
How to deploy "connections" of Azure Logic Apps using bicep?


I'm confused by connections used in Azure Logic Apps (stateful, standard). My Logic App has a user managed identity assigned.

I used the designer to create a flow and it resulted in JSON like that shown below. The example is executing a KQL query on Azure Monitor:

"actions": {
    "AppEvents_run_query_and_list_results": {
        "inputs": {
            "body": "let customStartDate = [...]",
            "host": {
                "connection": {
                    "referenceName": "azuremonitorlogs-2"
                }
            },
            "method": "post",
            "path": "/queryData",
            "queries": {
                "resourcegroups": "rg-main",
                "resourcename": "logmain",
                "resourcetype": "Log Analytics Workspace",
                "subscriptions": "04...",
                "timerange": "Set in query"
            }
        },
        "type": "ApiConnection"
    }
    [...]

While using the designer I created a new connection and configured it to use the user managed identity. This resulted in two separate resources being created:

  1. A connection resource in my resource group of type Microsoft.Web/connections@2016-06-01 which I was able to replicate using bicep. No problem here.
  2. In the "Connections" menu item of the Logic App, there is JSON that points to the connection resource but it also contains the configuration (?) of the connection (see below):

"managedApiConnections": {
    "azuremonitorlogs-2": {
        "api": {
            "id": "/subscriptions/7e.../providers/Microsoft.Web/locations/eastus2/managedApis/azuremonitorlogs"
        },
        "authentication": {
            "identity": "/subscriptions/7e.../resourcegroups/rg-main/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-userid",
            "type": "ManagedServiceIdentity"
        },
        "connection": {
            "id": "/subscriptions/7.../resourceGroups/rg-main/providers/Microsoft.Web/connections/azuremonitorlogs-2"
        },
        "connectionProperties": {
            "authentication": {
                "additionalAudiences": [
                    "https://api.loganalytics.io"
                ],
                "audience": "https://management.core.windows.net/",
                "identity": "/subscriptions/7e.../resourcegroups/rg-main/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-userid",
                "type": "ManagedServiceIdentity"
            }
        }
    }
    [...]

I understand that "referenceName": "azuremonitorlogs-2" is referring to the content in the Logic App's connections JSON, which in turn points to the actual connection resource and tells it to use my user managed identity.

How can I deploy the connections configuration JSON when using bicep to create a Logic App?


Solution

  • You can deploy the connections.json alongside your workflows to Azure in a ZIP deploy. It is separated from the infrastructure like the Logic App Standard resource is. Please see the docs for an explanation of this: API connection resources and access policies

    Of course you can combine this in your pipelines, but you need to create a ZIP file of the project following the project structure and publish the ZIP as a build artifact to be deployed into the Logic App resource.

    You can parameterize most of this connection configuration by using the Logic App app settings, which you can set when deploying the Logic App resource, to be used in the workflows and connections.
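
An added example, not part of the original answer: a Python build step that assembles the ZIP payload described above and, before packaging, checks that every `referenceName` in a workflow resolves to an entry in `connections.json` and that every managed API connection authenticates with a managed identity. The function names, the `query-appevents` workflow name, the `host_json` argument and the placeholder resource IDs are assumptions made for this sketch.

```python
import io
import json
import zipfile

def referenced_connections(node):
    """Yield every host.connection.referenceName found in a workflow definition."""
    if isinstance(node, list):
        for child in node:
            yield from referenced_connections(child)
    elif isinstance(node, dict):
        host = node.get("host")
        conn = host.get("connection") if isinstance(host, dict) else None
        if isinstance(conn, dict) and "referenceName" in conn:
            yield conn["referenceName"]
        for child in node.values():
            yield from referenced_connections(child)

def check_project(workflows, connections):
    """Return problems that would break the deployed app; an empty list means consistent."""
    managed = connections.get("managedApiConnections", {})
    problems = [f"{wf}: referenceName '{ref}' is not in connections.json"
                for wf, definition in workflows.items()
                for ref in sorted(set(referenced_connections(definition)))
                if ref not in managed]
    problems += [f"{name}: authentication type is not ManagedServiceIdentity"
                 for name, conn in managed.items()
                 if not (isinstance(auth := conn.get("authentication"), dict)
                         and auth.get("type") == "ManagedServiceIdentity")]
    return problems

def build_zip(workflows, connections, host_json):
    """Build the ZIP payload: root config files plus <workflow>/workflow.json."""
    problems = check_project(workflows, connections)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("host.json", json.dumps(host_json, indent=2))
        pkg.writestr("connections.json", json.dumps(connections, indent=2))
        for name, definition in workflows.items():
            pkg.writestr(f"{name}/workflow.json", json.dumps(definition, indent=2))
    return buf.getvalue()

# Constructed sample data modelled on the question's snippets; IDs are placeholders.
SAMPLE_CONNECTIONS = {"managedApiConnections": {"azuremonitorlogs-2": {
    "authentication": {"type": "ManagedServiceIdentity", "identity": "<identity-resource-id>"},
    "connection": {"id": "<connection-resource-id>"}}}}
SAMPLE_WORKFLOWS = {"query-appevents": {"definition": {"actions": {"run_query": {
    "type": "ApiConnection",
    "inputs": {"host": {"connection": {"referenceName": "azuremonitorlogs-2"}}}}}}}}
```

`build_zip` raises `ValueError` instead of producing a package when a reference is dangling or a connection falls back to a non-identity authentication type, so the pipeline fails before anything is published.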