
[AVM Module Issue]: Output connectionstring of StorageAccount #2840

Closed
1 task done
tvriesde opened this issue Jul 24, 2024 · 5 comments
Assignees
Labels
Class: Resource Module 📦 This is a resource module Needs: Triage 🔍 Maintainers need to triage still Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: Feature Request ➕ New feature or request

Comments

@tvriesde

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

Module Name

avm/res/storage/storage-account

(Optional) Module Version

0.11.0

Description

When creating an Azure Functions app it is required to submit the app setting AZUREWEBJOBSSTORAGE and provide a connection string to the storage account. Currently I don't see a way to create this connection string when using the module, as certain values are missing from the outputs.

Missing values:

  • accountkey
  • endpointsuffix

Better yet would be if the entire connection string could be exposed as one output.

Any tips on how to solve this when using the module are welcome.

(Optional) Correlation Id

No response

@tvriesde tvriesde added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Jul 24, 2024
@avm-team-linter avm-team-linter bot added the Class: Resource Module 📦 This is a resource module label Jul 24, 2024

@tvriesde, thanks for submitting this issue for the avm/res/storage/storage-account module!

Important

A member of the @Azure/avm-res-storage-storageaccount-module-owners-bicep or @Azure/avm-res-storage-storageaccount-module-contributors-bicep team will review it soon!

@donheerschap
Contributor

Hi @tvriesde, the br/public:avm/res/web/site:0.3.9 module of AVM itself will construct this for you: when providing the storageAccountResourceId it will set AZUREWEBJOBSSTORAGE for you (or better, it uses the Entra ID variant when enabling storageAccountUseIdentityAuthentication).

This is a working example:

```bicep
metadata name = 'Infrastructure for the smallestAzureDataplatform'
metadata description = 'This is the main entry point for the smallestAzureDataplatform'

targetScope = 'subscription'

param location string = 'northeurope'
param rgName string
param dlName string
param fnName string
param fnstgName string
param aspName string
param sqlServerName string // Not used in this excerpt

module rg 'br/public:avm/res/resources/resource-group:0.2.4' = { // Resource group to contain all resources
  name: '${deployment().name}-resourceGroup'
  params: {
    name: rgName
    location: location
  }
}

module asp 'br/public:avm/res/web/serverfarm:0.2.2' = { // Hosting for the function app
  name: '${deployment().name}-appServicePlan'
  scope: resourceGroup(rgName)
  dependsOn: [
    rg
  ]
  params: {
    name: aspName
    location: location
    skuCapacity: 1
    skuName: 'B1' // Can't use the free tier because it doesn't support deployments from a package
    reserved: true // Required for Linux
    kind: 'Linux' // Needed for a Python function app
  }
}

module fnstg 'br/public:avm/res/storage/storage-account:0.9.1' = { // Storage account for the function app backend (where the function app triggers and logging are stored)
  name: '${deployment().name}-functionStorage'
  scope: resourceGroup(rgName)
  dependsOn: [
    rg
  ]
  params: {
    name: fnstgName
    location: location
    publicNetworkAccess: 'Enabled'
  }
}

module dl 'br/public:avm/res/storage/storage-account:0.9.1' = { // Data lake storage account referenced by DATALAKE__serviceUri below (assumed; the original snippet used dl without defining it)
  name: '${deployment().name}-dataLake'
  scope: resourceGroup(rgName)
  dependsOn: [
    rg
  ]
  params: {
    name: dlName
    location: location
    enableHierarchicalNamespace: true // Data Lake Storage Gen2
  }
}

module fn 'br/public:avm/res/web/site:0.3.9' = { // Function app which will run the Python code
  name: '${deployment().name}-function'
  scope: resourceGroup(rgName)
  dependsOn: [
    rg
    asp
    fnstg
  ]
  params: {
    name: fnName
    location: location
    kind: 'functionapp,linux'
    serverFarmResourceId: asp.outputs.resourceId
    siteConfig: {
      pythonVersion: '3.11'
      linuxFxVersion: 'python|3.11'
    }
    appSettingsKeyValuePairs: {
      FUNCTIONS_WORKER_RUNTIME: 'python'
      FUNCTIONS_EXTENSION_VERSION: '~4'
      WEBSITE_RUN_FROM_PACKAGE: '1' // Required to deploy the function app from a package (GitHub CI/CD)
      DATALAKE__serviceUri: dl.outputs.primaryBlobEndpoint // Required to have a storage account output binding in the function app
    }
    managedIdentities: {
      systemAssigned: true // Creates a managed identity for the function app to access other Azure resources
    }
    storageAccountResourceId: fnstg.outputs.resourceId // Backend storage account for the function app
    storageAccountUseIdentityAuthentication: true // Required to be able to access the storage account without access keys
  }
}
```

@tvriesde
Author

Nice one, thanks @donheerschap.

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions from taking effect, the "Status: Response Overdue 🚩" label must be removed once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days label Aug 2, 2024
@AlexanderSehr
Contributor

Thanks @donheerschap for chiming in.
To briefly provide some further context before I close this issue:

  • The module is not and won't be able to return sensitive information like the storage account key, as there is no @secure() output decorator in ARM/Bicep today. (ref: Add securestring support for template output type bicep#2163)
  • To mitigate this (aside from relying on other modules to solve it for us, like the app module), this implementation will be specified as an interface and made available on demand for modules. In short: it allows you to tell the module to add its sensitive information to a key vault from which you can fetch it afterwards.

@Agazoth was already so keen to start working on that for the storage account module, as you can see here, and will finish the PR up once he's back from vacation.
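Because a Bicep module cannot return the account key through an output, the consuming template has to obtain the key itself or avoid it. The following is an added example (not AVM code and not from this thread) showing both routes discussed above: listKeys() plus environment().suffixes.storage to assemble AZUREWEBJOBSSTORAGE and hand it to Key Vault, and the key-less identity-based setting. The storage account, key vault and secret names are assumed parameters.

```bicep
// Added example, not part of AVM: run in the resource group that already holds
// the storage account and key vault (both referenced as existing resources).
param storageAccountName string
param keyVaultName string
param secretName string = 'azurewebjobsstorage'

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// listKeys() is evaluated inside this deployment, so the key never has to cross
// a module output boundary. environment().suffixes.storage supplies the endpoint
// suffix the issue asked for (core.windows.net on the public cloud).
var connectionString = 'DefaultEndpointsProtocol=https;AccountName=${stg.name};AccountKey=${stg.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'

// Route A: store the connection string in Key Vault and let the function app
// read it from there (the pattern the maintainer describes as the planned interface).
// Never emit connectionString as an output: outputs are visible in deployment history.
resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: secretName
  properties: {
    value: connectionString
  }
}

// Route B: no key at all. The Functions host authenticates to the backend
// storage account with the app's managed identity; that identity needs the
// Storage Blob/Queue/Table Data Contributor roles on the account.
var identityBasedSettings = {
  AzureWebJobsStorage__accountName: stg.name
}

// Safe to output: a Key Vault reference URI and a non-secret app setting map.
output secretUri string = secret.properties.secretUri
output identityAppSettings object = identityBasedSettings
```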

@AlexanderSehr AlexanderSehr closed this as not planned Won't fix, can't repro, duplicate, stale Aug 2, 2024