Fix Azure Functions Role Assignments to Host Storage (dotnet#8290)

eerhardt · web-flow · commit 6900eeb0fa6f · 2025-03-25T15:00:37.000-05:00
* Fix Azure Functions Role Assignments to Host Storage With dotnet#8127, a mistake was made in that WithRoleAssignments only works if the app is using ACA infrastructure. If the app isn't using our ACA infrastructure, WithRoleAssignments throws an exception at startup. To make Azure Functions work correctly both with and without ACA infrastructure we use the internal WithDefaultRoleAssignments method to set the default role assignments on the Host Storage, which will be respected for both. * Add FunctionsTest without AzureContainerApps
diff --git a/playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.AppHost/aspire-manifest.json b/playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.AppHost/aspire-manifest.json
@@ -53,11 +53,11 @@
     },
     "mydatabase": {
       "type": "value.v0",
-      "connectionString": "{cosmosdb.outputs.connectionString}"
+      "connectionString": "AccountEndpoint={cosmosdb.outputs.connectionString};Database=mydatabase"
     },
     "mycontainer": {
       "type": "value.v0",
-      "connectionString": "{cosmosdb.outputs.connectionString}"
+      "connectionString": "AccountEndpoint={cosmosdb.outputs.connectionString};Database=mydatabase;Container=mycontainer"
     },
     "funcstorage67c6c": {
       "type": "azure.bicep.v0",
@@ -98,8 +98,8 @@
         "messaging__fullyQualifiedNamespace": "{messaging.outputs.serviceBusEndpoint}",
         "Aspire__Azure__Messaging__ServiceBus__messaging__FullyQualifiedNamespace": "{messaging.outputs.serviceBusEndpoint}",
         "cosmosdb__accountEndpoint": "{cosmosdb.outputs.connectionString}",
-        "Aspire__Microsoft__Azure__Cosmos__cosmosdb__AccountEndpoint": "{cosmosdb.outputs.connectionString}",
         "Aspire__Microsoft__EntityFrameworkCore__Cosmos__cosmosdb__AccountEndpoint": "{cosmosdb.outputs.connectionString}",
+        "Aspire__Microsoft__Azure__Cosmos__cosmosdb__AccountEndpoint": "{cosmosdb.outputs.connectionString}",
         "blob__blobServiceUri": "{storage.outputs.blobEndpoint}",
         "blob__queueServiceUri": "{storage.outputs.queueEndpoint}",
         "Aspire__Azure__Storage__Blobs__blob__ServiceUri": "{storage.outputs.blobEndpoint}",
diff --git a/src/Aspire.Hosting.Azure.Functions/Aspire.Hosting.Azure.Functions.csproj b/src/Aspire.Hosting.Azure.Functions/Aspire.Hosting.Azure.Functions.csproj
@@ -16,6 +16,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <Compile Include="$(SharedDir)AzureRoleAssignmentUtils.cs" />
     <Compile Include="$(SharedDir)CommandLineArgsParser.cs" />
     <Compile Include="$(SharedDir)\LaunchProfiles\*.cs" />
   </ItemGroup>
diff --git a/src/Aspire.Hosting.Azure.Functions/AzureFunctionsProjectResourceExtensions.cs b/src/Aspire.Hosting.Azure.Functions/AzureFunctionsProjectResourceExtensions.cs
@@ -46,7 +46,19 @@ public static IResourceBuilder<AzureFunctionsProjectResource> AddAzureFunctionsP
             .OfType<AzureStorageResource>()
             .FirstOrDefault(r => r.Name == storageResourceName);
 
-        storage ??= builder.AddAzureStorage(storageResourceName).RunAsEmulator().Resource;
+        if (storage is null)
+        {
+            storage = builder.AddAzureStorage(storageResourceName)
+                // Azure Functions blob triggers require StorageAccountContributor access to the host storage
+                // account when deployed. We assign this role to the implicit host storage resource.
+                .WithDefaultRoleAssignments(StorageBuiltInRole.GetBuiltInRoleName,
+                    StorageBuiltInRole.StorageBlobDataContributor,
+                    StorageBuiltInRole.StorageTableDataContributor,
+                    StorageBuiltInRole.StorageQueueDataContributor,
+                    StorageBuiltInRole.StorageAccountContributor)
+                .RunAsEmulator()
+                .Resource;
+        }
 
