locked
Logic App Deployment via ARM Template Authenticating Salesforce (Sandbox) Connector RRS feed

  • Question

  • Has anyone been able to get the Sales Force connector to Sandbox(test.salesforce.com) working when the Logic App is deployed through an ARM template??

    I am deploying a Logic App that contains a Salesforce connection. Our goal is to deploy to multiple environments (DEV, TEST, PROD) using the ARM template and VSTS. In the lower environments (DEV/TEST), I want to point to the the Salesforce Sandbox (https://test.salesforce.com). In PROD use the production salesforce site. My ARM template has a variable to define the LoginUri. Locally I am able to pick the Salesforce Sandbox environment and the solution works great in VS2017 designer. When I deploy the ARM template to a DEV or TEST resource group via the ARM template, I am asked to Authorize the connector. In doing so the popup defaults to the production Salesforce site even though I deployed the ARM with the test URL parameter. So, I choose the "Use custom Domain" option and enter the domain test.salesforce.com. This authenticates, with the multi-factor authentication, just fine. But then I get an error below. Has anyone been able to get the connector to Sandbox working when the LA is deployed through an ARM template??

    ERROR:

    Logic App Error - Salesforce Sandbox connection

    Template Excerpt:

    THANKS!

    BEN

    Friday, June 1, 2018 5:54 PM

Answers

  • Hi Guys,

    Looks like we have to authenticate the SalesForce connection when you happen to re-deploy the api connection resource.

    But API Connection is not something you will often redeploy.  Mostly it is the Logic App definition which is redeployed multiple times. So, an optimal way is to separate the resource definition into two JSON files -- LAPP_definition.json to contain the Logic App definition and APIConnections_Definition.json file to contain the resource definition of the Web.Connections.

    While deploying to a new resource group for the first time only, ensure the APIConnections_Definition.json file is deployed before the Logic App definition. Then after making changes to the Logic App definition, redeploy only that LAPP_definition.json file containing Logic definition. 

    Also in the LAPP_definition.json file Ensure you remove the API connection from the dependencies [] so that the template will get successfully deployed in isolation. 

    The above approach works fine as we usually have limited resource groups to create (for dev, uat etc). So, you authenticate once through the portal when you create the resource group. 

    Thanking you,

    Mohamed Ibrahim

    Tuesday, September 18, 2018 9:18 AM

All replies

  • Hey Ben

    It looks like it's been some time since you have posted this question here. Even though you didn't get a resolution here yet, were you able to get this issue resolved through different means/methods?

    If so, would you kindly share the solution with us here so that others visiting this post can learn from it?
    Thursday, June 14, 2018 1:06 AM
  • Ben I'm having the exact same issue - glad to see I'm not the only one. I haven't figured it out yet but I will update here if I do. 

    A workaround is adding the SF connection directly in Azure from the Logic App designer, but I really don't want to do that. I want it in my ARM template and I understand having to authorize post deployment but it should be able to pick up the test sandbox and not fail with the grant issue.

    Thanks.

    Monday, September 17, 2018 4:38 PM
  • Mike any ideas on how to fix this? My template looks the same as Ben's and I have Azure Logic Apps as a connected app in Salesforce. 

    If I add the connection directly through the logic app designer, it works, but I want to do it through the ARM template.


    Thanks.

    Monday, September 17, 2018 4:39 PM
  • even i face the similar thing, whenever we deploy our resources we have to go and re-authenticate our API Connections

    Sujith

    Tuesday, September 18, 2018 6:35 AM
  • Hi Guys,

    Looks like we have to authenticate the SalesForce connection when you happen to re-deploy the api connection resource.

    But API Connection is not something you will often redeploy.  Mostly it is the Logic App definition which is redeployed multiple times. So, an optimal way is to separate the resource definition into two JSON files -- LAPP_definition.json to contain the Logic App definition and APIConnections_Definition.json file to contain the resource definition of the Web.Connections.

    While deploying to a new resource group for the first time only, ensure the APIConnections_Definition.json file is deployed before the Logic App definition. Then after making changes to the Logic App definition, redeploy only that LAPP_definition.json file containing Logic definition. 

    Also in the LAPP_definition.json file Ensure you remove the API connection from the dependencies [] so that the template will get successfully deployed in isolation. 

    The above approach works fine as we usually have limited resource groups to create (for dev, uat etc). So, you authenticate once through the portal when you create the resource group. 

    Thanking you,

    Mohamed Ibrahim

    Tuesday, September 18, 2018 9:18 AM
  • I don't think this is an answer. Even with a separate Json file for the API Connection template, we still have the same problem - that is:

    The connection created in Azure does not use the token:LoginUri that is deployed the Arm template

    I am doing the same as the OP, which is setting the nonSecretParameterValues -> token:LoginUri to be "https://test.salesforce.com". Once deployed and trying to Authorize, the connection always defaults to https://login.salesforce.com. Changing it at this point to use https://test.salesforce.com fails with the error that the OP has shown.

    What is the correct way to deploy a Salesforce API connection via Arm template that uses https://test.salesforce.com?

    Edit: Below is a sample Json file you can use to deploy a Salesforce API Connection that sets it's LoginUri to https://test.salesforce.com:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": { },
      "variables": { },
      "resources": [
        {
          "type": "Microsoft.Web/connections",
          "name": "test-salesforce-sandbox-connection",
          "apiVersion": "2016-06-01",
          "tags": { },
          "location": "australiaeast",
          "properties": {
            "api": {
              "id": "[concat('subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/salesforce')]"
            },
            "displayName": "test-salesforce-sandbox-connection",
            "nonSecretParameterValues": {
              "token:LoginUri": "https://test.salesforce.com",
              "salesforceApiVersion": "v43"
            }
          },
          "dependsOn": []
        }
      ],
      "outputs": {
      }
    }

    After deploying, when you try to Authorize this, you can see that it is using Production Salesforce, not using Sandbox

    When you change the domain in the authorization popup to test.salesforce.com, authorizing gives the error in the original post.


    • Edited by Glen Macdonald Friday, January 18, 2019 2:09 AM Added sample Json file
    Friday, January 18, 2019 12:53 AM
  • I'm having the same issue, don't seem to find a way to make it work from ARM templates. Has anyone found the solution for this yet? 

    It simply seems to ignore test.salesforce.com as provided in ARM. I have to create this connection manually from the Portal to make it work. 

    Thanks

    Sanjay

    Monday, July 29, 2019 1:32 AM
  • Instead of going to the connection. Open the Logic App in the portal. Head over to the action with Salesforce, click on information icon next to the salesforce connection that has been provisioned via ARM Template. 

    

    Here you will have an opportunity to choose Sandbox connection instead of production. 

    For some reason this selection is not available if you try to Authorize this directly from the connection. 

    Regards,

    Sanjay

    Monday, July 29, 2019 7:00 AM