Azure / logicapps

Azure Logic Apps labs, samples, and tools
MIT License

Error in creating access policy for connection in reference when connection is parameterized #367

Closed skyaddict closed 2 years ago

skyaddict commented 3 years ago

After parameterizing my connections.json as shown in the example found at: https://github.com/Azure/logicapps/blob/master/azure-devops-sample/logic/connections.json the following errors occur when publishing to the logic app from VSCode:

Error in creating access policy for connection in reference - 'sql'. Error: Error in getting connection - /subscriptions/@appsetting('WORKFLOWS_SUBSCRIPTION_ID')/resourceGroups/@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')/providers/Microsoft.Web/connections/sql. Error: The provided subscription identifier '@appsetting('WORKFLOWS_SUBSCRIPTION_ID')' is malformed or invalid. Error: Resource group '@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')' could not be found.

It appears that the method for creating the access policy is running before the tokens are replaced.

puspraj-repos commented 2 years ago

@skyaddict Can you please confirm whether the WORKFLOWS_SUBSCRIPTION_ID parameter is present in local.settings.json? Also, you can use the appsetting expression only in the workflow.json, connection.json and parameters.json files. If you're developing this logic app in the portal, you can check whether these settings are present in the application settings under the configuration blade.

skyaddict commented 2 years ago

@puspraj-repos Yes, the parameter is present in the local.settings.json file and in the configuration blade. This seems to be an issue when deploying the workflows from VSCode.

puspraj-repos commented 2 years ago

@skyaddict, this is expected. When we are doing local testing, the local.settings.json file has its significance. Once we try to deploy our project to Azure, this file and its contents will get ignored. For more details you can refer to this doc: https://docs.microsoft.com/en-us/azure/logic-apps/edit-app-settings-host-settings?tabs=visual-studio-code#visual-studio-code-project-structure

sven5 commented 2 years ago

@puspraj-repos So how do you suggest working around this? We still need parameterized connection settings and we would like to deploy from VSCode.

puspraj-repos commented 2 years ago

@sven5 You can use the parameters.json file to move the same properties which are referenced in the local.settings.json file. One change that you need to make in the connection.json file is to replace the appsetting with parameter.

sven5 commented 2 years ago

@puspraj-repos Thanks for your suggestion. However, I'm still getting an error when trying to deploy to Azure using VSCode:

Error: Error in creating access policy for connection in reference - 'azurefile'. Error: Error in getting connection - /subscriptions/@parameters('SubscriptionId')/resourceGroups/@parameters('ResourceGroupName')/providers/Microsoft.Web/connections/azurefile. Error: The provided subscription identifier '@parameters('SubscriptionId')' is malformed or invalid.

I have this in my parameters.json:

  "SubscriptionId": {
    "type": "String",
    "value": "@appsetting('WORKFLOWS_SUBSCRIPTION_ID')"
  },

puspraj-repos commented 2 years ago

@sven5 You need to provide the actual subscriptionid and other details in the parameter file.

  {
    "SubscriptionId": {
      "type": "String",
      "value": "subscription-id-value"
    }
  }

sven5 commented 2 years ago

@puspraj-repos Thanks for your support. But still the same error.

Error: Error in creating access policy for connection in reference - 'azurefile'. Error: Error in getting connection - /subscriptions/@parameters('SubscriptionId')/resourceGroups/@parameters('ResourceGroupName')/providers/Microsoft.Web/connections/azurefile. Error: The provided subscription identifier '@parameters('SubscriptionId')' is malformed or invalid.

My parameters.json:

  "SubscriptionId": {
    "type": "String",
    "value": "xxxxxxx-xaa6-4fdd-b8f5-0090f37fda5b"
  },

My connections.json:

  "managedApiConnections": {
    "azurefile": {
      "api": {
        "id": "/subscriptions/@parameters('SubscriptionId')/providers/Microsoft.Web/locations/germanywestcentral/managedApis/azurefile"
      },
      "connection": {
        "id": "/subscriptions/@parameters('SubscriptionId')/resourceGroups/@parameters('ResourceGroupName')/providers/Microsoft.Web/connections/azurefile"
      },
      "connectionRuntimeUrl": "https://xxxxx.03.common.logic-germanywestcentral.azure-apihub.net/apim/azurefile/ac7a0e0dadfa2f4c16a6413282580f91d9",
      "authentication": {
        "type": "Raw",
        "scheme": "Key",
        "parameter": "@appsetting('STORAGE1_KEY')"
      },
      "displayName": "storage1"
    }
  },

puspraj-repos commented 2 years ago

@sven5 You might be getting this error because of access policies. In a Standard logic app, a managed API connection must have an access policy which associates the API connection with the logic app. Unlike a Consumption logic app, where you can use any API connection in any logic app, here we need to bind the API connection to the logic app, which is done by the access policy.

For more details on ARM template of API connection with access policies you can refer this

If you create the same API connection from the portal, the access policies are automatically created. To confirm this, you can go to the portal and check the connections blade in the Logic App Standard resource.

image

In the above image, the API connection with azureblob-1 was created from the local machine while testing, and the others were created either from the ARM template or from the portal.

sven5 commented 2 years ago

@puspraj-repos Thanks for guiding. However, the deployment using VSCode still does not work. The error is the same. I can only deploy by manually copying the parameterized connection.json to the Azure portal. I've recreated the connection using a workflow just for connections as described here

sven5 commented 2 years ago

I've found out that it's impossible to parameterize the value of connection id in a managedApiConnection. All other values (ids) can be parameterized as mentioned. Seems like a bug to me.

"managedApiConnections": {
    "azurefile": {
        "api": {
            "id": "/subscriptions/@parameters('SubscriptionId')/providers/Microsoft.Web/locations/germanywestcentral/managedApis/azurefile"
        },
        "authentication": {
            "parameter": "@appsetting('STORAGE1_KEY')",
            "scheme": "Key",
            "type": "Raw"
        },
        "connection": {
            "id": "/subscriptions/<subscription id>/resourceGroups/env-stage/providers/Microsoft.Web/connections/azurefile"
        },
        "connectionRuntimeUrl": "https://xxxx.03.common.logic-germanywestcentral.azure-apihub.net/apim/azurefile/xxx",
        "displayName": "storage1"
    }
  }

puspraj-repos commented 2 years ago

@sven5 Actually it is possible. I tried this and it works. Below is the example where I've used this and it works.

"connection": { "id": "/subscriptions/@parameters('subscription-id')/resourcegroups/pujaiswa-v2/providers/microsoft.web/connections/azureblob" }

sven5 commented 2 years ago

This is really strange. When I tried your code, it worked the first time. But later, the error comes up again.

ag-be commented 1 year ago

@sven5 Were you able to find a solution to your problem? I am facing exactly the same problem...
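
Added example, not part of the thread and not the project's or the VS Code extension's code: a pre-deployment check that resolves the `@parameters('…')` and `@appsetting('…')` tokens in each managed connection id and reports any id that would still reach ARM with a token in it or with a malformed subscription id, which is the condition the errors above describe. It assumes only the two token forms shown in the thread and that a parameter value may itself be an `@appsetting` expression, as in the parameters.json posted above; the function names and sample values are constructed.

```python
import re

# The two expression forms that appear in the thread's connections.json.
TOKEN = re.compile(r"@(parameters|appsetting)\('([^']+)'\)")
# Managed API connection id with a literal subscription GUID and no '@' left.
CONNECTION_ID = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[^/@]+/providers/Microsoft\.Web/connections/[^/@]+$",
    re.IGNORECASE,
)

def resolve(text, parameters, app_settings, depth=0):
    """Substitute tokens; a parameter value may itself hold an @appsetting token."""
    if depth > 5:
        raise ValueError("expression nesting too deep (circular reference?)")
    def substitute(match):
        kind, name = match.groups()
        if kind == "parameters":
            value = parameters.get(name, {}).get("value")
        else:
            value = app_settings.get(name)
        if value is None:
            return match.group(0)  # keep the token so the caller can report it
        return resolve(str(value), parameters, app_settings, depth + 1)
    return TOKEN.sub(substitute, text)

def check_connections(connections, parameters, app_settings):
    """Map connection name -> problem for ids that are not literal ARM ids."""
    problems = {}
    for name, conn in connections.get("managedApiConnections", {}).items():
        resolved = resolve(conn["connection"]["id"], parameters, app_settings)
        leftover = [token_name for _, token_name in TOKEN.findall(resolved)]
        if leftover:
            problems[name] = "unresolved: " + ", ".join(leftover)
        elif not CONNECTION_ID.match(resolved):
            problems[name] = "malformed resource id: " + resolved
    return problems

# Constructed sample input, shaped like the files posted in the thread.
CONNECTIONS = {"managedApiConnections": {"azurefile": {"connection": {"id": (
    "/subscriptions/@parameters('SubscriptionId')/resourceGroups/"
    "@parameters('ResourceGroupName')/providers/Microsoft.Web/connections/azurefile")}}}}
PARAMETERS = {
    "SubscriptionId": {"type": "String", "value": "00000000-0000-0000-0000-000000000000"},
    "ResourceGroupName": {"type": "String", "value": "@appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')"},
}

if __name__ == "__main__":
    print(check_connections(CONNECTIONS, PARAMETERS, {}))
```

Run against a real project, load connections.json and parameters.json with `json.load` and pass the target app's settings as the third argument; an empty result means every connection id resolves to a literal resource id.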