ExternalVendorCode/onefuzz
1
0
Fork 0
mirror of https://github.com/microsoft/onefuzz.git synced 2025-06-14 02:58:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

adding function app settings bicep template and updating deploy.py (#1973)

Browse Source 
* adding function app settings bicep templates and updating deploy.py for toggling function states through enable_dotnet argument

* fixes #1948
This commit is contained in:
Adam
2022-05-25 09:30:38 -07:00
committed by GitHub
parent 6e84fd6dcb
commit 29fbb28ad9
4 changed files with 227 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
src/deployment/azuredeploy.bicep
View File

@ -24,6 +24,9 @@ param diagnosticsLogLevel string = 'Verbose'
var log_retention = 30 var log_retention = 30
var tenantId = subscription().tenantId var tenantId = subscription().tenantId
var python_functions_disabled = '0'
var dotnet_functions_disabled = '1'
var scaleset_identity = '${name}-scalesetid' var scaleset_identity = '${name}-scalesetid'
var StorageBlobDataReader = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' var StorageBlobDataReader = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
@ -261,6 +264,45 @@ module pythonFunctionSettings 'bicep-templates/function-settings.bicep' = {
keyvault_name: keyVaultName keyvault_name: keyVaultName
monitor_account_name: operationalInsights.outputs.monitorAccountName monitor_account_name: operationalInsights.outputs.monitorAccountName
multi_tenant_domain: multi_tenant_domain multi_tenant_domain: multi_tenant_domain
functions_disabled: python_functions_disabled
all_function_names: [
'agent_can_schedule' //0
'agent_commands' //1
'agent_events' //2
'agent_registration' //3
'containers' //4
'download' //5
'info' //6
'instance_config' //7
'jobs' //8
'job_templates' //9
'job_templates_manage' //10
'negotiate' //11
'node' //12
'node_add_ssh_key' //13
'notifications' //14
'pool' //15
'proxy' //16
'queue_file_changes' //17
'queue_node_heartbeat' //18
'queue_proxy_update' //19
'queue_signalr_events' //20
'queue_task_heartbeat' //21
'queue_updates' //22
'queue_webhooks' //23
'repro_vms' //24
'scaleset' //25
'tasks' //26
'timer_daily' //27
'timer_proxy' //28
'timer_repro' //29
'timer_retention' //30
'timer_tasks' //31
'timer_workers' //32
'webhooks' //33
'webhooks_logs' //34
'webhooks_ping' //35
]
} }
dependsOn: [ dependsOn: [
pythonFunction pythonFunction
@ -286,6 +328,45 @@ module netFunctionSettings 'bicep-templates/function-settings.bicep' = {
keyvault_name: keyVaultName keyvault_name: keyVaultName
monitor_account_name: operationalInsights.outputs.monitorAccountName monitor_account_name: operationalInsights.outputs.monitorAccountName
multi_tenant_domain: multi_tenant_domain multi_tenant_domain: multi_tenant_domain
functions_disabled: dotnet_functions_disabled
all_function_names: [
'AgentCanSchedule' //0
'AgentCommands' //1
'AgentEvents' //2
'AgentRegistration' //3
'Containers' //4
'Download' //5
'Info' //6
'InstanceConfig' //7
'Jobs' //8
'JobTemplates' //9
'JobTemplatesManage' //10
'Negotiate' //11
'Node' //12
'NodeAddSshKey' //13
'Notifications' //14
'Pool' //15
'Proxy' //16
'QueueFileChanges' //17
'QueueNodeHeartbeat' //18
'QueueProxyUpdate' //19
'QueueSignalrEvents' //20
'QueueTaskHeartbeat' //21
'QueueUpdates' //22
'QueueWebhooks' //23
'ReproVms' //24
'Scaleset' //25
'Tasks' //26
'TimerDaily' //27
'TimerProxy' //28
'TimerRepro' //29
'TimerRetention' //30
'TimerTasks' //31
'TimerWorkers' //32
'Webhooks' //33
'WebhooksLogs' //34
'WebhooksPing' //35
]
} }
dependsOn: [ dependsOn: [
netFunction netFunction

55
src/deployment/bicep-templates/function-settings-disabled-apps.bicep Normal file
View File

