使用托管标识连接到 Log Analytics 工作区时逻辑应用部署失败


我想创建一个通过 Bicep 部署的、用于执行 Log Analytics 查询的逻辑应用。该逻辑应用使用系统分配的托管标识连接到 Log Analytics 工作区。

当我部署 Bicep 文件时,我收到以下错误:

工作流连接参数“azuremonitorlogs”无效。API 连接“azuremonitorlogs”未配置为支持托管标识。(代码:WorkflowManagedIdentityConfigurationInvalid)

我的连接配置如下:

// Question: the API connection as originally deployed.
// NOTE(review): there is no parameterValueSet here, so the connection is never
// put into managed-identity mode. The workflow further down asks for
// 'ManagedServiceIdentity' authentication on this connection, which is why the
// deployment fails with "API connection 'azuremonitorlogs' is not configured to
// support managed identity" (see the accepted answer for the fixed resource).
resource logConnection 'Microsoft.Web/connections@2016-06-01' = {
    name: 'azuremonitorlogs-cdn'
    location: resourceGroup().location
    properties: {
      displayName: 'azuremonitorlogs-cdn'
      customParameterValues: {}
      // statuses / testLinks do not select an authentication mode; the answer
      // below omits them entirely.
      statuses: [
        {
          status: 'Ready'
        }
      ]
      api: {
        // Managed API id is resolved in the resource group's region.
        id: subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'azuremonitorlogs')
        name: 'azuremonitorlogs-cdn'
        displayName: 'Azure Monitor Logs'

        type: 'Microsoft.Web/locations/managedApis'
      }
      testLinks: []
    }
}

我的工作流程在这里:

// Question: the workflow as originally deployed. The identity and the
// '$connections' authentication block are already what managed-identity access
// needs; per the accepted answer the fix is on the API connection resource,
// not on this workflow definition.
resource logMonitor 'Microsoft.Logic/workflows@2019-05-01' = {
    name: 'workflow-cdn-log-monitor'
    location: resourceGroup().location
    // System-assigned identity: no secret is stored in the template; the
    // principal is created and deleted together with the workflow.
    identity: {
       type: 'SystemAssigned'
    }
    properties: {
      state: 'Enabled'
      definition: {
        '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
        contentVersion: '1.0.0.0'
        parameters: {
          '$connections': {
            defaultValue: {}
            type: 'Object'
          }
        }
        // The triggers block was elided in the question ('...'); the accepted
        // answer uses an HTTP Request trigger here.
        triggers: {
        ...
        actions: {
          Run_query_and_list_results: {
            runAfter: {}
            type: 'ApiConnection'
            inputs: {
              host: {
                connection: {
                  // Resolved at run time from the '$connections' workflow parameter below.
                  name: '@parameters(\'$connections\')[\'azuremonitorlogs\'][\'connectionId\']'
                }
              }
              method: 'post'
              // KQL query executed against the workspace; read access only.
              body: 'AzureDiagnostics | where Category == \'FrontDoorAccessLog\'\n'
              path: '/queryData'
              queries: {
                subscriptions: subscription().subscriptionId
                resourcegroups: resourceGroup().name
                resourcetype: 'Log Analytics Workspace'
                resourcename: 'log-cdn'
                timerange: 'Last 4 hours'
              }
            }
          }
        }
        outputs: {}
      }
      parameters: {
        '$connections': {
          value: {
            azuremonitorlogs: {
              id: subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'azuremonitorlogs')
              connectionId: logConnection.id
              connectionName: 'azuremonitorlogs'
              // Requests MSI auth on the connection; the connection resource
              // itself must carry the matching 'managedIdentityAuth' parameter
              // set, otherwise deployment is rejected with the error quoted above.
              connectionProperties: {
                authentication: {
                  type: 'ManagedServiceIdentity'
                }
              }
            }
          }
        }
      }
    }
}

将 Log Analytics 读取者角色分配给工作流的标识并没有任何区别,工作流创建仍然失败。连接本身已成功创建(并且我已手动批准了该连接)。

我确实尝试了互联网上的很多例子,但都没有成功。有人能给我一个关于如何设置 Bicep 文件的提示吗?

azure azure-logic-apps azure-bicep azure-log-analytics-workspace

逻辑应用的托管标识身份验证已在官方文档中说明。

因此,你的 API 连接应当像下面这样定义:

// Answer: API connection that the Logic App can call with its managed identity.
// 'location' is the parameter declared in main.bicep below.
resource logConnection 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: 'azuremonitorlogs-cdn'
  kind: 'V1'
  location: location
  properties: {
    displayName: 'Azure Monitor Logs'
    customParameterValues: {}
    // The 'managedIdentityAuth' parameter set is what switches the connection
    // into managed-identity mode; 'token' stays empty because no credential is
    // stored in the connection.
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        token: {}
      }
    }
    api: {
      type: 'Microsoft.Web/locations/managedApis'
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azuremonitorlogs')
    }
  }
}

您还需要向逻辑应用的标识授予 Monitoring Reader 角色:

  • log-analytics-role-assignment.bicep 文件:
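@description('Name of the existing Log Analytics workspace that scopes the role assignment.')
param logAnalyticsWorkspaceName string

@description('GUID of the built-in role definition to assign (main.bicep passes Monitoring Reader).')
param roleId string

@description('Object id of the principal receiving the role, e.g. a Logic App system-assigned identity.')
param principalId string

@description('Principal type recorded on the assignment; ServicePrincipal is the type of a managed identity.')
param principalType string = 'ServicePrincipal'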

// Reference to the existing workspace; it is only used as the RBAC scope below,
// nothing about the workspace itself is changed by this file.
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: logAnalyticsWorkspaceName
}

// Create role assignment
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name: the same (workspace, role, principal) triple always
  // produces the same GUID, so repeated deployments address the same assignment.
  name: guid(logAnalyticsWorkspace.id, roleId, principalId)
  // Least privilege: the role is granted on this one workspace, not on the
  // resource group or subscription.
  scope: logAnalyticsWorkspace
  properties: {
    principalType: principalType
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
  }
}
  • 完整的工作示例 - main.bicep 文件
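@description('Region for the API connection and the managed API id; keep every resource in this file in the same region.')
param location string = resourceGroup().location

@description('Name of the existing Log Analytics workspace the workflow queries.')
param logAnalyticsWorkspaceName string = 'log-cdn'

@description('Name of the Logic App workflow to create.')
param logicAppName string = 'workflow-cdn-log-monitor'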

// Get a reference to the log analytics workspace
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  // 'existing': the workspace is read, never created or modified, by this file.
  name: logAnalyticsWorkspaceName
}

// Create monitor connector for logic app
resource logConnection 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: 'azuremonitorlogs-cdn'
  location: location
  kind: 'V1'
  properties: {
    displayName: 'Azure Monitor Logs'
    // Managed-identity mode: the connection holds no credential of its own,
    // the empty 'token' entry is just the placeholder this parameter set requires.
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        token: {}
      }
    }
    customParameterValues: {}
    api: {
      type: 'Microsoft.Web/locations/managedApis'
      // Same region as the connection itself.
      id: subscriptionResourceId(
        'Microsoft.Web/locations/managedApis',
        location,
        'azuremonitorlogs'
      )
    }
  }
}

// Create the logic app
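resource logMonitor 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  // Use the shared 'location' parameter (as the connection resource does) so the
  // workflow, the API connection and the managed API id all resolve to one
  // region even when the parameter is overridden at deploy time.
  location: location
  // System-assigned identity: no secret in the template, and the principal is
  // removed together with the workflow.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {}
          type: 'Object'
        }
      }
      triggers: {
        // NOTE(review): a manual HTTP trigger is callable by anyone holding its
        // callback URL, which embeds its own signature — treat that URL as a
        // secret. No request schema is declared here, so the trigger does not
        // validate the incoming payload.
        When_a_HTTP_request_is_received: {
          type: 'Request'
          kind: 'Http'
        }
      }
      actions: {
        Run_query_and_list_results: {
          runAfter: {}
          type: 'ApiConnection'
          inputs: {
            host: {
              connection: {
                // Resolved at run time from the '$connections' parameter set below.
                name: '@parameters(\'$connections\')[\'azuremonitorlogs\'][\'connectionId\']'
              }
            }
            method: 'post'
            // KQL query run under the workflow identity; read access is granted
            // by the role-assignment module at the end of this file.
            body: 'AzureDiagnostics | where Category == \'FrontDoorAccessLog\''
            path: '/queryData'
            queries: {
              subscriptions: subscription().subscriptionId
              resourcegroups: resourceGroup().name
              resourcetype: 'Log Analytics Workspace'
              resourcename: logAnalyticsWorkspace.name
              timerange: 'Last 4 hours'
            }
          }
        }
      }
      outputs: {}
    }
    parameters: {
      '$connections': {
        value: {
          azuremonitorlogs: {
            // Same region as the connection's api.id.
            id: subscriptionResourceId(
              'Microsoft.Web/locations/managedApis',
              location,
              'azuremonitorlogs'
            )
            connectionId: logConnection.id
            connectionName: 'azuremonitorlogs'
            // Pairs with the connection's 'managedIdentityAuth' parameter set;
            // without it the deployment fails with
            // WorkflowManagedIdentityConfigurationInvalid.
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
          }
        }
      }
    }
  }
}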

// Assign monitor reader role to the identity
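// Path now matches the file name given above (log-analytics-role-assignment.bicep);
// the earlier 'assignement' spelling would not resolve at build time. The symbolic
// name is renamed from the key-vault leftover; nothing else references it.
module logAnalyticsRoleAssignment './log-analytics-role-assignment.bicep' = {
  name: '${logMonitor.name}-log-analytics-rbac'
  params: {
    logAnalyticsWorkspaceName: logAnalyticsWorkspace.name
    // System-assigned identity of the workflow; principalType keeps the module
    // default 'ServicePrincipal'.
    principalId: logMonitor.identity.principalId
    // Read-only role, scoped to the single workspace inside the module.
    roleId: '43d0d8ad-25c7-4714-9337-8ba259a9fe05' // Monitoring Reader
  }
}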