This deployment reveals hidden concerns that I wasn’t prepared for
how do you deploy the api connection to use managed identity
what happens if the resources event grid is listening to is in another subscription
this doesn’t include the code for private endpoints
logic app managed identity needs to be able to read the storage account that the event grid trigger will watch
certain things just aren’t documented, and the azurerm provider isn’t enough, so where that’s the case I’ve used the azapi provider
how do you create an event subscription on the topic (outside of logic apps see comment on event subscription)
The thing I found interesting was that, as it turns out, the only thing that makes a trigger a trigger (i.e. determines which properties it can accept at the API level) is which API connection it references. You’ll see that below, reading through the code.
In this example I’ve got Event Grid listening for blob-created events in a storage account that’s in my “management” subscription, so resources pertaining to that I’ve decorated with `provider =`. If everything is in the same subscription you can remove the provider part. This should be enough for anyone to derive their own solution from.
// Resource group that holds the watched storage account. It lives in the
// "management" subscription, hence the aliased provider.
data "azurerm_resource_group" "rg" {
  name     = "rgname"
  provider = azurerm.management
}
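// The storage account whose blob events Event Grid will watch.
// Its resource group is the one looked up above, so reference it instead of
// repeating a literal that can drift from the data source.
data "azurerm_storage_account" "sa" {
  provider            = azurerm.management
  name                = "some_name"
  resource_group_name = data.azurerm_resource_group.rg.name
}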
// System topic on the storage account. Event Grid emits the account's events
// here; subscriptions (including the one the logic app trigger creates) hang
// off this topic, so it must be created in the account's own subscription.
resource "azurerm_eventgrid_system_topic" "wic" {
  name                   = "wic"
  provider               = azurerm.management
  resource_group_name    = data.azurerm_resource_group.rg.name
  location               = data.azurerm_resource_group.rg.location
  topic_type             = "Microsoft.Storage.StorageAccounts"
  source_arm_resource_id = data.azurerm_storage_account.sa.id
  tags                   = {}

  // System-assigned identity on the topic; not referenced elsewhere in this
  // listing, but kept so the topic can deliver to identity-protected endpoints
  // later without a replace.
  identity {
    type = "SystemAssigned"
  }
}
// The workflow itself, in the "wic" resource group (module output).
// Its system-assigned identity is the principal that the Event Grid API
// connection authenticates as, so it must exist before the RBAC module runs.
resource "azurerm_logic_app_workflow" "app" {
  name                = "workflow1"
  resource_group_name = module.wic_rg.name
  location            = module.wic_rg.location
  tags                = {}

  identity {
    type = "SystemAssigned"
  }
}
// Current subscription as seen through the management alias; used as an RBAC
// scope. NOTE(review): granting at subscription scope is far wider than the
// single storage account / topic the trigger needs — verify against governance.
data "azurerm_subscription" "management" {
  provider = azurerm.management
}
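// The logic app's identity must be able to read the storage account and create
// an event subscription on its system topic. Both of those live in the storage
// account's resource group, so the grant is scoped to that group rather than to
// the whole management subscription — same role, far smaller blast radius.
// Contributor is still more than required; substitute a narrower Event Grid
// role per your governance (this is my module, so adapt the RBAC accordingly).
module "logic_app_read_on_mgmt" {
  source           = "mymodule?ref=v1.3.1"
  principal_id     = azurerm_logic_app_workflow.app.identity[0].principal_id
  role_name        = "Contributor"
  scope            = data.azurerm_resource_group.rg.id
  role_description = "contrib"
}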
// Lookup of the platform-managed Event Grid connector definition in the
// workflow's region; its id is what the API connection resource points at.
data "azurerm_managed_api" "azureeventgrid" {
  location = module.wic_rg.location
  name     = "azureeventgrid"
}
// API connection for the Event Grid connector, authenticating with the logic
// app's managed identity.
//
// Why azapi rather than azurerm_api_connection: the azurerm resource does not
// yet support managed-identity connections. The identity mode is selected by
// parameterValueType = "Alternative". The body must be a native HCL object —
// passing a jsonencode()'d string fails schema validation when the provider
// marshals it (string vs map[string]interface{}).
resource "azapi_resource" "azureeventgrid" {
  name      = "azureeventgrid"
  type      = "Microsoft.Web/connections@2016-06-01"
  location  = module.wic_rg.location
  parent_id = module.wic_rg.id
  tags      = {}

  // Validation disabled so the "Alternative" parameter type is accepted.
  schema_validation_enabled = false

  body = {
    properties = {
      displayName        = "azureeventgrid"
      parameterValueType = "Alternative"
      api = {
        id = data.azurerm_managed_api.azureeventgrid.id
      }
    }
  }
}
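// Event Grid trigger. The definition is an ApiConnectionWebhook whose body is
// the event subscription the connector creates on the storage account's topic;
// referencing the managed-identity connection above is what makes the platform
// treat it as an Event Grid trigger.
//
// Fix: the original body had no filter, so the subscription delivered every
// event type the account emits, not just blob creations as intended (and as
// the explicit azurerm_eventgrid_system_topic_event_subscription below filters).
// "filter.includedEventTypes" restricts it to Microsoft.Storage.BlobCreated.
//
// Note: callback_url on this resource is a signed, secret-bearing URL. It is
// stored in Terraform state and anything that can read it can invoke the
// workflow, so protect the state backend accordingly.
resource "azurerm_logic_app_trigger_http_request" "azureeventgridtrigger" {
  name         = "trigger"
  logic_app_id = azurerm_logic_app_workflow.app.id

  schema = <<SCHEMA
{
  "type": "ApiConnectionWebhook",
  "inputs": {
    "host": {
      "connection": {
        "referenceName": "${azapi_resource.azureeventgrid.name}"
      }
    },
    "body": {
      "properties": {
        "topic": "${data.azurerm_storage_account.sa.id}",
        "filter": {
          "includedEventTypes": ["Microsoft.Storage.BlobCreated"]
        },
        "destination": {
          "endpointType": "webhook",
          "properties": {
            "endpointUrl": "@listCallbackUrl()"
          }
        }
      }
    }
  }
}
SCHEMA
}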
// Explicit event subscription on the system topic, pointing at the workflow's
// callback URL. The logic app trigger already registers itself as a subscription
// on this topic, so this block is here for completeness rather than necessity.
// NOTE(review): if both exist, each BlobCreated event is delivered to the same
// callback twice — the workflow should tolerate duplicate invocations, or this
// block should be dropped.
resource "azurerm_eventgrid_system_topic_event_subscription" "wic" {
  name                 = "change-feed-create"
  provider             = azurerm.management
  resource_group_name  = data.azurerm_resource_group.rg.name
  system_topic         = azurerm_eventgrid_system_topic.wic.name
  included_event_types = ["Microsoft.Storage.BlobCreated"]

  // The callback URL carries the trigger's access signature; it ends up in
  // state for both resources.
  webhook_endpoint {
    url = azurerm_logic_app_trigger_http_request.azureeventgridtrigger.callback_url
  }
}