For deploying workflows across different environments, one of the important activities is to parameterize the API connections. With the latest update of the logic apps extension (starting on version 1.0.40) parametrization of the Logic Apps Standard apps becomes easier, as now both runtime and designer support the interpolation of app settings or parameter references. More details on this concept are explained in the blog- Parameterizing Managed Connections with Logic Apps Standard - Microsoft Community Hub
In this article, we will walk through the process of parameterizing different connection types.
In this example, we are using:
- A managed API connection to connect to Azure Service bus,
- A built-in API connection to connect to Azure blob,
- A function connection to call a function app.
The Connections.json file looks like the snippet below when I create this workflow in VS Code.
{
"serviceProviderConnections": {
"serviceBus": {
"parameterValues": {
"connectionString": "@appsetting('serviceBus_connectionString')"
},
"serviceProvider": {
"id": "/serviceProviders/serviceBus"
},
"displayName": "service bus-builtin"
}
},
"managedApiConnections": {
"azureblob_2": {
"api": {
"id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/providers/Microsoft.Web/locations/eastus/managedApis/azureblob"
},
"connection": {
"id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/resourceGroups/TriageDemo/providers/Microsoft.Web/connections/azureblob-2"
},
"connectionRuntimeUrl": "https://28e4576f9043090d.05.common.logic-eastus.azure-apihub.net/apim/azureblob/64a89f8747fb4ee8b772a26b837965c3/",
"authentication": {
"type": "Raw",
"scheme": "Key",
"parameter": "@appsetting('azureblob_2-connectionKey')"
}
}
},
"functionConnections": {
"azureFunctionOperation": {
"function": {
"id": "/subscriptions/ea3e783f-6b4a-4e74-b379-9fa512da2b7f/resourceGroups/Myresourcegroup/providers/Microsoft.Web/sites/DivyaTestFunction/functions/HttpTriggerCSharp1"
},
"triggerUrl": "https://divyatestfunction.azurewebsites.net/api/httptriggercsharp1",
"authentication": {
"type": "QueryString",
"name": "Code",
"value": "@appsetting('azureFunctionOperation_functionAppKey')"
},
"displayName": "Functionconnectiion"
}
}
}
Also, once we choose “Use Connections from Azure” from the context menu of the designer, the below app settings get added to local.settings.json file.
WORKFLOWS_TENANT_ID |
WORKFLOWS_SUBSCRIPTION_ID |
WORKFLOWS_RESOURCE_GROUP_NAME |
WORKFLOWS_LOCATION_NAME |
WORKFLOWS_MANAGEMENT_BASE_URI |
Parameterizing Managed API Connections
For the managed API connection, we can parameterize api ID and connection ID with the use of the above app settings.
"api": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/providers/Microsoft.Web/locations/@appsetting('WORKFLOWS_LOCATION_NAME')/managedApis/azureblob"
},
"connection": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/azureblob"
}
Connection runtime URL is a unique URL of the API connection. During DevOps deployment of API connection, this URL can be exported as an app setting.
Please refer the blog for more details on exporting the connection runtime URL as an app setting- Deploying Logic App Standard resource through DevOps pipeline - Microsoft Community Hub
While creating API connection from VS Code, this URL is hardcoded in Connections.json. Copy this URL to local.settings file and parameterize the field in Connections.json
Alternatively, Connection runtime URL can be stored as a parameter in the parameters.json and referred in Connections.json.
"connectionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')"
Using the right authentication type:
Authentication field is populated by the raw authentication key when authenticated through VS Code.
While deploying through DevOps, this needs to be changed to the corresponding authentication type to be used in the portal.
This can be achieved by parameterizing this field in the Connections.json and creating a parameter file to store the value.
In this example, I have created one parameter file for local VS Code usage which uses raw authentication.
Parameters.json:
{
"blob_auth": {
"type":"object",
"value": {
"type": "Raw",
"scheme": "Key",
"parameter": "@appsetting('azureblob_2-connectionKey')"
}
}
}
And another one for Azure portal deployment which uses managed identity authentication.
Parameters_azure.json:
{
"blob_auth": {
"type":"object",
"value": {
"type": "ManagedServiceIdentity"
}
}
}
Either the corresponding parameter file can be included in the zip folder itself or it can be separately applied to the existing zip deployment using the below CLI command:
az functionapp | Microsoft Learn
az functionapp deploy --resource-group <Resource group> --name <logic app name> --src-path <Parameter file path> --type static --target-path parameters.json
Example:
az functionapp deploy --resource-group TriageDemo --name shmvlastandarddemo1 --src-path /home/shree/parameters_azure.json --type static --target-path parameters.json
Parameterizing Function Connections:
Functions connection has two fields that can be parametrized- Function ID and trigger URL.
"function": {
"id": "@appsetting('azureFunctionOperation_functionResourceURI')"
},
"triggerUrl": "@appsetting('azureFunctionOperation_functionTriggerURI')"
}
Parameterizing Service Provider Connections:
Service provider connection is parametrized while creating through VS Code itself, hence it doesn’t require any additional step.
Final result:
The resulting Connections.json file would look like below, which can be used for both local development and remote deployment with different parameter files and app settings.
{
"functionConnections": {
"azureFunctionOperation": {
"authentication": {
"name": "Code",
"type": "QueryString",
"value": "@appsetting('azureFunctionOperation_functionAppKey')"
},
"displayName": "FunctionApiConnection",
"function": {
"id": "@appsetting('azureFunctionOperation_functionResourceURI')"
},
"triggerUrl": "@appsetting('azureFunctionOperation_functionTriggerURI')"
}
},
"managedApiConnections": {
"azureblob": {
"api": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/providers/Microsoft.Web/locations/@appsetting('WORKFLOWS_LOCATION_NAME')/managedApis/azureblob"
},
"authentication": "@parameters('blob_auth')",
"connection": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/azureblob"
},
"connectionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')"
}
},
"serviceProviderConnections": {
"serviceBus": {
"displayName": "ServiceBus-Builtin",
"parameterValues": {
"connectionString": "@appsetting('serviceBus_connectionString')"
},
"serviceProvider": {
"id": "/serviceProviders/serviceBus"
}
}
}
}
Key Vault reference for App settings:
Key Vault references can be used as values for Application Settings, allowing us to keep secrets in Key Vault instead of the site config.
If any of the above app settings you would like to secure, it can be done by creating a secret in the Key vault and by providing access to Logic App to access the secret.
Use Key Vault references - Azure App Service | Microsoft Learn
At app settings, set the reference as the value of the setting as below.
.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/<secret name>/)
Example:
@microsoft.KeyVault(SecretUri=https://shmvkeyvault.vault.azure.net/secrets/ConnectionString/)
References:
Deploying Logic App Standard resource through DevOps pipeline - Microsoft Community Hub
Parameterizing Managed Connections with Logic Apps Standard - Microsoft Community Hub
LogicAppStandard/azure-devops-sample at master · ShreeDivyaMV/LogicAppStandard (github.com)