The Azure Function will be deployed through Bicep. Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. According to the Microsoft documentation, Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
Azure account
Before you begin, you must have an Azure account with an active subscription. Create an account for free.
Code repository
To download the sample code repository, run the following commands in your local terminal window:
git clone https://github.com/JamesDLD/bicep-function-app-virtual-network-monitoring.git
cd bicep-function-app-virtual-network-monitoring
Review the Bicep files and create your environment
# variables
location=westeurope
resourceGroupName=exampleRG
# create the resource group
az group create --name $resourceGroupName --location $location
# create the function app
az deployment group create \
  --name function_app \
  --resource-group $resourceGroupName \
  --template-file function_app.bicep \
  --parameters appInsightsLocation=$location
When the deployment finishes, you should see a message indicating the deployment succeeded.
Bicep file to assign the Reader privilege to the Managed Identity of our Function App
@description('The principal Id of the object that will be granted the needed role.')
param principalId string
@description('This is the built-in Reader role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?WT.mc_id=AZ-MVP-5003548#reader')
resource readerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription()
  name: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
}
targetScope = 'subscription'
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(readerRoleDefinition.id, principalId, readerRoleDefinition.id)
  properties: {
    roleDefinitionId: readerRoleDefinition.id
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
The following Azure resource is created by this Bicep file:
# assign the Azure built-in role to the function app
principalId=$(az deployment group show \
  --resource-group $resourceGroupName \
  --name function_app \
  --query properties.outputs.principalId.value \
  --output tsv)
az deployment sub create \
  --location $location \
  --template-file role_assignment.bicep \
  --parameters principalId=$principalId
When the deployment finishes, you should see a message indicating the deployment succeeded.
Use Azure CLI to validate the deployment.
az resource list --resource-group $resourceGroupName
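The resource listing does not show what the managed identity is allowed to do. The following added example (not part of the original repository) checks that the identity holds the built-in Reader role at subscription scope and nothing else; `fetch_assignments`, `audit_assignments` and `lower` are hypothetical helper names, and the subscription ID is assumed to be supplied by the caller.

```bash
# Added example: least-privilege check for the Function App's managed identity.
# Built-in Reader role GUID, as referenced in role_assignment.bicep.
READER_ROLE_GUID='acdd72a7-3385-48ef-bd42-f606fba81ae7'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# List every assignment held by a principal as "roleDefinitionId<TAB>scope" lines.
fetch_assignments() {
  az role assignment list --assignee "$1" --all \
    --query '[].[roleDefinitionId, scope]' --output tsv
}

# Read "roleDefinitionId<TAB>scope" lines on stdin; $1 is the subscription ID.
# Prints one finding per deviation and succeeds only when the identity holds
# Reader at /subscriptions/<id> and no other assignment.
audit_assignments() (
  expected_scope=$(lower "/subscriptions/$1")
  tab=$(printf '\t')
  findings=0
  reader_seen=0
  while IFS="$tab" read -r role_id scope; do
    [ -n "$role_id" ] || continue
    # A role definition ID ends with the role GUID.
    role_guid=$(lower "${role_id##*/}")
    if [ "$role_guid" != "$READER_ROLE_GUID" ]; then
      echo "UNEXPECTED_ROLE $role_guid at $scope"
      findings=$((findings + 1))
    elif [ "$(lower "$scope")" != "$expected_scope" ]; then
      echo "UNEXPECTED_SCOPE $scope"
      findings=$((findings + 1))
    else
      reader_seen=1
    fi
  done
  if [ "$reader_seen" -ne 1 ]; then
    echo "MISSING_READER /subscriptions/$1"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
)

# Live usage after the deployments above (requires an authenticated az session):
#   fetch_assignments "$principalId" |
#     audit_assignments "$(az account show --query id --output tsv)"
```

A non-zero exit status with an `UNEXPECTED_ROLE` or `UNEXPECTED_SCOPE` line means the identity has drifted from the read-only access this deployment intends.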
Perform a manual git deployment to the Azure Function App
Deploy the PowerShell code to the Function App using Azure CLI.
functionAppName=$(az deployment group show \
  --resource-group $resourceGroupName \
  --name function_app \
  --query properties.outputs.functionAppName.value \
  --output tsv)
az functionapp deployment source config \
  --branch main \
  --manual-integration \
  --name $functionAppName \
  --resource-group $resourceGroupName \
  --repo-url https://github.com/JamesDLD/bicep-function-app-virtual-network-monitoring
View the audit result in Azure Application Insights
You can then monitor the Function App logs, which are inserted every 30 minutes, by navigating to your Function App > Logs, as illustrated in the following screenshot.