azure-dev icon indicating copy to clipboard operation
azure-dev copied to clipboard

Published 20 hours ago verified publisher icon Azure

[Issue] No option for zip deployments / disable remote builds with Node.js and Python functions

Open sinedied opened this issue 1 year ago • 11 comments
trafficstars

  • [x] Make sure you've installed the latest version using instructions in the wiki

Output from azd version azd version 1.9.3 (commit e1624330dcc7dde440ecc1eda06aac40e68aa0a3)

Describe the bug Currently AZD uses remote builds when deploying Node/Python Function apps (see related https://github.com/Azure/azure-dev/issues/368).

However, when enabling managed identity for the Functions backing storage (following the docs here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#use-managed-identity-for-azurewebjobsstorage), we also need to disable remote builds as in that case as WEBSITE_RUN_FROM_PACKAGE needs to be enabled.

To Reproduce

  1. Create a function app with managed identity for its backing storage (using AzureWebJobsStorage__accountName)
  2. Deploy with AZD

Deployment reports no error, but the function app doesn't work.

Expected behavior Default AZD behavior is suitable for most use case, but we should have an option to enable disabling remote build and enabling WEBSITE_RUN_FROM_PACKAGE option in azure.yaml file.

Environment Information on your environment: * Language name and version: TypeScript/JavaScript * IDE and version : VS Code

sinedied avatar Jun 19 '24 14:06 sinedied

Hm, my Python ones are working? https://github.com/pamelafox/simple-flask-api-azure-function/pull/15/files

pamelafox avatar Jun 19 '24 15:06 pamelafox

@pamelafox did you try deploying from scratch? When trying with Node functions, deployment succeed but all my functions returns 404 when called

sinedied avatar Jun 19 '24 15:06 sinedied

I believe I did, but I can tear down the group from scratch and confirm.

pamelafox avatar Jun 19 '24 16:06 pamelafox

@sinedied Does it work if you set scmDoBuildDuringDeployment to false in functions.bicep? I read through the documentation, I couldn't quite find where it states that "remote build doesn't work with managed identities". This may however align with @pamelafox previous findings, that: "Linux-based Python functions with managed identities wasn't working quite as expected", and she was waiting for azd to support flex consumption function apps.

For context, since there was a comment made on #4003:

  • In the new Flex Consumption function app plan, variables like WEBSITE_RUN_FROM_PACKAGE or SCM_DO_BUILD_DURING_DEPLOYMENT are fully deprecated. The variable is instead specified at deployment time. Managed identity with AzureWebJobsStorage__accountName works in this model, there isn't a limitation to disable remote build.
  • In other function app plans, variables like WEBSITE_RUN_FROM_PACKAGE or SCM_DO_BUILD_DURING_DEPLOYMENT are specified in Bicep, so if there is a need to disable this, users do have the ability to configure it outside of azd (I think this is the scenario you're running into). I would note that this is a rather strange limitation if it exists.

weikanglim avatar Jun 19 '24 19:06 weikanglim

I did test mine from scratch as well by the way, and it also seemed to work. I do get errors when I try to specify those old variables, but if I just remove them, it seems like it does the build.

pamelafox avatar Jun 19 '24 19:06 pamelafox

@weikanglim this is the part in the doc where it's mentioned (here in the "important" note: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#edit-the-azurewebjobsstorage-configuration):

Similarly, AzureWebJobsStorage is used for deployment artifacts when using server-side build in Linux Consumption. When you enable identity-based connections for AzureWebJobsStorage in Linux Consumption, you will need to deploy via an external deployment package.

I tried to create a simple repro repository of the issue, and these are my results

  • use a "regular" consumption functions API hosted on a Linux plan, no VNET/MI => works (to repro: azd up)
  • using managed identity with consumption functions API hosted on a Linux plan => deploys but functions does not work, returns 404 (to repro: azd env set USE_STORAGE_MANAGED_IDENTITY true && azd up)
    • looking at the function in the portal, it's empty so something did not work
    • tried disabling scmDoBuildDuringDeployment and enableOryxBuild, it has no effect
  • using managed identity / vnet with flex consumption API => does not deploy:
image

(to repro: azd env set USE_VNET true && azd up)

sinedied avatar Jun 21 '24 11:06 sinedied

@sinedied Hm, looking at this line: https://github.com/sinedied/node-functions-vnet/blob/main/infra/main.bicep#L103 Shouldnt that be Flex for useStorageManagedIdentity too? The azd code checks the service plan, I think, when it's deciding how to deploy the code.

pamelafox avatar Jun 21 '24 19:06 pamelafox

Storage managed identity works with consumption plan, so I would like to keep it that way.

BTW I've updated the repo, and now I have the full working infra with vnet for storage and functions and SWA linked backend. Deployment works with func CLI, but not AZD, same when using managed identity only.

sinedied avatar Jun 21 '24 19:06 sinedied

using managed identity / vnet with flex consumption API => does not deploy

Apologies for not mentioning this earlier. For flex consumption, until the bits are released, if you'd like to deploy with azd, you'll need to grab a daily build, the support is coming out with the next release. The 404 error you're seeing is what I would expect in the current latest build without the working flex consumption bits.

Regarding normal Linux consumption:

you will need to deploy via an external deployment package.

I'm wondering if when the doc says "an external deployment package" it means to pre-create a blob storage container, and then set WEBSITE_RUN_FROM_PACKAGE to the storage container URL directly. This limitation seems rather heavy. I'm not sure what func CLI is doing yet for this scenario, but I'll try it out later today.

weikanglim avatar Jun 24 '24 17:06 weikanglim

@sinedied With the sample repository, I tried to provision with USE_STORAGE_MANAGED_IDENTITY=true.

In the Portal, I see a warning: image

Trying to deploy using func, I get a similar error: image

The experimentation for me doesn't convince me that function apps, without being on flex consumption plan, works seamlessly without AzureWebJobsStorage. I know you had better luck in your prior experimentation which is interesting.

weikanglim avatar Jun 24 '24 18:06 weikanglim

You're right, when using managed identity the deployment using func CLI does not work. Looking at the docs it seems we have to use WEBSITE_RUN_FROM_PACKAGE=<URL> and manually upload the zip package to the container.

Regarding the AZD daily build, I just tried installing it (version returns azd version 1.10.0-beta.1-daily.3865598 (commit f1e42702ca796b58210f9818ad45829a8c746fa7)) and I still have the same error when deploying the vnet (flex-consumption) version: image

sinedied avatar Jun 25 '24 12:06 sinedied

@sinedied can you try with the latest 1.9.4

rajeshkamal5050 avatar Jul 10 '24 06:07 rajeshkamal5050

@rajeshkamal5050 Just tested, it works flawlessly now! 🎉 I'm closing this issue then

sinedied avatar Jul 11 '24 15:07 sinedied