@ -0,0 +1,55 @@
param functions_disabled_setting string
param allFunctions array
var disabledFunctions = [for f in allFunctions: 'AzureWebJobs.${f}.Disabled' ]
var disabledFunctionsAppSettings = {
'${disabledFunctions[0]}' : functions_disabled_setting
'${disabledFunctions[1]}' : functions_disabled_setting
'${disabledFunctions[2]}' : functions_disabled_setting
'${disabledFunctions[3]}' : functions_disabled_setting
'${disabledFunctions[4]}' : functions_disabled_setting
'${disabledFunctions[5]}' : functions_disabled_setting
'${disabledFunctions[6]}' : functions_disabled_setting
'${disabledFunctions[7]}' : functions_disabled_setting
'${disabledFunctions[8]}' : functions_disabled_setting
'${disabledFunctions[9]}' : functions_disabled_setting
'${disabledFunctions[10]}' : functions_disabled_setting
'${disabledFunctions[11]}' : functions_disabled_setting
'${disabledFunctions[12]}' : functions_disabled_setting
'${disabledFunctions[13]}' : functions_disabled_setting
'${disabledFunctions[14]}' : functions_disabled_setting
'${disabledFunctions[15]}' : functions_disabled_setting
'${disabledFunctions[16]}' : functions_disabled_setting
'${disabledFunctions[17]}' : functions_disabled_setting
'${disabledFunctions[18]}' : functions_disabled_setting
'${disabledFunctions[19]}' : functions_disabled_setting
'${disabledFunctions[20]}' : functions_disabled_setting
'${disabledFunctions[21]}' : functions_disabled_setting
'${disabledFunctions[22]}' : functions_disabled_setting
'${disabledFunctions[23]}' : functions_disabled_setting
'${disabledFunctions[24]}' : functions_disabled_setting
'${disabledFunctions[25]}' : functions_disabled_setting
'${disabledFunctions[26]}' : functions_disabled_setting
'${disabledFunctions[27]}' : functions_disabled_setting
'${disabledFunctions[28]}' : functions_disabled_setting
'${disabledFunctions[29]}' : functions_disabled_setting
'${disabledFunctions[30]}' : functions_disabled_setting
'${disabledFunctions[31]}' : functions_disabled_setting
'${disabledFunctions[32]}' : functions_disabled_setting
'${disabledFunctions[33]}' : functions_disabled_setting
'${disabledFunctions[34]}' : functions_disabled_setting
'${disabledFunctions[35]}' : functions_disabled_setting
}
output functions array = disabledFunctions
output appSettings object = disabledFunctionsAppSettings

18
src/deployment/bicep-templates/function-settings.bicep
View File

@ -26,16 +26,30 @@ param monitor_account_name string
param functions_worker_runtime string param functions_worker_runtime string
param functions_extension_version string param functions_extension_version string
param functions_disabled string
param all_function_names array
var disabledFunctionName = 'disabledFunctions-${functions_worker_runtime}'
var telemetry = 'd7a73cf4-5a1a-4030-85e1-e5b25867e45a' var telemetry = 'd7a73cf4-5a1a-4030-85e1-e5b25867e45a'
resource function 'Microsoft.Web/sites@2021-02-01' existing = { resource function 'Microsoft.Web/sites@2021-02-01' existing = {
name: name name: name
} }
module disabledFunctions 'function-settings-disabled-apps.bicep' = {
name: disabledFunctionName
params:{
functions_disabled_setting: functions_disabled
allFunctions: all_function_names
}
}
resource functionSettings 'Microsoft.Web/sites/config@2021-03-01' = { resource functionSettings 'Microsoft.Web/sites/config@2021-03-01' = {
parent: function parent: function
name: 'appsettings' name: 'appsettings'
properties: { properties: union({
'FUNCTIONS_EXTENSION_VERSION': functions_extension_version 'FUNCTIONS_EXTENSION_VERSION': functions_extension_version
'FUNCTIONS_WORKER_RUNTIME': functions_worker_runtime 'FUNCTIONS_WORKER_RUNTIME': functions_worker_runtime
'FUNCTIONS_WORKER_PROCESS_COUNT': '1' 'FUNCTIONS_WORKER_PROCESS_COUNT': '1'
@ -56,6 +70,6 @@ resource functionSettings 'Microsoft.Web/sites/config@2021-03-01' = {
'ONEFUZZ_KEYVAULT': keyvault_name 'ONEFUZZ_KEYVAULT': keyvault_name
'ONEFUZZ_OWNER': owner 'ONEFUZZ_OWNER': owner
'ONEFUZZ_CLIENT_SECRET': client_secret 'ONEFUZZ_CLIENT_SECRET': client_secret
} }, disabledFunctions.outputs.appSettings)
} }

