changed function app to use globally managed identity for storage

nc-shahidazim · nc-shahidazim · commit 59e359550f3b · 2026-04-29T16:26:06.000+01:00
diff --git a/application/CohortManager/src/Functions/CaasIntegration/receiveCaasFile/ProcessFileClasses/CopyFailedBatchToBlob.cs b/application/CohortManager/src/Functions/CaasIntegration/receiveCaasFile/ProcessFileClasses/CopyFailedBatchToBlob.cs
@@ -29,7 +29,7 @@ public async Task<bool> writeBatchToBlob(string jsonFromBatch, InvalidOperationE
         {
             // we do this so that we do not have files with the same names either failing to be added or over writing another failed batch
             var blobFile = new BlobFile(stream, $"failedBatch-{Guid.NewGuid()}.json");
-            bool copied = false;
+            var copied = false;
             if (_config.caasfolder_STORAGE != null)
             {
                 copied = await _blobStorageHelper.UploadFileToBlobStorage(new Uri(_config.caasfolder_STORAGE.BlobServiceUri), "failed-batch", blobFile);
diff --git a/infrastructure/tf-core/environments/development.tfvars b/infrastructure/tf-core/environments/development.tfvars
@@ -293,24 +293,24 @@ function_apps = {
   docker_CI_enable  = "true"
   docker_img_prefix = "cohort-manager"
 
-  enable_appsrv_storage    = "false"
-  ftps_state               = "Disabled"
-  https_only               = true
-  http2_enabled            = true
-  remote_debugging_enabled = false
-  worker_32bit             = false
-  health_check_path        = "/api/health"
+  enable_appsrv_storage         = "false"
+  ftps_state                    = "Disabled"
+  https_only                    = true
+  http2_enabled                 = true
+  remote_debugging_enabled      = false
+  storage_uses_managed_identity = true
+  worker_32bit                  = false
+  health_check_path             = "/api/health"
 
   fa_config = {
 
     ReceiveCaasFile = {
-      name_suffix                   = "receive-caas-file"
-      function_endpoint_name        = "ReceiveCaasFile"
-      app_service_plan_key          = "NonScaling"
-      db_connection_string          = "DtOsDatabaseConnectionString"
-      service_bus_connections       = ["internal"]
-      storage_account_env_var_name  = "caasfolder_STORAGE"
-      storage_uses_managed_identity = true
+      name_suffix                  = "receive-caas-file"
+      function_endpoint_name       = "ReceiveCaasFile"
+      app_service_plan_key         = "NonScaling"
+      db_connection_string         = "DtOsDatabaseConnectionString"
+      service_bus_connections      = ["internal"]
+      storage_account_env_var_name = "caasfolder_STORAGE"
       app_urls = [
         {
           env_var_name     = "ExceptionFunctionURL"
@@ -364,12 +364,11 @@ function_apps = {
     }
 
     RetrieveMeshFile = {
-      name_suffix                   = "retrieve-mesh-file"
-      function_endpoint_name        = "RetrieveMeshFile"
-      app_service_plan_key          = "NonScaling"
-      key_vault_url                 = "KeyVaultConnectionString"
-      storage_account_env_var_name  = "caasfolder_STORAGE"
-      storage_uses_managed_identity = true
+      name_suffix                  = "retrieve-mesh-file"
+      function_endpoint_name       = "RetrieveMeshFile"
+      app_service_plan_key         = "NonScaling"
+      key_vault_url                = "KeyVaultConnectionString"
+      storage_account_env_var_name = "caasfolder_STORAGE"
       app_urls = [
         {
           env_var_name     = "ExceptionFunctionURL"
@@ -383,13 +382,12 @@ function_apps = {
     }
 
     ProcessNemsUpdate = {
-      name_suffix                   = "process-nems-update"
-      function_endpoint_name        = "ProcessNemsUpdate"
-      app_service_plan_key          = "NonScaling"
-      key_vault_url                 = "KeyVaultConnectionString"
-      storage_account_env_var_name  = "nemsmeshfolder_STORAGE"
-      storage_uses_managed_identity = true
-      service_bus_connections       = ["internal"]
+      name_suffix                  = "process-nems-update"
+      function_endpoint_name       = "ProcessNemsUpdate"
+      app_service_plan_key         = "NonScaling"
+      key_vault_url                = "KeyVaultConnectionString"
+      storage_account_env_var_name = "nemsmeshfolder_STORAGE"
+      service_bus_connections      = ["internal"]
       app_urls = [
         {
           env_var_name     = "ExceptionFunctionURL"
@@ -1184,12 +1182,11 @@ function_apps = {
     }
 
