Az Function App PowerShell

Deploy Azure Functions to Azure Function App using ARM (Cross Tenant)

Environment:

  • Azure functions code resides in tenant X (Az DevOps). Azure Cloud is in tenant Y. X and Y tenant’s are restricted to communictae.
  • Source code is in extetnal git and no access to user A (Deployment Engineer).
  • PAT is adviced to use than GIT Credentials (Heard from Security Advisor)

Note: I added only the Az Functions Code SYNC snippet – Not full ARM template (In my next blog I will cover all the steps including the nuances) 

Of late I became a great fan of serverless and worked on few projects at work place using Azure Functions. I got stuck in an Az functions deployment deployment issue because Azure DevOps and Azure Cloud are in two different tenants. I can’t use the deployment center to deploy the solution at ease. Authentication fails!

All the team projects in Azure DevOps are private and has restrictions. Oh well, GitHub enterprise is not an option for me due to other reasons (It’s not in scope of this article). So, what’s next? PAT is my best bet!

Yes, I used Personal Access Token! It’s that simple and git credentials is an alternate! Before showing the ARM template let me show the challenges I faced!

  1. I need to write – yes, write a lot about the deployment steps.
  2. Ensure deployment engineer machine meets pre-requisites.
  3. Unforeseen issue – Timeout during the func azure functionapp publish “myapp” execution.
  4. Function App needs to be deployed manually and functions are published using local GIT / from Azure DevOps.

Manually creating Azure Functions is not a big deal, but I have multiple environments. I want to get rid of manual intervention. No more cribbing right? 😊 – Developer missed to enable a function, Ops missed to enabled Identity – Those days are gone long back right! 😊😊😊

With no doubt you can choose any ARM templates – available in web (GitHub, Blogs etc). In “Microsoft.Web/sites” resource add below snippet to get your code as “External Git”

"resources": [
                {
                    "apiVersion": "2018-11-01",
                    "name": "web",
                    "type": "sourcecontrols",
                    "dependsOn": [
                        "[resourceId('Microsoft.Web/Sites/', parameters('functionAppName'))]"
                    ],
                    "properties": {
                        "RepoUrl": "https://anything:{PAT}@ORG.visualstudio.com/TEAM PROJECT/_git/REPOSITORY",
                        "branch": "master",
                        "publishRunbook": true,
                        "IsManualIntegration": true
                    }
                }
            ]

Checkout the REPOURL – It uses a format as shown below

https://anything:{PAT}@ORG.visualstudio.com/TEAM PROJECT/_git/REPOSITORY

You can opt like 

https://PAT:PAT@ORG.visualstudio.com/TEAM PROJECT/_git/REPOSITORY

Note: The below format fails with 401 error – Leads to other confusion! 

https://PAT@ORG.visualstudio.com/TEAM PROJECT/_git/REPOSITORY

Upon success, don’t expect Azure functions to get updated when your source code gets updated – One with permission needs to press SYNC button in deployment center.

In my next blog I will walk through steps to build ARM template which provisions az function apps, get functions from azure devops (as external git). #Serverless #IaC

Leave a Reply

Your e-mail address will not be published. Required fields are marked *