Terraform AzAPI to Pull image over VNet for Containerized Azure Function Apps from ACR (Azure Container Registry)

Prasad Reddy

In this article, we will learn how to use the Terraform AzAPI provider to enable the "Pull image over VNet" setting for an Azure Function App. This is necessary when provisioning an Azure Function with VNet Integration and an Azure Container Registry with a Private Endpoint, as there is no default Terraform setting for this configuration.

What is AzAPI?

The AzAPI provider is a very thin layer on top of the Azure ARM REST APIs. This provider complements the AzureRM provider by enabling the management of Azure resources that are not yet or may never be supported in the AzureRM provider, such as private/public preview services and features.

Prerequisites

  1. Install Azure CLI

  2. Create an Azure Function App with Container as deployment method

  3. Enable VNet Integration for Azure Function App

  4. Setup Azure Container Registry (ACR)

  5. Enable Private EndPoint for Azure Container Registry (ACR)

Intro

  1. When you provision an Azure Function with VNet Integration (for outbound connectivity) and an Azure Container Registry (ACR) with a Private Endpoint using Terraform, there is no default setting available in Terraform for an Azure Function resource to pull the Docker image over the VNet.

  2. We have to turn on the setting "Pull Docker Image over VNet" either manually or by using the Terraform AzAPI provider to automate it while provisioning the resources.

Terraform Code Setup

Create providers.tf file

# Azure Provider source and version being used
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
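    azapi = {
      source = "azure/azapi"
      # Pin a major version so provider upgrades are deliberate; the
      # jsonencode() body used in main.tf is the azapi 1.x form.
      version = "~> 1.0"
    }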
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
}

provider "azapi" {
}

Create main.tf file

  • Replace the name and resource_group_name values in the azurerm_linux_function_app data block with those of your Azure Function App.

  • In the azapi_update_resource resource block, the values for the type and body attributes can be found in the JSON view of the Azure Function App.

data "azurerm_linux_function_app" "python_app" {
  name                = "python-container-app"
  resource_group_name = "python-container-app-rg"
}

resource "azapi_update_resource" "example_vnet_container_pull_routing" {
  resource_id = data.azurerm_linux_function_app.python_app.id
  type        = "Microsoft.Web/sites@2022-09-01"
  body = jsonencode({
    properties = {
      vnetImagePullEnabled = true
    }
  })
}

Azure Login

  1. Log in to Azure using the az login Azure CLI command.

  2. Select the account you want to log in with.

  3. Once logged in, execute the Terraform code.

# Log in to Azure; the command prompts you to select the account to use.
az login

Terraform Code Execution

Step 1: Initialize Terraform

terraform init will initialize the required providers and the remote backend state (if configured).

terraform init

Step 2: Validate the Configuration

terraform validate will check the resource dependencies and report any syntax errors.

terraform validate

Step 3: Plan the Infrastructure

terraform plan will show you the blueprint of your infrastructure. You'll see exactly what resources will be created, modified, or destroyed.

terraform plan

Step 4: Apply the Configuration

terraform apply -auto-approve will provision the resources without prompting for confirmation.

terraform apply -auto-approve

Verify the changes
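
One way to verify the setting from Terraform itself, as an added example that is not part of the original article: append it to main.tf so the run fails if the flag did not take effect or the registry still accepts public traffic. It assumes azapi 1.x (where output is a JSON string), Terraform 1.2 or later (for postcondition), and that the registry is meant to be reachable only through its private endpoint; the names function_app_state, acr_state, acr_id and vnet_image_pull_enabled are chosen here.

```hcl
# Added example: function_app_state, acr_state, acr_id and
# vnet_image_pull_enabled are hypothetical names, not from the article.
# Assumes azapi 1.x (output is a JSON string) and Terraform >= 1.2.

variable "acr_id" {
  type        = string
  description = "Resource ID of the Azure Container Registry (assumed input)."
}

# Read the site back after the update and fail the run if the flag is not set.
data "azapi_resource" "function_app_state" {
  type                   = "Microsoft.Web/sites@2022-09-01"
  resource_id            = data.azurerm_linux_function_app.python_app.id
  response_export_values = ["properties.vnetImagePullEnabled"]
  depends_on             = [azapi_update_resource.example_vnet_container_pull_routing]

  lifecycle {
    postcondition {
      # try() covers a response that omits the property entirely.
      condition     = try(jsondecode(self.output).properties.vnetImagePullEnabled, false) == true
      error_message = "vnetImagePullEnabled is not true: image pulls will not be routed over the VNet."
    }
  }
}

# Confirm the registry does not also accept pulls through its public endpoint.
data "azapi_resource" "acr_state" {
  type                   = "Microsoft.ContainerRegistry/registries@2023-07-01"
  resource_id            = var.acr_id
  response_export_values = ["properties.publicNetworkAccess"]

  lifecycle {
    postcondition {
      # A missing value is treated as "Enabled" so the check fails closed.
      condition     = try(jsondecode(self.output).properties.publicNetworkAccess, "Enabled") == "Disabled"
      error_message = "ACR public network access is not Disabled: the registry is reachable outside the private endpoint."
    }
  }
}

output "vnet_image_pull_enabled" {
  value = try(jsondecode(data.azapi_resource.function_app_state.output).properties.vnetImagePullEnabled, false)
}
```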

Conclusion

I hope you found this article helpful and learned how to use the Terraform AzAPI provider to update resources in Azure. If you enjoyed this article, please give it a like 👍 and follow me for more interesting and useful articles 😊.
