I am creating my first logic app which connects to SharePoint and adds entries into some sharepoint list.
Whenever I create a SharePoint Connection it adds below resource to my logic app.
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2018-07-01-preview",
"name": "[parameters('sharepointonline_1_Connection_Name')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'sharepointonline')]"
},
"displayName": "[parameters('sharepointonline_1_Connection_DisplayName')]",
"nonSecretParameterValues": {
"token:TenantId": "[parameters('sharepointonline_1_token:TenantId')]"
}
}
Could anyone give an explanation of "token:TenantId". How/where to get this value in my dev tenant. How this can be moved to UAT/PROD environment?
Whenever I recreate my logic app with the SharePoint connection it loses the connection and shows me below screen with a warning icon.
Is there a way we can authenticate this connection via PowerShell or via Azure DevOps deployment?
This seems to the OAuth connection and will need to be re-authorized after the template deployment to obtain valid access token. Some connections support using an Azure Active Directory (Azure AD) service principal to authorize connections for a logic app that's registered in Azure AD.
Documentation here shows how Azure data lake's connection resource definition can be configured to use parameter values of the template and Azure AD service principal to generate the token so you might want to check if SharePoint connection can be configured in same way or not.
{
<other-template-objects>
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[parameters('azuredatalake_1_Connection_Name')]",
"location": "[parameters('LogicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', 'resourceGroup().location', '/managedApis/', 'azuredatalake')]"
},
"displayName": "[parameters('azuredatalake_1_Connection_DisplayName')]",
"parameterValues": {
"token:clientId": "[parameters('azuredatalake_1_token:clientId')]",
"token:clientSecret": "[parameters('azuredatalake_1_token:clientSecret')]",
"token:TenantId": "[parameters('azuredatalake_1_token:TenantId')]",
"token:grantType": "[parameters('azuredatalake_1_token:grantType')]"
}
}
}
Reference: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview#authenticate-connections
Related
I am trying to create an Azure bot using Azure Rest API.
I am hitting this API (PUT Request) via the code by replacing the subscription id, resource group name
https://management.azure.com/subscriptions/{subscription id}/resourceGroups/{resourcegroupId}
/providers/Microsoft.BotService/botServices/{botName}?api-version=2018-07-12
Request body as follows
{"location":"global","properties":{"displayName":"{botName}","description":"{botName}","iconUrl":"https://docs.botframework.com/static/devportal/client/images/bot-framework-default.png","endpoint":"{endPoint}","msaAppId":"{app ID}"}}
However I am getting the error as
{
"error": {
"code": "InvalidBotData",
"message": "Bot is not valid. Errors: RuntimeVersion is required. See https://aka.ms/bot-requirements for detailed requirements."
}
}
I tried using nodejs (arm-botservice SDK) to create the bot using the same parameters (of course changing the parameters according to our azure portal ids) but I am still getting the same error. I guess internally it will call the same API as above.
Any help would be appreciated to resolve this issue.
Finally, I was able to do it.
I added the kind parameter and then it worked.
Following is the request
{"location":"global",kind="registration","properties":{"displayName":"{botName}","description":"{botName}","iconUrl":"https://docs.botframework.com/static/devportal/client/images/bot-framework-default.png","endpoint":"{endPoint}","msaAppId":"{app ID}"}}
Programmatic bot creation can not be done with REST at this time.
How to create Web App bot in azure using programmatically?
Use az cli as #joey-cai mentioned.
To create a Microsoft.BotService/botServices/channels resource, add the following JSON to the resources section of your template.
{
"name": "string",
"type": "Microsoft.BotService/botServices/channels",
"apiVersion": "2018-07-12",
"location": "string",
"tags": {},
"sku": {
"name": "string"
},
"kind": "string",
"properties": {
"channelName": "string"
}
}
Source : https://learn.microsoft.com/en-us/azure/templates/microsoft.botservice/2018-07-12/botservices/channels
I have made a Logic app that listens to an Event Grid Topic and it works fine, but if I delete it and try to create from the template it doesn't work. It never runs.
The problem is that while it does create the API connection to the event grid, it leaves it unauthorized and it doesn't create any subscription to the event grid topic either. At no point are any errors displayed. Everything succeeds, but it just doesn't create everything it is supposed to.
To get around this, I added commands to the Powershell script to authenticate it. This works fine, but this of course does not create the subscription.
If I run the ARM-template again, I expected it to create it now as connection is not valid, but no, it doesn't. I suppose Azure realizes nothing has changed in the template and does nothing? If I edit the ARM-template and change the subscription name, and deploy it again, then the subscription is created and it starts working.
I could of course call the template twice with 2 different subscription names as parameter but that sounds silly. There has to be some better way.
So what would be the best way to create that kind of logic app from templates and scripts?
