microsoft / planetary-computer-apis

Planetary Computer APIs
MIT License

Upgrade to linux function app and use identity based storage connection for function app #226

Closed elayrocks closed 5 months ago

elayrocks commented 5 months ago

Description

This is a follow-up to the PR which adds a timer-triggered function to the function app. Azure Functions use storage accounts to store the state and checkpoints for timer-triggered functions to ensure that they run on schedule and can recover from failures.

We've disabled account key access to the storage account for security reasons and only temporarily enable it during deployment, so in order for the function app to run successfully it needs to use a system-assigned managed identity to access the storage account.

I did not catch this during testing in the previous PR because several invocations of the functions were triggered during deployment, while account key access was enabled.

Implementation

I upgraded azurerm_function_app to azurerm_linux_function_app for two reasons:

  1. In the Terraform docs, azurerm_function_app has been deprecated in provider 3.0 and will be removed in 4.0.
  2. storage_uses_managed_identity is only available in azurerm_linux_function_app, and it allows the function app to use a managed identity instead of the account key.

I also disabled remote build because it relies on the account access key, and enabled local build & deploy to the Azure Functions runtime.

How to build & deploy it?

  1. Local build: install the dependencies
    cd pcfuncs
    pip install --target=".python_packages/lib/site-packages" -r requirements.txt
  2. Due to this issue with Azure Core Tools, AzureWebJobsStorage = {connection string} has to be configured in function.tf/azurerm_linux_function_app/app_settings, but it will be deleted in the next step. Then deploy:
    ./scripts/console --deploy
    ./bin/deploy -t terraform/staging
  3. Remove AzureWebJobsStorage from function.tf/azurerm_linux_function_app/app_settings and add "WEBSITE_RUN_FROM_PACKAGE"="https://{storageAccount}.blob.core.windows.net/function-releases/xxx.zip". WEBSITE_RUN_FROM_PACKAGE can be found in the environment variables section of the function app page. Then deploy again:
    ./bin/deploy -t terraform/staging

This step will not move forward because AzureWebJobsStorage is not configured, and it will throw the following error: "Azure Functions Core Tools does not support this deployment path. Please configure the app to deploy from a remote package using the steps here: https://aka.ms/deployfromurl". But AzureWebJobsStorage__accountName is used for the identity-based storage connection from now on.

How Has This Been Tested?

After the local deploy, check whether the function can be triggered manually and periodically in the UI. However, this will cause the build & deploy of the function app in the pipeline to fail due to the reasons mentioned above.

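The Terraform shape the PR describes, written out as an added example that is not the repository's own function.tf: an azurerm_linux_function_app with storage_uses_managed_identity, a system-assigned identity, and the data-plane role assignments the identity needs on the storage account. Resource names, the resource group, the plan SKU, the Python version, the role set (Storage Blob Data Owner plus Storage Queue Data Contributor) and the SCM_DO_BUILD_DURING_DEPLOYMENT / ENABLE_ORYX_BUILD settings used to turn off remote build are assumptions, and the package blob name is a placeholder.

```hcl
# Added example (not code from microsoft/planetary-computer-apis): a Linux
# function app that reaches its storage account with its own managed identity
# instead of an account key. All names below are assumed.

resource "azurerm_resource_group" "rg" {
  name     = "pcfuncs-example-rg" # assumed name
  location = "westeurope"         # assumed region
}

resource "azurerm_storage_account" "func" {
  name                     = "pcfuncsexample" # assumed name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Key access stays off; the PR description says it is only enabled
  # temporarily during deployment, so a pipeline would toggle this value.
  shared_access_key_enabled = false
}

resource "azurerm_service_plan" "func" {
  name                = "pcfuncs-plan" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "Y1" # assumed consumption plan
}

resource "azurerm_linux_function_app" "func" {
  name                = "pcfuncs-example" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.func.id

  # Identity-based host storage: no storage_account_access_key anywhere, and the
  # host is pointed at the account via AzureWebJobsStorage__accountName rather
  # than a connection string.
  storage_account_name          = azurerm_storage_account.func.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {
    application_stack {
      python_version = "3.9" # assumed runtime
    }
  }

  app_settings = {
    # Package built locally and uploaded to blob storage; plain blob URL, so no
    # SAS token or key is embedded in the setting. <package> is a placeholder.
    "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func.name}.blob.core.windows.net/function-releases/<package>.zip"

    # Remote (Oryx) build disabled because it depends on the account key
    # (assumed settings for doing so).
    "SCM_DO_BUILD_DURING_DEPLOYMENT" = "false"
    "ENABLE_ORYX_BUILD"              = "false"
  }
}

# Without data-plane roles the identity authenticates but is not authorised, so
# the timer trigger cannot persist its schedule state and quietly stops firing.
resource "azurerm_role_assignment" "blob_owner" {
  scope                = azurerm_storage_account.func.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_linux_function_app.func.identity[0].principal_id
}

resource "azurerm_role_assignment" "queue_contributor" {
  scope                = azurerm_storage_account.func.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = azurerm_linux_function_app.func.identity[0].principal_id
}
```

The check that matters after apply is the one the PR description gives: with key access disabled, confirm in the portal that the timer function still fires on schedule. If it runs only while keys are enabled, the host is still resolving a connection string somewhere (for example a leftover AzureWebJobsStorage setting) rather than the identity-based AzureWebJobsStorage__accountName.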