This directory contains the Bicep template and a deployment script for provisioning Azure services in LocalStack for Azure. Refer to the Azure Functions App with Managed Identity guide for details about the sample application.
Before deploying this solution, ensure you have the following tools installed:
- LocalStack for Azure: Local Azure cloud emulator for development and testing
- Visual Studio Code: Code editor installed on one of the supported platforms
- Bicep extension: VS Code extension for Bicep language support and IntelliSense
- Docker: Container runtime required for LocalStack
- Azure CLI: Azure command-line interface
- azlocal CLI: LocalStack Azure CLI wrapper
- Python: Python runtime (version 3.13 or above)
- jq: JSON processor for scripting and parsing command outputs
The deploy.sh Bash script uses the azlocal CLI instead of the standard Azure CLI to work with LocalStack. Install it using:
pip install azlocalFor more information, see Get started with the az tool on LocalStack.
The deploy.sh script creates the Azure Resource Group for all the Azure resources, while the main.bicep Bicep module creates the following Azure resources:
- Azure Storage Account: Provides blob storage with
inputandoutputcontainers for storing text blobs processed by the function app. - Azure App Service Plan: Defines the compute resources (CPU, memory, and scaling options) that host the Azure Functions app.
- Azure Functions App: Hosts the serverless application that processes text blobs. The function app uses managed identity to securely access the Azure Storage Account without requiring explicit credentials.
- Managed Identity: Provides secure, credential-free authentication between the Azure Functions app and storage account. Supports both system-assigned and user-assigned identity types.
- Role Assignment: Grants the Azure Functions app's managed identity the Storage Blob Data Contributor and Storage Queue Data Contributor roles, enabling read/write access to blob containers and queues for processing text data.
For more information on the sample application, see Azure Functions App with Managed Identity.
Before deploying the main.bicep template, update the bicep.bicepparam file with your specific values. Note that the deploy.sh script overrides some of these parameters.
using 'main.bicep'
param prefix = 'local'
param suffix = 'test'
param runtimeName = 'python'
param runtimeVersion = '3.13'The deploy.sh script automates the deployment of all Azure resources and the sample application in a single step. Before running the script, customize the variable values based on your needs. In particular, use the MANAGED_IDENTITY_TYPE variable to specify the type of managed identity to provision: SystemAssigned or UserAssigned.
Note
You can use theazlocalCLI as a drop-in replacement for theazCLI to direct all commands to the LocalStack for Azure emulator. Alternatively, runazlocal start-interceptionto automatically intercept and redirect allazcommands to LocalStack. For more information, see Get started with the az tool on LocalStack.
The deploy.sh script executes the following steps:
- Specifies the variables used during deployment
- Creates the resource group if it does not exist
- Conditionally validates the
main.bicepmodule to check its syntax is correct and all parameters make sense - Conditionally runs a what-if deployment to execute a dry run to preview the resources that will be created, updated, or deleted
- Runs the
main.biceptemplate to create all the Azure resources - Collects important information from the deployment (like resource names) for later use
- Uses jq (a JSON tool) to extract the names of resources we just created
- Creates zip archive in format expected by Function App
- Uploads pre-built application package to the newly created Function App
Note
Azure CLI commands use--verboseargument to print execution details and the--debugflag to show low-level REST calls for debugging. For more information, see Get started with Azure CLI
You can set up the Azure emulator by utilizing LocalStack for Azure Docker image. Before starting, ensure you have a valid LOCALSTACK_AUTH_TOKEN to access the Azure emulator. Refer to the Auth Token guide to obtain your Auth Token and specify it in the LOCALSTACK_AUTH_TOKEN environment variable. The Azure Docker image is available on the LocalStack Docker Hub. To pull the Azure Docker image, execute the following command:
docker pull localstack/localstack-azure-alphaStart the LocalStack Azure emulator using the localstack CLI, execute the following command:
# Set the authentication token
export LOCALSTACK_AUTH_TOKEN=<your_auth_token>
# Start the LocalStack Azure emulator
IMAGE_NAME=localstack/localstack-azure-alpha localstack start -d
localstack wait -t 60
# Route all Azure CLI calls to the LocalStack Azure emulator
azlocal start-interceptionNavigate to the bicep folder:
cd samples/function-app-managed-identity/python/bicepMake the script executable:
chmod +x deploy.shRun the deployment script:
./deploy.shAfter deployment, you can use the validate.sh script to verify that all resources were created and configured correctly:
#!/bin/bash
# Variables
# Check resource group
az group show \
--name local-rg \
--output table
# List resources
az resource list \
--resource-group local-rg \
--output table
# Check function app status
az functionapp show \
--name local-func-test \
--resource-group local-rg \
--output table
# Check storage account properties
az storage account show \
--name localstoragetest \
--resource-group local-rg \
--output table
# List storage containers
az storage container list \
--account-name localstoragetest \
--output table \
--only-show-errorsTo destroy all created resources:
# Delete resource group and all contained resources
az group delete --name local-rg --yes --no-wait
# Verify deletion
az group list --output tableThis will remove all Azure resources created by the CLI deployment script.