Last year I published a blog post on using Terraform to deploy a Standard Logic App in a public network (Deploy Logic App Standard with Terraform and Azure DevOps pipelines). However, in many cases public access to storage is not allowed due to an organization's policies. I have received many requests about deploying a Standard Logic App to a storage account within a private network. This article gives an example of creating a Standard Logic App with a storage account behind private endpoints using Terraform.
You can clone the sample code from the GitHub repo LogicApp-Terraform-Deploy-PE. The Terraform code is in TerraformPE/LAstandardPE.tf, and logic-app-pipeline-infra-PE.yml is the DevOps pipeline YAML file.
The Terraform code creates the following resources:
- VNET and subnets for Logic App and storage account
- Storage account and file share
- Private endpoints and private DNS zones for storage file, blob, table and queue services
- App service plan
- Application Insights
- Standard Logic App with VNET integration
- Private endpoint and private DNS zone for Logic App
You can modify the code to deploy only the resources that are needed. Here are a few places that require special attention:
- In the previous blog, `azurerm_app_service_plan` was used to create the app service plan. This resource has been deprecated in version 3.0 of the AzureRM provider and will be removed in version 4.0. This blog uses the `azurerm_service_plan` resource instead.
- The storage file share needs to be created first. When deploying the logic app, we need to use the custom share name, which is specified in the argument `storage_account_share_name`. This is optional for public storage deployment, and if not specified this resource will generate a dynamic name.
- When deploying the resource `azurerm_logic_app_standard`, the argument `version` is optional. However, the runtime version defaults to ~3, which has been out of support since December 3, 2022. We need to set the version to ~4.
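
The three points above in one Terraform fragment, as an added example that is not taken from the linked repository. The input variables, resource labels, names and quota are assumptions, and the VNET, private endpoints and DNS zones are left out.

```hcl
# Added example: variable names, resource labels and literal values are assumptions.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "storage_account_name" { type = string } # account reachable only via private endpoints
variable "storage_account_access_key" {
  type      = string
  sensitive = true # keep the key out of plan output
}

# Point 1: azurerm_service_plan replaces the deprecated azurerm_app_service_plan.
resource "azurerm_service_plan" "logicapp" {
  name                = "asp-logicapp-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  os_type             = "Windows"
  sku_name            = "WS1" # Workflow Standard tier
}

# Point 2: the file share is created explicitly, before the Logic App.
resource "azurerm_storage_share" "logicapp" {
  name                 = "logicapp-content"
  storage_account_name = var.storage_account_name
  quota                = 5 # GB, constructed value
}

resource "azurerm_logic_app_standard" "example" {
  name                       = "logicapp-example"
  resource_group_name        = var.resource_group_name
  location                   = var.location
  app_service_plan_id        = azurerm_service_plan.logicapp.id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key

  # Referencing the share resource (not a string literal) gives Terraform
  # an implicit dependency, so the share exists before the app is deployed.
  storage_account_share_name = azurerm_storage_share.logicapp.name

  # Point 3: when omitted, the runtime defaults to "~3", which is out of support.
  version = "~4"
}
```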