Update Function IaC for Containers

Author: marvinbuss

code/infra/function.tf

@@ -7,7 +7,7 @@ resource "azurerm_service_plan" "service_plan" {
   # maximum_elastic_worker_count = 20
   os_type                  = "Linux"
   per_site_scaling_enabled = false
-  sku_name                 = "P1v3"
+  sku_name                 = var.function_sku
   worker_count             = 1     # Update to '3' for production
   zone_balancing_enabled   = false # Update to 'true' for production
 }
@@ -50,7 +50,7 @@ resource "azapi_resource" "function" {
   }
 
   body = jsonencode({
-    kind = "functionapp,linux"
+    kind = "functionapp,linux,container"
     properties = {
       clientAffinityEnabled     = false
       clientCertEnabled         = false
@@ -64,14 +64,28 @@ resource "azapi_resource" "function" {
       publicNetworkAccess       = "Disabled"
       redundancyMode            = "None"
       reserved                  = true
-      scmSiteAlsoStopped        = false
+      scmSiteAlsoStopped        = true
       serverFarmId              = azurerm_service_plan.service_plan.id
       storageAccountRequired    = false
       vnetContentShareEnabled   = true
+      vnetImagePullEnabled      = true
       virtualNetworkSubnetId    = azapi_resource.subnet_function.id
       vnetRouteAllEnabled       = true
       siteConfig = {
-        autoHealEnabled            = false
+        autoHealEnabled = true
+        autoHealRules = {
+          actions = {
+            actionType = "LogEvent"
+          }
+          triggers = {
+            statusCodes = [
+              "429",
+              "504",
+              "507",
+              "508"
+            ]
+          }
+        }
         acrUseManagedIdentityCreds = false
         alwaysOn                   = true
         appSettings = [
@@ -80,8 +94,12 @@ resource "azapi_resource" "function" {
             value = azurerm_application_insights.application_insights.connection_string
           },
           {
-            name  = "APPINSIGHTS_INSTRUMENTATIONKEY"
-            value = azurerm_application_insights.application_insights.instrumentation_key
+            name  = "AZURE_FUNCTIONS_ENVIRONMENT"
+            value = "Production"
+          },
+          {
+            name  = "FUNCTIONS_WORKER_PROCESS_COUNT"
+            value = "${var.function_sku_cpus}"
           },
           {
             name  = "FUNCTIONS_EXTENSION_VERSION"
@@ -91,6 +109,22 @@ resource "azapi_resource" "function" {
             name  = "FUNCTIONS_WORKER_RUNTIME"
             value = "python"
           },
+          {
+            name  = "FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED"
+            value = "1"
+          },
+          {
+            name  = "DOCKER_SHM_SIZE"
+            value = "268435456"
+          },
+          {
+            name  = "PYTHON_THREADPOOL_THREAD_COUNT"
+            value = "None"
+          },
+          {
+            name  = "PYTHON_ENABLE_DEBUG_LOGGING"
+            value = "0"
+          },
           {
             name  = "WEBSITE_CONTENTOVERVNET"
             value = "1"
@@ -115,6 +149,14 @@ resource "azapi_resource" "function" {
             name  = "AzureWebJobsStorage__accountName"
             value = azurerm_storage_account.storage.name
           },
+          {
+            name  = "AzureWebJobsSecretStorageType"
+            value = "keyvault"
+          },
+          {
+            name  = "AzureWebJobsSecretStorageKeyVaultUri"
+            value = azurerm_key_vault.key_vault.vault_uri
+          },
           {
             name  = "MY_SECRET_CONFIG"
             value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})"
@@ -126,15 +168,18 @@ resource "azapi_resource" "function" {
         functionsRuntimeScaleMonitoringEnabled = false
         ftpsState                              = "Disabled"
         healthCheckPath                        = var.function_health_path
-        http20Enabled                          = false
+        http20Enabled                          = true
         ipSecurityRestrictionsDefaultAction    = "Deny"
-        linuxFxVersion                         = "Python|${var.function_python_version}"
+        linuxFxVersion                         = "DOCKER|${var.function_container_image}"
         localMySqlEnabled                      = false
         loadBalancing                          = "LeastRequests"
         minTlsVersion                          = "1.2"
+        minTlsCipherSuite                      = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
         minimumElasticInstanceCount            = 0
         numberOfWorkers                        = 1
         preWarmedInstanceCount                 = 0
+        remoteDebuggingEnabled                 = false
+        requestTracingEnabled                  = true
         scmMinTlsVersion                       = "1.2"
         scmIpSecurityRestrictionsUseMain       = false
         scmIpSecurityRestrictionsDefaultAction = "Deny"
@@ -144,6 +189,18 @@ resource "azapi_resource" "function" {
       }
     }
   })
+  
+  schema_validation_enabled = false
+  # ignore_body_changes = [
+  #   "properties.siteConfig.appSettings"
+  # ]
+  depends_on = [
+    azurerm_private_endpoint.key_vault_private_endpoint,
+    azurerm_private_endpoint.storage_private_endpoint_blob,
+    azurerm_private_endpoint.storage_private_endpoint_file,
+    azurerm_private_endpoint.storage_private_endpoint_queue,
+    azurerm_private_endpoint.storage_private_endpoint_table,
+  ]
 }
 
