Add an API to Azure API Management (Platform Administrator)

This guide describes the responsibilities and actions required by the Platform Administrator to prepare the API Management instance so that a Product Team can deploy their API securely and independently.

Role of the Platform Administrator

Platform Admins:

  • Configure the overall API Management platform
  • Set up and manage RBAC roles
  • Ensure product teams are scoped to only their own API/backends

This model ensures one team's infrastructure configuration cannot affect another's deployment.

🛠 Prerequisites

Two User Managed Identities have already been provisioned:

So that they can grant the Product Team the permissions needed to deploy their API, these managed identities have been assigned a custom role, APIM Roles Administrator, at the corresponding scopes. This role is a combination of User Access Administrator and Role Based Access Control Administrator, but limited to only the API-ApiManagement resource group.

The definition of the APIM Roles Administrator role already assigned to these identities:

```json
{
  "roleName": "APIM Roles Administrator",
  "assignableScopes": [
    "/subscriptions/.../resourceGroups/API-ApiManagement",
    "/subscriptions/.../resourceGroups/API-ApiManagement-Production"
  ],
  "permissions": [
    {
      "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"]
    }
  ]
}
```

🧩 Steps to Onboard a New API

Option A: Review Pull Request (preferred)

The team can create a pull request as described in the Developer Add API to Api Management documentation.

Option B: Team provides input

1. Receive Product Team Inputs

Ensure the team provides:

  • The Object ID of their Managed Identity
  • API name (e.g. waterfuser)
  • Friendly API name (e.g. WaterFuser API)
  • Backend name (e.g. waterfuser-backend)

2. Add to Terraform Configuration

Edit the terraform.tfvars for the correct environment:

```hcl
team_managed_apis = [
  {
    azure_managed_identity_object_id = "..."
    api_name                         = "waterfuser"
    api_friendly_name                = "WaterFuser API"
    backend_name                     = "waterfuser-backend"
  }
]
```

3. Create a Pull Request & automatically run pipeline

Create a pull request. Once it is approved and completed, the appropriate pipeline runs automatically.

This will:

  • Create a custom "API Maintainer" role scoped only to this API/backend
  • Assign it to the team's managed identity

INFO

📌 This step does not create the API/backend itself. It simply enables the team to do so independently.

Once complete, the Product Team can proceed with deploying and managing their API using the assigned role and scoped permissions.
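
The per-team scoping described above depends on every `team_managed_apis` entry being well-formed and unique, which Terraform can enforce when the pipeline plans. The variable declaration below is an added example, not the repository's own code; the name pattern and the idea that names end up inside the role scope path are assumptions made for illustration.

```hcl
# Added example (hypothetical declaration): reject unsafe team_managed_apis
# entries at plan time, before any role is created or assigned.
variable "team_managed_apis" {
  description = "APIs and backends that product teams may manage themselves."
  type = list(object({
    azure_managed_identity_object_id = string
    api_name                         = string
    api_friendly_name                = string
    backend_name                     = string
  }))

  # The object ID must be a GUID, so a display name or a leftover "..."
  # placeholder never reaches the role assignment.
  validation {
    condition = alltrue([
      for a in var.team_managed_apis :
      can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", a.azure_managed_identity_object_id))
    ])
    error_message = "Each azure_managed_identity_object_id must be a GUID."
  }

  # Assumption: names are interpolated into an RBAC scope path, so characters
  # such as "/" or "*" that could widen that scope are not accepted.
  validation {
    condition = alltrue([
      for a in var.team_managed_apis :
      can(regex("^[a-z0-9][a-z0-9-]*$", a.api_name)) &&
      can(regex("^[a-z0-9][a-z0-9-]*$", a.backend_name))
    ])
    error_message = "Names api_name and backend_name may contain only lowercase letters, digits and hyphens."
  }

  # Each API and backend appears in exactly one entry; a duplicate could give
  # a second identity maintainer rights over another team's resource.
  validation {
    condition = (
      length(distinct([for a in var.team_managed_apis : a.api_name])) == length(var.team_managed_apis) &&
      length(distinct([for a in var.team_managed_apis : a.backend_name])) == length(var.team_managed_apis)
    )
    error_message = "Values of api_name and backend_name must each be unique across team_managed_apis."
  }
}
```

With these rules in place, a pull request that reuses another team's `api_name` or `backend_name` fails at `terraform plan` instead of relying on the reviewer to spot it.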