Azure Function in Container App Webhook validation handshake fails

Question

Azure Function in Container App Webhook validation handshake fails

Adrian Ruchti 20

Hello

Trying to provision a eventgrid subscription I get the following error:
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/ad6ec112-366b-4221-9b70-cf3ccc089a41/resourceGroups/timescale-azfunctions-rg/providers/Microsoft.Resources/deployments/eventGridSubscriptionDeployment","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceDeploymentFailure","target":"/subscriptions/ad6ec112-366b-4221-9b70-cf3ccc089a41/resourceGroups/timescale-azfunctions-rg/providers/Microsoft.EventGrid/systemTopics/system-blob-trigger-topic/eventSubscriptions/blop-trigger-systemtopic-subscription","message":"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"URL validation","message":"Webhook validation handshake failed for https://timescale-azfunctio-fa.salmonbeach-eec8bd4a.switzerlandnorth.azurecontainerapps.io/runtime/webhooks/eventgrid. Http POST request failed with response code Unknown. For troubleshooting, visit https://aka.ms/esvalidation. Activity id:d8da7ac7-3ec9-4724-915e-02c82ae85ca7, timestamp: 12/27/2024 11:19:36 AM (UTC)."}]}]}}

function_app.py

@app.function_name(name="myblobtrigger")
@app.event_grid_trigger(arg_name="event")
async def myblobtrigger(event: func.EventGridEvent):
    
    try:
        logging.info('Python EventGrid trigger processed an event: %s', event.get_json())
        
        # Handle validation event
        if event.event_type == 'Microsoft.EventGrid.SubscriptionValidationEvent':
            validation_code = event.get_json()['data']['validationCode']
            return func.HttpResponse(
                body=json.dumps({'validationResponse': validation_code}),
                status_code=200,
                mimetype='application/json'
            )
        
        # Handle blob events
        if event.event_type in ['Microsoft.Storage.BlobCreated', 'Microsoft.Storage.BlobDeleted']:
            event_data = event.get_json()
            logging.info(f'Processing blob event: {event_data}')
            return func.HttpResponse(status_code=200)
            
        return func.HttpResponse(status_code=400, body="Unsupported event type")
        
    except Exception as e:
        logging.error(f'Error processing event: {str(e)}')
        return func.HttpResponse(
            body=str(e),
            status_code=500
        )

functionsapp.bicep with functionEndpoint

param name string
param location string = resourceGroup().location
param tags object = {}
param identityName string
param containerAppsEnvironmentName string
param containerRegistryName string
param serviceName string = 'func'
param exists bool
param keyVaultName string
param authClientSecretName string
param authClientId string
param authAuthority string
param environmentVariables array = []
param serverAppId string
param serverAppSecretName string
param authTenantId string

@secure()
param secrets object

resource funcIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}


module app '../container-app-upsert.bicep' = {
  name: '${serviceName}-function-app-module'
  params: {
    name: name
    location: location
    tags: union(tags, { 'azd-service-name': serviceName })
    identityName: funcIdentity.name
    exists: exists
    containerAppsEnvironmentName: containerAppsEnvironmentName
    containerRegistryName: containerRegistryName
    env: union(
      environmentVariables,
      [
      {
        name: 'RUNNING_IN_PRODUCTION'
        value: 'true'
      }
      {
        name: 'AZURE_CLIENT_ID'
        value: funcIdentity.properties.clientId
      }
      {
        name: 'AZURE_AUTH_CLIENT_SECRET_NAME'
        value: authClientSecretName
      }
      {
        name: 'AZURE_AUTH_CLIENT_ID'
        value: authClientId
      }
      {
        name: 'AZURE_AUTH_AUTHORITY'
        value: authAuthority
      }
      {
        name: 'AZURE_KEY_VAULT_NAME'
        value: keyVaultName
      }
      {
        name: 'AZURE_SERVER_APP_ID'
        value: serverAppId
      }
      {
        name: 'AZURE_SERVER_APP_SECRET_NAME'
        value: serverAppSecretName
      }
      {
        name: 'FUNCTIONS_EXTENSION_VERSION'
        value: '~4'
      }
      {
        name: 'AZURE_AUTH_TENANT_ID'
        value: authTenantId
      }

