Blog Post

Azure Integration Services Blog
5 MIN READ

A walkthrough of parameterization of different connection types in Logic App Standard

Shree_Divya_M_V's avatar
Mar 03, 2023

For deploying workflows across different environments, one of the important activities is to parameterize the API connections. With the latest update of the logic apps extension (starting on version 1.0.40) parametrization of the Logic Apps Standard apps becomes easier, as now both runtime and designer support the interpolation of app settings or parameter references.  More details on this concept are explained in the blog- Parameterizing Managed Connections with Logic Apps Standard - Microsoft Community Hub

 

In this article, we will walk through the process of parameterizing different connection types.

In this example, we are using:

  1. A managed API connection to connect to Azure Service bus,
  2. A built-in API connection to connect to Azure blob,
  3. A function connection to call a function app.

 

 

The Connections.json file looks like the snippet below when I create this workflow in VS Code.

 

 

 

 

{
  "serviceProviderConnections": {
    
    "serviceBus": {
      "parameterValues": {
        "connectionString": "@appsetting('serviceBus_connectionString')"
      },
      "serviceProvider": {
        "id": "/serviceProviders/serviceBus"
      },
      "displayName": "service bus-builtin"
    }
  },
  "managedApiConnections": {
    
    "azureblob_2": {
      "api": {
        "id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/providers/Microsoft.Web/locations/eastus/managedApis/azureblob"
      },
      "connection": {
        "id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/resourceGroups/TriageDemo/providers/Microsoft.Web/connections/azureblob-2"
      },
      "connectionRuntimeUrl": "https://28e4576f9043090d.05.common.logic-eastus.azure-apihub.net/apim/azureblob/64a89f8747fb4ee8b772a26b837965c3/",
      "authentication": {
        "type": "Raw",
        "scheme": "Key",
        "parameter": "@appsetting('azureblob_2-connectionKey')"
      }
    }
  },
  "functionConnections": {
    "azureFunctionOperation": {
      "function": {
        "id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/resourceGroups/Myresourcegroup/providers/Microsoft.Web/sites/DivyaTestFunction/functions/HttpTriggerCSharp1"
      },
      "triggerUrl": "https://divyatestfunction.azurewebsites.net/api/httptriggercsharp1",
      "authentication": {
        "type": "QueryString",
        "name": "Code",
        "value": "@appsetting('azureFunctionOperation_functionAppKey')"
      },
      "displayName": "Functionconnectiion"
    }
  }
}

 

 

 

 

Also, once we choose “Use Connections from Azure” from the context menu of the designer, the below app settings get added to local.settings.json file.

 

WORKFLOWS_TENANT_ID

WORKFLOWS_SUBSCRIPTION_ID

WORKFLOWS_RESOURCE_GROUP_NAME

WORKFLOWS_LOCATION_NAME

WORKFLOWS_MANAGEMENT_BASE_URI

 

Parameterizing Managed API Connections

For the managed API connection, we can parameterize api ID and connection ID with the use of the above app settings.

 

 

 


"api": {
                "id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/providers/Microsoft.Web/locations/@appsetting('WORKFLOWS_LOCATION_NAME')/managedApis/azureblob"
            },

"connection": {
                "id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/azureblob"
            }

 

 

 

 

Connection runtime URL is a unique URL of the API connection. During DevOps deployment of API connection, this URL can be exported as an app setting.

Please refer the blog for more details on exporting the connection runtime URL as an app setting- Deploying Logic App Standard resource through DevOps pipeline - Microsoft Community Hub

 

While creating API connection from VS Code, this URL is hardcoded in Connections.json. Copy this URL to local.settings file and parameterize the field in Connections.json

Alternatively, Connection runtime URL can be stored as a parameter in the parameters.json and referred in Connections.json.

 

 

 

"connectionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')"

 

 

 

Using the right authentication type:

Authentication field is populated by the raw authentication key when authenticated through VS Code.

While deploying through DevOps, this needs to be changed to the corresponding authentication type to be used in the portal.

This can be achieved by parameterizing this field in the Connections.json and creating a parameter file to store the value.

In this example, I have created one parameter file for local VS Code usage which uses raw authentication.

Parameters.json:

 

 

 

   {
    "blob_auth": {
        "type":"object", 
        "value": {
            "type": "Raw",
            "scheme": "Key",
            "parameter": "@appsetting('azureblob_2-connectionKey')"
        }
    }

}

 

 

 

 

And another one for Azure portal deployment which uses managed identity authentication.

Parameters_azure.json:

 

 

 

{
    "blob_auth": {
        "type":"object", 
        "value": {
            "type": "ManagedServiceIdentity"
        }
    }
}

 

 

 

 

 

Either the corresponding parameter file can be included in the zip folder itself or it can be separately applied to the existing zip deployment using the below CLI command:

az functionapp | Microsoft Learn

 

 

 

az functionapp deploy --resource-group <Resource group> --name <logic app name> --src-path <Parameter file path> --type static --target-path parameters.json

Example:

az functionapp deploy --resource-group TriageDemo --name shmvlastandarddemo1 --src-path /home/shree/parameters_azure.json --type static --target-path parameters.json

 

 

 

 

Parameterizing Function Connections:

Functions connection has two fields that can be parametrized- Function ID and trigger URL.