         builder.Eventing.Subscribe<BeforeStartEvent>((data, token) =>
         {
@@ -59,17 +71,6 @@ public static IResourceBuilder<AzureFunctionsProjectResource> AddAzureFunctionsP
                 {
                     removeStorage = false;
                 }
-                else
-                {
-                    // Remove the role assignments associated with the implicit host storage resource
-                    // if an explicit one has been provided. Assume that users must configure their
-                    // own role assignments for the explicit storage resource.
-                    if (item.TryGetAnnotationsOfType<RoleAssignmentAnnotation>(out var roleAssignments) &&
-                        roleAssignments.SingleOrDefault(assignment => assignment.Target == storage) is { } roleAssignmentAnnotation)
-                    {
-                        item.Annotations.Remove(roleAssignmentAnnotation);
-                    }
-                }
             }
 
             if (removeStorage)
@@ -105,13 +106,6 @@ public static IResourceBuilder<AzureFunctionsProjectResource> AddAzureFunctionsP
                 // Set the storage connection string.
                 ((IResourceWithAzureFunctionsConfig)resource.HostStorage).ApplyAzureFunctionsConfiguration(context.EnvironmentVariables, "AzureWebJobsStorage");
             })
-            // Azure Functions blob triggers require StorageAccountContributor access to the host storage
-            // account when deployed. We assign this role to the implicit host storage resource when running in publish mode.
-            .WithRoleAssignments(builder.CreateResourceBuilder(storage),
-                StorageBuiltInRole.StorageBlobDataContributor,
-                StorageBuiltInRole.StorageQueueDataContributor,
-                StorageBuiltInRole.StorageTableDataContributor,
-                StorageBuiltInRole.StorageAccountContributor)
             .WithOtlpExporter()
             .WithFunctionsHttpEndpoint();
     }
diff --git a/tests/Aspire.Hosting.Azure.Tests/AzureFunctionsTests.cs b/tests/Aspire.Hosting.Azure.Tests/AzureFunctionsTests.cs
@@ -256,6 +256,39 @@ public async Task AddAzureFunctionsProject_WiresUpHttpsEndpointCorrectly_WhenOnl
         );
     }
 
+    [Fact]
+    public async Task AddAzureFunctionsProject_CanGetStorageManifestSuccessfully()
+    {
+        using var builder = TestDistributedApplicationBuilder.Create(DistributedApplicationOperation.Publish);
+
+        // hardcoded sha256 to make the storage name deterministic
+        builder.Configuration["AppHost:Sha256"] = "634f8";
+        var project = builder.AddAzureFunctionsProject<TestProjectWithHttpsNoPort>("funcapp");
+
+        var app = builder.Build();
+
+        var model = app.Services.GetRequiredService<DistributedApplicationModel>();
+
+        await ExecuteBeforeStartHooksAsync(app, default);
+
+        var storage = Assert.Single(model.Resources.OfType<AzureProvisioningResource>().Where(r => r.Name == $"funcstorage634f8"));
+
+        var (storageManifest, _) = await GetManifestWithBicep(storage);
+
+        var expectedRolesManifest =
+            """
+            {
+              "type": "azure.bicep.v0",
+              "path": "funcstorage634f8.module.bicep",
+              "params": {
+                "principalType": "",
+                "principalId": ""
+              }
+            }
+            """;
+        Assert.Equal(expectedRolesManifest, storageManifest.ToString());
+    }
+
     [Fact]
     public async Task AddAzureFunctionsProject_WorksWithAddAzureContainerAppsInfrastructure()
     {
@@ -312,21 +345,21 @@ param principalId string
               scope: funcstorage634f8
             }
 
-            resource funcstorage634f8_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
+            resource funcstorage634f8_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
               properties: {
                 principalId: principalId
-                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
                 principalType: 'ServicePrincipal'
               }
               scope: funcstorage634f8
             }
-
-            resource funcstorage634f8_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
+            
+            resource funcstorage634f8_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
               properties: {
                 principalId: principalId
-                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
                 principalType: 'ServicePrincipal'
               }
               scope: funcstorage634f8
@@ -593,21 +626,21 @@ param principalId string
               scope: funcstorage634f8
             }
 
-            resource funcstorage634f8_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
+            resource funcstorage634f8_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
               properties: {
                 principalId: principalId
-                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
                 principalType: 'ServicePrincipal'
               }
               scope: funcstorage634f8
             }
 
-            resource funcstorage634f8_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
+            resource funcstorage634f8_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+              name: guid(funcstorage634f8.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
               properties: {
                 principalId: principalId
-                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
                 principalType: 'ServicePrincipal'
               }
               scope: funcstorage634f8