You can create both your Event Grid Topic Subscription and the Logic Apps connection to it as separate resources. Examples template objects are below. Keep in mind that the connection is using oauth.
Event Grid Topic Subscription
{
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"name": "[concat(parameters('TopicName'), '/Microsoft.EventGrid/', variables('name'))]",
"location": "[parameters('Location')]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[parameters('Endpoint')]"
}
},
"filter": {
"includedEventTypes": [
"[parameters('EventType')]"
]
}
},
"dependsOn": [
]
}
Web Connection
{
"type": "Microsoft.Web/connections",
"name": "[variables('connectionName')]",
"apiVersion": "2016-06-01",
"location": "[parameters('ConnectionLocation')]",
"properties": {
"displayName": "[variables('connectionName')]",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/northcentralus/managedApis/azureeventgrid/')]"
},
"parameterValues": {
"token:clientId": "[parameters('ConnectionClientId')]",
"token:clientSecret": "[parameters('ConnectionClientSecret')]",
"token:TenantId": "[parameters('ConnectionTenantId')]",
"token:resourceUri": "https://management.core.windows.net/",
"token:grantType": "client_credentials"
}
},
"dependsOn": []
}
I believe there isn't a way to workaround the authorization required after the first time you deploy. So the simplest solution would be to have 2 separate templates - one for the API connection and the other for the Logic App.
Your PowerShell script would deploy the API Connection first, authorize it and then deploy the Logic App.
You could also have them in the same template too and control which is deployed by using a condition on each resource.
I'm able to deploy Azure Bot registration channel using Azure CLI template
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli
But I can't figure out how to set Facebook Channel credentials for new-created channel in the same script.
https://learn.microsoft.com/en-us/bot-framework/bot-service-manage-channels
I can't find any informations in the official docs
Here is part of my deployment template:
{
"resources": [
{
"type": "Microsoft.BotService/botServices",
"sku": {
"name": "[parameters('sku')]"
},
"kind": "[parameters('kind')]",
"name": "[parameters('botId')]",
"apiVersion": "2017-12-01",
"location": "global",
"properties": {
"name": "[parameters('botId')]",
"displayName": "[parameters('botId')]",
"endpoint": "[variables('botEndpoint')]",
"msaAppId": "[parameters('appId')]",
"developerAppInsightsApplicationId": "[variables('insightsName')]",
"developerAppInsightKey": "[reference(resourceId('microsoft.insights/components/', variables('insightsName')), '2015-05-01').InstrumentationKey]",
"enabledChannels": [
"webchat",
"directline",
"facebook"
],
"configuredChannels": [
"webchat",
"facebook"
]
},
"dependsOn": [
"[resourceId('microsoft.insights/components/', variables('insightsName'))]"
]
}
]
}
Any ideas here?
As you said, currently we cannot find official docs explain how to define ARM template (script) for Bot Channels Registration. I try to find that part in Automation script on Azure portal, I find that Microsoft.BotService/botServices is not exported and included in the template.
how to set Facebook Channel credentials for new-created channel in the same script.
I suspect that we cannot achieve that via ARM template at the moment. You had better to configure it on Azure portal. Besides, you can give a feedback for your feature request on github or Azure Bot Service UserVoice site.
Note:
This SO thread discussed a similar issue: Automating Deployment in Bot Framework (Bot + LUIS+ QnA + Table Storage)
You can set the Facebook channel with the Azure CLI.
https://learn.microsoft.com/en-us/cli/azure/bot/facebook?view=azure-cli-latest
az bot facebook create --appid
--name
--page-id
--resource-group
--secret
--token
[--add-disabled {false, true}]
[--subscription]
Duplicate Question?
I don't believe it is. As stated, this is working using my user from a local deployment and all (as I understand it) permissions have been granted to the Service Principal and the test user that also fails locally.
I have an ARM template that provisions and deploys a web app, part of that is to apply a certificate binding to the webapp. That part of the template looks like this:
{
"type": "Microsoft.Web/sites",
"kind": "api",
"name": "[parameters('name')]",
"apiVersion": "2015-08-01",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('name')]",
"serverFarmId": "[resourceId(parameters('servicePlanGroup'), 'Microsoft.Web/serverFarms', parameters('servicePlanName'))]"
},
"resources": [
{
"name": "[parameters('certificateName')]",
"apiVersion": "2014-04-01",
"type": "Microsoft.Web/certificates",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('name'))]"
],
"properties": {
"keyVaultId": "[parameters('keyVaultId')]",
"keyVaultSecretName": "[parameters('keyVaultSecretName')]"
}
}
]
}
When I run this locally from my PC it works fine, when I run it from the VSTS the deployment fails, and look like this:
Where the error is:
"operationName": {
"localizedValue": "Microsoft.Web/certificates/write",
"value": "Microsoft.Web/certificates/write"
},
"properties": {
"statusCode": "Unauthorized",
"statusMessage": "{\"error\":{\"code\":\"BadRequest\",\"message\":\"\"}}"
}
The SSL certificate and the KeyVault both have permissions added for the Service Principal that VSTS runs under for this release.