 

 

 

"function": {
                "id": "@appsetting('azureFunctionOperation_functionResourceURI')"
            },
            "triggerUrl": "@appsetting('azureFunctionOperation_functionTriggerURI')"
        }

 

 

 

 

Parameterizing Service Provider Connections:

Service provider connection is parametrized while creating through VS Code itself, hence it doesn’t require any additional step.

 

Final result:

The resulting Connections.json file would look like below, which can be used for both local development and remote deployment with different parameter files and app settings.

 

 

 

{
    "functionConnections": {
        "azureFunctionOperation": {
            "authentication": {
                "name": "Code",
                "type": "QueryString",
                "value": "@appsetting('azureFunctionOperation_functionAppKey')"
            },
            "displayName": "FunctionApiConnection",
            "function": {
                "id": "@appsetting('azureFunctionOperation_functionResourceURI')"
            },
            "triggerUrl": "@appsetting('azureFunctionOperation_functionTriggerURI')"
        }
    },
    "managedApiConnections": {
        "azureblob": {
            "api": {
                "id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/providers/Microsoft.Web/locations/@appsetting('WORKFLOWS_LOCATION_NAME')/managedApis/azureblob"
            },
            "authentication": "@parameters('blob_auth')",
            "connection": {
                "id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/azureblob"
            },
            "connectionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')"
        }
    },
    "serviceProviderConnections": {
        "serviceBus": {
            "displayName": "ServiceBus-Builtin",
            "parameterValues": {
                "connectionString": "@appsetting('serviceBus_connectionString')"
            },
            "serviceProvider": {
                "id": "/serviceProviders/serviceBus"
            }
        }
    }
}

 

 

 

 

Key Vault reference for App settings:

Key Vault references can be used as values for Application Settings, allowing us to keep secrets in Key Vault instead of the site config. 

If any of the above app settings you would like to secure, it can be done by creating a secret in the Key vault and by providing access to Logic App to access the secret.

Use Key Vault references - Azure App Service | Microsoft Learn

At app settings, set the reference as the value of the setting as below.

 

 

 

.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/<secret name>/)

Example:

@microsoft.KeyVault(SecretUri=https://shmvkeyvault.vault.azure.net/secrets/ConnectionString/)

 

 

 

 

References:

Deploying Logic App Standard resource through DevOps pipeline - Microsoft Community Hub

Parameterizing Managed Connections with Logic Apps Standard - Microsoft Community Hub

LogicAppStandard/azure-devops-sample at master · ShreeDivyaMV/LogicAppStandard (github.com)

 

Updated Mar 03, 2023
Version 1.0
  • anilnair92's avatar
    anilnair92
    Copper Contributor

    hello Divya thanks for this post it really helpful but i would like to know that local.settings.json (this file we will place in gitignore)is for local vscode and when we are moving the code this file will not be present in the repos then how we can get appsettings values when we are deploying through devops portal can you let me know is there anything iam missing here

     

    Can you let me know the stratergy for this

  • anilnair92's avatar
    anilnair92
    Copper Contributor

    thanks Shree_Divya_M_V  i have gone through this post so do we have to include this value as well inside the app setting 

    WORKFLOWS_RESOURCE_GROUP_NAME, 
    WORKFLOWS_LOCATION_NAME or it can be just sitting inside local.settings.json
  • AengusM's avatar
    AengusM
    Brass Contributor

    I am trying to parametrise using system assigned managed identity, in my case for an Azure automation action ... I do this ..

     

     

     

      "azureautomation-Authentication": {
        "type": "Object",
        "value": {
          "type": "ManagedServiceIdentity"
        }
      }

     

     

     

     but when I open the designer I get

    I suspect I am missing a value in the parameters to specifically say to use system assigned managed identity, but I have also found an article from an integrator that suggests system assigned managed identity cannot be deployed via code.
    Can you advise or provide suggestion?
    Thanks

    Edit ... of course as soon as I wrote above, I appear (not thoroughly tested) to have resolved my challenge ... so for others ... I added following to my connections.json 

     

     

          "connectionProperties": {
            "authentication": {
              "audience": "https://management.core.windows.net/",
              "type": "ManagedServiceIdentity"
            }

     

     

     so ...

     

     

        "azureautomation": {
          "api": {
            "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/providers/Microsoft.Web/locations/@{appsetting('WORKFLOWS_LOCATION_NAME')}/managedApis/azureautomation"
          },
          "connection": {
            "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/resourceGroups/@{appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')}/providers/Microsoft.Web/connections/api_logic_msi_to_azureautomation"
          },
          "connectionRuntimeUrl": "@parameters('azureautomation-ConnectionRuntimeUrl')",
          "authentication": "@parameters('azureautomation-Authentication')",
          "connectionProperties": {
            "authentication": {
              "audience": "https://management.core.windows.net/",
              "type": "ManagedServiceIdentity"
            }
          }
        }