In collaboration with Wagner Silveira
Automating the deployment of Logic Apps Standard through a CI/CD pipeline requires a different process from that used by Logic Apps Consumption. As Logic Apps Standard now encapsulates a group of workflows in a single unit of deployment (the Logic App Standard App), to fully automate the deployment process the following artefacts are required:
There are a few things to consider when deploying Azure connectors (managed connectors).
1. Access policies:
Logic app resource requires permission to read the connection secrets from APIHUB to interact with connector backend.
In case of consumption logic app, this is implemented internally (Being a shared cloud service, Logic App’s service principal has these permissions to read connection secrets).
Whereas in the case of standard logic app, as runtime is hosted in customer’s environment, there is a need to explicitly add an access policy at Azure connection to add permissions for System assigned managed identity of Logic App.
To achieve this, in the Logic app ARM template we would be creating system managed identity for logic app, input this identity value to Connection creation ARM template and add access policy.
2. Connection runtime URL:
In Logic App Standard, the connections.json file would have a field called “connectionRuntimeUrl” that refers to the runtime URL of the azure connection being used. Hence while deploying workflows, it is important to retrieve the “connectionRuntimeUrl” from the azure connection which is deployed in the portal and apply it to the correct entry in connections.json file.
To achieve this, In the connection creation ARM template, we would push the connection runtime URL as an app setting and in connections.json, we would refer to this app setting.
Please refer to the diagram below and the reference article for more details on these concepts.
Set up DevOps for Standard logic apps - Azure Logic Apps | Microsoft Docs
Based on the above considerations, please find below the detailed steps for deploying a logic app and its workflows with all three types of connections (built-in/service provider connections, Azure connections and function connections).
In this template we add Logic app infrastructure resource and all the dependent resources like Storage Account, Application Insight, App service plan and VNET configurations. In this step we:
In this template, we would add Azure connection resources. This template would take inputs from the previous template and use them to create access policy for Logic App’s managed identity. In this step we:
Example: LogicAppStandard/connectors-template.json at master · ShreeDivyaMV/LogicAppStandard (github.com)
Once both templates (Logic app infrastructure and Connections) are ready, create a DevOps pipeline to deploy these resources to Azure and to update app settings.
Define a DevOps pipeline that include the steps below:
Example: LogicAppStandard/iac-pipeline.yml at master · ShreeDivyaMV/LogicAppStandard (github.com)
In this step, we would create a ZIP package of the workflows folder, based on the source code repository. For example, you can push your VSCode project to source control and trigger a run of this pipeline whenever there is any commit to the project.
Please note that the changes below are required in the connections.json file.
Update the Azure connections section with the app setting property of connection runtime URL and parameterize the authentication field. Create a parameter file for storing the authentication details.
In this example, we are using built-in and function app connections as well, so we update the connection metadata for these connections as well with app settings. Make note of these App setting fields, as they are required later in the CD pipeline.
Please refer to the code snippet below for more details.
{
"functionConnections": {
"azureFunctionOperation": {
"authentication": {
"name": "Code",
"type": "QueryString",
"val-ue": "@appsetting('azureFunctionOperation_functionAppKey')"
},
"displayName": "FunctionApiConnection",
"function": {
"id": "@appsetting('azureFunctionOperation_functionResourceURI')"
},
"trig-gerUrl": "@appsetting('azureFunctionOperation_functionTriggerURI')"
}
},
"managedApiConnections": {
"azureblob": {
"api": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/providers/Microsoft.Web/locations/@appsetting('WORKFLOWS_LOCATION_NAME')/managedApis/azureblob"
},
"authentication": "@parameters('blob_auth')",
"connection": {
"id": "/subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/azureblob"
},
"connec-tionRuntimeUrl": "@appsetting('BLOB_CONNECTION_RUNTIMEURL')"
}
},
"serviceProviderConnections": {
"serviceBus": {
"displayName": "ServiceBus-Builtin",
"parameterValues": {
"connection-String": "@appsetting('serviceBus_connectionString')"
},
"serviceProvider": {
"id": "/serviceProviders/serviceBus"
}
}
}
}
Follow the steps below:
Example: LogicAppStandard/ci-pipeline.yml at master · ShreeDivyaMV/LogicAppStandard (github.com)
In this step, we would create a pipeline to deploy the zip package created in the previous step. During this step we update the app settings for all the app settings parameters used in the Connections.json file, so they can be found during runtime.
Create a DevOps pipeline to include the steps below
Example: LogicAppStandard/cd-pipeline.yml at master · ShreeDivyaMV/LogicAppStandard (github.com)
In this example, I am using two workflows with an azure connection, a service provider connection and a function connection.
Create an Azure DevOps project and create a service connection for your Azure subscription.
Connect to Microsoft Azure - Azure Pipelines | Microsoft Docs
Create three azure pipelines (IAC pipeline, CI pipeline and CD pipeline) using the yaml files created in the above steps.
Update the service connection name, resource group and LA name in the variables.yaml and the TODO sections in the pipeline yaml files.
Run the pipelines one by one, verify that the logic app, connections, and workflows are deployed.
DevOps deployment for single-tenant Azure Logic Apps - Azure Logic Apps | Microsoft Docs
Set up DevOps for Standard logic apps - Azure Logic Apps | Microsoft Docs
Root Repository: logicapps/azure-devops-sample at master · Azure/logicapps (github.com)
GitHub Repo used in the example: LogicAppStandard/azure-devops-sample at master · ShreeDivyaMV/LogicAppStandard (github.com)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.