Source from repo
Azure Prepare

Prepare Azure environments for new workloads—subscriptions, networking, identity, and landing zones
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
165
Skill
n/a
Size
547.0 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/services/functions/bicep.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown338 linesFree
references/services/functions/bicep.md
1# Functions Bicep Patterns — REFERENCE ONLY
2 
3> ⛔ **DO NOT COPY THIS CODE DIRECTLY**
4>
5> This file contains **reference patterns** for understanding Azure Functions Bicep structure.
6> **You MUST use the composition algorithm** to generate infrastructure:
7>
8> 1. Load `templates/selection.md` to choose the correct base template
9> 2. Follow `templates/recipes/composition.md` for the exact algorithm
10> 3. Use `functions_template_get` MCP tool to list and fetch templates and write `functionFiles[]` + `projectFiles[]` directly — NEVER hand-write Bicep/Terraform and use `azd init -t <template>`/`func init`/`func new` as fallback when composing multiple recipes and required templates are not found
11>
12> Hand-writing Bicep from these patterns will result in missing RBAC, incorrect managed identity configuration, and security vulnerabilities.
13 
14## Flex Consumption (Recommended)
15 
16**Use Flex Consumption for new deployments with managed identity (no connection strings).**
17 
18```bicep
19resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
20  name: '${resourcePrefix}func${uniqueHash}'
21  location: location
22  sku: { name: 'Standard_LRS' }
23  kind: 'StorageV2'
24  properties: {
25    minimumTlsVersion: 'TLS1_2'
26    allowBlobPublicAccess: false
27    allowSharedKeyAccess: false  // Enforce managed identity
28  }
29}
30 
31resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
32  parent: storageAccount
33  name: 'default'
34}
35 
36resource deploymentContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
37  parent: blobService
38  name: 'deploymentpackage'
39}
40 
41resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
42  name: 'appi-${uniqueHash}'
43  location: location
44  kind: 'web'
45  properties: {
46    Application_Type: 'web'
47  }
48}
49 
50resource functionAppPlan 'Microsoft.Web/serverfarms@2024-04-01' = {
51  name: 'plan-${uniqueHash}'
52  location: location
53  sku: {
54    name: 'FC1'
55    tier: 'FlexConsumption'
56  }
57  properties: {
58    reserved: true
59  }
60}
61 
62resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
63  name: '${resourcePrefix}-${serviceName}-${uniqueHash}'
64  location: location
65  kind: 'functionapp,linux'
66  identity: {
67    type: 'SystemAssigned'
68  }
69  properties: {
70    serverFarmId: functionAppPlan.id
71    httpsOnly: true
72    functionAppConfig: {
73      deployment: {
74        storage: {
75          type: 'blobContainer'
76          value: '${storageAccount.properties.primaryEndpoints.blob}deploymentpackage'
77          authentication: {
78            type: 'SystemAssignedIdentity'
79          }
80        }
81      }
82      scaleAndConcurrency: {
83        maximumInstanceCount: 100
84        instanceMemoryMB: 2048
85      }
86      runtime: {
87        name: 'python'  // or 'node', 'dotnet-isolated'
88        version: '<version>'  // Query latest GA: https://learn.microsoft.com/en-us/azure/azure-functions/supported-languages
89      }
90    }
91    siteConfig: {
92      appSettings: [
93        {
94          name: 'AzureWebJobsStorage__blobServiceUri'
95          value: storageAccount.properties.primaryEndpoints.blob
96        }
97        {
98          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
99          value: appInsights.properties.ConnectionString
100        }
101        {
102          name: 'FUNCTIONS_EXTENSION_VERSION'
103          value: '~4'
104        }
105        {
106          name: 'FUNCTIONS_WORKER_RUNTIME'
107          value: 'python'
108        }
109      ]
110    }
111  }
112}
113 
114// Grant Function App access to Storage for runtime
115resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
116  name: guid(storageAccount.id, functionApp.id, 'Storage Blob Data Owner')
117  scope: storageAccount
118  properties: {
119    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')
120    principalId: functionApp.identity.principalId
121    principalType: 'ServicePrincipal'
122  }
123}
124```
125 
126> 💡 **Key Points:**
127>
128> - Use `AzureWebJobsStorage__blobServiceUri` instead of connection string
129> - Set `allowSharedKeyAccess: false` for enhanced security
130> - Use `SystemAssignedIdentity` for deployment authentication
131> - Grant `Storage Blob Data Owner` role for full access to blobs, queues, and tables
132 
133## Consumption Plan (Legacy)
134 
135> ⛔ **DO NOT USE** — Y1/Dynamic SKU is deprecated for new deployments.
