Wonder if anyone can share production experiences regarding safe and reliable way of deploying code to Azure Function within the Azure Managed Application. I've found an official sample here that uses WEBSITE_RUN_FROM_PACKAGE setting pointing to the staging storage of the Managed Application based on
uri(deployment().properties.templateLink.uri
Is that storage:
- Secure? By this example absolutely not - it is based on public access as there is no SAS token added. How to achieve SAS token security - lifetime should be maxed out?
- Persistent? Other words - not ephemeral that will be ultimately deleted.
Thanks
One solution is to use a 'proxy' Function App which you host on a public storage blob. The 'proxy' Azure function is deployed first and takes a URI and personal access token so that it can proxy the request to a private git repo / storage. Next, within your ARM template you can store a Personal Access token which you append to the base URI of this proxy that will return the data for the WEBSITE_RUN_FROM_PACKAGE property.
Now, you can pull code from a private git repo via the proxy function app. A fully worked example can be found here. This is unfortunately the best solution which was proposed from the support team when I wanted to securely deploy code to an App service. Our team ended up with automating CI/CD pipelines from the Managed Application notification system so that we would push the source code to the App Service/ Function App when it was fully deployed.