Terraform-provider-azurerm: Add Function Apps as backend to API Management

Is this the same as #4938 @markti ?

@brunhil I don't think so. APIM has an import feature as well as backend resources. #4938 is about importing a function. this one is about actually having the backend resources support azure functions.

@brunhil and @markti, my understanding is that they go hand-in-hand. The import publishes the function as a backend service for the api management to link to. This is currently a manual process for my team as well. I have tried using the azure rest API with no luck on appropriately linking the two.

@arifsundrani the import resources are not required to use if you are manually constructing the backend... I am using a work around to configure Functions with APIM...works quite well...

@arifsundrani the import resources are not required to use if you are manually constructing the backend... I am using a work around to configure Functions with APIM...works quite well...

Thanks for the insights @markti, I will dive into that further. Do you create the policy with backend-id or a base url with func key?

Back to the topic of the issue, adding the func app as a backend as you suggest would streamline setting up the functions.

Yes, pretty much.

I create a Backend w/ Credentials Header with the "x-functions-key" and the key that gets output from the resource_group_deployment. Then I reference the backend using an API-operation-policy on the inbound...

I ended up with this solution by reverse engineering what the Azure Portal does when you "Import from an Azure Function" through the Portal UI, but I think I could probably use the set-backend-service in the API policy instead of the API-operation-policy to be more efficient.

I will post my modules to github soon.

Here is my github repo with the modules I'm using...

https://github.com/markti/terraform-azfn-microservices

Thanks for sharing @markti! That is align in my thinking. I am trying to improve how api ops are managed, which your modules help with. One thing I found that I had to do was add a

<backend> <forward-request timeout="60" /> </backend>

to the policy. Otherwise, the request would return a 200, but not actually call the function app.

@arifsundrani agreed. I also had to put a forward-request tag in there. I put it into the root policy but there may be cases where you wouldn't want to it there (i.e. if you want some APIs to be mocked or something).

My favorite module that I wrote is the apim-op-crud. With that one, I can bust out a 5 REST operation CRUD for an entity. Then I handle edge cases (i.e. search/query, one-off actions) with the lower level apim-op-noparams / param1...

The problem I found is that because the template_parameter is not an array, I have to create a module for each time i change the number of modules... hopefully that can get updated in the future to make it a bit easier to configure the api operations...

@markti that is a cool module

One thing I have discussed with my team that we may try out over the next few weeks is to incorporate the function app specific terraform infrastructure within the same repository as the function app C# code.

The pros:

• Segmenting the terraform state for the items that are changing the most
• C# developers have more ownership of their function apps, i.e. can update app settings from same repository
• Automatically import the swagger/openapi file into terraform so the API operations are automatically built out
• Reduced deployment times for "base" architecture since there are fewer resources

The cons:

• Manual configuration on selecting the right api management
  
  
  
  • can be mitigated by having the api management terraform code live with the function app terraform code
  
  
• Follow naming conventions to be able to lookup items in key vault, easy to mess up
• Deployment time may increase for function app code, but acceptable due to streamlining

@markti that is a cool module

One thing I have discussed with my team that we may try out over the next few weeks is to incorporate the function app specific terraform infrastructure within the same repository as the function app C# code.

The pros:

• Segmenting the terraform state for the items that are changing the most

• C# developers have more ownership of their function apps, i.e. can update app settings from same repository

• Automatically import the swagger/openapi file into terraform so the API operations are automatically built out

• Reduced deployment times for "base" architecture since there are fewer resources

The cons:

• Manual configuration on selecting the right api management

  • can be mitigated by having the api management terraform code live with the function app terraform code

• Follow naming conventions to be able to lookup items in key vault, easy to mess up

• Deployment time may increase for function app code, but acceptable due to streamlining

Would love to hear how you crack the swagger problem. I’ve been very frustrated with the tooling on the azure function side

@markti We had to scrap that solution because of the swagger problem. For now, we are doing a manual import into our api management after fn app code is deployed. This is not an ideal solution, but limits our manual steps in deployment which we already had due to Azure AD B2C

@markti We had to scrap that solution because of the swagger problem. For now, we are doing a manual import into our api management after fn app code is deployed. This is not an ideal solution, but limits our manual steps in deployment which we already had due to Azure AD B2C

How do you deploy the function code? I’m using azure blob storage to drop zip packages of the code. However, it requires me to restart the function app to “tickle” it to refresh the code from blob storage. Kind of a pain.

@markti same issue for us. A colleague of mine had started a poc for zero downtime deployments, but I have not had a chance to follow up with him yet as our app is not in production yet. I can look later this week and share my findings

@markti same issue for us. A colleague of mine had started a poc for zero downtime deployments, but I have not had a chance to follow up with him yet as our app is not in production yet. I can look later this week and share my findings

I think there is a way to do it without a restart. There is a cli operation that can do a sync trigger that can do the update without restart likewise I’ll post here if I solve it

@markti do you have a working example that uses your modules project? It looks awesome, but the dummy deployment you use to get the function key always bombs out for me.

@markti do you have a working example that uses your modules project? It looks awesome, but the dummy deployment you use to get the function key always bombs out for me.

Thanks @aaavang, The modules are in use but I’m doing some refactoring and cleanup, complete with samples. I took a bit of a detour because my sample was using data factory and I noticed the data factory service had pretty spotty coverage in the azurerm provider. I’ll try and post a link tonight. If you’re using eventgrid the key I’ve found is that you MUST deploy code with terraform otherwise it will fail. So make sure to include a sas token url to blob storage where your zipped up code is or don’t use the “eg” modules.

@aaavang just posted a massive update with the refactored module library here:

https://dev.azure.com/persistent-cloud-northamerica/terraform-azure

Look at the /labs/microservices_lab module, that is the root module for provisioning a microservices hub and multiple microservices modules...

I haven't added API Management in yet...but most of the security / plumbing is all there...

Thanks @markti! I'll take a look.

Any idea when the API Management integration will be added?

Thanks @markti! I'll take a look.

Any idea when the API Management integration will be added?

@aaavang Ran into a bug with the function key and spent some time isolating that issue. Cracked it today and will be layering in the APIM stuff. There are some improvements I’ve made to the operation definitions that will allow you to dynamically setup url templates easier. The APIM stuff should push tonight. I’m working on Azure AD security next.

Excellent!

@markti did this ever get pushed? is this functionality to import function apps now available within the APIM tf resource?