76
src/deployment/deploy.py
View File

@ -152,6 +152,7 @@ class Client:
subscription_id: Optional[str], subscription_id: Optional[str],
admins: List[UUID], admins: List[UUID],
allowed_aad_tenants: List[UUID], allowed_aad_tenants: List[UUID],
enable_dotnet: List[str],
): ):
self.subscription_id = subscription_id self.subscription_id = subscription_id
self.resource_group = resource_group self.resource_group = resource_group
@ -186,6 +187,8 @@ class Client:
self.arm_template = bicep_to_arm(bicep_template) self.arm_template = bicep_to_arm(bicep_template)
self.enable_dotnet = enable_dotnet
machine = platform.machine() machine = platform.machine()
system = platform.system() system = platform.system()
@ -1065,6 +1068,67 @@ class Client:
if error is not None: if error is not None:
raise error raise error
def enable_dotnet_func(self) -> None:
if self.enable_dotnet:
func = shutil.which("az")
assert func is not None
for function_name in self.enable_dotnet:
format_name = function_name.split("_")
dotnet_name = "".join(x.title() for x in format_name)
error: Optional[subprocess.CalledProcessError] = None
max_tries = 5
for i in range(max_tries):
try:
# disable python function
logger.info(f"disabling PYTHON function: {function_name}")
subprocess.check_output(
[
func,
"functionapp",
"config",
"appsettings",
"set",
"--name",
self.application_name,
"--resource-group",
self.application_name,
"--settings",
f"AzureWebJobs.{function_name}.Disabled=1",
],
env=dict(os.environ, CLI_DEBUG="1"),
)
# enable dotnet function
logger.info(f"enabling DOTNET function: {dotnet_name}")
subprocess.check_output(
[
func,
"functionapp",
"config",
"appsettings",
"set",
"--name",
self.application_name + "-net",
"--resource-group",
self.application_name,
"--settings",
f"AzureWebJobs.{dotnet_name}.Disabled=0",
],
env=dict(os.environ, CLI_DEBUG="1"),
)
break
except subprocess.CalledProcessError as err:
error = err
if i + 1 < max_tries:
logger.debug("func failure error: %s", err)
logger.warning(
f"{function_name} function didn't respond to "
"status change request, waiting 60 seconds "
"and trying again"
)
time.sleep(60)
if error is not None:
raise error
def update_registration(self) -> None: def update_registration(self) -> None:
if not self.create_registration: if not self.create_registration:
return return
@ -1128,6 +1192,7 @@ def main() -> None:
("dotnet-api", Client.deploy_dotnet_app), ("dotnet-api", Client.deploy_dotnet_app),
("export_appinsights", Client.add_log_export), ("export_appinsights", Client.add_log_export),
("update_registration", Client.update_registration), ("update_registration", Client.update_registration),
("enable_dotnet", Client.enable_dotnet_func),
] ]
formatter = argparse.ArgumentDefaultsHelpFormatter formatter = argparse.ArgumentDefaultsHelpFormatter
@ -1238,7 +1303,15 @@ def main() -> None:
nargs="*", nargs="*",
help="Set additional AAD tenants beyond the tenant the app is deployed in", help="Set additional AAD tenants beyond the tenant the app is deployed in",
) )
parser.add_argument(
"--enable_dotnet",
type=str,
nargs="+",
default=[],
help="Provide a space-seperated list of python function names to disable "
"their functions and enable corresponding dotnet functions in the Azure "
"Function App deployment",
)
args = parser.parse_args() args = parser.parse_args()
if shutil.which("func") is None: if shutil.which("func") is None:
@ -1268,6 +1341,7 @@ def main() -> None:
subscription_id=args.subscription_id, subscription_id=args.subscription_id,
admins=args.set_admins, admins=args.set_admins,
allowed_aad_tenants=args.allowed_aad_tenants or [], allowed_aad_tenants=args.allowed_aad_tenants or [],
enable_dotnet=args.enable_dotnet,
) )
if args.verbose: if args.verbose:
level = logging.DEBUG level = logging.DEBUG