Update Azure Functions deployment to use managed identities
dayland committed Aug 2, 2024
1 parent 3b4d713 commit 761020b
Showing 9 changed files with 59 additions and 20 deletions.
2 changes: 1 addition & 1 deletion functions/FileFormRecPollingPDF/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "queueTrigger",
"direction": "in",
"queueName": "pdf-polling-queue",
"connection": ""
"connection": "AzureStorageConnection1"
}
]
}
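Review bot: The connection name `AzureStorageConnection1` is now hard-coded in this file and in the five sibling sections of this commit (FileFormRecSubmissionPDF, FileLayoutParsingOther, FileUploadedFunc, ImageEnrichment, TextEnrichment), and nothing ties it to the `AzureStorageConnection1__*` app settings added in infra/core/host/functions/functions.tf except the spelling, so a drift between the two only surfaces at runtime when the trigger cannot resolve its connection. function.json has no comment syntax, so the cross-reference belongs on the Terraform side, e.g. `# Prefix referenced by "connection" in every functions/*/function.json; keep the two in sync` above the `AzureStorageConnection1__accountName` line. The queue triggers also need the functions identity to hold the queue data-plane roles; main.tf already has `fuctionApp_StorageBlobDataOwner` and this commit adds `fuctionApp_StorageAccountContributor`, but no queue-data role for the functions identity is visible in this diff, so confirm it is assigned elsewhere.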
2 changes: 1 addition & 1 deletion functions/FileFormRecSubmissionPDF/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "queueTrigger",
"direction": "in",
"queueName": "pdf-submit-queue",
"connection": ""
"connection": "AzureStorageConnection1"
}
]
}
2 changes: 1 addition & 1 deletion functions/FileLayoutParsingOther/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "queueTrigger",
"direction": "in",
"queueName": "non-pdf-submit-queue",
"connection": ""
"connection": "AzureStorageConnection1"
}
]
}
2 changes: 1 addition & 1 deletion functions/FileUploadedFunc/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "blobTrigger",
"direction": "in",
"path": "upload",
"connection": ""
"connection": "AzureStorageConnection1"
}
],
"retry": {
2 changes: 1 addition & 1 deletion functions/ImageEnrichment/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "queueTrigger",
"direction": "in",
"queueName": "image-enrichment-queue",
"connection": ""
"connection": "AzureStorageConnection1"
}
]
}
2 changes: 1 addition & 1 deletion functions/TextEnrichment/function.json
Expand Up @@ -6,7 +6,7 @@
"type": "queueTrigger",
"direction": "in",
"queueName": "text-enrichment-queue",
"connection": ""
"connection": "AzureStorageConnection1"
}
]
}
4 changes: 2 additions & 2 deletions infra/core/db/cosmosdb.tf
Expand Up @@ -35,7 +35,7 @@ resource "azurerm_cosmosdb_account" "cosmosdb_account" {
kind = "GlobalDocumentDB"
tags = var.tags
public_network_access_enabled = var.is_secure_mode ? false : true
#local_authentication_disabled = var.is_secure_mode ? true : false
local_authentication_disabled = var.is_secure_mode ? true : false

consistency_policy {
consistency_level = var.defaultConsistencyLevel
Expand Down Expand Up @@ -65,7 +65,7 @@ resource "azurerm_cosmosdb_sql_container" "log_container" {
account_name = azurerm_cosmosdb_account.cosmosdb_account.name
database_name = azurerm_cosmosdb_sql_database.log_database.name

partition_key_path = "/file_name"
partition_key_paths = ["/file_name"]
}

data "azurerm_subnet" "subnet" {
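Review bot: `local_authentication_disabled = var.is_secure_mode ? true : false` only turns off key-based access to Cosmos DB in secure mode, so the default deployment keeps account keys usable even though access is being moved to RBAC (`azurerm_cosmosdb_sql_role_assignment` in infra/main.tf); if that is deliberate, record it, e.g. `# Key auth stays enabled outside secure mode; apps authenticate through the RBAC role assignments in main.tf`, otherwise consider disabling it unconditionally. The ternary can simply be `local_authentication_disabled = var.is_secure_mode`. In the second hunk `partition_key_paths = ["/file_name"]` appears to be the newer provider attribute; the provider version constraint is outside this diff, so confirm it was raised alongside.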
28 changes: 17 additions & 11 deletions infra/core/host/functions/functions.tf
Expand Up @@ -98,21 +98,21 @@ resource "azurerm_linux_function_app" "function_app" {
site_config {
application_stack {
docker {
image_name = "${var.container_registry}/functionapp"
image_tag = "latest"
registry_url = "https://${var.container_registry}"
registry_username = var.container_registry_admin_username
registry_password = var.container_registry_admin_password
image_name = "${var.container_registry}/functionapp"
image_tag = "latest"
registry_url = "https://${var.container_registry}"
registry_username = var.container_registry_admin_username
registry_password = var.container_registry_admin_password
}
}
container_registry_use_managed_identity = true
always_on = true
http2_enabled = true
ftps_state = var.is_secure_mode ? "Disabled" : var.ftpsState
container_registry_use_managed_identity = true
always_on = true
http2_enabled = true
ftps_state = var.is_secure_mode ? "Disabled" : var.ftpsState
cors {
allowed_origins = concat([var.azure_portal_domain, "https://ms.portal.azure.com"], var.allowedOrigins)
allowed_origins = concat([var.azure_portal_domain, "https://ms.portal.azure.com"], var.allowedOrigins)
}
vnet_route_all_enabled = var.is_secure_mode ? true : false
vnet_route_all_enabled = var.is_secure_mode ? true : false
}

identity {
Expand All @@ -136,6 +136,12 @@ resource "azurerm_linux_function_app" "function_app" {
AzureWebJobsStorage__fileServiceUri = "https://${var.blobStorageAccountName}.file.${var.endpointSuffix}"
AzureWebJobsSecretStorageKeyVaultUri = data.azurerm_key_vault.existing.vault_uri
AzureWebJobsSecretStorageType = "keyvault"

AzureStorageConnection1__accountName = var.blobStorageAccountName
AzureStorageConnection1__blobServiceUri = "https://${var.blobStorageAccountName}.blob.${var.endpointSuffix}"
AzureStorageConnection1__queueServiceUri = "https://${var.blobStorageAccountName}.queue.${var.endpointSuffix}"
AzureStorageConnection1__tableServiceUri = "https://${var.blobStorageAccountName}.table.${var.endpointSuffix}"
AzureStorageConnection1__fileServiceUri = "https://${var.blobStorageAccountName}.file.${var.endpointSuffix}"

FUNCTIONS_WORKER_RUNTIME = var.runtime
FUNCTIONS_EXTENSION_VERSION = "~4"
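Review bot: The new `AzureStorageConnection1__*` settings set no `AzureStorageConnection1__credential`, which as far as I understand makes the host resolve the connection with the app's system-assigned identity; that only holds if the `identity {}` block starting just below this hunk is system-assigned, and a user-assigned identity would additionally need `__credential = "managedidentity"` and `__clientId`. Worth a comment above `AzureStorageConnection1__accountName`, e.g. `# Identity-based storage connection referenced by functions/*/function.json; with no __credential the system-assigned identity is used`. The four service URIs duplicate the `AzureWebJobsStorage__*` values visible in the context lines, so a single local for the storage base URIs would keep them from drifting. In the first hunk `registry_username` and `registry_password` are still passed alongside `container_registry_use_managed_identity = true`; if the identity is what pulls the image, the admin credentials are redundant and keep a secret in site config and state.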
35 changes: 34 additions & 1 deletion infra/main.tf
Expand Up @@ -739,6 +739,17 @@ module "functionApp_CognitiveServicesUser" {
resourceGroupId = azurerm_resource_group.rg.id
}

module "enrichmentApp_CognitiveServicesUser" {
source = "./core/security/role"

scope = azurerm_resource_group.rg.id
principalId = module.enrichmentApp.identityPrincipalId
roleDefinitionId = local.azure_roles.CognitiveServicesUser
principalType = "ServicePrincipal"
subscriptionId = data.azurerm_client_config.current.subscription_id
resourceGroupId = azurerm_resource_group.rg.id
}

module "enrichmentApp_StorageQueueDataContributor" {
source = "./core/security/role"

Expand Down Expand Up @@ -799,7 +810,7 @@ module "encrichmentApp_SearchIndexDataReader" {

scope = azurerm_resource_group.rg.id
principalId = module.enrichmentApp.identityPrincipalId
roleDefinitionId = local.azure_roles.SearchIndexDataReader
roleDefinitionId = local.azure_roles.SearchIndexDataContributor
principalType = "ServicePrincipal"
subscriptionId = data.azurerm_client_config.current.subscription_id
resourceGroupId = azurerm_resource_group.rg.id
Expand All @@ -816,6 +827,28 @@ module "fuctionApp_StorageBlobDataOwner" {
resourceGroupId = azurerm_resource_group.rg.id
}

module "enrichmentApp_StorageBlobDataOwner" {
source = "./core/security/role"

scope = azurerm_resource_group.rg.id
principalId = module.enrichmentApp.identityPrincipalId
roleDefinitionId = local.azure_roles.StorageBlobDataOwner
principalType = "ServicePrincipal"
subscriptionId = data.azurerm_client_config.current.subscription_id
resourceGroupId = azurerm_resource_group.rg.id
}

module "fuctionApp_StorageAccountContributor" {
source = "./core/security/role"

scope = azurerm_resource_group.rg.id
principalId = module.functions.identityPrincipalId
roleDefinitionId = local.azure_roles.StorageAccountContributor
principalType = "ServicePrincipal"
subscriptionId = data.azurerm_client_config.current.subscription_id
resourceGroupId = azurerm_resource_group.rg.id
}

resource "azurerm_cosmosdb_sql_role_assignment" "webApp_cosmosdb_data_contributor" {
resource_group_name = azurerm_resource_group.rg.name
account_name = module.cosmosdb.name
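Review bot: `module "fuctionApp_StorageAccountContributor"` grants a control-plane role at resource-group scope, and as far as I recall that role includes `Microsoft.Storage/storageAccounts/listKeys/action`, so the functions identity can still fetch account keys for every storage account in the group, which works against the key-less intent of this commit. If the blob trigger's identity-based connection genuinely needs it, state that in a comment, e.g. `# Needed by the blob trigger over the identity-based connection; this role includes listKeys, so keep the scope narrow`, and scope it to the storage account id rather than `azurerm_resource_group.rg.id` (the same narrowing applies to the new `enrichmentApp_StorageBlobDataOwner`). In the earlier hunk `module "encrichmentApp_SearchIndexDataReader"` now assigns `local.azure_roles.SearchIndexDataContributor`, so the module name misstates the grant; renaming it changes the Terraform state address and would need a `moved` block or a state move, so at minimum a comment on that line explaining the widened role is warranted.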

0 comments on commit 761020b

Please sign in to comment.