Setting parameterValueType on Microsoft.Web/connections resource throws an error

[sjuratov]

Bicep version
Bicep CLI version 0.4.1124 (66c84c8ee5)

Describe the bug
According to https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity?tabs=consumption#arm-template-for-managed-connections-and-managed-identities-consumption, I should be able to set parameterValueType to Alternative. So IMO following code should work:

param api_connection_sql_name string = 'sql'
param api_connection_sql_name_suffix string = '1'
param azure_sql_database string = 'cost-management'
param azure_subscription string = 'xxxxx-xxxx-xxxx-xxxx-xxxx'
param azure_region string = 'westeurope'

resource ApiConnectionSQL 'Microsoft.Web/connections@2016-06-01' = {
  name: '${api_connection_sql_name}-${api_connection_sql_name_suffix}'
  location: resourceGroup().location
  properties: {
    displayName: '${azure_sql_database}-${api_connection_sql_name}-db'
    api: {
      name: api_connection_sql_name
      displayName: 'SQL Server'
      iconUri: 'https://connectoricons-prod.azureedge.net/laborbol/patches/1520/${api_connection_sql_name}-mi/1.0.1520.2572/${api_connection_sql_name}/icon.png'
      brandColor: '#ba141a'
      id: '/subscriptions/${azure_subscription}/providers/Microsoft.Web/locations/${azure_region}/managedApis/${api_connection_sql_name}'
      type: 'Microsoft.Web/locations/managedApis'
    }
    **parameterValueType: 'Alternative'**
    customParameterValues: {}
  }
}

However, Intellisense (in VS Code) shows yellow squiggly and if I try to deploy template, I get following:

C:\repos\ApiConnectionSQL.bicep(20,5) : Warning BCP037: The property "parameterValueType" is not allowed on objects of type "ApiConnectionDefinitionProperties". Permissible properties include "changedTime", "createdTime", "nonSecretParameterValues", "parameterValues", "statuses", "testLinks". If this is an inaccuracy in the documentation, please report it to the Bicep Team. [https://aka.ms/bicep-type-issues]      

{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"InvalidApiConnectionAlternativeParameters\",\r\n    \"message\": \"The API connection 'sql-4' has invalid inputs. Parameter value type cannot be set to 
'Alternative' because managed identity is not supported in the API definition's connection parameters.\"\r\n  }\r\n}"}]}}

Warning implies that parameterValueType is not allowed property (contradicting URL from above). Interesting enough error msg implies that parameterValueType should work BUT can't be set to Alternative.

Looking at https://docs.microsoft.com/en-us/azure/templates/microsoft.web/connections?tabs=bicep, parameterValueType is not listed.

Note that if I create this manually (through Logic App), I can use managed identity and all is good. Now I am trying to build this same logic to Bicep template.

So I am a bit confused, where is the problem and how do I fix it?

To Reproduce
See above

Additional context
Add any other context about the problem here.

[alex-frankel]

The Bicep warning is saying it does not know about the property, but that may be a false positive. As you note, the error message seems to indicate that the property is allowed, but the value 'Alternative' is not for this specific case.

The error you are hitting is not explicitly related to Bicep and we will need someone with more context on this resource type to help answer this. Otherwise, the recommendation will be to open a support case so the Web team can take a look.

[JeroenvdBurg]

hi! the logicapp connectors are quite difficult to follow when creating them with IaC.

When I create a new sql connections (with managed Identity ) in a logicapp from the portal and look at the POST request send by the browser it looks like the managed identity is defined by the following:

parameterValueSet: {
      name: 'oauthMI'
      values: {}
    }

so if you replace parameterValueType: 'Alternative' with the code above.
this still gives a bicep warning but deploys the sql connection with managed identiy

hope this helps you.

note that you can use the SubscriptionResourceId to simplify your Id parameter (subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, api_connection_sql_name)

[alex-frankel]

This also seems related (possibly a duplicate) of Azure/bicep#5056

[sjuratov]

@JeroenvdBurg , many thanks, that solved the problem! As you have indicated and I agree, code can be further improved. I wanted something quick, dirty and working before making adjustments.

@alex-frankel , agreed it's related yet different. I am not sure who in MSFT should be documenting these details. While @JeroenvdBurg approach works, IMO it's not something we should be doing - this should be well documented for each Microsoft.Web/connections resource.

Btw, for storage account, here is correct JSON payload

parameterValueSet: {
  name: 'managedIdentityAuth'
  values: {}
}

[JeroenvdBurg]

@sjuratov great to hear that it works for you

I agree fully that the definition of the logic app connectors could be approved. Reverse engineering the api specification is not a great way and the definition is also not consistent between the connectors.

It would be great if @alex-frankel could address this to the right person within Microsoft

[alex-frankel]

The Web team is aware of the issue. There are many issues with the API definition for various resource types within the Web RP. Last time we spoke with them we agreed we should take some to address as many of them as possible, so hoping they work on this in the next 3-6 months.

cc @seligj95 / @naveedaz

[alessandromoura]

Hi,

I'm trying to create a Bicep template for a service bus connection using Managed Identity as below:

resource apiConnectionServiceBus 'Microsoft.Web/connections@2016-06-01' = {
name: serviceBusApicName
location: location
properties: {
displayName: serviceBusApicName
api: {
id: serviceBusApiReferenceId
}
parameterValueSet: {
name: 'managedIdentityAuth'
values: { }
}
}
}

It creates the API connection, but an information is missing and before the Logic App can use this connection I need to manually edit the connection to add the namespace of the service bus as below:

I need to know which parameter to set in Bicep to do this while deploying the API connection through Azure DevOps and avoid any manual intervention.

Thanks

[WongKahWaiXOM]

Hi,

I'm trying to create a Bicep template for a service bus connection using Managed Identity as below:

resource apiConnectionServiceBus 'Microsoft.Web/connections@2016-06-01' = { name: serviceBusApicName location: location properties: { displayName: serviceBusApicName api: { id: serviceBusApiReferenceId } parameterValueSet: { name: 'managedIdentityAuth' values: { } } } }

It creates the API connection, but an information is missing and before the Logic App can use this connection I need to manually edit the connection to add the namespace of the service bus as below:

I need to know which parameter to set in Bicep to do this while deploying the API connection through Azure DevOps and avoid any manual intervention.

Thanks

According to Azure Support Engineer, there's no way Microsoft mentioned in docs for now how to set in Bicep.
However, the following pieces are provided by them.

{
              "properties": {
                           "api": {
                                         "id": "/subscriptions/[SubID]/providers/Microsoft.Web/locations/australiaeast/managedApis/servicebus"
                           },
                           "parameterValueSet": {
                                         "name": "managedIdentityAuth",
                                         "values": {
                                                       "namespaceEndpoint": {
                                                                     "value": "[Endpoint]"
                                                       }
                                         }
                           },
                           "displayName": "Test"
              },
              "kind": "V1",
              "location": "australiaeast"
}

[PrasannaK12]

Hello I'm also facing issues, while creating logic app api connection arm for SQL ,
Getting below error.

"the api connection 'sql' is not configured to support managed identity".
Anyone know why it's showing?

[alefred]

Hello! there is any plan to fix this warning for resource type like for web connection managed identity :

parameterValueSet: {
      name: 'oauthMI'
      values: {}
    }

Shall I need to refeer to another team ?

[alex-frankel]

@seligj95 can you take a look at this one?