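# azure-pipelines.yml
#
# Provisions (optionally) a resource group, storage account, user-assigned
# managed identity and Linux/Python Function App, then installs the Python
# requirements, zips the working directory and zip-deploys it to the
# Function App.
pool: 'Azure Pipelines'

parameters:
  - name: resourceGroupName
    displayName: "Resource Group name:"
    type: string
  - name: functionAppName
    displayName: "Function App name:"
    type: string
  - name: storageAccountName
    displayName: "Storage Account name (globally unique):"
    type: string
  - name: serviceConnection
    displayName: "Azure Service Connection:"
    type: string
  - name: subscriptionId
    displayName: "Azure Subscription ID:"
    type: string
  - name: location
    displayName: "Azure Region:"
    type: string
    default: westeurope
  # NOTE(review): this role is assigned to the managed identity at
  # subscription scope (see the role assignment below) and the name is
  # free-form at queue time, so whoever can queue this pipeline chooses the
  # privilege level. If only a few roles are intended, consider restricting
  # this parameter with a `values:` allow-list.
  - name: managedIdentityRoleName
    displayName: "Managed Identity Role name:"
    type: string
    default: Contributor
  - name: expiryDays
    displayName: "Number of days before cleaning Subscription:"
    type: number
    default: 14
  - name: createInfrastructure
    displayName: "Create Infrastructure"
    type: boolean
    default: true

steps:
  # Infrastructure creation is optional; the build and deploy steps below
  # are not gated by this condition.
  - ${{ if parameters.createInfrastructure }}:
      - task: AzureCLI@2
        displayName: Set up Function App Infrastructure
        inputs:
          azureSubscription: "${{ parameters.serviceConnection }}"
          scriptType: 'bash'
          scriptLocation: 'inlineScript'
          inlineScript: |
            # Stop on the first failed command, unset variable or failed
            # pipe stage, so a failed `az` call cannot feed empty values
            # into the commands that follow it.
            set -euo pipefail

            tags="ExpiryDate=Exempt"

            echo "Setting up Azure CLI..."
            az config set core.only_show_errors=yes

            echo "Switching to Subscription $PARAM_SUBSCRIPTION_ID..."
            az account set --subscription "$PARAM_SUBSCRIPTION_ID" --output "none"

            echo "Creating Resource Group $PARAM_RESOURCE_GROUP in Location $PARAM_LOCATION..."
            az group create \
              --name "$PARAM_RESOURCE_GROUP" \
              --location "$PARAM_LOCATION" \
              --tags "$tags" \
              --output "none"

            echo "Creating Storage Account $PARAM_STORAGE_ACCOUNT in Resource Group $PARAM_RESOURCE_GROUP..."
            az storage account create \
              --name "$PARAM_STORAGE_ACCOUNT" \
              --location "$PARAM_LOCATION" \
              --resource-group "$PARAM_RESOURCE_GROUP" \
              --https-only \
              --min-tls-version "TLS1_2" \
              --allow-blob-public-access false \
              --sku "Standard_LRS" \
              --tags "$tags" \
              --output "none"

            echo "Creating Managed Identity for Function App $PARAM_FUNCTION_APP in Resource Group $PARAM_RESOURCE_GROUP..."
            managedIdentityJson=$(az identity create \
              --name "${PARAM_FUNCTION_APP}-identity" \
              --resource-group "$PARAM_RESOURCE_GROUP" \
              --tags "$tags" \
              --output "json")
            # Here-strings keep the JSON intact; an unquoted `echo $var`
            # would word-split and glob-expand it before jq sees it.
            managedIdentityName=$(jq -r '.name' <<<"$managedIdentityJson")
            managedIdentityId=$(jq -r '.id' <<<"$managedIdentityJson")
            managedIdentityClientId=$(jq -r '.clientId' <<<"$managedIdentityJson")
            managedIdentityPrincipalId=$(jq -r '.principalId' <<<"$managedIdentityJson")

            # jq -r prints the literal string "null" for a missing field;
            # refuse to create a role assignment for a bogus principal.
            if [ -z "$managedIdentityPrincipalId" ] || [ "$managedIdentityPrincipalId" = "null" ]; then
              echo "Managed Identity creation returned no principalId; aborting." >&2
              exit 1
            fi

            # The role is granted over the whole subscription, not just the
            # resource group created above.
            echo "Assigning Managed Identity $managedIdentityName permissions on Subscription $PARAM_SUBSCRIPTION_ID..."
            az role assignment create \
              --assignee-object-id "$managedIdentityPrincipalId" \
              --role "$PARAM_ROLE_NAME" \
              --assignee-principal-type "ServicePrincipal" \
              --scope "/subscriptions/$PARAM_SUBSCRIPTION_ID" \
              --output "none"

            echo "Creating Function App $PARAM_FUNCTION_APP in Resource Group $PARAM_RESOURCE_GROUP..."
            az functionapp create \
              --name "$PARAM_FUNCTION_APP" \
              --storage-account "$PARAM_STORAGE_ACCOUNT" \
              --consumption-plan-location "$PARAM_LOCATION" \
              --resource-group "$PARAM_RESOURCE_GROUP" \
              --assign-identity "$managedIdentityId" \
              --functions-version "4" \
              --os-type "Linux" \
              --runtime "python" \
              --runtime-version "3.9" \
              --tags "$tags" \
              --output "none"

            echo "Setting app settings on Function App $PARAM_FUNCTION_APP..."
            values=(
              "EXPIRY_DAYS=$PARAM_EXPIRY_DAYS"
              "MANAGED_IDENTITY_CLIENT_ID=$managedIdentityClientId"
              "AZURE_SUBSCRIPTION_ID=$PARAM_SUBSCRIPTION_ID"
            )
            for value in "${values[@]}"; do
              echo "Setting app setting $value on Function App $PARAM_FUNCTION_APP..."
              az functionapp config appsettings set \
                --name "$PARAM_FUNCTION_APP" \
                --resource-group "$PARAM_RESOURCE_GROUP" \
                --settings "$value" \
                --output "none"
            done
        # Queue-time parameters reach the script as environment variables
        # rather than being spliced into the script text. Template
        # expressions are expanded before bash parses the script, so a
        # parameter value containing shell syntax would otherwise be executed
        # under the service connection's credentials.
        env:
          PARAM_RESOURCE_GROUP: "${{ parameters.resourceGroupName }}"
          PARAM_FUNCTION_APP: "${{ parameters.functionAppName }}"
          PARAM_STORAGE_ACCOUNT: "${{ parameters.storageAccountName }}"
          PARAM_SUBSCRIPTION_ID: "${{ parameters.subscriptionId }}"
          PARAM_LOCATION: "${{ parameters.location }}"
          PARAM_ROLE_NAME: "${{ parameters.managedIdentityRoleName }}"
          PARAM_EXPIRY_DAYS: "${{ parameters.expiryDays }}"

  # This step runs no `az` command, so it uses a plain Bash task: package
  # install scripts pulled in by pip then do not run inside a session that
  # is logged in through the Azure service connection.
  - task: Bash@3
    displayName: Install requirements from requirements.txt
    inputs:
      targetType: 'inline'
      workingDirectory: "$(System.DefaultWorkingDirectory)"
      script: |
        set -e
        python -m venv worker_venv
        source worker_venv/bin/activate
        pip install setuptools
        # NOTE(review): requirements.txt is not visible here; if it pins
        # hashes, `pip install --require-hashes -r requirements.txt` would
        # enforce them.
        pip install -r requirements.txt

  # NOTE(review): the whole working directory is archived, which presumably
  # includes the worker_venv directory created by the previous step and any
  # other file in the checkout. Confirm nothing sensitive ships in build.zip.
  - task: ArchiveFiles@2
    displayName: "Prepare zip file for deployment"
    inputs:
      rootFolderOrFile: "$(System.DefaultWorkingDirectory)"
      includeRootFolder: false
      archiveFile: "build.zip"

  - task: AzureCLI@2
    displayName: Deploy zipped application to Azure Function
    inputs:
      azureSubscription: "${{ parameters.serviceConnection }}"
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        echo "Deploying zipped application to Azure Function $PARAM_FUNCTION_APP in Resource Group $PARAM_RESOURCE_GROUP..."
        az functionapp deployment source config-zip \
          --name "$PARAM_FUNCTION_APP" \
          --resource-group "$PARAM_RESOURCE_GROUP" \
          --src build.zip \
          --build-remote true
    # Parameters are passed through the environment so their values are
    # treated as data by bash, never as script text.
    env:
      PARAM_RESOURCE_GROUP: "${{ parameters.resourceGroupName }}"
      PARAM_FUNCTION_APP: "${{ parameters.functionAppName }}"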