Deploy Logic app and API connection using a Service Principal with an ARM template

A few days ago I created a simple Logic App that gets triggered by an HTTP POST and then executes a runbook. Given the simplicity, I could have just used a Flow instead of a Logic App, but the reason behind it is that it needs to connect to the Automation Account using a Service Principal rather than client credentials, and that’s only available to Logic Apps connectors.

Overall, the app is pretty simple:

The challenge appeared when I tried to automate the deployment process. I generated the ARM template for both the connection and the logic app and tried to deploy it. I was expecting the app id and secret to be just there in the template and I would then replace them by parameters, but that wasn’t the case. In fact, every time I deployed the connection using the ARM template, I found I had to go and authorize it and it would end up using the deployment account credentials. I needed a way to automate this deployment in DevOps so that it could use a client id/secret specific to the environment.

Get the API connection template

When you get the ARM template, it will look something like this:

As you see, there’s no authentication information there, although my connection was configured to use a service principal, with an app id and password. So, the challenge was to find a way to specify it in the ARM template.

That information can be specified inside the properties node, in parameterValues. But how do you know how to specify that information? Well, that depends on the type of connection.

Getting the API parameters

I used ARMClient to get the API metadata:

armclient.exe get https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Web/locations/{region}/managedApis/{Api}?api-version=2016-06-01

That will return a JSON file; you need to look at the “connectionParameters” node:

There were several connection parameters and I didn’t know if I had to specify values for all of them. But then I found that, while editing the logic app, the browser will also authenticate using the same approach. I opened the logic app and searched for the app id in the browser requests. There, I found this request:

The request was sending the following parameters (from the full list of parameters I found in the definition before):

  • token:TenantId
  • token:clientId
  • token:grantType
  • token:clientSecret

So, I just went ahead and specified those values (as parameters) in the “parameterValues”:

Then, declared those parameters:
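
An added example (not the author's original template) of a connection resource that sets the four token values listed above in parameterValues and declares the matching parameters. The managed API name azureautomation, the grant type value client_credentials, the connection name default and the parameter names are assumptions; the secret is declared as securestring so that its value is not recorded in the deployment history.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added example, not the author's template. 'azureautomation' and 'client_credentials' are assumed values."
  },
  "parameters": {
    "connectionName": {
      "type": "string",
      "defaultValue": "azureautomation"
    },
    "tenantId": {
      "type": "string",
      "metadata": { "description": "Azure AD tenant of the service principal." }
    },
    "clientId": {
      "type": "string",
      "metadata": { "description": "App id of the environment-specific service principal." }
    },
    "clientSecret": {
      "type": "securestring",
      "metadata": { "description": "Pass from a pipeline secret variable or a Key Vault reference; do not give it a defaultValue." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[parameters('connectionName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "[parameters('connectionName')]",
        "api": {
          "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'azureautomation')]"
        },
        "parameterValues": {
          "token:TenantId": "[parameters('tenantId')]",
          "token:clientId": "[parameters('clientId')]",
          "token:clientSecret": "[parameters('clientSecret')]",
          "token:grantType": "client_credentials"
        }
      }
    }
  ]
}
```

Keep the secret out of any committed parameters file: supply it at deployment time from the pipeline's secret store, one service principal per environment.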

Now, my ARM template contains both the connection and the logic app, and I can automate the deployment to any environment: