Source from repo

Azure Prepare

Prepare Azure environments for new workloads—subscriptions, networking, identity, and landing zones

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

165

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/functions/terraform.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown381 linesFree

references/services/functions/terraform.md

1# Functions Terraform Patterns — REFERENCE ONLY
2 
3> ⛔ **DO NOT COPY THIS CODE DIRECTLY**
4>
5> This file contains **reference patterns** for understanding Azure Functions Terraform structure.
6> **You MUST use the composition algorithm** to generate infrastructure:
7>
8> 1. Load `templates/selection.md` to choose the correct base template
9> 2. Follow `templates/recipes/composition.md` for the exact algorithm
10> 3. Use `functions_template_get` MCP tool (with `infrastructure: "terraform"`) to list and fetch templates and write `functionFiles[]` + `projectFiles[]` directly — NEVER hand-write Bicep/Terraform and use `azd init -t <template>`/`func init`/`func new` as fallback when composing multiple recipes and required templates are not found
11>
12> Hand-writing Terraform from these patterns will result in missing RBAC, incorrect managed identity configuration, and security vulnerabilities.
13 
14## Flex Consumption (Recommended)
15 
16**Use Flex Consumption for new deployments with managed identity (no connection strings).**
17 
18> **⚠️ IMPORTANT**: Flex Consumption requires **azurerm provider v4.2 or later**.
19 
20```hcl
21terraform {
22  required_providers {
23    azurerm = {
24      source  = "hashicorp/azurerm"
25      version = "~> 4.2"
26    }
27  }
28}
29 
30provider "azurerm" {
31  features {}
32}
33 
34resource "azurerm_storage_account" "function_storage" {
35  name                     = "${var.resource_prefix}func${var.unique_hash}"
36  location                 = var.location
37  resource_group_name      = azurerm_resource_group.main.name
38  account_tier             = "Standard"
39  account_replication_type = "LRS"
40  
41  min_tls_version              = "TLS1_2"
42  allow_nested_items_to_be_public = false
43  shared_access_key_enabled    = false  # Enforce managed identity
44}
45 
46resource "azurerm_storage_container" "deployment_package" {
47  name                  = "deploymentpackage"
48  storage_account_id    = azurerm_storage_account.function_storage.id
49  container_access_type = "private"
50}
51 
52resource "azurerm_application_insights" "function_insights" {
53  name                = "appi-${var.unique_hash}"
54  location            = var.location
55  resource_group_name = azurerm_resource_group.main.name
56  application_type    = "web"
57}
58 
59resource "azurerm_service_plan" "function_plan" {
60  name                = "plan-${var.unique_hash}"
61  location            = var.location
62  resource_group_name = azurerm_resource_group.main.name
63  os_type             = "Linux"
64  sku_name            = "FC1"
65}
66 
67resource "azurerm_linux_function_app" "function_app" {
68  name                       = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
69  location                   = var.location
70  resource_group_name        = azurerm_resource_group.main.name
71  service_plan_id            = azurerm_service_plan.function_plan.id
72  storage_account_name       = azurerm_storage_account.function_storage.name
73  storage_uses_managed_identity = true
74  https_only                 = true
75 
76  identity {
77    type = "SystemAssigned"
78  }
79 
80  function_app_config {
81    deployment {
82      storage {
83        type  = "blob_container"
84        value = "${azurerm_storage_account.function_storage.primary_blob_endpoint}${azurerm_storage_container.deployment_package.name}"
85        authentication {
86          type = "SystemAssignedIdentity"
87        }
88      }
89    }
90 
91    scale_and_concurrency {
92      maximum_instance_count = 100
93      instance_memory_mb     = 2048
94    }
95 
96    runtime {
97      name    = "python"  # or "node", "dotnet-isolated"
98      version = "3.11"
99    }
100  }
101 
102  site_config {
103    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
104    
105    application_stack {
106      python_version = "3.11"  # Adjust based on runtime
107    }
108  }
109 
110  app_settings = {
111    "AzureWebJobsStorage__blobServiceUri"  = azurerm_storage_account.function_storage.primary_blob_endpoint
112    "FUNCTIONS_EXTENSION_VERSION"          = "~4"
113    "FUNCTIONS_WORKER_RUNTIME"             = "python"
114  }
115}
116 
117# Grant Function App access to Storage for runtime
118resource "azurerm_role_assignment" "function_storage_access" {
119  scope                = azurerm_storage_account.function_storage.id
120  role_definition_name = "Storage Blob Data Owner"
121  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