      
    ]
    )
    
    secrets: secrets
    targetPort: 80
  }
}

output SERVICE_FUNC_IDENTITY_PRINCIPAL_ID string = funcIdentity.properties.principalId
output SERVICE_FUNC_IDENTITY_NAME string = funcIdentity.name
output SERVICE_FUNC_NAME string = app.outputs.name
output SERVICE_FUNC_URI string = app.outputs.uri
output SERVICE_FUNC_IMAGE_NAME string = app.outputs.imageName

output uri string = app.outputs.uri
output name string = app.outputs.name
output imageName string = app.outputs.imageName

output AZURE_CLIENT_ID string = funcIdentity.properties.clientId

output functionEndpoint string = '${app.outputs.uri}/runtime/webhooks/eventgrid?functionName=myblobtrigger'

output functionAppId string = app.outputs.containerAppId

eventgrid.bicep

param name string
param functionEndpoint string
param systemTopicName string

resource systemTopic 'Microsoft.EventGrid/systemTopics@2024-12-15-preview' existing = {
  name: systemTopicName
}



resource EventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2024-12-15-preview' = {
  parent: systemTopic
  name: '${name}-systemtopic-subscription'
  properties: {
    destination: {
      endpointType: 'WebHook'
      properties: {
        endpointUrl: functionEndpoint
        maxEventsPerBatch: 1
        preferredBatchSizeInKilobytes: 64
      }
    }
    eventDeliverySchema: 'EventGridSchema'
    filter: {
      includedEventTypes: [
        'Microsoft.Storage.BlobCreated'
        'Microsoft.Storage.BlobDeleted'
      ]
      isSubjectCaseSensitive: false
    }
    retryPolicy: {
      eventTimeToLiveInMinutes: 1440
      maxDeliveryAttempts: 30
    }
  }
}

output AZURE_EVENTGRID_SUBSCRIPTION_NAME string = EventSubscription.name

is the approach to provision the function app in a containerapp then using a webhook for the function endpoint correct? what is the correct endpoint url (for validation and handshake)?
PLEASE NOTE THAT THE FUNCTION APP IS RUNNING IN A CONTAINER APP CONTAINER.

Thank you for your help.
Kind regards
Adrian

VenkateshDodda-MSFT 25,186 Reputation points Microsoft Employee Moderator

2025-01-03T03:46:28.9133333+00:00

@Adrian Ruchti Following up to see if you have a chance to check my previous response and helped. Do let me know if you have any further questions on this.

2 answers

Your answer

VenkateshDodda-MSFT 25,186 Reputation points Microsoft Employee Moderator

2025-01-03T03:46:28.9133333+00:00

@Adrian Ruchti Following up to see if you have a chance to check my previous response and helped. Do let me know if you have any further questions on this.

Answer 1

VenkateshDodda-MSFT 25,186 Microsoft Employee Moderator

@Adrian Ruchti Thanks for reaching out to Microsoft Q&A, apologize for any inconvenience caused on this.

From the error message, it looks like your bicep template deployment failed to create event gird event subscription. In your bicep template you are trying to create the Webhook based endpoint type which required authentication to validate the event which is missing in your template.

As you are creating the Event Grid trigger function you can create Azure Function Endpoint in which underlying infrastructure will take of the event validation and you can ignore the #handle event block in function code as well.

Hope this helps, let me know if you have any further questions on this.

