Open sinedied opened 2 weeks ago
Hm, my Python ones are working? https://github.com/pamelafox/simple-flask-api-azure-function/pull/15/files
@pamelafox did you try deploying from scratch? When trying with Node functions, deployment succeeds but all my functions return 404 when called
I believe I did, but I can tear down the group from scratch and confirm.
@sinedied Does it work if you set scmDoBuildDuringDeployment to false in functions.bicep? I read through the documentation, I couldn't quite find where it states that "remote build doesn't work with managed identities". This may however align with @pamelafox's previous findings, that: "Linux-based Python functions with managed identities wasn't working quite as expected", and she was waiting for azd to support flex consumption function apps.
For context, since there was a comment made on #4003:
WEBSITE_RUN_FROM_PACKAGE or SCM_DO_BUILD_DURING_DEPLOYMENT are fully deprecated. The variable is instead specified at deployment time. Managed identity with AzureWebJobsStorage__accountName works in this model, there isn't a limitation to disable remote build.
WEBSITE_RUN_FROM_PACKAGE or SCM_DO_BUILD_DURING_DEPLOYMENT are specified in Bicep, so if there is a need to disable this, users do have the ability to configure it outside of azd (I think this is the scenario you're running into). I would note that this is a rather strange limitation if it exists.
I did test mine from scratch as well by the way, and it also seemed to work. I do get errors when I try to specify those old variables, but if I just remove them, it seems like it does the build.
@weikanglim this is the part in the doc where it's mentioned (here in the "important" note: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#edit-the-azurewebjobsstorage-configuration):
Similarly, AzureWebJobsStorage is used for deployment artifacts when using server-side build in Linux Consumption. When you enable identity-based connections for AzureWebJobsStorage in Linux Consumption, you will need to deploy via an external deployment package.
I tried to create a simple repro repository of the issue, and these are my results
azd up)
azd env set USE_STORAGE_MANAGED_IDENTITY true && azd up)
scmDoBuildDuringDeployment and enableOryxBuild, it has no effect
(to repro: azd env set USE_VNET true && azd up)
@sinedied Hm, looking at this line: https://github.com/sinedied/node-functions-vnet/blob/main/infra/main.bicep#L103 Shouldn't that be Flex for useStorageManagedIdentity too? The azd code checks the service plan, I think, when it's deciding how to deploy the code.
Storage managed identity works with consumption plan, so I would like to keep it that way.
BTW I've updated the repo, and now I have the full working infra with vnet for storage and functions and SWA linked backend. Deployment works with func CLI, but not AZD, same when using managed identity only.
using managed identity / vnet with flex consumption API => does not deploy
Apologies for not mentioning this earlier. For flex consumption, until the bits are released, if you'd like to deploy with azd, you'll need to grab a daily build, the support is coming out with the next release. The 404 error you're seeing is what I would expect in the current latest build without the working flex consumption bits.
Regarding normal Linux consumption:
you will need to deploy via an external deployment package.
I'm wondering if when the doc says "an external deployment package" it means to pre-create a blob storage container, and then set WEBSITE_RUN_FROM_PACKAGE to the storage container URL directly. This limitation seems rather heavy. I'm not sure what func CLI is doing yet for this scenario, but I'll try it out later today.
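The documentation note quoted in this thread (identity-based AzureWebJobsStorage on Linux Consumption requires an external deployment package) can be turned into a pre-deployment check over a function app's settings. This is an added example, not code from the thread, azd or func; the plan label, the finding names and the sample settings are constructed for illustration, and the SAS check is an extra assumption that an identity-only setup should not store a signed URL.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical plan label for this example, not an Azure SKU identifier.
LINUX_CONSUMPTION = "linux-consumption"


def check_identity_storage(plan, settings):
    """Return findings for app settings that use identity-based AzureWebJobsStorage."""
    findings = []
    identity_based = ("AzureWebJobsStorage__accountName" in settings
                      and "AzureWebJobsStorage" not in settings)
    if plan != LINUX_CONSUMPTION or not identity_based:
        return findings

    # Server-side (remote) build keeps its artifacts via AzureWebJobsStorage.
    if str(settings.get("SCM_DO_BUILD_DURING_DEPLOYMENT", "")).lower() == "true":
        findings.append("remote-build-enabled")

    # The package has to come from an external URL instead.
    url = urlparse(str(settings.get("WEBSITE_RUN_FROM_PACKAGE", "")))
    if url.scheme != "https" or not url.netloc:
        findings.append("no-external-package-url")
    elif "sig" in parse_qs(url.query):
        # A SAS signature in the setting reintroduces a stored secret.
        findings.append("package-url-carries-sas")
    return findings


# Constructed sample settings (account and container names are placeholders).
REMOTE_BUILD = {"AzureWebJobsStorage__accountName": "stexample",
                "SCM_DO_BUILD_DURING_DEPLOYMENT": "true"}
SAS_PACKAGE = {"AzureWebJobsStorage__accountName": "stexample",
               "WEBSITE_RUN_FROM_PACKAGE":
                   "https://stexample.blob.core.windows.net/pkg/app.zip?sv=x&sig=abc"}
EXTERNAL_PACKAGE = {"AzureWebJobsStorage__accountName": "stexample",
                    "WEBSITE_RUN_FROM_PACKAGE":
                        "https://stexample.blob.core.windows.net/pkg/app.zip"}

if __name__ == "__main__":
    for name, sample in [("remote build", REMOTE_BUILD), ("SAS url", SAS_PACKAGE),
                         ("external package", EXTERNAL_PACKAGE)]:
        print(name, check_identity_storage(LINUX_CONSUMPTION, sample))
```
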
@sinedied With the sample repository, I tried to provision with USE_STORAGE_MANAGED_IDENTITY=true.
In the Portal, I see a warning:
Trying to deploy using func, I get a similar error:
The experimentation for me doesn't convince me that function apps, without being on flex consumption plan, work seamlessly without AzureWebJobsStorage. I know you had better luck in your prior experimentation which is interesting.
You're right, when using managed identity the deployment using func CLI does not work.
Looking at the docs it seems we have to use WEBSITE_RUN_FROM_PACKAGE=<URL> and manually upload the zip package to the container.
Regarding the AZD daily build, I just tried installing it (version returns azd version 1.10.0-beta.1-daily.3865598 (commit f1e42702ca796b58210f9818ad45829a8c746fa7)) and I still have the same error when deploying the vnet (flex-consumption) version:
Output from azd version
azd version 1.9.3 (commit e1624330dcc7dde440ecc1eda06aac40e68aa0a3)
Describe the bug
Currently AZD uses remote builds when deploying Node/Python Function apps (see related https://github.com/Azure/azure-dev/issues/368).
However, when enabling managed identity for the Functions backing storage (following the docs here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#use-managed-identity-for-azurewebjobsstorage), we also need to disable remote builds, as in that case WEBSITE_RUN_FROM_PACKAGE needs to be enabled.
To Reproduce
AzureWebJobsStorage__accountName)
Deployment reports no error, but the function app doesn't work.
Expected behavior
Default AZD behavior is suitable for most use cases, but we should have an option to enable disabling remote build and enabling WEBSITE_RUN_FROM_PACKAGE option in azure.yaml file.
Environment
Information on your environment: