Search code examples
azureazure-functionsazure-eventhubazure-managed-identity

Azure Function App Listen to Event Hub using Managed Identity


I am trying to create a function app on Azure with an Event Hub trigger using a managed identity. I seem to have created everything so that all the references resolve, but when I send a message to the event hub, the function app is not getting triggered (or at least, I'm not seeing the log entry it should be producing).

Trying to follow the documentation here.

Provisioning using Terraform:

main.tf

variable "resource_group_name" {}
variable "location" { default = null }

variable "function_app_name" {}
variable "event_hub_name" {}


resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_service_plan" "sp" {
  name                = "fnappserviceplan"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_eventhub_namespace" "hub" {
  name                = var.event_hub_name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"
  capacity            = 1
}

resource "azurerm_eventhub" "hub" {
  name                = "myEventHub"
  namespace_name      = azurerm_eventhub_namespace.hub.name
  resource_group_name = azurerm_resource_group.rg.name
  partition_count     = 2
  message_retention   = 1
}

resource "azurerm_storage_account" "fnapp" {
  name                     = "safnapp"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_linux_function_app" "fnapp" {
  name                = var.function_app_name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.sp.id

  storage_account_name       = azurerm_storage_account.fnapp.name
  storage_account_access_key = azurerm_storage_account.fnapp.primary_access_key

  app_settings = {
    # tried this but it doesn't recognize the connection, so I went with the connection string instead
    # "EVENTHUB__fullyQualifiedNamespace" = "${azurerm_eventhub_namespace.hub.name}.servicebus.windows.net"

    "EVENTHUB"                = azurerm_eventhub_namespace.hub.default_primary_connection_string
    "EVENTHUB_CONSUMER_GROUP" = azurerm_eventhub_consumer_group.fnapp.name
  }

  site_config {
    always_on = true

    application_stack {
      python_version = "3.11"
    }
  }

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_eventhub_consumer_group" "fnapp" {
  name                = "${var.function_app_name}ConsumerGroup"
  namespace_name      = azurerm_eventhub_namespace.hub.name
  eventhub_name       = azurerm_eventhub.hub.name
  resource_group_name = azurerm_resource_group.rg.name
}

And then the main function:

function_app.py
import logging
import os

import azure.functions as func


app = func.FunctionApp()


@app.function_name(name="mylistener")
@app.event_hub_message_trigger(arg_name="hub",
                               event_hub_name="myEventHub",
                               connection="EVENTHUB",
                               consumer_group=os.getenv("EVENTHUB_CONSUMER_GROUP", "$Default"))
def myeventlistener(hub: func.EventHubEvent):
    event_body = hub.get_body().decode('utf-8')
    logging.info(f'Python EventHub trigger processed an event: {event_body}')

After provisioning, I add the "Azure Event Hubs Data Receiver" role to this function app on the resource group. (And "Azure Event Hubs Data Owner" to myself for my own interactions with the event hub.)

I then deploy the code using func azure functionapp publish MyFunctionAppName, and monitor using func azure functionapp logstream MyFunctionAppName. (This logstream is where I expect to see the logging.info() output. Or at least some system logs indicating the function has been triggered. Is this correct?)

When inspecting the connection on the Azure portal (mylistener function > Integration > Triggers > Azure Event Hub) all the parameters appear correct and the Connection seems to be recognized – it's not giving me "No connection found" or anything, it's using the named connection I set in the app settings.

After waiting for all the setup/launching/initializing to settle down, I then publish a (plaintext) message to the event hub (not the namespace). I have tried sending specifically to each partition. I expect the log message to appear but it does not. I see no indication that the function is getting triggered.

UPDATE

ChatGPT suggested that this doesn't use managed identities if I feed it a connection string, and instead I should set EVENTHUB = azurerm_eventhub.hub.name in order to use managed identities. It was double-minded on whether the argument in Python should be connection="EVENTHUB" or connection="EVENTHUB__fullyQualifiedNamespace". I tried both (while uncommenting the one line in the tf app_settings), and with both, it gives me "No existing connections available" when I check the trigger's connection on the portal. I also get the message "Azure.Messaging.EventHubs: The connection string could not be parsed; either it was malformed or contains no well-known tokens."


Solution

  • Follow below steps to establish connection between Azure function app and Event Hub using managed identity.

    • Create an EventHub and Event Hub Trigger in Azure function App.
    • Enable Managed Identity in Azure function App. I have enabled System Managed Identity.
    • Navigate to Event Hub=>Access Role(IAM)=>Add Role Assignment, assign Azure EventHub Data Owner and Azure Event Hub Data Receiver to Function App's Managed Identity.

    enter image description here

    enter image description here

    • Add the application setting <CONNECTION_NAME_PREFIX>__fullyQualifiedNamespace=<eventhub_name>.servicebus.windows.net under Functionapp=>settings=>Environment Variables=>App Settings:

    CONNECTION_NAME_PREFIX should be the connection value you have used in the function code.

    enter image description here

    • Update EventHub name in the function code.

    Code Snippet:

    import azure.functions as func
    import logging
    
    app = func.FunctionApp()
    
    @app.event_hub_message_trigger(arg_name="azeventhub", event_hub_name="<eventhub_name>",
                                   connection="rkspace_RootManageSharedAccessKey_EVENTHUB") 
    def eventhub_trigger1(azeventhub: func.EventHubEvent):
        logging.info('Python EventHub trigger processed an event: %s',
                    azeventhub.get_body().decode('utf-8'))
    
    • Send the events:

    enter image description here

    • Able to trigger the function:

    You can check the function logs under Function=>Invocation Logs. select the particular log to see the detailed output/invocation.

    enter image description here