@JohnRoos
Created October 22, 2020 20:13
Create lab function app
<#
    Requires Az module. Use Connect-AzAccount before running.
    Creates the following:
        Resource group
        Key vault
        Storage account (Standard_LRS)
        Function app (EP1)
            PowerShell 7 runtime
            Assigned identity
            Preconfigured connection string to storage account in app settings
            Contributor on storage account
            Access to key vault
#>
# Change name and location before running
$Name = 'myname'
$Location = 'North Europe'
# Variables
$Name = $Name.ToLower()
$ResourceGroupName = "rg-$Name"
$KeyVaultName = "kv-$Name"
$StorageAccountName = "sa$Name"
$FunctionPlanName = "sp$Name"
$FunctionAppName = "fa-$Name"
# Vault permissions
$VaultPermissionsToKeys = 'Get', 'List', 'Update', 'Create', 'Import', 'Delete', 'Recover', 'Backup', 'Restore'
$VaultPermissionsToSecrets = 'Get', 'List', 'Set', 'Delete', 'Recover', 'Backup', 'Restore'
# Create the resource group, key vault and storage account
$null = New-AzResourceGroup -Name $ResourceGroupName -Location $Location
$null = New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location
$StorageAccount = New-AzStorageAccount -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Location $Location -SkuName 'Standard_LRS'
# Take the first storage account key; it is used in the connection string below
$StorageAccountKey = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName | Select-Object -First 1
$null = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey.Value
# Create the EP1 plan and the PowerShell 7 function app
$FunctionAppPlan = New-AzFunctionAppPlan -Name $FunctionPlanName -ResourceGroupName $ResourceGroupName -Location $Location -Sku 'EP1' -WorkerType 'Windows'
$null = New-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Runtime 'PowerShell' -RuntimeVersion '7.0' -PlanName $FunctionAppPlan.Name
# Enable the system-assigned identity on the function app
$AppIdentity = Set-AzWebApp -AssignIdentity $true -Name $FunctionAppName -ResourceGroupName $ResourceGroupName
# Store the storage connection string (it contains the account key) in the app settings
$StorageAccountConnectionString = "DefaultEndpointsProtocol=https;AccountName=$($StorageAccountName);AccountKey=$($StorageAccountKey.Value);EndpointSuffix=core.windows.net"
$null = Update-AzFunctionAppSetting -Name $FunctionAppName -ResourceGroupName $ResourceGroupName -AppSetting @{ "AzureWebJobs$StorageAccountName" = $StorageAccountConnectionString }
# Look up the identity's service principal by the function app name
$ServicePrincipal = Get-AzADServicePrincipal -DisplayName $AppIdentity.Name
# Grant the identity 'Storage Account Contributor' on the storage account.
# -ObjectId with .Id is used (as in the key vault call below) because newer
# Az.Resources releases renamed the ApplicationId property to AppId.
$null = New-AzRoleAssignment -ObjectId $ServicePrincipal.Id -RoleDefinitionName 'Storage Account Contributor' -Scope $StorageAccount.Id
# Grant the identity the key and secret permissions defined above
$null = Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectId $ServicePrincipal.Id -PermissionsToKeys $VaultPermissionsToKeys -PermissionsToSecrets $VaultPermissionsToSecrets