BICEP-Create API connections for Logic Apps

Vinnarason James
Jul 26, 2021

Creating API connections automatically from the deployment pipeline.

Logic Apps offers a rich set of connectors for connecting to external applications. When a connector is configured in a workflow, an API connection is created internally; it stores the authentication details and maintains the authenticated state. Because the logic app depends on its API connections, it is very important to automate their creation.

In Bicep, these API connections are created with the following resource type:

'Microsoft.Web/connections@2016-06-01'

Dataverse API connection:

Dataverse is the backend for the new Power Apps platform and Microsoft's version of CRM. Logic Apps and Power Automate are frequently used to perform CRUD operations on Dataverse. Logic Apps has a connector that handles authentication and performs the various data operations. When this connector is configured, an API connection is created. The connector uses a service principal to connect to Dataverse.

Please note that the service principal should be added as an application user in the Dataverse environment.

Dataverse API connection screen

The following Bicep snippet creates the Dataverse API connection:

resource la_dataverse_con 'Microsoft.Web/connections@2016-06-01' = {
  name: dataverseConnectionName
  location: location
  tags: tagValues
  properties: {
    api: {
      id: 'subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${location}/managedApis/commondataservice'
    }
    displayName: dataverseConnectionName
    parameterValues: {
      'token:clientId': dataverseClientId
      'token:clientSecret': dataverseClientSecret // declare this param with @secure()
      'token:TenantId': subscription().tenantId
      'token:grantType': 'client_credentials'
    }
  }
}

Salesforce API connection:

Salesforce integration is another frequent requirement. Logic Apps has a powerful connector that can perform a variety of operations on Salesforce.

Salesforce API connection screen

This needs an integration account created in Salesforce with the relevant access. Its credentials should be stored in a key vault and read from the key vault during pipeline execution. The Salesforce API connection can be created using the snippet below.

resource la_salesforce_con 'Microsoft.Web/connections@2016-06-01' = {
  name: salesforceConnectionName
  location: location
  tags: tagValues
  properties: {
    api: {
      id: 'subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${location}/managedApis/salesforce'
    }
    displayName: salesforceConnectionName
    parameterValues: {}
    // Entries under nonSecretParameterValues are not treated as secrets by the connection resource
    nonSecretParameterValues: {
      'token:LoginUri': token_LoginUri
      salesforceApiVersion: salesforceApiVersion
      username: salesforceUserName
      password: salesforcePassword // declare this param with @secure()
      redirectUrl: redirectUrl
    }
  }
}

The parameter values are shown below. For the production environment, the login URI changes accordingly.

"token_LoginUri": {
  "value": "https://test.salesforce.com"
},
"salesforceApiVersion": {
  "value": "v41"
},
"salesforceUserName": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyvaultName>"
    },
    "secretName": "salesforce-ia-username"
  }
},
"salesforcePassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyvaultName>"
    },
    "secretName": "salesforce-ia-password"
  }
}

One outstanding issue with creating the Salesforce API connection is that, if the integration account has MFA enabled, the API connection can't complete the authentication automatically. This might require a manual step after the deployment to complete the authorization.

Create SendGrid API connection:

SendGrid is an email delivery service. When we need to send email alerts from Logic Apps, SendGrid can be used. A SendGrid connector is available that handles authentication and also allows you to perform a lot of operations.

SendGrid API connection screen

The SendGrid API connection is created using the script below.

resource la_sendgrid_con 'Microsoft.Web/connections@2016-06-01' = {
  name: sendgridConnectionName
  location: location
  tags: tagValues
  properties: {
    api: {
      id: 'subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${location}/managedApis/sendgrid'
    }
    displayName: sendgridConnectionName
    parameterValues: {
      apiKey: sendgridApiKey // declare this param with @secure()
    }
  }
}

The SendGrid API key can be created from the SendGrid management portal and should be stored in a key vault. The parameter file retrieves the API key using a key vault reference.

Create Key Vault API connection:

The Key Vault API connection can be created using either service principal authentication or a managed identity.

Key Vault API connection screen

Using service principal:

resource la_keyvault_con 'Microsoft.Web/connections@2016-06-01' = {
  name: keyvaultConnectionName
  location: location
  tags: tagValues
  properties: {
    api: {
      id: 'subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${location}/managedApis/keyvault'
    }
    displayName: keyvaultConnectionName
    parameterValues: {
      'token:clientId': spApplicationId
      'token:clientSecret': spSecret // declare this param with @secure()
      'token:TenantId': subscription().tenantId
      'token:grantType': 'client_credentials'
      vaultName: '${keyvaultName}-${env}'
    }
  }
}

Using managed identity:

resource la_keyvault_con 'Microsoft.Web/connections@2016-06-01' = {
  name: keyvaultConnectionName
  location: location
  tags: tagValues
  properties: {
    api: {
      id: 'subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${location}/managedApis/keyvault'
    }
    displayName: keyvaultConnectionName
    parameterValueType: 'Alternative'
    alternativeParameterValues: {
      vaultName: '${keyvaultName}-${env}'
    }
  }
}
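
The managed-identity connection stores no credential of its own, so the logic app must be told to authenticate with its identity, and that identity needs access to the vault. The following is an added example, not code from the original article: the parameter names, the empty workflow definition and the use of vault access policies are assumptions, and the single-line object syntax needs a recent Bicep CLI.

```bicep
// Added example, not from the original article. Assumes the managed-identity
// connection is already deployed and the vault uses access policies (not RBAC).
param location string = resourceGroup().location
param logicAppName string // assumed parameter name
param keyvaultName string // full name of the existing vault
param keyvaultConnectionName string
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = { name: keyvaultName }
resource con 'Microsoft.Web/connections@2016-06-01' existing = { name: keyvaultConnectionName }

resource la 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: { '$connections': { type: 'Object', defaultValue: {} } }
      triggers: {}
      actions: {}
    }
    parameters: {
      '$connections': {
        value: {
          keyvault: {
            connectionId: con.id
            connectionName: con.name
            id: con.properties.api.id
            connectionProperties: { authentication: { type: 'ManagedServiceIdentity' } } // no stored secret
          }
        }
      }
    }
  }
}
// Least privilege: the workflow identity may only read secret values from this vault.
resource kvAccess 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: la.identity.principalId
        permissions: { secrets: [ 'get' ] }
      }
    ]
  }
}
```

If the vault uses Azure RBAC instead of access policies, replace the access policy with a role assignment for the same principal.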

This list could go on and I am planning to extend this as I get to explore more. Happy reading!
