue": "Developer",
+            "metadata": {
+                "description": "The pricing tier of this API Management service"
+            }
+        },
+        "skuCount": {
+            "type": "int",
+            "defaultValue": 1,
+            "metadata": {
+                "description": "The instance size of this API Management service."
+            }
+        },
+        "proxyCustomHostname": {
+            "type": "string",
+            "metadata": {
+                "description": "Proxy Custom hostname."
+            }
+        },
+        "keyVaultSecretsIdToCertificate": {
+            "type": "string",
+            "metadata": {
+                "description": "Reference to the KeyVault Certificate used to bind for SSL."
+            }
+        }
+    },
+    "variables": {
+        "apiManagementServiceName": "[concat('apiservice', uniqueString(resourceGroup().id))]"
+    },
+    "resources": [
+        {
+            "apiVersion": "2017-03-01",
+            "name": "[variables('apiManagementServiceName')]",
+            "type": "Microsoft.ApiManagement/service",
+            "location": "[resourceGroup().location]",
+            "tags": {},
+            "sku": {
+                "name": "[parameters('sku')]",
+                "capacity": "[parameters('skuCount')]"
+            },
+            "properties": {
+                "publisherEmail": "[parameters('publisherEmail')]",
+                "publisherName": "[parameters('publisherName')]",
+                "hostnameConfigurations": [
+                    {
+                        "type": "Proxy",
+                        "hostName": "[parameters('proxyCustomHostname')]",
+                        "keyVaultId": "[parameters('keyVaultSecretsIdToCertificate')]"
+                    }
+                ]
+            },
+            "identity": {
+                "type": "systemAssigned"
+            }
+        }
+    ]
+}