122}
123```
124 
125> 💡 **Key Points:**
126> - Use `AzureWebJobsStorage__blobServiceUri` instead of connection string
127> - Set `shared_access_key_enabled = false` for enhanced security
128> - Use `storage_uses_managed_identity = true` for deployment authentication
129> - Grant `Storage Blob Data Owner` role for full access to blobs, queues, and tables
130> - Requires azurerm provider **v4.2 or later**
131 
132### Using Azure Verified Module
133 
134For production deployments, use the official Azure Verified Module:
135 
136```hcl
137module "function_app" {
138  source  = "Azure/avm-res-web-site/azurerm"
139  version = "~> 0.0"
140 
141  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
142  location            = var.location
143  resource_group_name = azurerm_resource_group.main.name
144  
145  kind    = "functionapp"
146  os_type = "Linux"
147 
148  sku_name = "FC1"
149 
150  function_app_storage_account_name       = azurerm_storage_account.function_storage.name
151  function_app_storage_uses_managed_identity = true
152 
153  site_config = {
154    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
155    
156    application_stack = {
157      python_version = "3.11"
158    }
159  }
160 
161  app_settings = {
162    "AzureWebJobsStorage__blobServiceUri" = azurerm_storage_account.function_storage.primary_blob_endpoint
163    "FUNCTIONS_EXTENSION_VERSION"         = "~4"
164    "FUNCTIONS_WORKER_RUNTIME"            = "python"
165  }
166 
167  identity = {
168    type = "SystemAssigned"
169  }
170}
171```
172 
173> 💡 **Example Reference:** [HashiCorp Flex Consumption Example](https://registry.terraform.io/modules/Azure/avm-res-web-site/azurerm/latest/examples/flex_consumption)
174 
175## Consumption Plan (Legacy)
176 
177> ⛔ **DO NOT USE** — Y1/Dynamic SKU is deprecated for new deployments.
178> **ALWAYS use Flex Consumption (FC1)** for all new Azure Functions.
179> The Y1 example below is only for reference when migrating legacy apps.
180 
181**⚠️ Not recommended for new deployments. Use Flex Consumption instead.**
182 
183> 💡 **OS and Slots Matter for Consumption:**
184> - **Linux Consumption** (`os_type = "Linux"`): Does **not** support deployment slots.
185> - **Windows Consumption** (`os_type = "Windows"`): Supports **1 staging slot** (2 total including production).
186>   If a user specifically needs Windows Consumption with a slot, that is supported — use the Windows pattern below.
187>   For new apps needing slots, prefer **Elastic Premium (EP1)** for better performance and no cold-start issues.
188 
189### Linux Consumption (no slot support)
190 
191```hcl
192resource "azurerm_storage_account" "function_storage" {
193  name                     = "${var.resource_prefix}func${var.unique_hash}"
194  location                 = var.location
195  resource_group_name      = azurerm_resource_group.main.name
196  account_tier             = "Standard"
197  account_replication_type = "LRS"
198}
199 
200resource "azurerm_service_plan" "function_plan" {
201  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
202  location            = var.location
203  resource_group_name = azurerm_resource_group.main.name
204  os_type             = "Linux"
205  sku_name            = "Y1"
206}
207 
208resource "azurerm_linux_function_app" "function_app" {
209  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
210  location            = var.location
211  resource_group_name = azurerm_resource_group.main.name
212  service_plan_id     = azurerm_service_plan.function_plan.id
213  https_only          = true
214  
215  storage_account_name       = azurerm_storage_account.function_storage.name
216  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
217  
218  site_config {
219    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
220    
221    application_stack {
222      python_version = "3.11"
223    }
224  }
225 
226  app_settings = {
227    "FUNCTIONS_EXTENSION_VERSION" = "~4"
228    "FUNCTIONS_WORKER_RUNTIME"    = "python"
229  }
230 
231  identity {
232    type = "SystemAssigned"
233  }
234}
235```
236 
237### Windows Consumption (supports 1 staging slot)
238 
239> ⚠️ **Windows Consumption is not recommended for new projects** — consider Flex Consumption or Elastic Premium.
240> Use this pattern only for existing Windows apps or when Windows-specific features are required.
241 
242```hcl
243resource "azurerm_service_plan" "function_plan" {
244  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
245  location            = var.location
246  resource_group_name = azurerm_resource_group.main.name
247  os_type             = "Windows"
248  sku_name            = "Y1"
249}
250 
251resource "azurerm_windows_function_app" "function_app" {
252  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
253  location            = var.location
