
azurerm_logic_app_standard deployment without using Storage account key #25419

Closed
1 task done
titol85 opened this issue Mar 26, 2024 · 2 comments
Labels
enhancement service/logic upstream/microsoft/needs-support-on-azure-api This label is applicable when support for a feature is not currently available on the Azure API.

Comments

@titol85

titol85 commented Mar 26, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Is it possible to deploy Logic App Standard in Azure without using storage account keys?

The current resource has the storage_account_access_key field as mandatory.
In my subscription we have an Azure policy preventing storage accounts from using storage account keys for authorization; I'd rather use the identity of the Logic App if possible.

The storage account is private endpointed and has user managed identity assigned with contributor access.

While deploying Logic App Standard with a user managed identity, the deployment fails with:
web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible." Details=[{"Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"99022","Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.","MessageTemplate":"Creation of storage file share failed with: '{0}'. Please check if the storage account is accessible.","Parameters":["The remote server returned an error: (403) Forbidden."]}}]

New or Affected Resource(s)/Data Source(s)

azurerm_logic_app_standard

Potential Terraform Configuration

resource "azurerm_logic_app_standard" "example" {
  name                = "example-logicapp"
  location            = "West Europe"
  resource_group_name = "example-rg"
  app_service_plan_id = azurerm_app_service_plan.example.id
  storage_account_name = azurerm_storage_account.example.name
  https_only          = true

  # storage_account_access_key is intentionally omitted: the storage account
  # should be reached with the identity below, not a shared key.
  identity {
    type         = "UserAssigned"
    identity_ids = [xxxx]
  }
}

References

No response

@ziyeqf
Contributor

ziyeqf commented Apr 1, 2024

Hi @titol85, thanks for opening the issue.

It might not be possible to support this for now. It requires an upstream enhancement on the Logic service side.

The access_key is used to compose a connection string, which is then used in the following two app settings:

  1. AzureWebJobsStorage

  2. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING

Per the above two documents, AzureWebJobsStorage is optional; however, WEBSITE_CONTENTAZUREFILECONNECTIONSTRING does not support using managed identity and is required for Consumption and Elastic Premium plan apps running on both Windows and Linux.

Per my testing, it's required during the creation of azurerm_logic_app_standard; if it's not provided, the service will return an error:

Required parameter WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is missing.

For any further questions, please leave comments.
Thanks!
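As an added example for this thread (not code from the issue, from titol85, or from the azurerm provider), the script below shows the security-relevant consequence of ziyeqf's comment: the storage_account_access_key ends up inside a shared-key connection string in two app settings, and only one of them can be replaced by an identity-based connection. It composes the connection string in the standard Azure format (DefaultEndpointsProtocol/AccountName/AccountKey/EndpointSuffix), then audits a constructed set of app settings against a "no shared key, no SAS" policy like the one titol85 describes. Assumptions: the account name stexample, the dummy key, and the use of the Azure Functions double-underscore convention (AzureWebJobsStorage__accountName) for identity-based connections are mine, not from the page.

```python
"""Audit Logic App / Functions app settings for shared-key storage access.

Added example, not code from the issue or from the azurerm provider. The
connection-string layout is the standard Azure one; which settings carry it
is taken from ziyeqf's comment. Identity-based settings follow the Azure
Functions '<prefix>__<property>' convention (an assumption for this example).
"""
from typing import Dict, List


def build_key_connection_string(account_name: str, account_key: str,
                                endpoint_suffix: str = "core.windows.net") -> str:
    """Compose the shared-key connection string that a storage access key ends
    up in. This is the value the resource needs the key for."""
    return (f"DefaultEndpointsProtocol=https;AccountName={account_name};"
            f"AccountKey={account_key};EndpointSuffix={endpoint_suffix}")


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict. Only the first '=' of each segment is the
    separator, so base64 padding in AccountKey and '=' inside SAS tokens survive."""
    parts: Dict[str, str] = {}
    for segment in value.split(";"):
        if not segment:
            continue
        key, _, val = segment.partition("=")
        parts[key] = val
    return parts


def classify_setting(name: str, value: str) -> str:
    """Return 'identity', 'shared_key', 'sas' or 'other' for one app setting."""
    # Identity-based connections are configured as <prefix>__<property>
    # settings (accountName, blobServiceUri, credential, clientId, ...),
    # never as a connection string. Heuristic: the double underscore marks them.
    if "__" in name:
        return "identity"
    parts = parse_connection_string(value)
    if "AccountKey" in parts:
        return "shared_key"
    if "SharedAccessSignature" in parts:
        return "sas"
    return "other"


def audit_app_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Classify every app setting by the kind of storage credential it carries."""
    return {name: classify_setting(name, value) for name, value in settings.items()}


def violations(settings: Dict[str, str]) -> List[str]:
    """Names of settings a 'no shared key / no SAS' policy would reject."""
    return sorted(name for name, kind in audit_app_settings(settings).items()
                  if kind in ("shared_key", "sas"))


# Constructed sample data (dummy account name and key, not real credentials).
DUMMY_KEY = "ZHVtbXlrZXk="  # base64('dummykey')
KEY_CS = build_key_connection_string("stexample", DUMMY_KEY)

# What the provider emits from storage_account_name + storage_account_access_key:
KEY_BASED_APP_SETTINGS = {
    "AzureWebJobsStorage": KEY_CS,
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": KEY_CS,
    "WEBSITE_CONTENTSHARE": "example-logicapp",
}

# The closest key-free state: AzureWebJobsStorage moved to an identity-based
# connection, the file-share setting still key-based because the service
# does not accept managed identity for it.
IDENTITY_APP_SETTINGS = {
    "AzureWebJobsStorage__accountName": "stexample",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": KEY_CS,
    "WEBSITE_CONTENTSHARE": "example-logicapp",
}

if __name__ == "__main__":
    for label, settings in (("key-based", KEY_BASED_APP_SETTINGS),
                            ("identity", IDENTITY_APP_SETTINGS)):
        print(f"[{label}] violations: {violations(settings)}")
```

Run against the two constructed settings maps, the key-based deployment reports both AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as shared-key, while the identity-based variant still reports WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, which is exactly the residual dependency that blocks a key-free deployment under the current API.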

@rcskosir rcskosir added upstream/microsoft/needs-support-on-azure-api This label is applicable when support for a feature is not currently available on the Azure API. waiting-response labels Apr 9, 2024
@rcskosir
Contributor

rcskosir commented Jun 3, 2024

Thanks for taking the time to open this issue. It looks like the behavior you requested is not supported by the underlying Azure API so I am going to label this issue as such and close it for now. If you create a request on Azure/azure-rest-api-specs, feel free to add the link here. When it gets added, we can reopen this request or you can create a new one.

@rcskosir rcskosir closed this as not planned Jun 3, 2024
3 participants