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_function" {

code/infra/roleassignments.tf

@@ -12,7 +12,7 @@ resource "azurerm_role_assignment" "function_role_assignment_storage" {
 
 resource "azurerm_role_assignment" "function_role_assignment_key_vault" {
   scope                = azurerm_key_vault.key_vault.id
-  role_definition_name = "Key Vault Secrets User"
+  role_definition_name = "Key Vault Secrets Officer"
   principal_id         = azapi_resource.function.identity[0].principal_id
 }
 

code/infra/variables.tf

@@ -1,3 +1,4 @@
+# General variables
 variable "location" {
   description = "Specifies the location for all Azure resources."
   type        = string
@@ -32,44 +33,42 @@ variable "tags" {
   default     = {}
 }
 
-variable "vnet_id" {
-  description = "Specifies the resource ID of the Vnet used for the Azure Function."
+# Function variables
+variable "function_container_image" {
+  description = "Specifies the container image reference of the Azure Function."
   type        = string
   sensitive   = false
   validation {
-    condition     = length(split("/", var.vnet_id)) == 9
-    error_message = "Please specify a valid resource ID."
+    condition = alltrue(
+      length(var.function_container_image) > 2,
+      length(split("/", var.function_container_image)) > 2,
+      length(split(":", var.function_container_image)) > 2,
+    )
+    error_message = "Please specify a valid container image reference."
   }
 }
 
-variable "nsg_id" {
-  description = "Specifies the resource ID of the default network security group for the Azure Function."
+variable "function_sku" {
+  description = "Specifies the sku name used in the function app service plan."
   type        = string
   sensitive   = false
+  nullable    = false
+  default     = "P0v3"
   validation {
-    condition     = length(split("/", var.nsg_id)) == 9
-    error_message = "Please specify a valid resource ID."
+    condition     = contains(["F1", "B1", "B2", "B3", "S1", "S2", "S3", "P0v3", "P1v3", "P2v3", "P3v3", "P1mv3", "P2mv3", "P3mv3", "P4mv3", "P5mv3"], var.function_sku)
+    error_message = "Please specify a valid sku name."
   }
 }
 
-variable "route_table_id" {
-  description = "Specifies the resource ID of the default route table for the Azure Function."
-  type        = string
+variable "function_sku_cpus" {
+  description = "Specifies the number of CPUs available for the function sku used in the app service plan."
+  type        = number
   sensitive   = false
+  nullable    = false
+  default     = 1
   validation {
-    condition     = length(split("/", var.route_table_id)) == 9
-    error_message = "Please specify a valid resource ID."
-  }
-}
-
-variable "function_python_version" {
-  description = "Specifies the python version of the Azure Function."
-  type        = string
-  sensitive   = false
-  default     = "3.10"
-  validation {
-    condition     = contains(["3.9", "3.10"], var.function_python_version)
-    error_message = "Please specify a valid Python version."
+    condition     = var.function_sku_cpus > 0
+    error_message = "Please specify a valid number of cpus."
   }
 }
 
@@ -93,6 +92,38 @@ variable "my_secret" {
   }
 }
 
+# Network variables
+variable "vnet_id" {
+  description = "Specifies the resource ID of the Vnet used for the Azure Function."
+  type        = string
+  sensitive   = false
+  validation {
+    condition     = length(split("/", var.vnet_id)) == 9
+    error_message = "Please specify a valid resource ID."
+  }
+}
+
+variable "nsg_id" {
+  description = "Specifies the resource ID of the default network security group for the Azure Function."
+  type        = string
+  sensitive   = false
+  validation {
+    condition     = length(split("/", var.nsg_id)) == 9
+    error_message = "Please specify a valid resource ID."
+  }
+}
+
+variable "route_table_id" {
+  description = "Specifies the resource ID of the default route table for the Azure Function."
+  type        = string
+  sensitive   = false
+  validation {
+    condition     = length(split("/", var.route_table_id)) == 9
+    error_message = "Please specify a valid resource ID."
+  }
+}
+
+# DNS variables
 variable "private_dns_zone_id_blob" {
   description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azue Policy."
   type        = string

config/PerfectThymeTech/vars.tfvars

@@ -1,12 +1,21 @@
-location                              = "northeurope"
-environment                           = "dev"
-prefix                                = "myfunc"
-tags                                  = {}
-function_python_version               = "3.10"
-function_health_path                  = "/v1/health/heartbeat"
-vnet_id                               = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001"
-nsg_id                                = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001"
-route_table_id                        = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001"
+# General variables
+location    = "northeurope"
+environment = "dev"
+prefix      = "myfunc"
+tags        = {}
+
+# Function variables
+function_container_image = "ghcr.io/perfectthymetech/azurefunctionpython:main"
+function_sku             = "P0v3"
+function_sku_cpus        = 1
+function_health_path     = "/v1/health/heartbeat"
+
+# Network variables
+vnet_id        = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001"
+nsg_id         = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001"
+route_table_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001"
+
+# DNS variables
 private_dns_zone_id_blob              = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
 private_dns_zone_id_queue             = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net"
 private_dns_zone_id_table             = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net"