Adrian Ruchti 20 Reputation points

2024-12-31T10:05:26.6833333+00:00

Thank you for your answer. I I am using Azure Function as Endpoint type, what would be the resourceId for a Azure Function App running on container apps? It has to be Microsoft.Web/sites I guess. Right now I am in the process of trying to integrate a real Function App into my Container Apps Env not only a Function Apps Image in a Container. I hope this is gonna be successful. I guess there is no resourceId type for Microsoft.App right?
Thank you and kind regards Adrian
VenkateshDodda-MSFT 25,186 Reputation points Microsoft Employee Moderator

2025-01-02T03:53:35.68+00:00

@Adrian Ruchti Thanks for your follow up questions. If you function app is hosted on container app environment plan, then the resourceId type will be the same Microsoft.Web/sites and the resourceId type Microsoft.App is for Container Apps & Container Apps environments.
Adrian Ruchti 20 Reputation points

2025-01-03T11:30:13.9733333+00:00
@VenkateshDodda-MSFT Thank you, I solved it for now. Technically it is working but commercially I am not sure if it is the right solution for us.

creating a containerapp with the functions image, then postdeploz the functionapp with az functionapp create. like this I can get the image from the containerapp into the functionapp>

func``:

``project: ./src/azure_functions

language``: py

module``: func

host``: containerapp

hooks``:

postdeploy``:

posix``:

shell``: sh

run``: |

../../scripts/create_functionapp.sh

../../scripts/deploy_eventgrid.sh

windows``:

