Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

APIM Custom Domain child resource #10534

Closed ems75 closed 1 year ago

ems75 commented 1 year ago

Is your feature request related to a problem? Please describe.

As of right now, it's not possible to create an Azure APIM resource with a custom domain that retrieves the certificate from Azure Key Vault, because Bicep uses the same resource, Microsoft.ApiManagement/service, to create the system-managed identity and to configure the custom domain. Key Vault has the certificate used in the HostNameConfiguration section of the Microsoft.ApiManagement/service resource (custom domain configuration), but KV RBAC policies require the APIM MSI, which has not been created yet. User-Assigned is out of scope as it does not work when you have KV Firewall enabled.

Describe the solution you'd like

The solution desired is the ability to have a child resource to configure the APIM custom domain, as Terraform has (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_custom_domain).

brwilkinson commented 1 year ago

@ems75 which mode for APIM are you using? https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts?tabs=stv2

If internal, are you using a NAT Gateway? Did you consider adding a Firewall rule in the Key Vault for the NAT Gateway Public IP address/es? This would then allow you to use a User Assigned Identity?
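
The arrangement the reply above asks about, sketched in Bicep as an added example (not code from the thread or from the Bicep project): a user-assigned identity is created and granted access on the vault before the APIM service exists, so the custom domain no longer waits on the service's own identity. All names, parameters and values are hypothetical, and it assumes the vault's firewall already allows the NAT gateway's public IP; the thread does not confirm that Key Vault admits APIM's traffic this way.

```bicep
// Added example, not from the thread; every name, parameter and value is hypothetical.
param apimName string
param keyVaultName string    // existing RBAC-mode vault; firewall rule for the NAT IP assumed present
param apimSubnetId string    // existing subnet whose outbound traffic uses the NAT gateway
param gatewayHostName string // custom domain, e.g. api.contoso.example (constructed)
param certSecretName string  // name of the certificate in the vault

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}
// A stand-alone identity: its principal exists before the APIM service is created.
resource apimIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${apimName}-id'
  location: resourceGroup().location
}
// Built-in "Key Vault Secrets User" role (this example's choice), scoped to this one vault.
var secretsUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
resource certReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: kv
  name: guid(kv.id, apimIdentity.id, secretsUser)
  properties: {
    roleDefinitionId: secretsUser
    principalId: apimIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: apimName
  location: resourceGroup().location
  sku: { name: 'Developer', capacity: 1 }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${apimIdentity.id}': {} }
  }
  properties: {
    publisherEmail: 'ops@contoso.example' // constructed value
    publisherName: 'Contoso'
    virtualNetworkType: 'Internal'
    virtualNetworkConfiguration: { subnetResourceId: apimSubnetId }
    hostnameConfigurations: [
      {
        type: 'Proxy'
        hostName: gatewayHostName
        certificateSource: 'KeyVault'
        keyVaultId: '${kv.properties.vaultUri}secrets/${certSecretName}'
        identityClientId: apimIdentity.properties.clientId // tells APIM which identity reads the vault
      }
    ]
  }
  dependsOn: [ certReader ] // the role must be in place before APIM reads the certificate
}
```

Scoping the role assignment to the single vault, and not the resource group or subscription, keeps the identity's reach limited to the certificate store it actually needs.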