Upgrade to linux function app and use identity based storage connection for function app

deployment/bin/lib

@@ -122,7 +122,7 @@ function deploy_funcs() {
     prepare_funcs
 
     pushd /opt/src/pcfuncs_deploy
-    func azure functionapp publish ${FUNCTION_APP_NAME} --python
+    func azure functionapp publish ${FUNCTION_APP_NAME} --python --no-build
     popd
 }
 

deployment/terraform/resources/functions.tf

@@ -11,22 +11,20 @@ resource "azurerm_app_service_plan" "pc" {
   }
 }
 
-resource "azurerm_function_app" "pcfuncs" {
-  name                       = "func-${local.prefix}"
-  location                   = azurerm_resource_group.pc.location
-  resource_group_name        = azurerm_resource_group.pc.name
-  app_service_plan_id        = azurerm_app_service_plan.pc.id
-  storage_account_name       = azurerm_storage_account.pc.name
-  storage_account_access_key = azurerm_storage_account.pc.primary_access_key
-  https_only                 = true
+resource "azurerm_linux_function_app" "pcfuncs" {
+  name                          = "func-${local.prefix}"
+  location                      = azurerm_resource_group.pc.location
+  resource_group_name           = azurerm_resource_group.pc.name
+  service_plan_id               = azurerm_app_service_plan.pc.id
+  storage_account_name          = azurerm_storage_account.pc.name
+  storage_uses_managed_identity = true
+  https_only                    = true
 
   identity {
     type = "SystemAssigned"
   }
 
   app_settings = {
-    "ENABLE_ORYX_BUILD"              = "true",
-    "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true",
     "FUNCTIONS_WORKER_RUNTIME"       = "python",
     "APP_INSIGHTS_IKEY"              = azurerm_application_insights.pc_application_insights.instrumentation_key,
     "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key,
@@ -48,18 +46,15 @@ resource "azurerm_function_app" "pcfuncs" {
     "LOG_ANALYTICS_WORKSPACE_ID" = var.prod_log_analytics_workspace_id,
   }
 
-  os_type = "linux"
-  version = "~4"
   site_config {
-    linux_fx_version          = "PYTHON|3.9"
-    use_32_bit_worker_process = false
-    ftps_state                = "Disabled"
-
+    ftps_state = "Disabled"
     cors {
       allowed_origins = ["*"]
     }
+    application_stack {
+      python_version = "3.9"
+    }
   }
-
   lifecycle {
     ignore_changes = [
       tags
@@ -73,23 +68,29 @@ data "azurerm_storage_container" "output" {
   storage_account_name = var.output_storage_account_name
 }
 
+resource "azurerm_role_assignment" "function-app-storage-account-access" {
+  scope                = azurerm_storage_account.pc.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
+}
+
 resource "azurerm_role_assignment" "function-app-animation-container-access" {
   scope                = data.azurerm_storage_container.output.resource_manager_id
   role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = azurerm_function_app.pcfuncs.identity[0].principal_id
+  principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
 
   depends_on = [
-    azurerm_function_app.pcfuncs
+    azurerm_linux_function_app.pcfuncs
   ]
 }
 
 resource "azurerm_role_assignment" "function-app-storage-table-data-contributor" {
   scope                = azurerm_storage_account.pc.id
   role_definition_name = "Storage Table Data Contributor"
-  principal_id         = azurerm_function_app.pcfuncs.identity[0].principal_id
+  principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
 
   depends_on = [
-    azurerm_function_app.pcfuncs
+    azurerm_linux_function_app.pcfuncs
   ]
 }
 
@@ -102,9 +103,9 @@ data "azurerm_log_analytics_workspace" "prod_log_analytics_workspace" {
 resource "azurerm_role_assignment" "function-app-log-analytics-access" {
   scope                = data.azurerm_log_analytics_workspace.prod_log_analytics_workspace.id
   role_definition_name = "Log Analytics Reader"
-  principal_id         = azurerm_function_app.pcfuncs.identity[0].principal_id
+  principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
 
   depends_on = [
-    azurerm_function_app.pcfuncs
+    azurerm_linux_function_app.pcfuncs
   ]
 }

deployment/terraform/resources/output.tf

@@ -137,5 +137,5 @@ output "redis_port" {
 # Functions
 
 output "function_app_name" {
-  value = azurerm_function_app.pcfuncs.name
+  value = azurerm_linux_function_app.pcfuncs.name
 }