Tracked Property expression that should be valid is not accepted

[TWolversonReply]

Describe the Bug

Using an HTTP action with a multipart/form-data body
Setting a trackedProperty on this action to any expression referencing action().inputs.body
Deployment from local filesystem via az group deployment create passing just the resource group name and the template file is rejected with the error message:

tracked properties can only reference its own action's inputs and outputs when secureData setting is not enabled

I have tried various permutations, including literally just copying the action input with @{action().inputs.body}. It does only reference the action's inputs, so at the very least, the error message is wrong - the reason it states for rejecting the deployment isn't valid.

I can only guess the reason is something to do with this being a multipart body, because doing very similar things for other HTTP actions in other logic apps works fine.

Plan Type

Consumption

Steps to Reproduce the Bug or Issue

1. use an expression including action().inputs.body as a tracked property of an HTTP multipart action
2. Deploy using AZ CLI

Workflow JSON

"Call_MyPGR_file_service": {
                  "runAfter": {
                    "Get_EIS_Internal_APIM_Subscription_key_for_MyPGR": [
                      "Succeeded"
                    ]
                  },
                  "type": "Http",
                  "inputs": {
                    "authentication": {
                      "password": "@body('Get_MyPGR_API_Key')?['value']",
                      "type": "Basic",
                      "username": "@parameters('MyPGRUsername')"
                    },
                    "body": {
                      "$content-type": "multipart/form-data; boundary=\"kqxmrpl41G904t7s345km\"",
                      "$multipart": [
                        {
                          "body": "@{body('Parse_Claim_Check_Message')?['StaffType']}Staff",
                          "headers": {
                            "Content-Disposition": "form-data; name=name"
                          }
                        },
                        {
                          "body": "@{binary(xml(json(body('Transform'))))}",
                          "headers": {
                            "Content-Disposition": "form-data; name=file; filename=@{body('Parse_Claim_Check_Message')?['StaffType']}Staff.xml",
                            "Content-Type": "application/xml"
                          }
                        }
                      ]
                    },
                    "headers": {
                      "Ocp-Apim-Subscription-Key": "@body('Get_EIS_Internal_APIM_Subscription_key_for_MyPGR')?['value']"
                    },
                    "method": "POST",
                    "uri": "@parameters('MyPGRUrl')"
                  },
                  "trackedProperties": {
                    "numberOfRecords": "@{action().inputs.body}"
                  }
                }

Screenshots or Videos

No response

Additional context

No response

AB#17581659

[VeeraMS]

Hi @TWolversonReply

Could you help me with the template you have used for deployment to test this and validate it.

[TWolversonReply]

I have just seen this recur for another template after setting secret outputs on a prior key vault action that retrieves the API key, where nothing else has changed and deployment of that template worked fine previously. In this case the expression is

"trackedProperties": {
                    "status": "@{json(action().outputs.body).status}"
                  }

This doesn't reference the key vault action's outputs at all, it's just taking a single json value from the output of the HTTP request action. If it is secret outputs that is causing this, that behaviour is wrong. It doesn't expose the secret at all.

[TWolversonReply]

I have further reproduced this in the Azure portal designer, where the same Logic App will refuse to save if the tracked properties field references the action's own outputs, and a secure output is referenced in the HTTP action's Headers section - but it will tolerate a secure output referenced in the Authorization section.

[VeeraMS]

Hi @TWolversonReply ,
Could you share the workflow definitions please.

[TWolversonReply]

Hi @TWolversonReply , Could you share the workflow definitions please.

Sorry, I cannot, this is a customer implementation that is commercial in confidence.

[VeeraMS]

Hi @TWolversonReply ,

Ok, No worries, could give me steps or expressions used to repro this error please.

Any screenshots that could help me to repro at my side , you can mask any confidential data .

[TWolversonReply]

See resource group template for a minimal example: https://gist.github.com/TWolversonReply/116e06ef1a7a466d5d56fb84b2c335c6

When setting the secure outputs property on the key vault action in "746-with-secure-outputs", I can't save it, and receive the linked error message in the portal: https://imgur.com/a/cSjFmwx

I amended the template for this logic app to what I would expect to work, and find I can't deploy it, with the same error message mentioned previously.

[github-actions]

This issue is stale because it has been open for 45 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 14 days since being marked as stale.

[TWolversonReply]

The stated resolution from a Microsoft support ticket was to use a compose action to capture the value required, and then refer to that action in the tracked property expression. action() captures the inputs and outputs of the action, and if the inputs are secret because they refer to a prior action's secret output, the action state itself is secret and can't be referenced in a tracking expression.