254  resource_group_name = azurerm_resource_group.main.name
255  service_plan_id     = azurerm_service_plan.function_plan.id
256  https_only          = true
257 
258  storage_account_name       = azurerm_storage_account.function_storage.name
259  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
260 
261  site_config {
262    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
263    application_stack {
264      node_version = "~20"
265    }
266  }
267 
268  app_settings = {
269    "FUNCTIONS_EXTENSION_VERSION"             = "~4"
270    "FUNCTIONS_WORKER_RUNTIME"                = "node"
271    "WEBSITE_CONTENTSHARE"                    = "${lower(var.service_name)}-prod"  # must differ per slot; Azure Files share names are lowercase
272    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = azurerm_storage_account.function_storage.primary_connection_string
273  }
274 
275  sticky_settings {
276    app_setting_names = ["WEBSITE_CONTENTSHARE", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"]
277  }
278 
279  identity {
280    type = "SystemAssigned"
281  }
282}
283 
284# 1 staging slot is supported on Windows Consumption
285resource "azurerm_windows_function_app_slot" "staging" {
286  name            = "staging"
287  function_app_id = azurerm_windows_function_app.function_app.id
288 
289  storage_account_name       = azurerm_storage_account.function_storage.name
290  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
291 
292  site_config {
293    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
294    application_stack {
295      node_version = "~20"
296    }
297  }
298 
299  app_settings = {
300    "FUNCTIONS_EXTENSION_VERSION"             = "~4"
301    "FUNCTIONS_WORKER_RUNTIME"                = "node"
302    "WEBSITE_CONTENTSHARE"                    = "${var.service_name}-staging"  # MUST differ from production
303    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = azurerm_storage_account.function_storage.primary_connection_string
304  }
305}
306```
307 
308## Service Bus Integration (Managed Identity)
309 
310```hcl
311data "azurerm_servicebus_namespace" "example" {
312  name                = var.servicebus_namespace_name
313  resource_group_name = var.servicebus_resource_group
314}
315 
316resource "azurerm_linux_function_app" "function_app" {
317  # ... (Function App definition from above)
318  
319  app_settings = {
320    # Storage with managed identity
321    "AzureWebJobsStorage__blobServiceUri" = azurerm_storage_account.function_storage.primary_blob_endpoint
322    
323    # Service Bus with managed identity
324    "SERVICEBUS__fullyQualifiedNamespace" = "${data.azurerm_servicebus_namespace.example.name}.servicebus.windows.net"
325    "SERVICEBUS_QUEUE_NAME"               = var.servicebus_queue_name
326    
327    # Other settings...
328    "FUNCTIONS_EXTENSION_VERSION"  = "~4"
329    "FUNCTIONS_WORKER_RUNTIME"     = "python"
330    "APPLICATIONINSIGHTS_CONNECTION_STRING" = azurerm_application_insights.function_insights.connection_string
331  }
332}
333 
334# Grant Service Bus Data Receiver role for triggers
335resource "azurerm_role_assignment" "servicebus_receiver" {
336  scope                = data.azurerm_servicebus_namespace.example.id
337  role_definition_name = "Azure Service Bus Data Receiver"
338  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
339}
340 
341# Grant Service Bus Data Sender role (if function sends messages)
342resource "azurerm_role_assignment" "servicebus_sender" {
343  scope                = data.azurerm_servicebus_namespace.example.id
344  role_definition_name = "Azure Service Bus Data Sender"
345  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
346}
347```
348 
349> 💡 **Key Points:**
350> - Use `SERVICEBUS__fullyQualifiedNamespace` (double underscore) for managed identity
351> - Grant `Service Bus Data Receiver` role for reading messages
352> - Grant `Service Bus Data Sender` role for sending messages (if needed)
353> - Role assignments automatically enable connection via managed identity
354 
355## Premium Plan (No Cold Starts)
356 
357```hcl
358resource "azurerm_service_plan" "function_plan" {
359  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
360  location            = var.location
361  resource_group_name = azurerm_resource_group.main.name
362  os_type             = "Linux"
363  sku_name            = "EP1"  # EP1, EP2, or EP3
364}
365 
366resource "azurerm_linux_function_app" "function_app" {
367  # ... (rest of configuration similar to Flex Consumption)
368  
369  site_config {
370    # Premium-specific settings
371    always_on                      = true
372    pre_warmed_instance_count      = 1
373    elastic_instance_minimum       = 1
374    
375    application_stack {
376      python_version = "3.11"
377    }
378  }
379}
380```
381

