When creating a consumption Azure Logic App using Azure Bicep -
How do you create/configure Azure Active Directory Authorization Policies and set the
From the Azure Portal it's under Logic App > Authorization > Add Policy:
Logic App Authorization screen
Here's my bicep file:
param name string = 'testlogicapptb'
param location string = 'Australia Southeast'

resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: name
  location: location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
    }
    parameters: {}
    accessControl: {
      triggers: {
        allowedCallerIpAddresses: [
          {
            addressRange: '123.1.1.1-123.1.1.1'
          }
        ]
        //Doesn't work - just trying anything
        openAuthenticationPolicies: {
          policies: {
            name: 'test'
            type: 'AAD'
            issuer: 'https://123/'
            audience: '123'
            claim: {
              name: 'role'
              value: '123'
            }
          }
        }
      }
    }
  }
}
Here's the reference documentation but it doesn't describe how to format the policies and it just circles back around on itself.
If I search the web for anything related to OpenAuthenticationAccessPolicies I can't find anything or even know if I'm looking at the right thing.
I've tried exporting the ARM template and converting that to bicep - however the policies entered through the Portal do not come out in the export.
Even if it's not Bicep, how do I programmatically set these up?
main.bicep
@description('The name of the logic app to create.')
param logicAppName string = 'wbtestlogicapp'

@description('A test URI')
param testUri string = 'https://azure.status.microsoft/status/'

@description('Location for all resources.')
param location string = resourceGroup().location

var policyName = 'aadPolicyTest'
var frequency = 'Hour'
var interval = '1'
var type = 'recurrence'
var actionType = 'http'
var method = 'GET'

resource stg 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  tags: {
    displayName: logicAppName
  }
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        testUri: {
          type: 'string'
          defaultValue: testUri
        }
      }
      triggers: {
        recurrence: {
          type: type
          recurrence: {
            frequency: frequency
            interval: interval
          }
        }
      }
      actions: {
        actionType: {
          type: actionType
          inputs: {
            method: method
            uri: testUri
          }
        }
      }
    }
    accessControl: {
      triggers: {
        openAuthenticationPolicies: {
          policies: {
            '${policyName}': {
              type: 'AAD'
              claims: [
                {
                  name: 'iss'
                  value: 'https://sts.windows.net/2xxxxxxx-3a06-xxxxxxxxx-8a1e-xxxxxx/'
                }
                {
                  name: 'aud'
                  value: 'https://management.core.windows.net'
                }
                {
                  name: 'sub'
                  value: 'xxxxxxxxxxx-7d1e-4d9f-xxx-xxxxxxxxxxxxxxx'
                }
              ]
            }
          }
        }
      }
    }
  }
}

output name string = stg.name
output resourceId string = stg.id
output resourceGroupName string = resourceGroup().name
output location string = location
result
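The two templates above differ in the shape of `policies`: the question puts the policy fields directly under it, while the answer keys each policy by name and gives it a `claims` array. The following check is an added example, not code from either post; it lints the `accessControl` object of a compiled template for that shape. The function name, the placeholder values and the rule that an `iss` claim must be present are assumptions of this example.

```python
# Added example (not from the original posts): lint the accessControl object
# of a compiled Logic App template for the policy shape the answer uses.

def lint_open_auth_policies(access_control):
    """Return a list of problems found in triggers.openAuthenticationPolicies."""
    oap = access_control.get("triggers", {}).get("openAuthenticationPolicies")
    if not isinstance(oap, dict):
        return ["triggers.openAuthenticationPolicies is missing"]
    policies = oap.get("policies")
    if not isinstance(policies, dict) or not policies:
        return ["policies must be a non-empty object keyed by policy name"]
    if any(not isinstance(p, dict) for p in policies.values()):
        # The question's shape: name/type/issuer sit directly under 'policies'.
        return ["policy fields sit directly under 'policies'; nest them under a policy name"]
    problems = []
    for name, policy in policies.items():
        if policy.get("type") != "AAD":
            problems.append(f"{name}: type must be 'AAD'")
        claims = policy.get("claims")
        if not isinstance(claims, list) or not claims:
            problems.append(f"{name}: claims must be a non-empty array")
            continue
        names = set()
        for claim in claims:
            if isinstance(claim, dict) and set(claim) == {"name", "value"}:
                names.add(claim["name"])
            else:
                problems.append(f"{name}: each claim needs exactly 'name' and 'value'")
        # Assumption of this example: a policy without an issuer claim is an error.
        if "iss" not in names:
            problems.append(f"{name}: no 'iss' claim")
    return problems

# Constructed inputs mirroring the two shapes on this page (placeholder values).
QUESTION_SHAPE = {"triggers": {"openAuthenticationPolicies": {"policies": {
    "name": "test", "type": "AAD", "issuer": "https://123/", "audience": "123",
    "claim": {"name": "role", "value": "123"}}}}}
ANSWER_SHAPE = {"triggers": {"openAuthenticationPolicies": {"policies": {
    "aadPolicyTest": {"type": "AAD", "claims": [
        {"name": "iss", "value": "https://sts.windows.net/<tenant-id>/"},
        {"name": "aud", "value": "https://management.core.windows.net"},
        {"name": "sub", "value": "<object-id>"}]}}}}}

if __name__ == "__main__":
    for label, ac in (("question", QUESTION_SHAPE), ("answer", ANSWER_SHAPE)):
        print(label, lint_open_auth_policies(ac) or "ok")
```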