Deploying API Management XML Policy with unique endpoints to multiple environments

[c64breadbin]

Hi!

I am attempting to deploy a different API Management policy file dependent on environment.

main.bicep

//API Management Policy File
param apimXmlPolicyFile string = loadTextContent('modules/apimpolicy/devapimpolicy.xml')

// Set API Management Policy
module setApiManagementPolicyDeploy './modules/apimpolicy.bicep' = {
  name: 'apiManagementPolicyDeploy'
  scope:resourceGroup('${sharedResourceGroupName}')
  params: {
    sharedApiManagementName:sharedApiManagementName
    apimXmlPolicyFile:apimXmlPolicyFile
 }

apimpolicy.bicep

resource sharedApiManagementPolicy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
  parent: sharedApiManagementAPI
  name: 'policy'
  properties: {
  value: apimXmlPolicyFile
  format: 'rawxml'
  }
}

The above snip works great for one environment. However, we have multiple environments (dev/sit/uat/prod etc) that each have their own unique policy settings (CORS, Backend Service Id, Auth Managed Id etc).

I have tried creating a separate policy file per environment such as

var apimXmlPolicyFile = loadTextContent('modules/apimpolicy/${env}apimpolicy.xml')

but that generates an error saying the value must be a compile-time constant. ${env} is set from a deployment pipeline variable.

Is there any way I can either:

1. set a var/param to pass through to the XML file so those values change per deployment (one XML file to manage)?

<policies>
    <inbound>
        <base />
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>https://Variable Dependent on Environment</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="1209600">
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
        </cors>
        <set-backend-service id="apim-generated-policy" backend-id="Variable Dependent on Environment" />
        <authentication-managed-identity resource="Variable Dependent on Environment" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

2. Be able to deploy this conditional on environment:

var apimXmlPolicyFile = loadTextContent('modules/apimpolicy/${env}apimpolicy.xml')

Failing that, how would I go about deploying a different XML policy file depending on the deployment environment (dev/sit/uat/prod)?

Hope that makes sense, thanks!

[brwilkinson]

Hi @c64breadbin

There is likely a few different ways to achieve this and also a few different formats.

I will suggest a few options.

In the most simplest I think is Use Replacement strings along with placeholders

e.g. {0}, {1}, {2} etc.

Then save the XML text file, since we will use loadtextcontext

<policies>
    <inbound>
        <base />
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>{0}</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="1209600">
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
        </cors>
        <set-backend-service id="apim-generated-policy" backend-id="{1}" />
        <authentication-managed-identity resource="{2}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

@allowed([
  'dev'
  'prod'
])
param enviro string = 'dev'

var content = loadTextContent('./loadtextcontent/policy.xml')

var uri = enviro == 'dev' ? 'https://dev.com' : 'https://prod.com'
var beid = enviro == 'dev' ? 'devid' : 'prodid'
var uai = enviro == 'dev' ? 'devuai' : 'produai'

var policy = replace(replace(replace(content, '{0}', uri),'{1}',beid),'{2}',uai)

output policy string = policy

Which would provide you with the following output.

• i used 2 examples with quote and left quotes off the other one, so if you need an int or a string etc it should work.

<policies>
    <inbound>
        <base />
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>https://dev.com</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="1209600">
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
        </cors>
        <set-backend-service id="apim-generated-policy" backend-id="devid" />
        <authentication-managed-identity resource="devuai" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Other than that there are other ways to do the lookup, since you could have an object for Prod and and Object for Dev etc., then untilise the properties of the object in the replace. etc.

Happy to share some more examples.

I think this method would scale better than attemping to use different files for each environment etc.

[c64breadbin]

Given this appears to be a workable solution for you I will mark this as answered.

Thank you - this will work. I am trying to pass more that 2 environments into those variables (using 4) but that is for another topic, cheers!

[brwilkinson]

@c64breadbin There is a long thread here with different patterns for doing lookups and configuration management etc.

#4586

I think I lookup table is likely the best way to have multiple environments or else a double lookup if some environments share similar configurations.

[levimatheri]

@brwilkinson @c64breadbin Here's how I did it to parameterize policy.xml files:
In my policy.xml file, I specify the parameterized values with the syntax, $(param), for instance:

<policies>
    ...
    <outbound>
        <base />
        <set-status code="$(statusCode)" reason="$(statusReason)" />
    </outbound>
</policies>

Then in my api.bicep file, I pass an object as a parameter to the main.bicep file defining a mapping of the parameter in the policy.xml file to it's value. i.e.,

// policy file  parameters
param statusCode string
param statusReason string

module api '../../modules/main.bicep' = {
  name: '${apiName}-API'
  params: {
    apiManagementServiceName: apimServiceName
    name: apiName
    ...
    policy: {
      format: 'rawxml'
      value: loadTextContent('policies/apiPolicy.xml')
      params: {
        statusCode: statusCode
        statusReason: statusReason
      }
    }

Then in my main.bicep file, I use the reduce and replace functions to replace the parameters with their values in the policy.xml file. i.e.,

param policy object = {}
...
// API policy
resource api_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = if (!empty(policy)) {
  name: 'policy'
  parent: api
  properties: {
    format: contains(policy, 'format') ? policy.format : 'rawxml'
    value: !contains(policy, 'params') ? policy.value : reduce(items(policy.params), policy.value, (result, param) => replace(string(result), '\$(${param.key})', param.value))
  }
}

This has worked for me. 😃

[dirkslab]

@levimatheri golden, thank you.

[chsami]

@levimatheri Thanks for sharing your solution. I have one more question regarding your code.

Is there any benefit in passing your policy as one big object vs seperate params?

param policy object = {}

VS

@description('The name of the existing API Management service.')
param apiManagementName string

@description('The name of the existing API within the API Management service.')
param apiName string

@description('The name of the operation to be assigned to the operation.')
param operationName string

@description('The name of the policy to be assigned to the operation.')
param policyName string

@description('The format of the policy to be assigned to the operation.')
@allowed(['rawxml', 'rawxml-link', 'xml', 'xml-link'])
param format string

@description('The content of the xml policy.')
param value string