Logic Apps managed identity deployed with DevOps bicep template gets error sending to Service Bus topic

I'm creating a logic app with managed identity to send a message to service bus using bicep.

My main.bicep runs four modules in sequence (using DependsOn) to do the following.

  • Set up Service Bus with a system-assigned identity and create the target topic.
  • Create the API connection to the namespace endpoint.
  • Create the Logic App with a system-assigned identity, referencing the Service Bus API connection and specifying managed identity as the authentication.
  • Assign the Service Bus Sender RBAC role to the topic.

Everything looks right when I view the deployment in the portal. However, I am encountering a 401 error in trying to send a message to the topic from the Logic App I have granted access to.

"status": 401, "message": "40100: Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name-redacted].servicebus.windows.net/[topic-name-redacted]'

Manually creating an API connection post-deployment via the logic app designer results in successful message delivery so I'm obviously doing something wrong.

It’s driving me absolutely crazy not being able to figure out where the issue is.

Below is the code from the modules being run. Can anyone help??

Service Bus module

//service bus
resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: servicebus
  location: location
  sku: {
    [removed for brevity]
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    [removed for brevity]
  }
}


//topics
resource resource_topic_recurlywebhook 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' = {
  parent: resource_servicebus
  name: topic_[redacted]
  location: location
  properties: {
    [removed for brevity]
  }
}

API Connections module

resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: connections_servicebus
  location: location
  kind: 'V1'
  properties: {
    api: {
      id: connections_id_servicebus
    }
    displayName: connections_servicebus
    // 'managedIdentityAuth' selects managed-identity authentication for the
    // Service Bus connector: only the namespace endpoint is supplied, no key.
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          value: 'sb://${servicebus}.servicebus.windows.net'
        }
      }
    }
  }
}

Logic Apps module

//api connections: the connection created by the previous module
resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' existing = {
  name: connections_servicebus
}

//logic apps
resource resource_lapp_ae_[redacted] 'Microsoft.Logic/workflows@2019-05-01' = {
  name: lapp_ae_[redacted]
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {
          }
          type: 'Object'
        }
      }
      triggers: [removed for brevity]
      actions: {
        Response_200: [removed for brevity]
        Response_500: [removed for brevity]
        Send_message_to_[redacted]_topic: {
          runAfter: {
          }
          type: 'ApiConnection'
          inputs: {
            body: {
              ContentData: '@{base64(triggerBody())}'
              CorrelationId: '@{guid()}'
              Properties: '@triggerBody()'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(\'[redacted]\'))}/messages'
          }
        }
      }
      outputs: {
      }
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: resource_connections_servicebus.id
            connectionName: resource_connections_servicebus.name
            // tells the connector to call Service Bus with the workflow's own
            // system-assigned identity instead of stored credentials
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            id: connections_id_servicebus
          }
        }
      }
    }
  }
}

///////////////////////////////// outputs ///////////////////////////////////////////////

// principal id of the Logic App's system-assigned identity, consumed by the role assignment module
output principalid_lapp_ae_[redacted] string = resource_lapp_ae_[redacted].identity.principalId

Service Bus Role Assignment module

//define roles to assign
// built-in role Azure Service Bus Data Sender
var rbac_service_bus_data_sender = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'

//define apps to send to topics
// principal ids of the senders; expected to be supplied by main.bicep from the Logic App module output
param topic_[redacted]_access_list array = [
  principalid_lapp_ae_[redacted]
]

//////////////////////////// call resources to grant access to ////////////////////////////////

resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: servicebus
}

resource resource_topic_[redacted] 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' existing = {
  parent: resource_servicebus
  name: topic_[redacted]
}

//////////////////////////// make role assignments ////////////////////////////////

// one assignment per principal, scoped to the topic itself (not the namespace);
// the deterministic guid() name keeps redeployments idempotent
resource resource_topic_[redacted]_access_list 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalID in topic_[redacted]_access_list: {
  scope: resource_topic_[redacted]
  name: guid(resource_topic_[redacted].id, principalID, rbac_service_bus_data_sender)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbac_service_bus_data_sender)
    principalId: principalID
    // a system-assigned managed identity is a service principal in Azure AD
    principalType: 'ServicePrincipal'
  }
}]
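One way to separate the RBAC layer from the connector layer when chasing a 40100 'Send' error like the one above: check whether the Logic App's principal actually holds Azure Service Bus Data Sender at the topic or at any scope above it (namespace, resource group, subscription), since Azure RBAC assignments inherit downwards but never sideways to a sibling topic. The following Python script is an added example, not code from the post; it assumes role-assignment records with the `principalId`, `roleDefinitionId` and `scope` fields that `az role assignment list -o json` returns, and all ids, names and the error text are constructed placeholders. The role GUID is the one the post's bicep uses.

```python
"""Check Azure RBAC coverage for a Service Bus 'Send' 401 (added example).

Constructed example, not part of the original post: given the connector's
error text and a list of role-assignment records (only the fields used
here), decide whether the principal holds Azure Service Bus Data Sender at
the topic or at an ancestor scope.
"""
import re

# Built-in role id taken from the post's bicep (Azure Service Bus Data Sender).
SERVICE_BUS_DATA_SENDER = "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39"

ERROR_RE = re.compile(
    r"Unauthorized access for '(?P<op>\w+)' operation on endpoint "
    r"'sb://(?P<ns>[^.]+)\.servicebus\.windows\.net/(?P<entity>[^']+)'"
)


def parse_error(message):
    """Extract operation, namespace and entity name from the 40100 error text."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not a Service Bus unauthorized-access message")
    return m.group("op"), m.group("ns"), m.group("entity")


def topic_scope(subscription_id, resource_group, namespace, topic):
    """ARM resource id of a topic: the scope the post's role assignment targets."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ServiceBus/namespaces/{namespace}/topics/{topic}")


def scope_covers(assigned_scope, target_scope):
    """Azure RBAC inherits downwards: an assignment at scope S applies to every
    resource whose id equals S or starts with S at a path-segment boundary.
    Comparison is case-insensitive because ARM ids are not case-normalised."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.lower()
    return t == a or t.startswith(a + "/")


def sender_assignments(assignments, principal_id, target_scope):
    """Return the assignments granting Data Sender to principal_id on target_scope."""
    hits = []
    for ra in assignments:
        if ra["principalId"].lower() != principal_id.lower():
            continue
        # roleDefinitionId is a full resource id; compare only its trailing GUID.
        if ra["roleDefinitionId"].rsplit("/", 1)[-1].lower() != SERVICE_BUS_DATA_SENDER:
            continue
        if scope_covers(ra["scope"], target_scope):
            hits.append(ra)
    return hits


def diagnose(message, assignments, principal_id, subscription_id, resource_group):
    """Classify a 401: RBAC missing at the topic, or RBAC present so look elsewhere."""
    op, ns, entity = parse_error(message)
    if op != "Send":
        return "not-a-send-failure"
    scope = topic_scope(subscription_id, resource_group, ns, entity)
    hits = sender_assignments(assignments, principal_id, scope)
    return "rbac-ok-check-connection-identity-or-propagation" if hits else "rbac-missing"


# Constructed sample data: placeholder ids, not values from any real tenant.
SUB = "00000000-0000-0000-0000-000000000001"
RG = "rg-example"
LOGIC_APP_PRINCIPAL = "11111111-1111-1111-1111-111111111111"
ERROR = ("40100: Unauthorized : Unauthorized access for 'Send' operation on endpoint "
         "'sb://sb-example.servicebus.windows.net/topic-example'")
ROLE_DEF = (f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"
            f"{SERVICE_BUS_DATA_SENDER}")
# Sender granted on the topic itself, as the post's bicep does.
ASSIGNMENTS_OK = [
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionId": ROLE_DEF,
     "scope": topic_scope(SUB, RG, "sb-example", "topic-example")},
]
# Sender granted on a sibling topic: no sideways inheritance, so still a 401.
ASSIGNMENTS_WRONG_TOPIC = [
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionId": ROLE_DEF,
     "scope": topic_scope(SUB, RG, "sb-example", "other-topic")},
]
# Sender granted at namespace scope: inherited by every topic beneath it.
ASSIGNMENTS_NAMESPACE = [
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionId": ROLE_DEF,
     "scope": f"/subscriptions/{SUB}/resourceGroups/{RG}"
              f"/providers/Microsoft.ServiceBus/namespaces/sb-example"},
]

if __name__ == "__main__":
    for label, ras in [("topic", ASSIGNMENTS_OK), ("sibling", ASSIGNMENTS_WRONG_TOPIC),
                       ("namespace", ASSIGNMENTS_NAMESPACE)]:
        print(label, diagnose(ERROR, ras, LOGIC_APP_PRINCIPAL, SUB, RG))
```

Run it as a plain script; each constructed assignment set prints its classification. When the check reports the assignment as present, the remaining suspects are outside RBAC: a freshly created assignment can take several minutes to propagate, and a connector that is not actually presenting the workflow's identity token will fail with the same 401 no matter what roles that identity holds.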