Marketplace

Source from repo

Azure Prepare

Prepare Azure environments for new workloads—subscriptions, networking, identity, and landing zones

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

165

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/functions/terraform.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown381 linesFree

references/services/functions/terraform.md

1# Functions Terraform Patterns — REFERENCE ONLY
2 
3> ⛔ **DO NOT COPY THIS CODE DIRECTLY**
4>
5> This file contains **reference patterns** for understanding Azure Functions Terraform structure.
6> **You MUST use the composition algorithm** to generate infrastructure:
7>
8> 1. Load `templates/selection.md` to choose the correct base template
9> 2. Follow `templates/recipes/composition.md` for the exact algorithm
10> 3. Use `functions_template_get` MCP tool (with `infrastructure: "terraform"`) to list and fetch templates and write `functionFiles[]` + `projectFiles[]` directly — NEVER hand-write Bicep/Terraform and use `azd init -t <template>`/`func init`/`func new` as fallback when composing multiple recipes and required templates are not found
11>
12> Hand-writing Terraform from these patterns will result in missing RBAC, incorrect managed identity configuration, and security vulnerabilities.
13 
14## Flex Consumption (Recommended)
15 
16**Use Flex Consumption for new deployments with managed identity (no connection strings).**
17 
18> **⚠️ IMPORTANT**: Flex Consumption requires **azurerm provider v4.2 or later**.
19 
20```hcl
21terraform {
22  required_providers {
23    azurerm = {
24      source  = "hashicorp/azurerm"
25      version = "~> 4.2"
26    }
27  }
28}
29 
30provider "azurerm" {
31  features {}
32}
33 
34resource "azurerm_storage_account" "function_storage" {
35  name                     = "${var.resource_prefix}func${var.unique_hash}"
36  location                 = var.location
37  resource_group_name      = azurerm_resource_group.main.name
38  account_tier             = "Standard"
39  account_replication_type = "LRS"
40  
41  min_tls_version              = "TLS1_2"
42  allow_nested_items_to_be_public = false
43  shared_access_key_enabled    = false  # Enforce managed identity
44}
45 
46resource "azurerm_storage_container" "deployment_package" {
47  name                  = "deploymentpackage"
48  storage_account_id    = azurerm_storage_account.function_storage.id
49  container_access_type = "private"
50}
51 
52resource "azurerm_application_insights" "function_insights" {
53  name                = "appi-${var.unique_hash}"
54  location            = var.location
55  resource_group_name = azurerm_resource_group.main.name
56  application_type    = "web"
57}
58 
59resource "azurerm_service_plan" "function_plan" {
60  name                = "plan-${var.unique_hash}"
61  location            = var.location
62  resource_group_name = azurerm_resource_group.main.name
63  os_type             = "Linux"
64  sku_name            = "FC1"
65}
66 
67resource "azurerm_linux_function_app" "function_app" {
68  name                       = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
69  location                   = var.location
70  resource_group_name        = azurerm_resource_group.main.name
71  service_plan_id            = azurerm_service_plan.function_plan.id
72  storage_account_name       = azurerm_storage_account.function_storage.name
73  storage_uses_managed_identity = true
74  https_only                 = true
75 
76  identity {
77    type = "SystemAssigned"
78  }
79 
80  function_app_config {
81    deployment {
82      storage {
83        type  = "blob_container"
84        value = "${azurerm_storage_account.function_storage.primary_blob_endpoint}${azurerm_storage_container.deployment_package.name}"
