Upgrade to linux function app and use identity based storage connection for function app #226
Description
This is a follow-up to the PR which adds a timer-triggered function to the function app. Azure Functions use storage accounts to store the state and checkpoints for timer-triggered functions to ensure that they run on schedule and can recover from failures.
We've disabled account key access to the storage account for security reasons; we only temporarily enable it during deployment, so in order for the function app to run successfully, it needs to use a system-assigned managed identity to access the storage account.
I did not catch this during testing in previous PR because several invocations of functions were triggered during deployment where account key access was enabled.
Implementation
I upgraded `azurerm_function_app` to `azurerm_linux_function_app` for two reasons:

- `azurerm_function_app` has been deprecated in provider 3.0 and will be removed in 4.0
- `storage_uses_managed_identity` is only available in `azurerm_linux_function_app` and it allows the function app to use managed identity instead of account key

I also disabled remote build because it relies on the account access key, and enabled local build & deploy to the Azure Functions runtime.
How to build & deploy it?

1. `AzureWebJobsStorage = {connection string}` has to be configured in `function.tf/azurerm_linux_function_app/app_settings`, but it will be deleted in the next step. Then deploy.
2. Delete `AzureWebJobsStorage` from `function.tf/azurerm_linux_function_app/app_settings` and add `"WEBSITE_RUN_FROM_PACKAGE" = "https://{storageAccount}.blob.core.windows.net/function-releases/xxx.zip"`. `WEBSITE_RUN_FROM_PACKAGE` can be found in the environment variables section of the function app page. Deploy again:

   ```
   ./bin/deploy -t terraform/staging
   ```

   This step will not move forward because `AzureWebJobsStorage` is not configured and it will throw the following error:

   ```
   Azure Functions Core Tools does not support this deployment path. Please configure the app to deploy from a remote package using the steps here: https://aka.ms/deployfromurl
   ```

   But `AzureWebJobsStorage_accountName` is used for identity-based storage connection from now on.
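The Terraform shape the description refers to, as an added example (this is not the PR's `function.tf` and not the project's code): a storage account with key access left off, an `azurerm_linux_function_app` with `storage_uses_managed_identity = true` and a system-assigned identity, and the data-plane role that lets the host reach the account without a key. With `storage_uses_managed_identity` the provider emits the `AzureWebJobsStorage__accountName` setting (double underscore) rather than a connection string, so no long-lived storage secret sits in app settings. Resource names, the resource group and service plan references, the role choice and the package path are assumptions; `Storage Blob Data Owner` is the role Microsoft documents for an identity-based `AzureWebJobsStorage` connection, and it also covers reading the package blob that `WEBSITE_RUN_FROM_PACKAGE` points at.

```hcl
# Added example, not the PR's own function.tf. Names and the rg/plan
# references are assumptions; replace them with the project's own.

resource "azurerm_storage_account" "func" {
  name                     = "stfuncexample" # assumed name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Account-key access stays disabled; the function host must authenticate
  # with its identity, so a leaked app setting no longer yields a key.
  shared_access_key_enabled = false
}

resource "azurerm_linux_function_app" "func" {
  name                = "func-example" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id # assumed to exist

  # Identity-based connection: the provider sets AzureWebJobsStorage__accountName
  # instead of AzureWebJobsStorage = <connection string>.
  storage_account_name          = azurerm_storage_account.func.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    # Package is built locally and uploaded to the account; "xxx.zip" is a placeholder.
    "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func.name}.blob.core.windows.net/function-releases/xxx.zip"
  }
}

# Without a data-plane role the host cannot take the blob leases and write the
# checkpoints the timer trigger depends on, and the function silently stops
# firing once key access is off. Scope the role to this one account.
resource "azurerm_role_assignment" "func_storage" {
  scope                = azurerm_storage_account.func.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_linux_function_app.func.identity[0].principal_id
}
```

A quick check after `terraform apply`: the function app's configuration should show `AzureWebJobsStorage__accountName` and no `AzureWebJobsStorage` entry, and a manual run of the timer function should succeed with `shared_access_key_enabled = false` still in force. If it only runs while key access is temporarily enabled during deployment, the role assignment (or the identity) is missing, which is exactly the symptom the description reports from the previous PR.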
How Has This Been Tested?
After local deploy, check if the function can be triggered manually and periodically in the UI. However, this will cause build & deploy of the function app in the pipeline to fail due to the reasons mentioned above.