One of the new functionalities of Azure Functions is that they can get triggered by an Event. One of the use cases that I encountered at one of my clients was to copy a file from a Blob Storage to Azure Data Lake Store, whenever a new file arrived to the blob storage. A simple way to do this was to create an Azure Event Subscription, which would listen to events of the blob storage, then kick off Azure Function to trigger copy process. Most of the stuff was easy to implement: ARM templates, Azure Function itself, key rotations, configurations, CI/CD pipeline, etc. But one thing was an issue: When deploying an Event Subscription via ARM templates, you need to create the Webhook URL yourself, which included getting the authentication code and putting onto Webhook URL.
Problem
If you create the subscription through the Azure Portal, it automatically resolves the auth code; but you cannot do the same thing with ARM templates. Furthermore, that code it creates is not one of the keys available on function app/function itself. Apparently it's something called "Event Grid Extension System Key", which can only be obtained through Kudu/Admin API of Function App. We somehow need to obtain this key and pass it as a parameter to ARM template, so we can create the Webhook URL properly and deploy the ARM template through VSTS Release.
Solution
In order to get this "system key", we need to create a Powershell script and do some chained API calls. Here are our steps:
- Obtain a Bearer token to call Kudu API to obtain Function App master key. (Explained here.)
- Call Kudu API and get the master key. (Explained here and here.)
- Call Kudu API and pass the master key to obtain Event Grid Extension System Key (Explained here.)
Let's get on the road. My starting point was the Powershell script developed here; which was really great. I refactored it and added the System Key codes into it. Furthermore, it's now ready to use directly on your VSTS pipeline. Here is the full script:
The script will do all the API calls and write the System Key onto a VSTS variable called FunctionAppEventGridSystemKey. Through this variable, we can construct the Webhook URL, which we do in following ARM template for Event Subscription:
If you wish to add it to your deployment pipeline, first you add an Azure Powershell task and execute your Script:
Then, execute your Event Subscription ARM template by passing the System Key as a template parameter:
And, voila! You have (hopefully) successfully deployed your Event Subscription. In this particular example, your Event Subscription will pick up events from your storage account and push the event to your Azure Function.
Conclusion
There are many easy ways to do things with ARM templates, but sadly this wasn't one of them. I am hoping in the future Microsoft will somehow embed Kudu into Azure RM API, so we can do all of this through Powershell commands.