Releases · pagopa/dx

17 Feb 12:02

dx-pagopa-bot

azure_function_app@4.3.0

5b375d9

azure_function_app@4.3.0 Latest

Latest

Minor Changes

c888e23: Add optional Entra ID authentication via entra_id_authentication variable.

When set, the module configures auth_settings_v2 with an Active Directory v2 identity provider on both the Function App and its staging slot. This allows callers (e.g. APIM) to authenticate via their Managed Identity instead of using function keys, eliminating shared secret management.

The variable is null by default, preserving the existing key-based authentication behavior with no breaking changes.

How it works

sequenceDiagram
    participant APIM
    participant Entra ID
    participant Function App

    APIM->>Entra ID: 1. Request token (Managed Identity)
    Entra ID-->>APIM: 2. Signed JWT
    APIM->>Function App: 3. Call with Authorization: Bearer <JWT>
    Function App->>Function App: 4. Validate token (client_id, allowed_applications)
    Function App-->>APIM: 5. Response (or 401 if invalid)

Example

module "function_app" {
  source = "pagopa-dx/azure-function-app/azurerm"
  # ... other parameters ...

  entra_id_authentication = {
    audience_client_id = data.azuread_application.my_app.client_id
    allowed_callers_client_ids = [data.azuread_service_principal.apim.client_id]
    tenant_id                   = data.azurerm_subscription.current.tenant_id
  }
}

Assets 2

16 Feb 17:17

dx-pagopa-bot

github_selfhosted_runner_on_container_app_jobs@1.3.0

1859000

github_selfhosted_runner_on_container_app_jobs@1.3.0

Minor Changes

92e5cc3: Switch to GitHub App-based authentication replacing PAT-based. This approach is generally more secure and scalable.

Assets 2

16 Feb 17:17

dx-pagopa-bot

azure_app_configuration@0.1.1

1859000

azure_app_configuration@0.1.1

Patch Changes

39b49d9: Allow the module usage with nonexistent resources with non-deterministic names

Assets 2

12 Feb 08:29

dx-pagopa-bot

azure_storage_account@2.1.4

508bb41

azure_storage_account@2.1.4

Patch Changes

dba6e7b: Expose storage account primary_queue_endpoint output.

Both azure_function_app and azure_storage_account modules now expose the primary queue endpoint: storage_account.primary_queue_endpoint.
This enables RBAC authentication configuration on queues.

Example

Configure managed identity authentication for Azure Functions queue triggers using the queue endpoint (where module.storage is an instance of the azure_storage_account module):
```
app_settings = {
  AzureWebJobsStorage__accountName      = module.storage.name                   # Set the storage account name for Azure Functions
  AzureWebJobsStorage__queueServiceUri  = module.storage.primary_queue_endpoint # Set the queue service URI for Azure Functions to enable identity-based authentication
}
```
This enables identity-based connections without requiring connection strings, improving security for Azure Functions bindings.

Assets 2

12 Feb 08:29

dx-pagopa-bot

azure_function_app@4.2.1

508bb41

azure_function_app@4.2.1

Patch Changes

dba6e7b: Expose storage account primary_queue_endpoint output.

Both azure_function_app and azure_storage_account modules now expose the primary queue endpoint: storage_account.primary_queue_endpoint.
This enables RBAC authentication configuration on queues.

Example

Configure managed identity authentication for Azure Functions queue triggers using the queue endpoint (where module.storage is an instance of the azure_storage_account module):
```
app_settings = {
  AzureWebJobsStorage__accountName      = module.storage.name                   # Set the storage account name for Azure Functions
  AzureWebJobsStorage__queueServiceUri  = module.storage.primary_queue_endpoint # Set the queue service URI for Azure Functions to enable identity-based authentication
}
```
This enables identity-based connections without requiring connection strings, improving security for Azure Functions bindings.