Tags: azure, azure-resource-manager, azure-managed-identity, azure-bicep, azure-logic-app-standard

API connections (Key Vault, Service Bus and Blob) using managed identity through Bicep


Hi, I am trying to create API connections for Key Vault, Service Bus and a storage account using Bicep. Unfortunately I do not see clear documentation from Microsoft's side.

I created the API connections (Azure Key Vault, Service Bus and storage account) using the code below. The deployment succeeds, but the connections end up in an error state.

    // Region used for the managed API ids and the connections
    param Location string

    resource ServicebusApiCon 'Microsoft.Web/connections@2016-06-01' = {
      name: 'servicebus'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'servicebus'
        api: {
          name: 'servicebus'
          description: 'Connect to Azure Service Bus to send and receive messages'
          // Bicep string literals cannot span lines, so the id is kept on one line
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/servicebus'
          type: 'Microsoft.Web/locations/managedApis'
        }
      }
    }

    resource keyvaultApiCon 'Microsoft.Web/connections@2016-06-01' = {
      name: 'keyvault'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'keyvault'
        api: {
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/keyvault'
          displayName: 'Azure key vault'
          type: 'Microsoft.Web/locations/managedApis'
        }
      }
    }

    resource blobApiConnection 'Microsoft.Web/connections@2016-06-01' = {
      name: 'azureblob'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'azureblob'
        api: {
          name: 'azureblob'
          displayName: 'Azure Blob storage'
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/azureblob'
        }
      }
    }

Could you please suggest whether I am doing something wrong or missing something?


Solution

  • To be honest these connection APIs are not documented at all... Your best shot is to create them from the Azure portal with the networking tab open so you can see what requests are sent.

    From there I was able to create a connection for

    • key vault:

      param logicAppName string
      
      param location string = resourceGroup().location
      param keyVaultName string
      param name string = 'keyvault'
      
      // Get a reference to the existing logic app
      resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = {
        name: logicAppName
      }
      
      resource keyvaultConnector 'Microsoft.Web/connections@2018-07-01-preview' = {
        name: name
        location: location
        kind: 'V2'
        properties: {
          displayName: name
          parameterValueType: 'Alternative'
          alternativeParameterValues: {
            vaultName: keyVaultName
          }
          api: {
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'keyvault')
            type: 'Microsoft.Web/locations/managedApis'
          }
        }
      }
      
      // Grant permission to the logic app standard to access the connection api
      resource keyvaultConnectorAccessPolicy 'Microsoft.Web/connections/accessPolicies@2018-07-01-preview' = {
        name: logicAppName
        parent: keyvaultConnector
        location: location
        properties: {
          principal: {
            type: 'ActiveDirectory'
            identity: {
              tenantId: subscription().tenantId
              objectId: logicApp.identity.principalId
            }
          }
        }
      }
      
      output connectionRuntimeUrl string = keyvaultConnector.properties.connectionRuntimeUrl
      
    • service bus:

      param logicAppName string
      
      param location string = resourceGroup().location
      param servicebusName string
      param name string = 'servicebus'
      
      // Get a reference to the existing logic app
      resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = {
        name: logicAppName
      }
      
      resource servicebusConnector 'Microsoft.Web/connections@2018-07-01-preview' = {
        name: name
        location: location
        kind: 'V2'
        properties: {
          api: {
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
          }
          displayName: name
          parameterValueSet: {
            name: 'managedIdentityAuth'
            values: {
              namespaceEndpoint: {
                value: 'sb://${servicebusName}.servicebus.windows.net/'
              }
            }
          }
        }
      }
      
      // Grant permission to the logic app standard to access the connection api
      resource servicebusConnectorAccessPolicy 'Microsoft.Web/connections/accessPolicies@2018-07-01-preview' = {
        name: logicAppName
        parent: servicebusConnector
        location: location
        properties: {
          principal: {
            type: 'ActiveDirectory'
            identity: {
              tenantId: subscription().tenantId
              objectId: logicApp.identity.principalId
            }
          }
        }
      }
      
      output connectionRuntimeUrl string = servicebusConnector.properties.connectionRuntimeUrl
      

    You still need to grant permissions to the managed identity to access key vault or servicebus.

    You will also need to update the connectionRuntimeUrl, so probably create an app setting for that so it's easier to update.
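The answer shows the connections and the access policies but not the data-plane permissions it says are still required. As an added example (not part of the original answer), here are least-privilege role assignments for the Logic App's system-assigned identity, each scoped to the resource itself rather than the subscription; it assumes the Key Vault, Service Bus namespace and storage account already exist in the same resource group, and the built-in role definition IDs are taken from Azure's published list.

```bicep
// Added example, not from the original answer: least-privilege data-plane grants for the
// Logic App's system-assigned identity, scoped to each resource rather than the subscription.
// Assumes the Key Vault, Service Bus namespace and storage account live in this resource group.
param logicAppName string
param keyVaultName string
param servicebusName string
param storageAccountName string

resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = { name: logicAppName }
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = { name: keyVaultName }
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: servicebusName }
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName }

// Built-in role definition IDs (assumed from Azure's published list): Key Vault Secrets User,
// Azure Service Bus Data Sender, Storage Blob Data Contributor. Pick the narrowest role that fits.
var roles = {
  keyVaultSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
  serviceBusDataSender: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
}

resource keyVaultRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, logicApp.id, roles.keyVaultSecretsUser)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.keyVaultSecretsUser)
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal' // avoids replication-delay failures for a freshly created identity
  }
}

resource serviceBusRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(serviceBus.id, logicApp.id, roles.serviceBusDataSender)
  scope: serviceBus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.serviceBusDataSender)
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource storageRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, logicApp.id, roles.storageBlobDataContributor)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.storageBlobDataContributor)
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Naming each assignment with guid() over scope, principal and role keeps it stable and idempotent across redeployments. Key Vault Secrets User only takes effect when the vault uses the Azure RBAC permission model; a vault on the legacy access-policy model needs a vault access policy instead.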