Tags: azure-functions, azure-container-apps

Unable to setup continuous deployment in new Azure Container App due to "deny assignment" error


I've successfully completed the tutorial for containerized functions on Azure Container Apps.

Now when I go to set up GitHub Actions for continuous deployment from the container app in the Azure portal, I get an error like this:

Failed to set up continuous deployment with error: The client '{email-address}' with object id '{user-uuid}' has permission to perform action 'Microsoft.Resources/deployments/write' on scope '/subscriptions/{subscription-uuid}/resourcegroups/{strange-containerapp-resource group}/providers/Microsoft.Resources/deployments/Microsoft-Continuous-Deployment-cb0020a2-8aed'; however, the access is denied because of the deny assignment with name '{deny-assignment-uuid}' and Id '{deny-assignment-uuid}' at scope '/subscriptions/{subscription-uuid}/resourceGroups/{strange-containerapp-resource-group}'.

What is this "deny assignment" and why is it blocking me from setting up continuous deployment?

The container app itself is in a strange resource group, with a name like MyContainerappEnvironment_FunctionApps_{deny-assignment-uuid}. All the other resources created by following the tutorial are in the expected resource group AzureFunctionsContainers-rg, but not the container app itself!

If I try to move the container app to a different resource group, I get a similar "deny assignment" error.

What is this about? Are we not supposed to configure continuous deployment from within the container app itself? Help!

Related question on GitHub:

https://github.com/Azure/azure-functions-on-container-apps/issues/65


Solution

  • Failed to set up continuous deployment with error: The client '{email-address}' with object id '{user-uuid}' has permission to perform action 'Microsoft.Resources/deployments/write' on scope '/subscriptions/{subscription-uuid}/resourcegroups/{strange-containerapp-resource group}/providers/Microsoft.Resources/deployments/Microsoft-Continuous-Deployment-cb0020a2-8aed'; however, the access is denied because of the deny assignment with name '{deny-assignment-uuid}' and Id '{deny-assignment-uuid}' at scope '/subscriptions/{subscription-uuid}/resourceGroups/{strange-containerapp-resource-group}'.

    This error occurs due to deny assignments within the generated Resource Group that hosts the Container App.

    I encountered the same error when deploying functions to Container Apps using GitHub Actions.

    This is because Azure automatically creates deny assignments to safeguard the resources, and these assignments cannot be deleted. This blocks the users from performing deployments even after having full access.


    Follow the steps below to configure the deployment using GitHub Actions:

    1. Create a new Function App along with a new Container Apps Environment.

    2. Set up the secrets below under GitHub => Settings => Secrets:

    Use the CLI command below to generate RBAC credentials:

     az ad sp create-for-rbac --name <appname> --role contributor \
                                --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Web/sites/{app-name} \
                                --sdk-auth
    

    Output:

    {
      "clientId": "3d45e7b0-72d7-XXXXXX",
      "clientSecret": ".148Q~jpO4zA6vGoIdzmiXXXXv",
      "subscriptionId": "d93995e6-2XXXXX52bc",
      "tenantId": "9329cXXXXXXb6e37b19af6d",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
    

    CLI command to get the Username and password:

    az acr credential show -n <registryname> --query "[username, passwords[0].value]" -o tsv
    


    3. Create a workflow in your GitHub repository and add the below yml code with proper values.

    Workflow:

    name: Deploy container to Azure Functions App
    
    on:
      push:
        branches: [ main ]
    
    permissions:
      contents: read
      
    # set up the environment variables
    
    env: 
      AZURE_FUNCTION_APP_NAME: 'your-app-name'   
      LOGIN_SERVER: 'login-server'                 
      REGISTRY: 'your-registry'                       
      NAMESPACE: 'your-namespace'                     
      IMAGE: 'your-image'                             
      TAG: ${{ github.sha }}                          
    
    jobs:
      build:
        runs-on: ubuntu-latest
    
        steps:
          - name: Checkout to the branch
            uses: actions/checkout@v3
    
          - name: Set up Docker Buildx
            uses: docker/setup-buildx-action@v1
    
          - name: Log in to container registry
            uses: docker/login-action@v1
            with:
              registry: ${{ env.LOGIN_SERVER }}
              username: ${{ secrets.REGISTRY_USERNAME }}
              password: ${{ secrets.REGISTRY_PASSWORD }}
    
          - name: Build and push container image to registry
            uses: docker/build-push-action@v2
            with:
              push: true
              tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}
              file: ./Dockerfile
              context: ./
    
      deploy:
        runs-on: ubuntu-latest
        needs: build
        
        steps:
          - name: Azure Login
            uses: azure/login@v1
            with:
              creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }}
    
          - name: 'Run Azure Functions Container Action'
            uses: Azure/functions-container-action@v1
            id: fa
            with:
              app-name: ${{ env.AZURE_FUNCTION_APP_NAME }}
              image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}
    
          - name: Azure logout
            run: |
              az logout
    

    Deployment Status: (screenshot not reproduced)
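To make the "has permission ... however, the access is denied because of the deny assignment" behaviour concrete, here is an added Python example (not code from the question, the answer, or Azure) that evaluates an action against deny assignments the way Azure Resource Manager does: a matching deny assignment wins over any role assignment that grants the action, which is why a Contributor or Owner still gets the error. The deny assignment is a constructed sample in the shape the `Microsoft.Authorization/denyAssignments` API returns; the GUIDs, scope and resource names are placeholders, and the all-zeros "Everyone" principal id with type `SystemDefined` is my assumption about how Azure-created deny assignments target all principals.

```python
"""Evaluate whether an Azure RBAC deny assignment blocks an action.

Added example, not from the original question or answer. It mimics the
evaluation order Azure Resource Manager applies: an action must be granted
by a role assignment AND not matched by a deny assignment. Sample data is
constructed in the shape of the denyAssignments API; all ids are placeholders.
"""
import fnmatch

# Assumption: Azure-created deny assignments target the system-defined
# "Everyone" principal (all-zeros GUID) and list exemptions in excludePrincipals.
EVERYONE = "00000000-0000-0000-0000-000000000000"

DENY_SCOPE = (
    "/subscriptions/sub-placeholder"
    "/resourceGroups/MyContainerappEnvironment_FunctionApps_placeholder"
)

# Constructed sample: one system-protected deny assignment on the generated
# resource group that denies every action except reads.
SAMPLE_DENY_ASSIGNMENTS = [
    {
        "name": "11111111-1111-1111-1111-111111111111",  # placeholder id
        "properties": {
            "denyAssignmentName": "SystemProtected-placeholder",
            "permissions": [
                {"actions": ["*"], "notActions": ["*/read"]},
            ],
            "scope": DENY_SCOPE,
            "doNotApplyToChildScopes": False,
            "principals": [{"id": EVERYONE, "type": "SystemDefined"}],
            "excludePrincipals": [
                {"id": "managed-identity-placeholder", "type": "ServicePrincipal"}
            ],
            "isSystemProtected": True,
        },
    }
]


def _action_matches(patterns, action):
    """RBAC action strings are case-insensitive and support '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _scope_covers(deny_scope, target_scope, do_not_apply_to_children):
    """A deny at a resource group covers resources under it unless opted out."""
    d = deny_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    if d == t:
        return True
    return not do_not_apply_to_children and t.startswith(d + "/")


def _principal_targeted(props, principal_id):
    """Excluded principals (e.g. the app's managed identity) are never denied."""
    pid = principal_id.lower()
    if any(p["id"].lower() == pid for p in props.get("excludePrincipals", [])):
        return False
    return any(p["id"].lower() in (pid, EVERYONE) for p in props.get("principals", []))


def find_blocking_deny(deny_assignments, principal_id, action, scope):
    """Return the first deny assignment that blocks `action` at `scope`, else None."""
    for da in deny_assignments:
        props = da["properties"]
        if not _scope_covers(props["scope"], scope, props.get("doNotApplyToChildScopes", False)):
            continue
        if not _principal_targeted(props, principal_id):
            continue
        for perm in props["permissions"]:
            denied = _action_matches(perm.get("actions", []), action)
            excepted = _action_matches(perm.get("notActions", []), action)
            if denied and not excepted:
                return da
    return None


def is_allowed(has_role_permission, deny_assignments, principal_id, action, scope):
    """ARM order: no role grant -> denied; otherwise any deny match overrides the grant."""
    if not has_role_permission:
        return False
    return find_blocking_deny(deny_assignments, principal_id, action, scope) is None


if __name__ == "__main__":
    deploy = DENY_SCOPE + "/providers/Microsoft.Resources/deployments/Microsoft-Continuous-Deployment-cb0020a2-8aed"
    da = find_blocking_deny(SAMPLE_DENY_ASSIGNMENTS, "user-uuid",
                            "Microsoft.Resources/deployments/write", deploy)
    print("blocked by deny assignment" if da else "allowed", da["name"] if da else "")
```

The real assignments for the generated resource group can be inspected in the portal under Access control (IAM) in the Deny assignments tab, or read from the `Microsoft.Authorization/denyAssignments` provider with `az rest`; the `isSystemProtected` flag is what makes them undeletable, and `excludePrincipals` shows which identities (typically the platform's own) are still permitted to write, which is why the answer's workaround deploys through a service principal against a freshly created Function App rather than fighting the deny on the generated group.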