我想创建一个通过 Bicep 部署、用于执行 Log Analytics 查询的逻辑应用。该逻辑应用使用系统分配的托管标识连接到 Log Analytics 工作区。
当我部署 Bicep 文件时，收到以下错误：
工作流连接参数“azuremonitorlogs”无效。API 连接“azuremonitorlogs”未配置为支持托管标识。（代码：WorkflowManagedIdentityConfigurationInvalid）
我的连接配置如下:
// Connection resource exactly as the question deploys it (2016-06-01 API version).
// NOTE(review): there is no parameterValueSet on this connection, so nothing here opts the
// connection into managed-identity authentication; that is consistent with the deployment
// error quoted above ("not configured to support managed identity").
resource logConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: 'azuremonitorlogs-cdn'
  location: resourceGroup().location
  properties: {
    displayName: 'azuremonitorlogs-cdn'
    customParameterValues: {}
    statuses: [
      {
        status: 'Ready'
      }
    ]
    api: {
      // Managed API for the Azure Monitor Logs connector, resolved for the resource group's region
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'azuremonitorlogs')
      name: 'azuremonitorlogs-cdn'
      displayName: 'Azure Monitor Logs'
      type: 'Microsoft.Web/locations/managedApis'
    }
    testLinks: []
  }
}
我的工作流定义如下：
// Workflow as deployed in the question. The trigger block is elided ('...') in the post,
// so this listing is not valid Bicep as shown.
resource logMonitor 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'workflow-cdn-log-monitor'
  location: resourceGroup().location
  // System-assigned managed identity; this is the principal that needs a reader role on the workspace
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {}
          type: 'Object'
        }
      }
      triggers: {
      ...
      actions: {
        Run_query_and_list_results: {
          runAfter: {}
          type: 'ApiConnection'
          inputs: {
            host: {
              connection: {
                // Resolved at run time from the workflow-level $connections parameter below
                name: '@parameters(\'$connections\')[\'azuremonitorlogs\'][\'connectionId\']'
              }
            }
            method: 'post'
            body: 'AzureDiagnostics | where Category == \'FrontDoorAccessLog\'\n'
            path: '/queryData'
            queries: {
              subscriptions: subscription().subscriptionId
              resourcegroups: resourceGroup().name
              resourcetype: 'Log Analytics Workspace'
              resourcename: 'log-cdn'
              timerange: 'Last 4 hours'
            }
          }
        }
      }
      outputs: {}
    }
    parameters: {
      '$connections': {
        value: {
          azuremonitorlogs: {
            id: subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'azuremonitorlogs')
            connectionId: logConnection.id
            connectionName: 'azuremonitorlogs'
            // Asks the workflow to authenticate to the connection with its managed identity.
            // NOTE(review): per the error in the question, the connection itself is not set up for this.
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
          }
        }
      }
    }
  }
}
将 Log Analytics Reader 角色分配给工作流的标识也没有任何区别，工作流创建仍然失败。连接本身已经创建成功（我还手动批准了该连接）。
我尝试了网上的许多示例，但都没有成功。有人能给我一个关于如何编写这个 Bicep 文件的提示吗？
逻辑应用的托管标识身份验证在此处有文档说明。
所以你的 API 连接应该是这样的:
// API connection to Azure Monitor Logs that the logic app uses with its managed identity.
// The 2018-07-01-preview API version exposes parameterValueSet, which is the setting the
// deployment error in the question was complaining about.
resource logConnection 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: 'azuremonitorlogs-cdn'
  location: location
  kind: 'V1'
  properties: {
    displayName: 'Azure Monitor Logs'
    customParameterValues: {}
    // 'managedIdentityAuth' with an empty token object: no credential is stored on the
    // connection; presumably the calling workflow's identity supplies the token at run time.
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        token: {}
      }
    }
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azuremonitorlogs')
      type: 'Microsoft.Web/locations/managedApis'
    }
  }
}
你还需要向逻辑应用的标识授予 Monitoring Reader 角色：
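@description('Name of the existing Log Analytics workspace that the role is assigned on.')
param logAnalyticsWorkspaceName string

@description('GUID of the role definition to assign (a built-in role id, e.g. the Monitoring Reader id passed by the caller).')
param roleId string

@description('Object id of the principal that receives the role (the logic app\'s system-assigned identity).')
param principalId string

@description('Principal type for the assignment; ServicePrincipal is the right value for a managed identity.')
param principalType string = 'ServicePrincipal'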
// Reference to the existing workspace; used only as the scope of the role assignment below
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: logAnalyticsWorkspaceName
}
// Create role assignment
// Scoped to the workspace itself rather than the resource group or subscription, so the
// identity only gets read access where the workflow actually queries.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name from (scope, role, principal) so redeploying yields the same assignment
  name: guid(logAnalyticsWorkspace.id, roleId, principalId)
  scope: logAnalyticsWorkspace
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    // Setting principalType explicitly (ServicePrincipal by default) is what Azure recommends
    // when the principal was created in the same deployment
    principalType: principalType
  }
}
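@description('Region for the API connection and the logic app; defaults to the resource group\'s region.')
param location string = resourceGroup().location

@description('Name of the existing Log Analytics workspace to query.')
param logAnalyticsWorkspaceName string = 'log-cdn'

@description('Name of the consumption logic app to create.')
param logicAppName string = 'workflow-cdn-log-monitor'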
// Get a reference to the log analytics workspace
// Existing resource: nothing is created here; its name feeds the query action and the RBAC module
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: logAnalyticsWorkspaceName
}
// Create monitor connector for logic app
// Managed-identity flavoured API connection for the Azure Monitor Logs connector. The
// parameterValueSet is the part the question's 2016-06-01 resource was missing.
resource logConnection 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: 'azuremonitorlogs-cdn'
  location: location
  kind: 'V1'
  properties: {
    api: {
      type: 'Microsoft.Web/locations/managedApis'
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azuremonitorlogs')
    }
    displayName: 'Azure Monitor Logs'
    // No stored credential: the token object is intentionally empty for managedIdentityAuth
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        token: {}
      }
    }
    customParameterValues: {}
  }
}
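// Create the logic app
// Consumption logic app with a system-assigned managed identity. It runs one KQL query against
// the workspace through the API connection above, authenticating as its own identity.
resource logMonitor 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  // Same location parameter as logConnection, so an overridden 'location' keeps the workflow,
  // the connection and the managed API id in one region
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {}
          type: 'Object'
        }
      }
      triggers: {
        // Manual HTTP trigger. Logic Apps authorizes calls to this endpoint with the shared
        // access signature in the generated callback URL; anyone holding that URL can start a run.
        When_a_HTTP_request_is_received: {
          type: 'Request'
          kind: 'Http'
        }
      }
      actions: {
        Run_query_and_list_results: {
          runAfter: {}
          type: 'ApiConnection'
          inputs: {
            host: {
              connection: {
                // Resolved at run time from the workflow-level $connections parameter below
                name: '@parameters(\'$connections\')[\'azuremonitorlogs\'][\'connectionId\']'
              }
            }
            method: 'post'
            // KQL sent to the connector's /queryData endpoint
            body: 'AzureDiagnostics | where Category == \'FrontDoorAccessLog\''
            path: '/queryData'
            queries: {
              subscriptions: subscription().subscriptionId
              resourcegroups: resourceGroup().name
              resourcetype: 'Log Analytics Workspace'
              resourcename: logAnalyticsWorkspace.name
              timerange: 'Last 4 hours'
            }
          }
        }
      }
      outputs: {}
    }
    parameters: {
      '$connections': {
        value: {
          azuremonitorlogs: {
            // Must match logConnection.properties.api.id, hence the same 'location' parameter
            id: subscriptionResourceId(
              'Microsoft.Web/locations/managedApis',
              location,
              'azuremonitorlogs'
            )
            connectionId: logConnection.id
            connectionName: 'azuremonitorlogs'
            // Authenticate to the connection as the workflow's system-assigned identity
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
          }
        }
      }
    }
  }
}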
// Assign monitor reader role to the identity
// NOTE(review): the symbolic name 'keyVaultRoleAssignment' looks like a leftover from a key vault
// template; the module grants a Log Analytics role, not a key vault one. The path is the module file
// on disk and is kept as written.
module keyVaultRoleAssignment './log-analytics-role-assignement.bicep' = {
  name: '${logMonitor.name}-log-analytics-rbac'
  params: {
    logAnalyticsWorkspaceName: logAnalyticsWorkspace.name
    // The workflow's system-assigned identity; referencing it here also orders the role
    // assignment after the workflow is created
    principalId: logMonitor.identity.principalId
    roleId: '43d0d8ad-25c7-4714-9337-8ba259a9fe05' // Monitoring Reader
  }
}