Deploy MSI authorized API Connections for Azure Logic Apps via Bicep

May 6, 2022 9:16 AM


Getting started

Lately I have been working a lot with Azure Logic Apps for all kinds of different solutions. Once created, the Logic Apps also need to be deployed, and the best way to do this is via Infrastructure as Code (IaC) to make it immutable.

If you have worked with Azure Logic Apps before, you might have seen them: the API connection resources that are created when you use a connector for Blob storage, Azure AD, SQL Database, etc. These connections offer different kinds of authentication, and the best practice is to use Managed Service Identities (MSI). When you look at Microsoft's documentation, however, you will see that this isn't documented for IaC, and even the documented API is quite old and hasn't been updated.

While this is the case for the documentation, in reality there is a new API version available. Let me show you how to enable MSI within your Bicep.

The Bicep

If you have been searching the internet you might have found solutions such as parameterValueType: 'Alternative', which is used for User Assigned Identities and is available in the older versions of the API. However, we want to use Managed Service Identities, which need a newer API version, in our case 'Microsoft.Web/connections@2018-07-01-preview'. This 2018-07-01 version allows us to use the following properties within our Bicep:

parameterValueSet: {
  name: 'managedIdentityAuth'
  values: {}
}

The above example enables MSI authentication on the API connection resource. When you deploy your Logic App with the connector, its MSI reference to the API connection will not be broken after deployment.

For further context, see the complete module for an API connection via Bicep below:

param subscriptionID string = subscription().subscriptionId
param location string = resourceGroup().location
param apiName string = 'azureblobdev'
param apiConnector string = 'azureblob'

resource BlobAPI 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: apiName
  location: location
  kind: 'V1'
  properties: {
    displayName: apiName
    alternativeParameterValues: {}
    customParameterValues: {}
    api: {
      name: apiName
      id: '/subscriptions/${subscriptionID}/providers/Microsoft.Web/locations/${location}/managedApis/${apiConnector}'
      type: 'Microsoft.Web/locations/managedApis'
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {}
    }
  }
}
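
The Logic App side of this connection, as an added example that is not part of the original post: a workflow with a system-assigned identity that references the connection from the module above with ManagedServiceIdentity authentication, plus a role assignment so that identity can actually reach the blobs. The workflow name, the storageAccountName parameter, the empty workflow definition and the choice of the built-in Storage Blob Data Contributor role are assumptions for illustration.

```bicep
// Added example (not from the original post); values marked "assumed" are illustrative.
param location string = resourceGroup().location
param connectionName string = 'azureblobdev' // same value as apiName in the module above
param storageAccountName string              // assumed: existing account in this resource group

resource blobConnection 'Microsoft.Web/connections@2018-07-01-preview' existing = {
  name: connectionName
}
resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
  name: storageAccountName
}

resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'la-blob-dev' // assumed name
  location: location
  identity: { type: 'SystemAssigned' } // the identity the connection authenticates as
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: { '$connections': { type: 'Object', defaultValue: {} } }
      triggers: {} // assumed empty; add your own triggers and actions
      actions: {}
    }
    parameters: {
      '$connections': {
        value: {
          azureblob: {
            connectionId: blobConnection.id
            connectionName: connectionName
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azureblob')
            // Tells the runtime to use the workflow's identity instead of a stored key
            connectionProperties: { authentication: { type: 'ManagedServiceIdentity' } }
          }
        }
      }
    }
  }
}

// Least privilege: data-plane role on this one storage account only.
resource blobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: guid(storage.id, logicApp.id, 'blob-data-contributor')
  properties: {
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
    // Built-in role: Storage Blob Data Contributor (assumed; pick a narrower role for read-only workflows)
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
  }
}
```

Without the role assignment the deployment still succeeds, but the connector calls fail at run time because the identity has no access to the storage account.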

I will submit the information to the Microsoft docs as well, so it will become widely available.

What's next?

Since I'm on the subject of deploying Logic Apps, in next week's blog I will show how to set up a proper Bicep for a Logic App deployment, making it modular and usable for more than just one Logic App. Stay tuned!