Tags: azure, azure-logic-apps, azure-bicep

Azure Logic App Authorization Policy set via Bicep


When creating a consumption Azure Logic App using Azure Bicep -

How do you create and configure Azure Active Directory Authorization Policies and set the

  • Policy Name
  • Policy Type
  • Claims (Issuer, Audience and a custom claim)

From the Azure Portal it's under Logic App > Authorization > Add Policy:

[Image: Logic App Authorization screen]

Here's my bicep file:

param name string = 'testlogicapptb'
param location string = 'Australia Southeast'

resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: name
  location: location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
    }
    parameters: {}
    accessControl: {
      triggers: {
        allowedCallerIpAddresses: [
          {
            addressRange: '123.1.1.1-123.1.1.1'
          }
        ]

        //Doesn't work - just trying anything
        openAuthenticationPolicies: {
          policies: {
            name: 'test'
            type: 'AAD'
            issuer: 'https://123/'
            audience: '123'
            claim: {
              name: 'role'
              value: '123'
            }
          }
        }
      }
    }
  }
}

Here's the reference documentation, but it doesn't describe how to format the policies; it just circles back around on itself.

https://learn.microsoft.com/en-us/azure/templates/microsoft.logic/workflows?pivots=deployment-language-bicep#bicep-resource-definition

If I search the web for anything related to OpenAuthenticationAccessPolicies, I can't find anything, or even know if I'm looking at the right thing.

I've tried exporting the ARM template and converting that to Bicep; however, the policies entered through the Portal do not come out in the export.

Even if it's not Bicep, how do I programmatically set these up?


Solution

  • main.bicep

    @description('The name of the logic app to create.')
    param logicAppName string = 'wbtestlogicapp'
    
    @description('A test URI')
    param testUri string = 'https://azure.status.microsoft/status/'
    
    @description('Location for all resources.')
    param location string = resourceGroup().location
    
    // The key under openAuthenticationPolicies.policies; this is the policy name shown in the portal.
    var policyName = 'aadPolicyTest'
    var frequency = 'Hour'
    // The recurrence interval is an integer in the workflow definition, not a string.
    var interval = 1
    // Renamed from 'type' so the variable does not collide with the Bicep 'type' keyword.
    var triggerType = 'recurrence'
    var actionType = 'http'
    var method = 'GET'
    
    resource stg 'Microsoft.Logic/workflows@2019-05-01' = {
      name: logicAppName
      location: location
      tags: {
        displayName: logicAppName
      }
      properties: {
        definition: {
          '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
          contentVersion: '1.0.0.0'
          parameters: {
            testUri: {
              type: 'string'
              defaultValue: testUri
            }
          }
          triggers: {
            recurrence: {
              type: triggerType
              recurrence: {
                frequency: frequency
                interval: interval
              }
            }
          }
          actions: {
            // Action name (was 'actionType', which read like the type field); a plain HTTP GET to the test URI.
            httpRequest: {
              type: actionType
              inputs: {
                method: method
                uri: testUri
              }
            }
          }
        }
        // Authorization policies live under accessControl.triggers, not inside the workflow definition.
        accessControl: {
          triggers: {
            openAuthenticationPolicies: {
              // 'policies' is an object keyed by policy name, not an array.
              policies: {
                '${policyName}': {
                  type: 'AAD'
                  // Each entry is a claim the caller's bearer token must carry with exactly this value.
                  claims: [
                    {
                      // Issuer: https://sts.windows.net/<tenantId>/ for v1.0 tokens
                      name: 'iss'
                      value: 'https://sts.windows.net/2xxxxxxx-3a06-xxxxxxxxx-8a1e-xxxxxx/'
                    }
                    {
                      // Audience the token was issued for
                      name: 'aud'
                      value: 'https://management.core.windows.net'
                    }
                    {
                      // Subject: pins the policy to one caller identity (the "custom claim" from the question)
                      name: 'sub'
                      value: 'xxxxxxxxxxx-7d1e-4d9f-xxx-xxxxxxxxxxxxxxx'
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
    
    output name string = stg.name
    output resourceId string = stg.id
    output resourceGroupName string = resourceGroup().name
    output location string = location
    
    

    [Image: result]
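As an added example (not from the question or the answer above, and not Microsoft's own sample), the answer's pattern generalised: the accepted callers are passed in as a parameter array and turned into one AAD policy each, the issuer is derived from the deploying tenant instead of being typed by hand, and the IP filter from the question is only emitted when ranges are supplied. The tenant id default, the `api://...` audience, the object ids and the parameter names are assumptions or placeholders; the trigger is an HTTP Request trigger so the policies actually gate something.

```bicep
// Added example: consumption Logic App whose HTTP trigger accepts only Entra ID (AAD)
// bearer tokens from the listed callers. Ids and audience values are placeholders.

@description('Name of the consumption Logic App.')
param logicAppName string = 'secured-logicapp-example'

@description('Location for all resources.')
param location string = resourceGroup().location

@description('Tenant whose tokens are accepted. Defaults to the deploying tenant (assumption).')
param tenantId string = subscription().tenantId

@description('Expected aud claim (placeholder): the app registration your callers request tokens for.')
param expectedAudience string = 'api://00000000-0000-0000-0000-000000000000'

@description('Object ids (oid claim) of the service principals allowed to call the trigger (placeholders).')
param allowedCallerObjectIds array = [
  '11111111-1111-1111-1111-111111111111'
  '22222222-2222-2222-2222-222222222222'
]

@description('Optional IP ranges permitted to call the trigger. Empty means no IP filter is added.')
param allowedCallerIpRanges array = []

// Issuer for v1.0 access tokens, the format used in the answer above.
// v2.0 tokens carry https://login.microsoftonline.com/<tenantId>/v2.0 instead.
var issuer = 'https://sts.windows.net/${tenantId}/'

// One policy per caller. Every listed claim must match exactly, so a token is accepted
// only when iss, aud and oid all agree with one policy.
var policyList = map(range(0, length(allowedCallerObjectIds)), i => {
  'caller-${i}': {
    type: 'AAD'
    claims: [
      {
        name: 'iss'
        value: issuer
      }
      {
        name: 'aud'
        value: expectedAudience
      }
      {
        name: 'oid'
        value: allowedCallerObjectIds[i]
      }
    ]
  }
})

// 'policies' must be a single object keyed by policy name, so merge the per-caller objects.
var policies = reduce(policyList, {}, (acc, cur) => union(acc, cur))

// Emit allowedCallerIpAddresses only when ranges are given: an empty array is not
// "no filter", it restricts callers to other Logic Apps.
var ipRestriction = empty(allowedCallerIpRanges) ? {} : {
  allowedCallerIpAddresses: map(allowedCallerIpRanges, r => {
    addressRange: r
  })
}

resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      triggers: {
        manual: {
          type: 'Request'
          kind: 'Http'
          inputs: {
            schema: {}
          }
        }
      }
      actions: {
        respond: {
          type: 'Response'
          inputs: {
            statusCode: 200
            body: {
              message: 'accepted'
            }
          }
        }
      }
    }
    accessControl: {
      triggers: union({
        openAuthenticationPolicies: {
          policies: policies
        }
      }, ipRestriction)
    }
  }
}

output logicAppId string = logicApp.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep` and pass real values for `expectedAudience` and `allowedCallerObjectIds`. A caller then requests a token for that audience and sends it in an `Authorization: Bearer <token>` header instead of the SAS-signed callback URL. Two caveats worth checking in the portal after deployment: adding an OAuth policy does not by itself disable the SAS-signed callback URL, which keeps working until SAS authentication is turned off separately; and the Logic Apps limits page caps how many policies and claims per policy a consumption app may carry, so a long `allowedCallerObjectIds` list will be rejected at deployment rather than silently truncated.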