hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_api_connection broke up the support of the Managed identity authentication #19234

Open JiriKovar opened 1 year ago

JiriKovar commented 1 year ago

Terraform Version

1.3.4

AzureRM Provider Version

3.30.0

Affected Resource(s)/Data Source(s)

azurerm_api_connection

Terraform Configuration Files

locals {
  api_connection_with_managed_identity = {
    id             = data.azurerm_managed_api.type.id
    connectionId   = azurerm_api_connection.connection.id
    connectionName = azurerm_api_connection.connection.name
    connectionProperties = {
      authentication = {
        type = "ManagedServiceIdentity"
      }
    }
  }
}

data "azurerm_managed_api" "type" {
  name     = "kusto"
  location = var.resource_group.location
}

resource "azurerm_api_connection" "connection" {
  name                = "dataexplorer"
  resource_group_name = var.resource_group.name
  managed_api_id      = data.azurerm_managed_api.type.id
  display_name        = var.display_name

  lifecycle {
    ignore_changes = [parameter_values]
  }
}

resource "azurerm_logic_app_workflow" "workflow" {
  name                = var.name
  location            = var.resource_group.location
  resource_group_name = var.resource_group.name
  enabled             = true

  workflow_parameters = {
    "$connections" = jsonencode({ "defaultValue" = {}, "type" = "Object" })
  }

  parameters = {
    "$connections" = jsonencode({
      "kusto" = local.api_connection_with_managed_identity
    })
  }

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_kusto_database_principal_assignment" "logic_app_permissions" {
  name                = "${replace(azurerm_logic_app_workflow.workflow.name, "/[^a-zA-Z0-9]/", "-")}-logic-app"
  resource_group_name = var.data_explorer_connection.resource_group.name
  cluster_name        = var.data_explorer_connection.cluster_name
  database_name       = var.data_explorer_connection.database_name

  tenant_id      = azurerm_logic_app_workflow.workflow.identity[0].tenant_id
  principal_id   = azurerm_logic_app_workflow.workflow.identity[0].principal_id
  principal_type = "App"
  role           = "Viewer"
}

Debug Output/Panic Output

Error: [ERROR] Error creating Logic App Workflow Workflow: (Name "jirik_logic_app" / Resource Group "jirik"): logic.WorkflowsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="WorkflowManagedIdentityConfigurationInvalid" Message="The workflow connection parameter 'kusto' is not valid. The API connection 'kusto' is not configured to support managed identity."

Expected Behaviour

I expect this to work like it used to (the last observed working time was 2021-11-02T08:27:17.4938458Z). We have been able to work around this issue by rolling back to ARM template usage. The ARM template of the API connection looks like this:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "defaultValue": "dataexplorer",
            "type": "String"
        }
    },
    "variables": {
        "apiId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ', '')), '/managedApis/kusto')]"
    },
    "resources": [{
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "[parameters('name')]",
        "location": "[resourceGroup().location]",
        "kind": "V1",
        "properties": {
            "displayName": "[parameters('name')]",
            "api": {
                "name": "kusto",
                "id": "[variables('apiId')]",
                "type": "Microsoft.Web/locations/managedApis"
            },
            "parameterValueType": "Alternative",
            "alternativeParameterValues": {
                "privacySetting": "None"
            }
        }
    }],
    "outputs": {
        "name": {
            "type": "String",
            "value": "[parameters('name')]"
        }
    }
}

Actual Behaviour

It fails with the output mentioned above.

Steps to Reproduce

Please see the configuration provided above:

It looks like it's somehow connected to the empty "nonSecretParameterValues" object in the ARM template (or at least that's the only difference we have been able to observe). Please compare the following results:

Here is the ARM template export from the Azure Portal of the OLD connection that works:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "connections_dataexplorer_name": {
            "defaultValue": "dataexplorer",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('connections_dataexplorer_name')]",
            "location": "westeurope",
            "kind": "V1",
            "properties": {
                "displayName": "[parameters('connections_dataexplorer_name')]",
                "statuses": [
                    {
                        "status": "Ready"
                    }
                ],
                "customParameterValues": {},
                "createdTime": "2021-11-02T08:27:17.4938458Z",
                "changedTime": "2021-11-02T08:27:17.4938458Z",
                "api": {
                    "name": "kusto",
                    "displayName": "Azure Data Explorer",
                    "description": "Azure Data Explorer a.k.a Kusto is a log analytics cloud platform optimized for ad-hoc big data queries. Read more about it here: http://aka.ms/kdocs",
                    "iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1601/1.0.1601.3047/kusto/icon.png",
                    "brandColor": "#20427f",
                    "id": "/subscriptions/ba69ff19-e0dc-4466-8a71-6ea19aab0879/providers/Microsoft.Web/locations/westeurope/managedApis/kusto",
                    "type": "Microsoft.Web/locations/managedApis"
                },
                "testLinks": []
            }
        }
    ]
}

Here is an export of the newly created connection that works and is created by the ARM template mentioned above (the workaround):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "connections_dataexplorer_name": {
            "defaultValue": "dataexplorer",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('connections_dataexplorer_name')]",
            "location": "eastus",
            "kind": "V1",
            "properties": {
                "displayName": "[parameters('connections_dataexplorer_name')]",
                "statuses": [
                    {
                        "status": "Ready"
                    }
                ],
                "customParameterValues": {},
                "createdTime": "2022-11-10T12:05:59.2511197Z",
                "changedTime": "2022-11-10T12:05:59.2511197Z",
                "api": {
                    "name": "kusto",
                    "displayName": "Azure Data Explorer",
                    "description": "Azure Data Explorer a.k.a Kusto is a log analytics cloud platform optimized for ad-hoc big data queries. Read more about it here: http://aka.ms/kdocs",
                    "iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1601/1.0.1601.3047/kusto/icon.png",
                    "brandColor": "#20427f",
                    "id": "/subscriptions/ba69ff19-e0dc-4466-8a71-6ea19aab0879/providers/Microsoft.Web/locations/eastus/managedApis/kusto",
                    "type": "Microsoft.Web/locations/managedApis"
                },
                "testLinks": []
            }
        }
    ]
}

And here is the broken one created today by the "azurerm_api_connection" resource:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "connections_dataexplorer_name": {
            "defaultValue": "dataexplorer",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('connections_dataexplorer_name')]",
            "location": "eastus",
            "kind": "V1",
            "properties": {
                "displayName": "[parameters('connections_dataexplorer_name')]",
                "statuses": [
                    {
                        "status": "Error",
                        "target": "token",
                        "error": {}
                    }
                ],
                "customParameterValues": {},
                "nonSecretParameterValues": {},
                "createdTime": "2022-11-09T16:51:39.5420074Z",
                "changedTime": "2022-11-09T16:51:39.5420074Z",
                "api": {
                    "name": "kusto",
                    "displayName": "Azure Data Explorer",
                    "description": "Azure Data Explorer a.k.a Kusto is a log analytics cloud platform optimized for ad-hoc big data queries. Read more about it here: http://aka.ms/kdocs",
                    "iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1601/1.0.1601.3047/kusto/icon.png",
                    "brandColor": "#20427f",
                    "id": "/subscriptions/ba69ff19-e0dc-4466-8a71-6ea19aab0879/providers/Microsoft.Web/locations/eastus/managedApis/kusto",
                    "type": "Microsoft.Web/locations/managedApis"
                },
                "testLinks": []
            }
        }
    ]
}

Important Factoids

No response

References

No response

commakoerschgen commented 1 year ago

I'm having a similar problem with an Azure Blob Storage connection. Here, it appears that Managed Identity authentication is configured by the property "parameterValueSet": { "name": "managedIdentityAuth", "values": {} }, which is still unsupported by the azurerm provider (#16818).
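
The three template exports in the issue body and the blob-storage note above describe two distinct signals: a deployment template shows how the connection is meant to authenticate (parameterValueType "Alternative" for kusto, or a parameterValueSet named "managedIdentityAuth" for blob storage), while an export of a broken connection shows a status Error on target "token" and an empty "nonSecretParameterValues" object. The script below is an added example written for this thread, not code from the provider or from any commenter; it scans exported Microsoft.Web/connections resources for those signals so a drifted connection can be spotted before a Logic App deployment fails. The function names, the report structure and the sample templates are constructed here from the exports above, and the "azureblob" managed API name in the blob sample is an assumption, not taken from the page.

```python
"""Classify exported Microsoft.Web/connections resources by managed identity
configuration and health, using the signals visible in this issue's exports.
Added example for this thread; not provider or Azure code."""
import json
from dataclasses import dataclass, field


@dataclass
class ConnectionReport:
    name: str
    api: str
    auth_mode: str          # "alternative", "managedIdentityAuth" or "unspecified"
    status: str             # "Ready", "Error" or "unknown" (deployment templates carry none)
    suspect: bool           # True when the export looks like the broken one in this issue
    reasons: list = field(default_factory=list)


def _resolve_name(raw, parameters):
    # Exports name resources as "[parameters('x')]"; use the parameter's default value.
    prefix, suffix = "[parameters('", "')]"
    if raw.startswith(prefix) and raw.endswith(suffix):
        key = raw[len(prefix):-len(suffix)]
        return str(parameters.get(key, {}).get("defaultValue", raw))
    return raw


def classify_connection(resource, parameters=None):
    """Report on one Microsoft.Web/connections resource (a dict from a template)."""
    parameters = parameters or {}
    props = resource.get("properties", {})
    reasons = []

    # Managed identity evidence: either shape seen in this thread.
    auth_mode = "unspecified"
    if props.get("parameterValueType") == "Alternative":
        auth_mode = "alternative"
    elif (props.get("parameterValueSet") or {}).get("name") == "managedIdentityAuth":
        auth_mode = "managedIdentityAuth"

    # Health: the broken provider-created export reports Error on target "token".
    status = "unknown"
    for entry in props.get("statuses") or []:
        status = entry.get("status", "unknown")
        if status == "Error":
            reasons.append(f"status Error on target {entry.get('target')!r}")

    # The only structural difference the reporter observed in the broken export.
    if "nonSecretParameterValues" in props and auth_mode == "unspecified":
        reasons.append("empty nonSecretParameterValues without alternative parameter values")

    return ConnectionReport(
        name=_resolve_name(resource.get("name", ""), parameters),
        api=props.get("api", {}).get("name", ""),
        auth_mode=auth_mode,
        status=status,
        suspect=bool(reasons),
        reasons=reasons,
    )


def scan_template(template_text):
    """Parse an ARM template (string) and report on every connection resource in it."""
    template = json.loads(template_text)
    parameters = template.get("parameters", {})
    return [
        classify_connection(res, parameters)
        for res in template.get("resources", [])
        if res.get("type") == "Microsoft.Web/connections"
    ]


def _template(properties, api_name="kusto"):
    # Constructed sample: the skeleton shared by the exports in this issue, one resource.
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"connections_dataexplorer_name": {"defaultValue": "dataexplorer", "type": "String"}},
        "resources": [{
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('connections_dataexplorer_name')]",
            "kind": "V1",
            "properties": {"api": {"name": api_name}, **properties},
        }],
    })


# Constructed samples mirroring the page: the workaround deployment template, the
# export of a healthy connection, the export of the broken one, and (assumed
# "azureblob" API name) the blob-storage shape from the comment above.
WORKAROUND_TEMPLATE = _template({"parameterValueType": "Alternative",
                                 "alternativeParameterValues": {"privacySetting": "None"}})
HEALTHY_EXPORT = _template({"statuses": [{"status": "Ready"}], "customParameterValues": {}})
BROKEN_EXPORT = _template({"statuses": [{"status": "Error", "target": "token", "error": {}}],
                           "customParameterValues": {}, "nonSecretParameterValues": {}})
BLOB_MI_TEMPLATE = _template({"parameterValueSet": {"name": "managedIdentityAuth", "values": {}}},
                             api_name="azureblob")

if __name__ == "__main__":
    for label, text in [("workaround", WORKAROUND_TEMPLATE), ("healthy", HEALTHY_EXPORT),
                        ("broken", BROKEN_EXPORT), ("blob", BLOB_MI_TEMPLATE)]:
        for report in scan_template(text):
            print(label, report)
```

Run it against a real export (the "Export template" JSON from the portal) by passing the file contents to scan_template; any report with suspect set is a connection that will trigger the WorkflowManagedIdentityConfigurationInvalid error shown above when a workflow references it with a ManagedServiceIdentity authentication block.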

nguyenanhducs commented 10 months ago

An alternative way to create an Azure connection is to use the azapi_resource resource. For example:

# Referenced below for the subscription id; azurerm_resource_group.rg is assumed to be declared elsewhere.
data "azurerm_client_config" "current" {}

resource "azapi_resource" "automation_connection" {
  type                      = "Microsoft.Web/connections@2016-06-01"
  name                      = "azureautomation"
  location                  = azurerm_resource_group.rg.location
  parent_id                 = azurerm_resource_group.rg.id
  # Skip azapi's client-side schema validation of the body
  schema_validation_enabled = false

  body = jsonencode({
    properties = {
      # Same shape as the working ARM template above: no stored secrets,
      # "Alternative" parameter values so the connection authenticates via identity
      customParameterValues      = {}
      alternativeParameterValues = {}
      parameterValueType         = "Alternative"

      api = {
        name        = "azureautomation"
        displayName = "Azure Automation"
        description = "Azure Automation provides tools to manage your cloud and on-premises infrastructure seamlessly."
        id          = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Web/locations/${azurerm_resource_group.rg.location}/managedApis/azureautomation"
        type        = "Microsoft.Web/locations/managedApis"
      }
    }
  })
}

zasanski commented 4 months ago

I have a similar problem connecting with managed identity to an SQL database. Furthermore, due to a broken connection, later manual configuration is not possible.