136> **ALWAYS use Flex Consumption (FC1)** for all new Azure Functions.
137> The Y1 example below is only for reference when migrating legacy apps.
138 
139**⚠️ Not recommended for new deployments. Use Flex Consumption instead.**
140 
141> 💡 **OS and Slots Matter for Consumption:**
142>
143> - **Linux Consumption** (`kind: 'functionapp,linux'`, `reserved: true`): Does **not** support deployment slots.
144> - **Windows Consumption** (`kind: 'functionapp'`, no `reserved`): Supports **1 staging slot** (2 total including production).
145>   If a user specifically needs Windows Consumption with a slot, that is supported — use the Windows pattern below.
146>   For new apps needing slots, prefer **Elastic Premium (EP1)** for better performance and no cold-start issues.
147 
148### Linux Consumption (no slot support)
149 
150```bicep
151resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
152  name: '${resourcePrefix}func${uniqueHash}'
153  location: location
154  sku: { name: 'Standard_LRS' }
155  kind: 'StorageV2'
156}
157 
158resource functionAppPlan 'Microsoft.Web/serverfarms@2022-09-01' = {
159  name: '${resourcePrefix}-funcplan-${uniqueHash}'
160  location: location
161  sku: { name: 'Y1', tier: 'Dynamic' }
162  properties: { reserved: true }
163}
164 
165resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
166  name: '${resourcePrefix}-${serviceName}-${uniqueHash}'
167  location: location
168  kind: 'functionapp,linux'
169  identity: { type: 'SystemAssigned' }
170  properties: {
171    serverFarmId: functionAppPlan.id
172    httpsOnly: true
173    siteConfig: {
174      linuxFxVersion: 'Node|20'
175      appSettings: [
176        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}' }
177        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
178        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
179        { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: appInsights.properties.ConnectionString }
180      ]
181    }
182  }
183}
184```
185 
186### Windows Consumption (supports 1 staging slot)
187 
188> ⚠️ **Windows Consumption is not recommended for new projects** — consider Flex Consumption or Elastic Premium.
189> Use this pattern only for existing Windows apps or when Windows-specific features are required.
