Logic Apps and Functions work great together. Functions that are enabled for a Managed Service Identity can log in to your Azure environment and collect lots of statistics. Logic Apps can take the data retrieved from an Azure Function and take action on it, for example by sending an HTML report to an administrator. The purpose of this article is to demonstrate using an Azure Function and Logic App to collect and send an HTML Report to an Administrator E-mail Account for the following:
- Azure Virtual Machine CPU Metrics
The Function collects these metrics, wraps them in an HTML Table, checks them against metric thresholds and color codes cells that are above the defined threshold limit. The Logic App then sends the HTML Data to an Administrator E-mail Account. Once you understand how this is done, you can include other code in the function to build additional tables of collected data.
What you end up getting is a report that looks like this:
The Logic App’s purpose in this solution is to:
- Run at a scheduled frequency (daily, weekly, monthly, etc.)
- Call an Azure HTTP Triggered Function that will create an HTML Report based on certain settings defined within the Logic App.
- Send an HTML Formatted E-mail to an E-mail Address with the results provided from the function
The Function App’s purpose in this solution is to:
- Collect data on Azure Virtual Machine CPU usage
- Format the results into HTML
- If any result is above the threshold (percentage) defined when creating the Function App, color that cell red, and sort the results with the highest values on top
- Return HTML Results to the Logic App
This is a two part article series.
In this first part we look at creating an Azure Function, assigning it a Managed Identity and assigning the Managed Identity RBAC Permissions. We then look through the default PowerShell code that is created when creating a PowerShell Function in order to better understand how to code an Azure PowerShell Function.
In the second part we will take a look at updating the code in our PowerShell Function to build a report on Azure Virtual Machine Quota limits for a specific region and color code cells above a certain threshold. We will then create our Logic App to call our Function and take the HTML Results from the Function and send it in an e-mail whether that may be daily, weekly, monthly, etc.
Part 1 – Create Azure Function App, create a Managed Service Identity, Assign RBAC Permissions, and learn how to modify the default PowerShell Function code.
Part 2 – Adding PowerShell code to our Function and Creating a Logic App to call the Function and send the HTML Output to your e-mail.
Creating the Azure Function App
Azure Function Apps provide support for PowerShell in a public preview. We will leverage PowerShell for developing this Azure Function App. We will be creating everything from within the portal. My preferred method is to use Visual Studio Code: create a new Functions project, enable git for the project directory (git init), create a GitHub repository, link the repository to the project folder (git remote add), and then use git for source control for all changes during development. But for simplicity's sake, we're going to use the portal for this article series.
To create the Function App, go to All Services, search for function, and click Function App.
Choose Add to create a new Function App.
When creating the Function App, ensure you are specifying the OS as Windows so you can use PowerShell Core as the Runtime Stack.
Once the Function App is created, you’ll be able to Refresh and see the Function App.
If you take a look within the Resource Group, you can see all the resources that were created. You will see the storage account, Application Insights if you selected to create an Application Insights Resource, the App Service (Function), and the App Service Plan (Consumption).
Creating the Managed Identity for the Function App
At a high level, a Managed Identity gives the Function App an Active Directory Identity which can then be assigned Role Based Access Control (RBAC) permissions to resources within your Azure Subscription. For example, since this Function is only used for gathering information, you can simply grant Reader permissions to the entire subscription, to Resource Groups, or even directly down to specific resources.
After going into the Azure Function, click Platform Features, then click Identity.
Change the status under System assigned to On. Then click Save.
We can now see we have our system assigned Managed Identity.
Assigning the Managed Identity RBAC Permissions
We will be assigning Reader permissions to the Managed Identity for the entire subscription. You can instead do this at the Resource Group level or the Resource level, which limits what the identity can read to the resources the report actually needs.
Go into Subscriptions, select your subscription, choose Access control (IAM), click Add, click Add role assignment.
Choose the role you desire. Since this function will only be reading data and building reports, we will choose Reader. Change Assign access to to Function App, then search for your Function and add it. Finally, click Save.
To ensure our Function App has the necessary permissions, run through a Check Access.
A new window will appear showing which permissions your Function App has.
But why use the Managed Identity? Why did we create it? It allows our Azure Function to log in to our Azure Subscriptions and execute Az* PowerShell commands to collect information, configure existing resources, and even create new resources, within the limits of the RBAC roles assigned to it.
If you’re curious how this works, on the Function App, click Platform features, then click App Service Editor.
In the App Service Editor, if you click on profile.ps1, you can see a code block that runs Connect-AzAccount if an MSI_SECRET exists. This signs in to Azure as the Managed Identity, in the subscription the Azure Function is running in. And because we granted our Managed Identity Reader permissions to our Azure Subscription, the Managed Identity has the ability to read all resources in your Azure Subscription.
Note: We see the abbreviation as MSI which stands for Managed Service Identity. This was the previous name for this service. It has since been renamed to Managed Identity.
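The Check Access step and the point about what the Managed Identity is able to do can be turned into a repeatable check. The following is an added example, not code from this article or from the Function template: Find-ExcessAssignment, its parameters and the sample data are made up for illustration, and the commented lines at the end assume the Az.Websites and Az.Resources modules.

```powershell
# Added example: flag any role assignment that gives a report-only identity
# more than the article intends (Reader, within one subscription).
function Find-ExcessAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,      # shaped like Get-AzRoleAssignment output
        [string[]] $AllowedRole = @('Reader'),              # the article grants Reader only
        [string]   $AllowedScopePrefix = '/subscriptions/'  # pass a resource group ID to enforce a tighter scope
    )
    foreach ($a in $Assignment) {
        $reasons = @()
        if ($a.RoleDefinitionName -notin $AllowedRole) {
            $reasons += "role '$($a.RoleDefinitionName)' is not in the allowed list"
        }
        if (-not $a.Scope.StartsWith($AllowedScopePrefix, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "scope is outside '$AllowedScopePrefix'"
        }
        if ($reasons) {
            [pscustomobject]@{
                Role   = $a.RoleDefinitionName
                Scope  = $a.Scope
                Reason = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data: the expected Reader grant, a leftover Contributor
# grant, and a Reader grant inherited from a management group.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = $sub }
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'; Scope = "$sub/resourceGroups/rg-reports" }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/providers/Microsoft.Management/managementGroups/mg-example' }
)

# Only the second and third entries are reported.
Find-ExcessAssignment -Assignment $sample -AllowedScopePrefix $sub | Format-Table -AutoSize

# Against a live subscription (placeholders in angle brackets):
#   $id = (Get-AzWebApp -ResourceGroupName '<resource-group>' -Name '<function-app>').Identity.PrincipalId
#   Find-ExcessAssignment -Assignment (Get-AzRoleAssignment -ObjectId $id) -AllowedScopePrefix $sub
```

An empty result means the identity holds nothing beyond the read-only access the report needs.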
Creating the Function within the Function App
Let’s head back into the Function and create a Function within the Function App. Click + to create a new Function. To keep it simple, we will choose to modify the function from within the portal. Then choose Continue.
As we will later be calling this function from a Logic App, we will want to choose the Webhook + API option. Choose Create.
We now have our first function named HttpTrigger1 with our default code. This is not code we wrote. It is the template code that is created anytime you create a PowerShell Function.
If you would like to understand how the default code works and how to modify it so that you can start writing your own PowerShell Functions, I recorded a video to help you out on your journey.
In Part 2, we will take a look at updating the code in our PowerShell Function to build a report on Azure Virtual Machine Quota limits for a specific region and color code cells above a certain threshold. We will then create our Logic App to call our Function and take the HTML Results from the Function and send it in an e-mail whether that may be daily, weekly, monthly, etc.