Use WEBSITE_RUN_FROM_PACKAGE in azure functions for deployment #246

Merged
merged 3 commits into from
Jul 3, 2024

Conversation

msftrubengu
Contributor

Azure Storage File Share doesn’t currently support managed identities. This is used by the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING environment variable and is required for azure functions that use a consumption plan.

There is a workaround to use WEBSITE_RUN_FROM_PACKAGE where one needs to upload the azure function zip package into a storage account that is accessible to the function app. The main downside is that there is a 15-second cold start.

For this to work the release needs to be modified to not use the AzFunc deploy task as it is not supported. We have a task group that is specialized in azure function deployment. I modified that task with the following.

  • Upload the zip package into the storage account used for the function. I'm uploading it into a deployments container and the name is the $(Release.ReleaseName)-$(Release.AttemptNumber).zip name to keep it unique.
  • Set WEBSITE_RUN_FROM_PACKAGE to the full URL of the blob in the container. For this, I'm taking advantage of the multiple parameter files deployment to dynamically generate a parameters file with the new runFromPackageUrl parameter by deserializing azurefunction.deployment.json and setting the full URL at release time. Then it is just passing that file as another parameter file.
  • Deploy function app. Before, we used to just run the ARM templates that will basically reset the function app. Internally they will use the zip to make the deployment.
  • The managed identity used for deployment must have contributor roles to the storage account in order to upload the zip package.
  • The managed identity of the azure function app must have at least reader roles to the storage account where the blob is updated. Each function app already has contributor roles to the storage account, so instead of using user assigned managed identities, I'm using the system assigned identity of the function app.

With these we completely remove the need to use access keys in the storage accounts used for azure functions.
I also moved away from app registrations to user assigned managed identities for deployment.

@msftrubengu msftrubengu requested a review from a team as a code owner July 2, 2024 21:49
@msftrubengu msftrubengu merged commit 24e1da8 into main Jul 3, 2024
7 checks passed
@msftrubengu msftrubengu deleted the blob_deployment branch July 3, 2024 17:21
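
The release-time step described in the PR, sketched as an added example (not code from this pull request or the project): it builds the blob URL, emits an extra ARM parameters file carrying `runFromPackageUrl`, and checks rendered app settings for leftover key-based values. The function names, the sample account name and the generated file's shape are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

PARAMS_SCHEMA = ("https://schema.management.azure.com/schemas/"
                 "2019-04-01/deploymentParameters.json#")

def package_blob_url(account, release_name, attempt, container="deployments"):
    """URL of the uploaded zip, named <ReleaseName>-<AttemptNumber>.zip."""
    if not re.fullmatch(r"[a-z0-9]{3,24}", account):
        raise ValueError(f"invalid storage account name: {account!r}")
    blob = f"{release_name}-{attempt}.zip"
    if not re.fullmatch(r"[A-Za-z0-9._-]+", blob):
        raise ValueError(f"unexpected characters in blob name: {blob!r}")
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"

def run_from_package_parameters(url):
    """Extra ARM parameters file content carrying only runFromPackageUrl."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.query:
        # A query string here would be a SAS token: a secret in an app setting.
        raise ValueError("expected an https blob URL with no SAS query string")
    return {"$schema": PARAMS_SCHEMA, "contentVersion": "1.0.0.0",
            "parameters": {"runFromPackageUrl": {"value": url}}}

def key_based_settings(app_settings):
    """Names of app settings that still rely on a storage key or SAS token."""
    return sorted(
        name for name, value in app_settings.items()
        if name == "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"
        or "AccountKey=" in value or "sig=" in value)

if __name__ == "__main__":
    url = package_blob_url("contosofuncstore", "Release-42", 1)  # constructed
    print(json.dumps(run_from_package_parameters(url), indent=2))
    rendered = {  # constructed app settings, as a template might render them
        "WEBSITE_RUN_FROM_PACKAGE": url,
        "AzureWebJobsStorage__accountName": "contosofuncstore",
        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING":
            "DefaultEndpointsProtocol=https;AccountName=contosofuncstore;"
            "AccountKey=<placeholder>",
    }
    print("still key-based:", key_based_settings(rendered))
```

Running the settings check as a release gate fails the deployment early if a template still renders an access key or SAS token.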