AzureRmProvider.FunctionApp with UserManagedIdentity

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I followed the guide for https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial. The goal of this article, imho, is to provision an azure function to use ManagedIdentites to access both its keyvault and its storageaccount so that no secret values are stored in the FunctionApp configuration where anyone with access to the FunctionApp can see them.

The problem: cdktf is still forces me to provide a StorageAccountAccessKey in order to provision the FunctionApp whereby an AppSetting is autogenerated for AzureWebJobsStorage whose value is DefaultEndpointsProtocol=https;AccountName=ACCOUNT_NAME;AccountKey=fake;EndpointSuffix=core.windows.net. This is an issue, I believe, because the guide already had me set an AppSetting for AzureWebJobsStorage__accountName whose value is STORAGE_ACCOUNT_NAME and it’s therefore unclear to me which will be chosen.

When trying to deploy the FunctionApp without that StorageAccountAccessKey I get the following error:

[2022-06-15T13:31:57.909] [ERROR] default - ╷
│ Error: storage_account_access_key must not be empty, got
│
│   with azurerm_function_app.Poc_FunctionApp_FDAE6E57,
│   on cdk.tf.json line 63, in resource.azurerm_function_app.CdktfPoc_FunctionApp_FDAE6E57:
│   63:         "storage_account_access_key": "",

I apologize if there’s a beta package that supports this somewhere but I didn’t find it after a quick search, nor did I find documentation detailing how to use Managed Identities for this.

References