APIM manager API policy creation using azuredevops pipeline #120

@vivuu1989

Looking for a way to automate custom policy creation across the scope of APIs and operations idempotently in Azure API manager.

The pipeline input is as below

stages:
  - template: api-ops-pipeline.yaml
    parameters:
      policyList:
      - name: rate_limit_ip
        scope: api
        apiname: test-policy, test2-policy

      - name: IPfilter
        scope: operation
        ipAddressesFrom: xxxxx
        ipAddressesTo: xxxxxxx
        operationname: getxxx, getyy, getzz

policy.xml template

<policies>
    <inbound>
        <base />
        $(rate-limit-by_ip)
        $(rate-limit-by_subkey)
        $(rate-limit-by_DevID)
        $(rate-limit-by_ip)+$(rate-limit-by_DevID)
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        $(rate-limit-by-ip_error)
        $(rate-limit-by_DevID_error)
    </on-error>
</policies>

As a first task, we have to create the custom initial_policy.xml file in different scenarios as per the policy list provided by the app team, and need to generate it in accordance with the scope of the policy (it might be specific to an API, or specific to a single operation or multiple operations in it).

We may have different combinations as below, and when the scope is only operations, it should first check whether the same policy is applied in its parent API or at the APIM instance level itself.

Combinations

  • rate-limit-by_ip
  • rate-limit-by_subkey
  • rate-limit-by_DevID
  • rate-limit-by_ip + rate-limit-by_DevID
  • Or any custom combination with on error properties as well

Once the above step is completed, the user's input parameters (threshold, time, etc.) are replaced in the custom initial_policy.xml created above, and final_policy.xml will be created.

Then, finally, it can be applied to the given scope (might be API/APIs or operation/operations).

The pipeline template is drafted as below.

  jobs:
  - job: api
    displayName: 'api policy'
    variables:
    - group: api_policy
    workspace:
      clean: all
    pool:
      name: xxxxxxx
    steps:
    - ${{ each policy in parameters.policyList }}:
      - ${{ if and(eq(policy.name, 'rate_limit_ip'), eq(policy.scope, 'api') ) }}:
        - bash: |      
           apiName=${{ policy.Name }}
           echo "##vso[task.setvariable variable=apiName]$apiName" 
           xxxxxxxxxxxxxxxxx
           xxxxxxxxxxxxxxxxxxxxxxxx
            xxxxxxxxxxxxxxxxxxxxxx          
          name: Resolve_variable  

        - task: qetza.replacetokens.replacetokens-task.replacetokens@3
          displayName: 'create initial xml'
          inputs:
            rootDirectory: '$(System.DefaultWorkingDirectory)/policy'
            targetFiles: initial_policy.xml
            tokenPrefix: '${'
            tokenSuffix: '}$'
            enableTelemetry: false
          continueOnError: true

        - task: qetza.replacetokens.replacetokens-task.replacetokens@3
          displayName: 'create final xml'
          inputs:
            rootDirectory: '$(System.DefaultWorkingDirectory)/policy'
            targetFiles: final_policy.xml
            tokenPrefix: '${'
            tokenSuffix: '}$'
            enableTelemetry: false
          continueOnError: true
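
As an added example (not part of the original issue or of any project code): one way to generate the policy XML from the `policyList` with validated values instead of raw token replacement, skip fragments already applied at a parent scope, and compare canonical XML so that re-runs are idempotent. The input keys `threshold` and `periodSeconds`, the `inherited` set and all function names are assumptions; `rate-limit-by-key` and `ip-filter` are the APIM policy elements assumed here for the issue's `rate_limit_ip` and `IPfilter` entries.

```python
import ipaddress
import xml.etree.ElementTree as ET

def rate_limit_ip(p):
    # "threshold" and "periodSeconds" are hypothetical input names.
    calls, period = int(p["threshold"]), int(p["periodSeconds"])  # ValueError on non-integers
    if calls <= 0 or period <= 0:
        raise ValueError("threshold and periodSeconds must be positive")
    return ET.Element("rate-limit-by-key", {
        "calls": str(calls), "renewal-period": str(period),
        "counter-key": "@(context.Request.IpAddress)"})

def ip_filter(p):
    lo = ipaddress.ip_address(p["ipAddressesFrom"])  # ValueError on anything but an IP
    hi = ipaddress.ip_address(p["ipAddressesTo"])
    if lo.version != hi.version or lo > hi:
        raise ValueError("invalid address range")
    el = ET.Element("ip-filter", {"action": "allow"})
    ET.SubElement(el, "address-range", {"from": str(lo), "to": str(hi)})
    return el

BUILDERS = {"rate_limit_ip": rate_limit_ip, "IPfilter": ip_filter}

def build_policy(entries, inherited=frozenset()):
    """Return policy XML; skip policy names already applied at a parent scope."""
    root = ET.Element("policies")
    for section in ("inbound", "backend", "outbound", "on-error"):
        sec = ET.SubElement(root, section)
        ET.SubElement(sec, "base")
        if section == "inbound":
            for e in entries:
                if e["name"] not in inherited:
                    sec.append(BUILDERS[e["name"]](e))
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")

def needs_update(current_xml, desired_xml):
    """Idempotency check: compare canonical forms, ignoring layout whitespace."""
    c14n = lambda x: ET.canonicalize(x, strip_text=True)
    return c14n(current_xml) != c14n(desired_xml)

# Constructed sample input mirroring the issue's policyList.
SAMPLE = [
    {"name": "rate_limit_ip", "threshold": "10", "periodSeconds": "60"},
    {"name": "IPfilter", "ipAddressesFrom": "10.0.0.1", "ipAddressesTo": "10.0.0.50"},
]

if __name__ == "__main__":
    print(build_policy(SAMPLE))
```

Building elements through the XML API means a parameter value can never close an attribute and add policy markup of its own, which plain token replacement into `policy.xml` does not guarantee.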
