This is a follow-up to the PR which adds a timer-triggered function to the function app. Azure Functions use storage accounts to store the state and checkpoints for timer-triggered functions, to ensure that they run on schedule and can recover from failures.
We've disabled account key access to the storage account for security reasons and only temporarily enable it during deployment, so for the function app to run successfully it needs to use its system-assigned managed identity to access the storage account.
I did not catch this during testing in the previous PR because several invocations of the functions were triggered during deployment, while account key access was enabled.
Implementation
I upgraded azurerm_function_app to azurerm_linux_function_app for two reasons:
In the Terraform docs, azurerm_function_app has been deprecated in provider 3.0 and will be removed in 4.0.
storage_uses_managed_identity is only available in azurerm_linux_function_app, and it allows the function app to use managed identity instead of the account key.
I also disabled remote build, because it relies on the account access key, and enabled local build & deploy to the Azure Functions runtime.
How to build & deploy it?
local build: install dependencies
cd pcfuncs
pip install --target=".python_packages/lib/site-packages" -r requirements.txt
Due to this issue with Azure Core Tools, AzureWebJobsStorage = {connection string} has to be configured in function.tf/azurerm_linux_function_app/app_settings, but it will be deleted in the next step. Then deploy:
Remove AzureWebJobsStorage from function.tf/azurerm_linux_function_app/app_settings and add "WEBSITE_RUN_FROM_PACKAGE"="https://{storageAccount}.blob.core.windows.net/function-releases/xxx.zip". The WEBSITE_RUN_FROM_PACKAGE value can be found in the environment variables section of the function app page. Deploy again: ./bin/deploy -t terraform/staging
This step will not move forward, because AzureWebJobsStorage is not configured and it throws the following error:
Azure Functions Core Tools does not support this deployment path. Please configure the app to deploy from a remote package using the steps here: https://aka.ms/deployfromurl
But AzureWebJobsStorage_accountName is used for the identity-based storage connection from now on.
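As an added illustration (not this PR's own function.tf), here is the shape of the azurerm_linux_function_app configuration described above: the storage account keeps shared keys disabled, the app connects through its system-assigned identity via storage_uses_managed_identity, the package is run from blob storage, and no AzureWebJobsStorage connection string appears in app_settings. Resource names, the resource group, the service plan, the Python version and the package URL are placeholders.

```hcl
# Added example, not the PR's function.tf. Names, resource group, service plan
# and package URL are placeholders.
resource "azurerm_storage_account" "func" {
  name                     = "examplefuncstorage" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # Key-based access stays off; nothing below needs a connection string.
  shared_access_key_enabled = false
}

resource "azurerm_linux_function_app" "pcfuncs" {
  name                = "example-pcfuncs" # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Identity-based storage connection: the provider configures the runtime
  # with the account name (AzureWebJobsStorage__accountName) instead of a
  # key-bearing AzureWebJobsStorage connection string.
  storage_account_name          = azurerm_storage_account.func.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {
    application_stack {
      python_version = "3.9" # assumption
    }
  }

  app_settings = {
    # Run the locally built zip from blob storage (no remote build).
    "WEBSITE_RUN_FROM_PACKAGE" = "https://examplefuncstorage.blob.core.windows.net/function-releases/PLACEHOLDER.zip"
    # Deliberately no "AzureWebJobsStorage" connection string here.
  }
}

# The app's identity must be allowed to read the package and to write the
# timer-trigger host state (leases, checkpoints) in the storage account.
resource "azurerm_role_assignment" "func_storage" {
  scope                = azurerm_storage_account.func.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
}
```

With shared_access_key_enabled = false, a leftover AzureWebJobsStorage connection string would fail at runtime anyway, so its absence from app_settings is the expected end state, not an omission.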
Type of change
[x] Bug fix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] This change requires a documentation update
How Has This Been Tested?
After the local deploy, check in the UI that the function can be triggered manually and periodically. However, this will cause the build & deploy of the function app in the pipeline to fail, for the reasons mentioned above.