85        authentication {
86          type = "SystemAssignedIdentity"
87        }
88      }
89    }
90 
91    scale_and_concurrency {
92      maximum_instance_count = 100
93      instance_memory_mb     = 2048
94    }
95 
96    runtime {
97      name    = "python"  # or "node", "dotnet-isolated"
98      version = "3.11"
99    }
100  }
101 
102  site_config {
103    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
104    
105    application_stack {
106      python_version = "3.11"  # Adjust based on runtime
107    }
108  }
109 
110  app_settings = {
111    "AzureWebJobsStorage__blobServiceUri"  = azurerm_storage_account.function_storage.primary_blob_endpoint
112    "FUNCTIONS_EXTENSION_VERSION"          = "~4"
113    "FUNCTIONS_WORKER_RUNTIME"             = "python"
114  }
115}
116 
117# Grant Function App access to Storage for runtime
118resource "azurerm_role_assignment" "function_storage_access" {
119  scope                = azurerm_storage_account.function_storage.id
120  role_definition_name = "Storage Blob Data Owner"
121  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
122}
123```
124 
125> 💡 **Key Points:**
126> - Use `AzureWebJobsStorage__blobServiceUri` instead of connection string
127> - Set `shared_access_key_enabled = false` for enhanced security
128> - Use `storage_uses_managed_identity = true` for deployment authentication
129> - Grant `Storage Blob Data Owner` role for full access to blobs, queues, and tables
130> - Requires azurerm provider **v4.2 or later**
131 
132### Using Azure Verified Module
133 
134For production deployments, use the official Azure Verified Module:
135 
136```hcl
137module "function_app" {
138  source  = "Azure/avm-res-web-site/azurerm"
139  version = "~> 0.0"
140 
141  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
142  location            = var.location
143  resource_group_name = azurerm_resource_group.main.name
144  
145  kind    = "functionapp"
146  os_type = "Linux"
147 
148  sku_name = "FC1"
149 
150  function_app_storage_account_name       = azurerm_storage_account.function_storage.name
151  function_app_storage_uses_managed_identity = true
152 
153  site_config = {
154    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
155    
156    application_stack = {
157      python_version = "3.11"
158    }
159  }
160 
161  app_settings = {
162    "AzureWebJobsStorage__blobServiceUri" = azurerm_storage_account.function_storage.primary_blob_endpoint
163    "FUNCTIONS_EXTENSION_VERSION"         = "~4"
164    "FUNCTIONS_WORKER_RUNTIME"            = "python"
165  }
166 
167  identity = {
168    type = "SystemAssigned"
169  }
170}
171```
172 
173> 💡 **Example Reference:** [HashiCorp Flex Consumption Example](https://registry.terraform.io/modules/Azure/avm-res-web-site/azurerm/latest/examples/flex_consumption)
174 
175## Consumption Plan (Legacy)
176 
177> ⛔ **DO NOT USE** — Y1/Dynamic SKU is deprecated for new deployments.
178> **ALWAYS use Flex Consumption (FC1)** for all new Azure Functions.
179> The Y1 example below is only for reference when migrating legacy apps.
180 
181**⚠️ Not recommended for new deployments. Use Flex Consumption instead.**
182 
183> 💡 **OS and Slots Matter for Consumption:**
184> - **Linux Consumption** (`os_type = "Linux"`): Does **not** support deployment slots.
185> - **Windows Consumption** (`os_type = "Windows"`): Supports **1 staging slot** (2 total including production).
186>   If a user specifically needs Windows Consumption with a slot, that is supported — use the Windows pattern below.
187>   For new apps needing slots, prefer **Elastic Premium (EP1)** for better performance and no cold-start issues.