     NemsMeshRetrieval = {
-      name_suffix                   = "nems-mesh-retrieval"
-      function_endpoint_name        = "NemsMeshRetrieval"
-      app_service_plan_key          = "NonScaling"
-      key_vault_url                 = "KeyVaultConnectionString"
-      storage_account_env_var_name  = "nemsmeshfolder_STORAGE"
-      storage_uses_managed_identity = true
+      name_suffix                  = "nems-mesh-retrieval"
+      function_endpoint_name       = "NemsMeshRetrieval"
+      app_service_plan_key         = "NonScaling"
+      key_vault_url                = "KeyVaultConnectionString"
+      storage_account_env_var_name = "nemsmeshfolder_STORAGE"
       app_urls = [
         {
           env_var_name     = "ExceptionFunctionURL"
diff --git a/infrastructure/tf-core/function_app.tf b/infrastructure/tf-core/function_app.tf
@@ -28,7 +28,7 @@ module "functionapp" {
 
   # Use the storage account assigned identity for the Function Apps:
   storage_account_name          = module.storage["fnapp-${each.value.region}"].storage_account_name
-  storage_uses_managed_identity = each.value.storage_uses_managed_identity
+  storage_uses_managed_identity = var.function_apps.storage_uses_managed_identity
 
   # Connection string for Application Insights:
   ai_connstring = data.azurerm_application_insights.ai.connection_string
@@ -221,7 +221,6 @@ locals {
             ]
 
           ])
-          storage_uses_managed_identity = config.storage_uses_managed_identity
         }
       )
     ]
diff --git a/infrastructure/tf-core/variables.tf b/infrastructure/tf-core/variables.tf
@@ -287,6 +287,7 @@ variable "function_apps" {
     http2_enabled                          = optional(bool, false)
     pull_image_over_vnet                   = optional(bool, true)
     remote_debugging_enabled               = bool
+    storage_uses_managed_identity          = bool
     worker_32bit                           = bool
     alert_4xx_threshold                    = optional(number, 1)
     alert_5xx_threshold                    = optional(number, 1)
@@ -314,8 +315,7 @@ variable "function_apps" {
         function_app_key = string
         endpoint_name    = optional(string, "")
       })), [])
-      env_vars_static               = optional(map(string), {})
-      storage_uses_managed_identity = optional(bool, false)
+      env_vars_static = optional(map(string), {})
     }))
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ public async Task<bool> writeBatchToBlob(string jsonFromBatch, InvalidOperationE`
`29`	`29`	`{`
`30`	`30`	`// we do this so that we do not have files with the same names either failing to be added or over writing another failed batch`
`31`	`31`	`var blobFile = new BlobFile(stream, $"failedBatch-{Guid.NewGuid()}.json");`
`32`		`- bool copied = false;`
	`32`	`+ var copied = false;`
`33`	`33`	`if (_config.caasfolder_STORAGE != null)`
`34`	`34`	`{`
`35`	`35`	`copied = await _blobStorageHelper.UploadFileToBlobStorage(new Uri(_config.caasfolder_STORAGE.BlobServiceUri), "failed-batch", blobFile);`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ module "functionapp" {`
`28`	`28`
`29`	`29`	`# Use the storage account assigned identity for the Function Apps:`
`30`	`30`	`storage_account_name = module.storage["fnapp-${each.value.region}"].storage_account_name`
`31`		`- storage_uses_managed_identity = each.value.storage_uses_managed_identity`
	`31`	`+ storage_uses_managed_identity = var.function_apps.storage_uses_managed_identity`
`32`	`32`
`33`	`33`	`# Connection string for Application Insights:`
`34`	`34`	`ai_connstring = data.azurerm_application_insights.ai.connection_string`
`@@ -221,7 +221,6 @@ locals {`
`221`	`221`	`]`
`222`	`222`
`223`	`223`	`])`
`224`		`- storage_uses_managed_identity = config.storage_uses_managed_identity`
`225`	`224`	`}`
`226`	`225`	`)`
`227`	`226`	`]`