190 
191```bicep
192resource functionAppPlan 'Microsoft.Web/serverfarms@2022-09-01' = {
193  name: '${resourcePrefix}-funcplan-${uniqueHash}'
194  location: location
195  sku: { name: 'Y1', tier: 'Dynamic' }
196  // No 'reserved: true' for Windows
197}
198 
199resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
200  name: '${resourcePrefix}-${serviceName}-${uniqueHash}'
201  location: location
202  kind: 'functionapp'  // Windows (no 'linux' suffix)
203  identity: { type: 'SystemAssigned' }
204  properties: {
205    serverFarmId: functionAppPlan.id
206    httpsOnly: true
207    siteConfig: {
208      appSettings: [
209        { name: 'WEBSITE_NODE_DEFAULT_VERSION', value: '~20' }
210        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
211        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
212        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}' }
213        { name: 'WEBSITE_CONTENTSHARE', value: '${toLower(serviceName)}-prod' }
214        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}' }
215        { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: applicationInsights.properties.ConnectionString }
216      ]
217    }
218  }
219}
220 
221// 1 staging slot is supported on Windows Consumption
222resource stagingSlot 'Microsoft.Web/sites/slots@2022-09-01' = {
223  parent: functionApp
224  name: 'staging'
225  location: location
226  kind: 'functionapp'
227  properties: {
228    serverFarmId: functionAppPlan.id
229    siteConfig: {
230      appSettings: [
231        { name: 'WEBSITE_NODE_DEFAULT_VERSION', value: '~20' }
232        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
233        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
234        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}' }
235        { name: 'WEBSITE_CONTENTSHARE', value: '${toLower(serviceName)}-staging' }  // MUST differ from production
236        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}' }
237        { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: applicationInsights.properties.ConnectionString }
238      ]
239    }
240  }
241}
242 
243// Sticky settings — do not swap WEBSITE_CONTENTSHARE between slots
244resource slotConfigNames 'Microsoft.Web/sites/config@2022-09-01' = {
245  parent: functionApp
246  name: 'slotConfigNames'
247  properties: {
248    appSettingNames: [
249      'WEBSITE_CONTENTSHARE'
250      'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
251    ]
252  }
253}
254```
255 
256## Service Bus Integration (Managed Identity)
257 
258```bicep
259resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
260  name: serviceBusNamespaceName
261}
262 
263resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
264  // ... (Function App definition from above)
265  properties: {
266    // ... (other properties)
267    siteConfig: {
268      appSettings: [
269        // Storage with managed identity
270        {
271          name: 'AzureWebJobsStorage__blobServiceUri'
272          value: storageAccount.properties.primaryEndpoints.blob
273        }
274        // Service Bus with managed identity
275        {
276          name: 'SERVICEBUS__fullyQualifiedNamespace'
277          value: '${serviceBusNamespace.name}.servicebus.windows.net'
278        }
279        {
280          name: 'SERVICEBUS_QUEUE_NAME'
281          value: serviceBusQueueName
282        }
283        // Other settings...
284      ]
285    }
286  }
287}
288 
289// Grant Service Bus Data Receiver role for triggers
290resource serviceBusReceiverRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
291  name: guid(serviceBusNamespace.id, functionApp.id, 'Azure Service Bus Data Receiver')
292  scope: serviceBusNamespace
293  properties: {
294    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')
295    principalId: functionApp.identity.principalId
296    principalType: 'ServicePrincipal'
297  }
298}
299 
300// Grant Service Bus Data Sender role (if function sends messages)
301resource serviceBusSenderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
302  name: guid(serviceBusNamespace.id, functionApp.id, 'Azure Service Bus Data Sender')
303  scope: serviceBusNamespace
304  properties: {
305    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')
306    principalId: functionApp.identity.principalId
307    principalType: 'ServicePrincipal'
308  }
309}
310```
311 
312> 💡 **Key Points:**
313>
314> - Use `SERVICEBUS__fullyQualifiedNamespace` (double underscore) for managed identity
315> - Grant `Service Bus Data Receiver` role for reading messages
316> - Grant `Service Bus Data Sender` role for sending messages (if needed)
317> - Role assignments automatically enable connection via managed identity
318 
319## Premium Plan (No Cold Starts)
320 
321```bicep
322resource functionAppPlan 'Microsoft.Web/serverfarms@2022-09-01' = {
323  name: '${resourcePrefix}-funcplan-${uniqueHash}'
324  location: location
325  sku: { name: 'EP1', tier: 'ElasticPremium' }
326  properties: {
327    reserved: true
328    minimumElasticInstanceCount: 1
329  }
330}
331```
332 
333## Functions on Azure Container Apps (Aspire)
334 
335> ⚠️ **Important for .NET Aspire:** When deploying Azure Functions to Azure Container Apps with identity-based storage, you must configure `AzureWebJobsSecretStorageType=Files`.
336 
337See [aspire-containerapps.md](aspire-containerapps.md) for complete guidance on Functions running on Azure Container Apps and configuration examples.
338
Preparing the source view

Azure Prepare

references/services/functions/bicep.md