188 
189### Linux Consumption (no slot support)
190 
191```hcl
192resource "azurerm_storage_account" "function_storage" {
193  name                     = "${var.resource_prefix}func${var.unique_hash}"
194  location                 = var.location
195  resource_group_name      = azurerm_resource_group.main.name
196  account_tier             = "Standard"
197  account_replication_type = "LRS"
198}
199 
200resource "azurerm_service_plan" "function_plan" {
201  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
202  location            = var.location
203  resource_group_name = azurerm_resource_group.main.name
204  os_type             = "Linux"
205  sku_name            = "Y1"
206}
207 
208resource "azurerm_linux_function_app" "function_app" {
209  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
210  location            = var.location
211  resource_group_name = azurerm_resource_group.main.name
212  service_plan_id     = azurerm_service_plan.function_plan.id
213  https_only          = true
214  
215  storage_account_name       = azurerm_storage_account.function_storage.name
216  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
217  
218  site_config {
219    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
220    
221    application_stack {
222      python_version = "3.11"
223    }
224  }
225 
226  app_settings = {
227    "FUNCTIONS_EXTENSION_VERSION" = "~4"
228    "FUNCTIONS_WORKER_RUNTIME"    = "python"
229  }
230 
231  identity {
232    type = "SystemAssigned"
233  }
234}
235```
236 
237### Windows Consumption (supports 1 staging slot)
238 
239> ⚠️ **Windows Consumption is not recommended for new projects** — consider Flex Consumption or Elastic Premium.
240> Use this pattern only for existing Windows apps or when Windows-specific features are required.
241 
242```hcl
243resource "azurerm_service_plan" "function_plan" {
244  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
245  location            = var.location
246  resource_group_name = azurerm_resource_group.main.name
247  os_type             = "Windows"
248  sku_name            = "Y1"
249}
250 
251resource "azurerm_windows_function_app" "function_app" {
252  name                = "${var.resource_prefix}-${var.service_name}-${var.unique_hash}"
253  location            = var.location
254  resource_group_name = azurerm_resource_group.main.name
255  service_plan_id     = azurerm_service_plan.function_plan.id
256  https_only          = true
257 
258  storage_account_name       = azurerm_storage_account.function_storage.name
259  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
260 
261  site_config {
262    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
263    application_stack {
264      node_version = "~20"
265    }
266  }
267 
268  app_settings = {
269    "FUNCTIONS_EXTENSION_VERSION"             = "~4"
270    "FUNCTIONS_WORKER_RUNTIME"                = "node"
271    "WEBSITE_CONTENTSHARE"                    = "${lower(var.service_name)}-prod"  # must differ per slot; Azure Files share names are lowercase
272    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = azurerm_storage_account.function_storage.primary_connection_string
273  }
274 
275  sticky_settings {
276    app_setting_names = ["WEBSITE_CONTENTSHARE", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"]
277  }
278 
279  identity {
280    type = "SystemAssigned"
281  }
282}
283 
284# 1 staging slot is supported on Windows Consumption
285resource "azurerm_windows_function_app_slot" "staging" {
286  name            = "staging"
287  function_app_id = azurerm_windows_function_app.function_app.id
288 
289  storage_account_name       = azurerm_storage_account.function_storage.name