The Release Principal user has Read,List for keys and secrets in the KeyVault and is a Contributor in the subscription. My account which works locally is co-admin.
Any ideas on what permissions need to be added?
Update
I added another user testuser which has the same rights as the Service Principal and it now fails locally. I guess it will be some trial and error to add permissions and see what works.
This is not a duplicate question - as mentioned it was pointing to strange permission issue across accounts, even though the permissions were set. It turns out that for some reason the co-admin will work despite the below issue - a potential bug in the ARM/permission infrastructure, maybe?
This works for co-admin user but not anyone else.
Whereas this works for a lesser privileged user/principal.
Note the schema version change. The original schema of 2014-04-01 doesn't actually include anything about Microsoft.Web/Certificates whereas the updated schema 2015-08-01 does include this information.
Local testing using the testuser with same privileges as the VSTS service principal is working fine with this change.
Side Note for anyone else trying to achieve SSL bindings:
The location of resources in my example is all the same. I suspect if the vault is in a different location, then its resource group may also need to be specified for this to work the same - I haven't tested that theory though.
I'm writing a custom task to publish documents to the Azure API portal. I want the UI for the task to list out the available API Management services for a selected Subscription and Resource Group. According to this issue, this should technically be possible by specifying the endpointUrl inline with my datasource binding. I've tried to model the endpoint after the datasources in the Azure RM Web Deployment task, but I can't seem to get it working. In my task I am able to select my subscription, select my resource group, but the pickList for my custom data source is always empty. I'm not doing any explicit authentication in my task defintion, so I'm not sure if that's somehow related. Below are the inputs and dataSourceBindings for my task:
"inputs": [
{
"name": "ConnectedServiceName",
"type": "connectedService:AzureRM",
"label": "Azure RM Subscription",
"defaultValue": "",
"required": true,
"helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
},
{
"name": "ResourceGroupName",
"label": "Resource Group",
"type": "pickList",
"required": true,
"helpMarkDown": "Select resource group which contains the API portal"
},
{
"name": "ApiPortalName",
"type": "pickList",
"label": "API Portals",
"defaultValue": "",
"required": true,
"properties": {
"EditableOptions": "True"
},
"helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
}
],
"dataSourceBindings": [
{
"target": "ResourceGroupName",
"endpointId": "$(ConnectedServiceName)",
"dataSourceName": "AzureResourceGroups"
},
{
"name": "ApiPortals",
"target": "ApiPortalName",
"endpointId": "$(ConnectedServiceName)",
"endpointUrl": "https://management.azure.com/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
"resultSelector": "jsonpath:$.value[*].name",
"parameters": {
"ResourceGroupName": "$(ResourceGroupName)"
}
}
UPDATE
After inspecting the console in Chrome I received an error message indicating that I cannot call URLs that don't start with {{endpoint.url}}. I updated my task with {{endpoint.url}} at the root and I did see it attempt to make the API call I expected:
{
"name": "ApiPortals",
"target": "ApiPortalName",
"endpointId": "$(ConnectedServiceName)",
"endpointUrl": "{{endpoint.url}}/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
"resultSelector": "jsonpath:$.value[*].name",
"parameters": {
"ResourceGroupName": "$(ResourceGroupName)"
}
}
The problem now is that for some reason endpoint.url resolves to https://management.core.windows.net for Azure RM endpoint types. Azure RM APIs are hosted at https://management.azure.com. As a result I am receiving a 403 since my endpoint credentials are for an Azure RM Service Principal, not the Azure Classic Management APIs.
I've updated my Github Issue with this information as well. I believe this is a bug and endpoint.url for the Azure RM Service endpoint should resolve to https://management.azure.com. If you look at the data sources that are defined in the Azure RM Service Endpoint, they all reference APIs hosted at https://managemnet.azure.com not https://management.core.windows.net.
Check Custom build task JSON schema, you cannot use "endpointUrl" and "resultSelector" for "dataSourceBindings" in task.json. There are used to define the custom service endpoint in vss-extension.json file. And you also missed the "dataSourceName" for "ApiPortals".
If you want to call the Rest API with URL and use the selector from task.json, you can use "sourceDefinitions" instead of "dataSourceBindings". Refer to my answer in this question for details. However, only basic authentication is supported with "sourceDefinitions" for now which means that this is not applicable to you scenario either.
So you need to create a custom service endpoint to achieve the feature you want for now.