Managed Identity Authentication in Logic Apps

Question

Pulumi · Accepted Answer

To implement managed identity authentication in Azure Logic Apps with Pulumi, you would typically use the IntegrationServiceEnvironment and Workflow resources from the azure-native provider. The IntegrationServiceEnvironment resource allows you to scale and manage multiple logic apps within a dedicated environment, and the Workflow resource is used to represent Logic Apps workflows themselves.

A Managed Identity in Azure provides an identity for your application to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. It eliminates the need for credentials in your code, reducing the risk of credential leakage.

In this program, I will create an Azure Logic App with a system-assigned managed identity within an Integration Service Environment (ISE). The managed identity will then be used for authenticating to other Azure services that the Logic App needs to interact with, which supports Azure AD authentication.

Here's a high-level explanation of the program:

We'll create an instance of IntegrationServiceEnvironment, which is a fully isolated and dedicated environment for all Logic App resources.
We'll then create a Workflow, which is essentially a Logic App, and we'll enable a managed identity for it.
We'll set the managed identity type of the workflow to 'SystemAssigned' to create an identity that will be managed by Azure.

Below is the detailed Python program using Pulumi:

import pulumi
import pulumi_azure_native as azure_native

# Create a resource group to host all the resources
resource_group = azure_native.resources.ResourceGroup('logicapps-resource-group')

# Create an Integration Service Environment which Logic Apps can run within
# Replace "<location>" with your desired Azure region, like "East US" or "West Europe"
integration_service_environment = azure_native.logic.IntegrationServiceEnvironment(
    'ise',
    resource_group_name=resource_group.name,
    location='<location>',  # Your specific location
    sku=azure_native.logic.SkuArgs(
        name='Developer',  # Choose the SKU that suits your needs; 'Developer' is used for demo purposes
        capacity=0  # Capacity setting is mandatory; '0' for Developer SKU
    ),
    properties=azure_native.logic.IntegrationServiceEnvironmentPropertiesArgs(
        network_configuration=azure_native.logic.NetworkConfigurationArgs(
            access_endpoint=azure_native.logic.AccessEndpointArgs(
                type='Developer', # The type of access endpoint; should align with the chosen SKU
            )
        )
    )
)

# Create a Logic App Workflow with Managed Identity
logic_app = azure_native.logic.Workflow(
    'logicapp',
    resource_group_name=resource_group.name,
    location=integration_service_environment.location,
    integration_service_environment=azure_native.logic.ResourceReferenceArgs(
        id=integration_service_environment.id,
    ),
    identity=azure_native.logic.ManagedServiceIdentityArgs(
        type='SystemAssigned',
    )
    # You can add more configurations for triggers, actions, and definitions as needed
)

# Export the Logic App Workflow URL and Managed Identity Principal ID
pulumi.export('logic_app_url', logic_app.endpoint_configuration.apply(lambda c: c.workflow_endpoint_access_control_configuration_maps))
pulumi.export('managed_identity_principal_id', logic_app.identity.apply(lambda i: i.principal_id if i else None))

Remember to replace the placeholder '<location>' with the Azure region you wish to deploy your resources to. The program defines a ResourceGroup, creates the IntegrationServiceEnvironment with necessary properties using a billing SKU suited for development, and sets up a Workflow to represent the Logic App.

The workflow is configured with a system-assigned identity by setting the type property of ManagedServiceIdentityArgs to 'SystemAssigned'. The Logic App can now use the managed identity to authenticate to other Azure services that support Azure AD without storing credentials in your Logic App.

Lastly, we export two values: the URL of the Logic App and the principal ID of the managed identity associated with the Logic App. These values can be used to interact with the Logic App outside of Pulumi and to configure role assignments for the managed identity, granting it the necessary permissions to other resources.

Be sure to install the required Pulumi Azure Native package using pip:

pip install pulumi_azure_native

After running pulumi up, this program will deploy the described resources in your Azure subscription. The program assumes you have already logged into Azure and have set up Pulumi to communicate with your Azure subscription.