290  storage_account_access_key = azurerm_storage_account.function_storage.primary_access_key
291 
292  site_config {
293    application_insights_connection_string = azurerm_application_insights.function_insights.connection_string
294    application_stack {
295      node_version = "~20"
296    }
297  }
298 
299  app_settings = {
300    "FUNCTIONS_EXTENSION_VERSION"             = "~4"
301    "FUNCTIONS_WORKER_RUNTIME"                = "node"
302    "WEBSITE_CONTENTSHARE"                    = "${var.service_name}-staging"  # MUST differ from production
303    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = azurerm_storage_account.function_storage.primary_connection_string
304  }
305}
306```
307 
308## Service Bus Integration (Managed Identity)
309 
310```hcl
311data "azurerm_servicebus_namespace" "example" {
312  name                = var.servicebus_namespace_name
313  resource_group_name = var.servicebus_resource_group
314}
315 
316resource "azurerm_linux_function_app" "function_app" {
317  # ... (Function App definition from above)
318  
319  app_settings = {
320    # Storage with managed identity
321    "AzureWebJobsStorage__blobServiceUri" = azurerm_storage_account.function_storage.primary_blob_endpoint
322    
323    # Service Bus with managed identity
324    "SERVICEBUS__fullyQualifiedNamespace" = "${data.azurerm_servicebus_namespace.example.name}.servicebus.windows.net"
325    "SERVICEBUS_QUEUE_NAME"               = var.servicebus_queue_name
326    
327    # Other settings...
328    "FUNCTIONS_EXTENSION_VERSION"  = "~4"
329    "FUNCTIONS_WORKER_RUNTIME"     = "python"
330    "APPLICATIONINSIGHTS_CONNECTION_STRING" = azurerm_application_insights.function_insights.connection_string
331  }
332}
333 
334# Grant Service Bus Data Receiver role for triggers
335resource "azurerm_role_assignment" "servicebus_receiver" {
336  scope                = data.azurerm_servicebus_namespace.example.id
337  role_definition_name = "Azure Service Bus Data Receiver"
338  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
339}
340 
341# Grant Service Bus Data Sender role (if function sends messages)
342resource "azurerm_role_assignment" "servicebus_sender" {
343  scope                = data.azurerm_servicebus_namespace.example.id
344  role_definition_name = "Azure Service Bus Data Sender"
345  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
346}
347```
348 
349> 💡 **Key Points:**
350> - Use `SERVICEBUS__fullyQualifiedNamespace` (double underscore) for managed identity
351> - Grant `Service Bus Data Receiver` role for reading messages
352> - Grant `Service Bus Data Sender` role for sending messages (if needed)
353> - Role assignments automatically enable connection via managed identity
354 
355## Premium Plan (No Cold Starts)
356 
357```hcl
358resource "azurerm_service_plan" "function_plan" {
359  name                = "${var.resource_prefix}-funcplan-${var.unique_hash}"
360  location            = var.location
361  resource_group_name = azurerm_resource_group.main.name
362  os_type             = "Linux"
363  sku_name            = "EP1"  # EP1, EP2, or EP3
364}
365 
366resource "azurerm_linux_function_app" "function_app" {
367  # ... (rest of configuration similar to Flex Consumption)
368  
369  site_config {
370    # Premium-specific settings
371    always_on                      = true
372    pre_warmed_instance_count      = 1
373    elastic_instance_minimum       = 1
374    
375    application_stack {
376      python_version = "3.11"
377    }
378  }
379}
380```
381

Azure Prepare

references/services/functions/terraform.md

Preparing the source view

Azure Prepare

references/services/functions/terraform.md