shell``: pwsh

run``: |

..\..\scripts\create_functionapp.ps1

..\..\scripts\deploy_eventgrid.ps1

az functionapp create ``` ``

``` --name $functionAppName ``

--``` storage-account $storageAccount ``

--``` environment $environmentName ``

--``` app-insights $appInsightsName ``

--``` workload-profile-name "Consumption" ``

--``` resource-group $resourceGroupName ``

--``` functions-version 4 ``

--``` runtime python ``

--``` image $serviceImageName ``

--``assign-identity

Deploying the eventgrid Subscription with bicep>
param`` name string

param`` systemTopicName string

param`` functionAppName string = 'functionapp'

resource`` systemTopic 'Microsoft.EventGrid/systemTopics@2024-12-15-preview' existing = {

name``: systemTopicName

}

resource`` EventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2024-12-15-preview' = {

name``: '${name}-subscription'

parent``: systemTopic

properties``: {

destination``: {

endpointType``: 'AzureFunction'

properties``: {

resourceId``:resourceId('Microsoft.Web/sites/functions',functionAppName, 'myblobtrigger')

maxEventsPerBatch``: 1

preferredBatchSizeInKilobytes``: 64

}

}

eventDeliverySchema``: 'EventGridSchema'

filter``: {

includedEventTypes``: [

'Microsoft.Storage.BlobCreated'

'Microsoft.Storage.BlobDeleted'

]

isSubjectCaseSensitive``: false

}

retryPolicy``: {

eventTimeToLiveInMinutes``: 1440

maxDeliveryAttempts``: 30

}

}

}

The Microsoft documentation says that you have to create the functionapp with az functionapp create, I guess there is now way to directly do it with azd deploy if you want to deploy in a containerapps environment. I know there is the option with appservice but and using the containerapps environment but I do not really like to manually assign the image name with the acr. So basically The solution works for me now but it might not be the most efficient one as I am running one additional container in containerapps just for the image. Thank you for your help.
VenkateshDodda-MSFT 25,186 Reputation points Microsoft Employee Moderator

2025-01-07T04:21:59.2+00:00

@Adrian Ruchti Thanks for your response and glad to know that your problem has been resolved. I have converted my comment to answer.

If you still have any further questions, I would suggest you raise a support ticket.

Answer 2

@VenkateshDodda-MSFT
we ran azure functions on containerapps for the Eventgrid using below bicep. it worked well as you suggested above. But now MSFT recommends transferring to the native Functionsapp on containerapps.

param name string
param systemTopicName string
param functionAppName string
resource systemTopic 'Microsoft.EventGrid/systemTopics@2024-12-15-preview' existing = {
  name: systemTopicName
}


resource EventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2024-12-15-preview' = {

  name: '${name}-subscription'
  parent: systemTopic
  properties: {
    destination: {
      endpointType: 'AzureFunction'
      properties: {
        resourceId:resourceId('Microsoft.Web/sites/functions',functionAppName,  'myblobtrigger')
        maxEventsPerBatch: 1
        preferredBatchSizeInKilobytes: 64
      }
    }
    eventDeliverySchema: 'EventGridSchema'
    filter: {
      includedEventTypes: [
        'Microsoft.Storage.BlobCreated'
        'Microsoft.Storage.BlobDeleted'
      ]
      isSubjectCaseSensitive: false
    }
    retryPolicy: {
      eventTimeToLiveInMinutes: 1440
      maxDeliveryAttempts: 30
    }
  }
}

new bicep eventgrid sub>

param name string
param systemTopicName string
param functionAppName string
param storageAccountName string
resource systemTopic 'Microsoft.EventGrid/systemTopics@2025-04-01-preview' existing = {
  name: systemTopicName
}


resource EventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2025-04-01-preview' = {

  name: '${name}-subscription'
  parent: systemTopic
  properties: {
    destination: {
      endpointType: 'AzureFunction'
      properties: {
        resourceId: '${resourceId('Microsoft.App/containerApps', functionAppName)}/functions/myblobtrigger'
        maxEventsPerBatch: 1
        preferredBatchSizeInKilobytes: 64
      }
    }
    eventDeliverySchema: 'CloudEventSchemaV1_0'
    
    filter: {
      includedEventTypes: [
        'Microsoft.Storage.BlobCreated'
        'Microsoft.Storage.BlobDeleted'
      ]
      isSubjectCaseSensitive: false
      subjectBeginsWith: '/blobServices/default/containers/in/' 
    }
    retryPolicy: {
      eventTimeToLiveInMinutes: 1440
      maxDeliveryAttempts: 30
    }
    deadLetterDestination: {
      endpointType: 'StorageBlob'
      properties: {
        resourceId: resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', storageAccountName, 'default', 'deadletter')
        blobContainerName: 'deadletter'
      }
    }
  }
  
}

Bash(az eventgrid system-topic event-subscription create \

--name blop-trigger-subscription \…)

⎿ Error: ERROR: unrecognized arguments: --azure-function-resource-id /subscriptions/041e3b12-1c32-468a-8386-53833397e791/resourceGroups/rg-lentinis-cms/provide

rs/Microsoft.App/containerApps/lentinis-cms-dvpc56-fn/functions/myblobtrigger

Examples from AI knowledge base:

az eventgrid system-topic event-subscription create --endpoint

/subscriptions/{SubID}/resourceGroups/{RG}/providers/Microsoft.Web/sites/{functionappname}/functions/{functionname} --endpoint-type webhook

--included-event-types Microsoft.Storage.BlobCreated Microsoft.Storage.BlobDeleted --name es1 --resource-group rg1 --system-topic-name systemtopic1

Create a new event subscription for a system topic (autogenerated)

az eventgrid system-topic event-subscription create --endpoint

/subscriptions/{SubID}/resourceGroups/{RG}/providers/Microsoft.Web/sites/{functionappname}/functions/{functionname} --endpoint-type webhook

--event-delivery-schema eventgridschema --included-event-types Microsoft.Storage.BlobCreated Microsoft.Storage.BlobDeleted --name es1 --resource-group rg1

--system-topic-name systemtopic1

Create a new event subscription for a system topic (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/eventgrid/system-topic/event-subscription#az_eventgrid_system_topic_event_subscription_create This confirms that while Container Apps supports kind: functionapp and can run Functions code, the Azure ARM API doesn't yet expose individual functions as sub-resources under Container Apps. This explains why EventGrid can't validate the resource ID.

Can you confirm this?:
Status: The EventGrid service itself hasn't been updated to support Container Apps with native Functions, even though Container Apps can run Functions code.

At this point, our options are:

Use webhook endpoint type with manual validation - Convert to HTTP trigger that handles EventGrid validation
Use blob storage triggers directly - Skip EventGrid entirely
File a feature request/support ticket with Microsoft about EventGrid + Container Apps native Functions integration
Wait for the integration to be completed - This appears to be a work-in-progress

Thank you.

Share via

Azure Function in Container App Webhook validation handshake fails

2 answers

Your answer