0

I'm trying to create an Azure automation system to change the number of always ready instances of a Function App (the App Service Plan is Elastic Premium One EP1):

Always Ready Instances of my Function App

The Automation System is created in order to set the number of Always Ready Instances to 3 during week days, and set it to 1 during weekend days.

The system is composed of the following two runbooks created under the Azure Automation Accounts service:

  1. "runbook-Weekdays"

$resourceGroupName = "xxxxxxxxxxxx"
$functionApp = "xxxxxxxxxx-func"

$Resource = Get-AzResource -ResourceGroupName $resourceGroupName -ResourceName $functionApp/config/web -ResourceType Microsoft.Web/sites
$Resource.Properties.minimumElasticInstanceCount = 3
$Resource | Set-AzResource -Force

  2. "runbook-Weekend-days"

$resourceGroupName = "xxxxxxxxxxxx"
$functionApp = "xxxxxxxxxxxx-func"

$Resource = Get-AzResource -ResourceGroupName $resourceGroupName -ResourceName $functionApp/config/web -ResourceType Microsoft.Web/sites
$Resource.Properties.minimumElasticInstanceCount = 1
$Resource | Set-AzResource -Force

Note that I'm using a "System Assigned" identity in my Automation Account.

The automation logic is implemented using Azure Logic Apps:

Logic App Design part 1

The expression under the "Condition" box is formatDateTime(utcNow(),'dddd'), which is set only for the weekdays, as can be seen from the previous figure.

The following figure is the second part of the Logic App:

Logic App Design part 2

Note that, when creating the Automation Job in Logic Apps, I selected "OAuth default" as the authentication method, then I simply pasted the tenant ID of my subscription.

Now, if I test the Logic App from the Logic App service, it works:

Logic App Design triggered

And I would expect a number of always ready instances equal to 3, but if I check the number of always ready instances, nothing changed:

Always ready instances

Also, going to the errors page of the runbook page:

Runbook error

I see the following two errors:

Get-AzResource : Run Connect-AzAccount to login.
At line:4 char:13
+ $Resource = Get-AzResource -ResourceGroupName $resourceGroupName -Res ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResource], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet

and

The property 'minimumElasticInstanceCount' cannot be found on this object. Verify that the property exists and can be set.
At line:5 char:1
+ $Resource.Properties.minimumElasticInstanceCount = 3
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

Do you know what could be the problem?

Gregory

2 Answers

1

Have you logged in within your runbook?

The first error tells you to connect using Connect-AzAccount and the 2nd error is a generic error that the property doesn't exist because $Resource object doesn't have that property.

  1. First error:

In the Automation Account console, under Account Settings -> Identity, be sure the System Assigned identity is set to On:

System Assigned Identity

Then, click the "Azure role assignments" button and check that the "Contributor" role on the resource group of your function app is assigned to the Azure Automation account:

Contributor role

Finally, add this code to your scripts:

# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Connect to Azure with system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).context

# Set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

  2. Second error:

Go to the Function App console, then under Settings click on "Configuration" and verify that you have the property "minimumElasticInstanceCount":

Azure Function property

If you don't have this property, you can simply create it by clicking the "New application setting" button.

This is useful Azure documentation:

https://learn.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation#authenticate-access-with-system-assigned-managed-identity

Gregory
BrettMiller

Yes, so the LogicApp will be using a system assigned identity to authenticate with ARM and be able to trigger the runbook, but when the runbook executes, that will be authenticating back to ARM in the context of the automation account, which requires its own identity and API permissions assigned. Unless I am unaware of some passthru authentication in LogicApps. I tend to use Azure Functions over LogicApps – BrettMiller Jun 12 '23 at 09:15

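The login step from the answer above combined with the question's resource update, as an added example that is not part of the original post: one parameterised runbook that authenticates with the Automation Account's system-assigned identity, aborts if the login or lookup fails, and reads the value back. The parameter names, the placeholder defaults and the restriction to the two counts used in the question are assumptions.

```powershell
param(
    # Assumption: only the two values from the question are accepted
    [Parameter(Mandatory = $true)]
    [ValidateSet(1, 3)]
    [int] $AlwaysReadyCount,

    [string] $ResourceGroupName = "<resource-group>",      # placeholder
    [string] $FunctionApp       = "<function-app-name>"    # placeholder
)

# A failed login or lookup must stop the job instead of continuing
# with a $null resource (the cause of the PropertyNotFound error).
$ErrorActionPreference = "Stop"

# Do not inherit an AzContext in the runbook sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

# Authenticate as the Automation Account's system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).Context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `
    -DefaultProfile $AzureContext

# Same lookup as in the question, pinned to the context obtained above
$lookup = @{
    ResourceGroupName = $ResourceGroupName
    ResourceName      = "$FunctionApp/config/web"
    ResourceType      = "Microsoft.Web/sites"
    DefaultProfile    = $AzureContext
}
$Resource = Get-AzResource @lookup
if ($null -eq $Resource) {
    throw "No config/web resource returned for '$FunctionApp'. Check the identity's role assignment."
}

$props = $Resource.Properties
if ($props.PSObject.Properties.Name -notcontains "minimumElasticInstanceCount") {
    throw "config/web of '$FunctionApp' exposes no minimumElasticInstanceCount property."
}

$previous = $props.minimumElasticInstanceCount
$props.minimumElasticInstanceCount = $AlwaysReadyCount
$Resource | Set-AzResource -Force -DefaultProfile $AzureContext | Out-Null

# Read the setting back so the job output shows what is actually configured
$current = (Get-AzResource @lookup).Properties.minimumElasticInstanceCount
Write-Output "minimumElasticInstanceCount: $previous -> $current"
```

The job output then records the old and new value for each run, and a missing role assignment surfaces as a failed job rather than a silent no-op.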
0

The error "Run Connect-AzAccount to login" indicates that the call to run the command is not made in a security context that is allowed to make the call.

In your case it is the logic app that is making the call. So the first thing to check is the security context of your logic app.

Shiraz Bhaiji