Deploy a Flex Consumption Function App with Terraform

In May 2024 Microsoft released the Public Preview of the new Flex Consumption Azure Functions. This is an exciting release, primarily because it finally allows a consumption Function App to be VNet integrated. Before the release of Flex Consumption Function Apps, we had to either decide to use a consumption plan or allow access to internal resources (and pay 24/7 for the privilege). While there have been workarounds (e.g. run a Function App in Container Apps) none were ideal.

Ansible, Python, PEP668, and Virtual Environments

Have you ever had one of those days where your troubleshooting resembles doing the foxtrot? Forward. Sideways. Backwards. Round in Circles. I had one of those last week.

My current customer is using Ansible for orchestration. As part of proving out the capabilities, and working through the best way to make it all work, I needed to set up my local environment.

Running macOS typically makes setup a breeze. Thanks to the wonderful Homebrew Pacakge Manager. Tools such as Ansible and Ansible Lint are just a brew install away.

Azure Virtual WAN Route Maps and Reflected Routes

Microsoft have make controlling routing within a Virtual WAN much easier thanks to a combination of Routing Intent and Route Maps (in preview at time of writing). Route Maps work in the same manner (at least theoretically) to route map configuratons network administrators are used to in on-premises equipment.

In testing tehm out for a customer, I ran straight into a problem. I like to keep things tidy, and when I looked at the output of the outbound route map configuration for a site to site VPN with AWS, I didn’t like that it showed all my AWS routes being published back out to the VPN. So I configured a route map rule to drop reflected routes.

Grant Admin Consent for an Azure AD application with Terraform

One challenge we often run into when provisioning Azure AD applications with Terraform is a need to grant admin consent for API permissions. Sadly there is not a native resource within Terraform to make this happen, however with some creative use of provisioners (yes, I feel bad about it too) we can ensure that admin consent is granted for our applications.

To start with, we deploy our Azure AD application as normal. As part of the configuration, we also assign the required API permissions.

Authenticating Terraform with a GitHub App

In my current role, I configured Terraform to manage our GitHub organisation. As with all providers, we need need to provide credentials for authentication. I didn’t want to use an access token, as they are tied to an individual user and will cause breakage should the user depart the organisation. Thankfully, GitHub supports using an application for authentication.

Create the GitHub Application

The first step in the process is to create a new GitHub application. While this can be done either in a personal account or within an organisation, I recommend doing this within the organisation. That way, if someone leaves the organisation the application doesn’t go with.

App Service, App Settings, and Container Registry with Managed Identity

Managed Identities in Azure are a wonderful thing. No passwords to change, no keys to rotate. The biggest shame is that frequently they seem to be implemented as an afterthought.

One example I recently ran into was the use of an App Service Managed Identity to pull a container from Azure Container Registry. While you can configure an App Service to pull from ACR with a Managed Identity, what the documentation doesn’t tell you is that you still need the DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD App Settings to be configured on the App Service. It doesn’t matter what values you put in these, the point is they must exist. If they don’t, the container will fail to pull with a credential error.

Using Table Storage as an Alternative to Remote State

Terraform is a fantastic tool for Infrastructure as Code. From the YAML-like HCL syntax (no JSON!), to importing files (linting JSON files FTW!), to retrieving the results of previous runs to link resources, Terraform has made a massive difference in my work. However, like all technologies, it is not without its weaknesses. Terraform uses state files to keep track of what the world looked like when it last ran, which is wonderful for identifying drift. The default pattern is to use these state files for passing data between Terraform modules. But this is actually an anti-pattern, for HashiCorp recommend not using remote state for passing data, in large part because to read the outputs from a state file the caller must have full access to read the entire remote state file, which include secrets they probably shouldn’t be allowed to access.