I'm setting up an Azure Function with ADAL authentication and I have one issue with Pulumi, because the function app needs the AD app to be created and then the AD app needs the function app to be created in order to set the reply URL.

```typescript
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";

// projectName, env, resourceGroupArgs, appServicePlan, storageAccount and
// appSettings are defined elsewhere in the program.
const adAppName = `${projectName}-${env}`;
const adApp = new azuread.Application(adAppName, {
    name: adAppName,
    requiredResourceAccesses: [
        {
            resourceAccesses: [
                {
                    id: "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    type: "Scope",
                },
            ],
            resourceAppId: "00000002-0000-0000-c000-000000000000",
        },
    ],
    replyUrls: [ 'https://myapp.azurewebsites.net/.auth/login/aad/callback' ] // This url is hardcoded
});

const appFunctionName = `${projectName}-${env}`;
const appFunction = new azure.appservice.FunctionApp(appFunctionName, {
    ...resourceGroupArgs,
    name: appFunctionName,
    appServicePlanId: appServicePlan.id,
    authSettings: {
        enabled: true,
        unauthenticatedClientAction: 'RedirectToLoginPage',
        defaultProvider: 'AzureActiveDirectory',
        issuer: `https://sts.windows.net/${azure.config.tenantId}/`,
        activeDirectory: {
            clientId: adApp.applicationId
        }
    },
    storageConnectionString: storageAccount.primaryConnectionString,
    version: '~2',
    appSettings: appSettings,
});
```

How do we solve this kind of circular reference? I'd like to have the replyUrls created with the value of the appFunction URL.

Thanks

Cindy Pau
JuChom

1 Answer

I think there's no way to fix this circular dependency.

But since you have a fixed name for the App Service, its URL is predictable. You can move your appFunctionName declaration to the top and then use it in the replyUrls assignment:

```typescript
replyUrls: [ `https://${appFunctionName}.azurewebsites.net/.auth/login/aad/callback` ]
```

I don't see much downside to doing so. You would have to format this URL regardless; now you only get an extra .azurewebsites.net bit in it compared to using defaultHostName.

Mikhail Shilkov
  • Thanks, is there any chance this scenario will be supported in the near future? – JuChom Oct 30 '19 at 12:45
  • The change required would be to make `authSettings` a separate resource and create it after the other two resources are created. Otherwise, a cyclic dependency isn't likely to be supported. – Mikhail Shilkov Oct 30 '19 at 12:59
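
The workaround in the answer, as an added example that is not part of the original post or of Pulumi's API: one helper builds the reply URL from the fixed app name before the function app exists, and a second checks after deployment that the registered reply URLs really cover the host the app received. The function names and the app-name rule are assumptions made for this sketch.

```typescript
// Added example; all names below are hypothetical helpers, not Pulumi APIs.
const CALLBACK_PATH = "/.auth/login/aad/callback"; // path used in the question
const HOST_SUFFIX = ".azurewebsites.net";          // suffix used in the answer

// Assumption: an app name is 2-60 letters, digits or hyphens and does not
// start or end with a hyphen, so it can be used as a single host label.
const APP_NAME = /^[a-z0-9](?:[a-z0-9-]{0,58}[a-z0-9])$/i;

/** Build the reply URL from the fixed app name, before the app exists. */
function predictedReplyUrl(appName: string): string {
    if (!APP_NAME.test(appName)) {
        throw new Error(`"${appName}" cannot be used as a host label`);
    }
    return `https://${appName}${HOST_SUFFIX}${CALLBACK_PATH}`;
}

/**
 * After deployment: true only if one registered reply URL is exactly the
 * HTTPS callback of the host the function app actually received.
 */
function replyUrlsCoverHost(replyUrls: string[], actualHostName: string): boolean {
    const expected = new URL(`https://${actualHostName}${CALLBACK_PATH}`);
    return replyUrls.some((raw) => {
        let candidate: URL;
        try {
            candidate = new URL(raw);
        } catch {
            return false; // not a parseable absolute URL
        }
        return candidate.protocol === "https:"
            && candidate.username === ""
            && candidate.host === expected.host          // host is compared case-insensitively
            && candidate.pathname === expected.pathname  // path must match exactly
            && candidate.search === ""
            && candidate.hash === "";
    });
}
```

In the Pulumi program, `predictedReplyUrl(appFunctionName)` would supply the `replyUrls` entry, and `replyUrlsCoverHost` can be run against the deployed app's default host name to catch a renamed app whose sign-in callback no longer matches the registration.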