update flex-migration warning

Author: patelchandni

src/azure-cli/azure/cli/command_modules/appservice/_params.py

@@ -718,10 +718,10 @@ def load_arguments(self, _):
 
     # Add load_to_code parameter for functionapp SSL commands that create/update certificates (Flex Consumption only)
     with self.argument_context('functionapp config ssl upload') as c:
-        c.argument('load_to_code', arg_type=get_three_state_flag(), help='For Flex Consumption apps only. Make the certificate accessible to app code. When set to true, the certificate can be loaded via the WEBSITE_LOAD_CERTIFICATES app setting.')
+        c.argument('load_to_code', arg_type=get_three_state_flag(), help='For Flex Consumption apps only. When set to true, the certificate is accessible to app code.')
 
     with self.argument_context('functionapp config ssl import') as c:
-        c.argument('load_to_code', arg_type=get_three_state_flag(), help='For Flex Consumption apps only. Make the certificate accessible to app code. When set to true, the certificate can be loaded via the WEBSITE_LOAD_CERTIFICATES app setting.')
+        c.argument('load_to_code', arg_type=get_three_state_flag(), help='For Flex Consumption apps only. When set to true, the certificate is accessible to app code')
         c.argument('enable_using_msi', arg_type=get_three_state_flag(), help='For Flex Consumption apps only. Enable Key Vault access using Managed Service Identity. When set to true, the app will use its managed identity to access Key Vault instead of service principal.')
 
     with self.argument_context('webapp config connection-string list') as c:

src/azure-cli/azure/cli/command_modules/appservice/custom.py

@@ -1124,18 +1124,25 @@ def list_flex_migration_candidates(cmd):
             continue
 
         try:
-            if validate_flex_migration_eligibility_for_linux_consumption_app(cmd, site, flex_regions):
+            is_eligible, warnings = validate_flex_migration_eligibility_for_linux_consumption_app(cmd, site, flex_regions)
+            if is_eligible:
                 site_entry = {
                     'name': site.name,
                     'resource_group': site.resource_group,
                 }
 
+                notes = []
                 has_slots = len(list_slots(cmd, site.resource_group, site.name)) > 0
 
                 if has_slots:
-                    slots_warning = (f"The site '{site.name}' has slots configured. This will not block migration, "
-                                     f"but please note that slots are not supported in Flex Consumption.")
-                    site_entry['note'] = slots_warning
+                    notes.append(f"The site '{site.name}' has slots configured. This will not block migration, "
+                                 f"but please note that slots are not supported in Flex Consumption.")
+
+                # Add certificate-related warnings as notes
+                notes.extend(warnings)
+
+                if notes:
+                    site_entry['note'] = ' '.join(notes)
 
                 eligible_sites.append(site_entry)
 
@@ -1153,6 +1160,8 @@ def list_flex_migration_candidates(cmd):
 
 
 def validate_flex_migration_eligibility_for_linux_consumption_app(cmd, site, flex_regions):
+    warnings = []
+
     # Validating that the site is in a Flex Consumption-supported region
     normalized_site_location = _normalize_location(cmd, site.location)
     if normalized_site_location not in flex_regions:
@@ -1170,18 +1179,26 @@ def validate_flex_migration_eligibility_for_linux_consumption_app(cmd, site, fle
     runtime_helper = _FlexFunctionAppStackRuntimeHelper(cmd, normalized_site_location, runtime)
     runtime_helper.resolve(runtime, runtime_version)
 
-    # Validating that the site does not have SSL bindings configured
+    # Check for SSL bindings - warn but allow migration
     for ssl_state in site.host_name_ssl_states or []:
         if ssl_state.ssl_state != 'Disabled':
-            raise ValidationError("The site '{}' is using TSL/SSL certificates. "
-                                  "TSL/SSL certificates are not supported in Flex Consumption.".format(site.name))
+            warnings.append("The site '{}' is using TSL/SSL certificates. "
+                            "Site-scoped TSL/SSL certificates are supported in Flex Consumption in preview. "
+                            "Re-configure certificates after migration using the new site-scoped model. "
+                            "Help Link: https://aka.ms/flex-site-scoped-certs-docs."
+                            .format(site.name))
+            break
 
-    # Validating that the site does not have WEBSITE_LOAD_CERTIFICATES app setting configured
+    # Check for WEBSITE_LOAD_CERTIFICATES app setting - warn but allow migration
     app_settings = get_app_settings(cmd, site.resource_group, site.name)
     for setting in app_settings:
         if setting['name'] == 'WEBSITE_LOAD_CERTIFICATES':
-            raise ValidationError("The site '{}' has the WEBSITE_LOAD_CERTIFICATES app setting configured. "
-                                  "Certificate loading is not supported in Flex Consumption.".format(site.name))
+            warnings.append("The site '{}' has the WEBSITE_LOAD_CERTIFICATES app setting configured. "
+                            "Site-scoped certificate loading is supported in Flex Consumption in preview. "
+                            "Re-configure certificates after migration using the new site-scoped model. "
+                            "Help Link: https://aka.ms/flex-site-scoped-certs-docs."
+                            .format(site.name))
+            break
 
     # Validating that the site has triggers supported in Flex Consumption
     functions = list_functions(cmd, site.resource_group, site.name)
@@ -1200,7 +1217,7 @@ def validate_flex_migration_eligibility_for_linux_consumption_app(cmd, site, fle
                               "Please convert these triggers to use Event Grid or replace them with Event Grid "
                               "triggers before migration.".format(site.name, function_list))
 
-    return True
+    return True, warnings
 
 
 def get_storage_account_from_functionapp(cmd, resource_group_name, name):
@@ -1260,11 +1277,16 @@ def migrate_consumption_to_flex(cmd, source_resource_group, source_name, resourc
                               "migration is only supported for Function Apps on Linux Consumption plans."
                               .format(source.name))
 
-    if validate_flex_migration_eligibility_for_linux_consumption_app(cmd, source, flex_regions):
+    is_eligible, warnings = validate_flex_migration_eligibility_for_linux_consumption_app(cmd, source, flex_regions)
+    if is_eligible:
         slots = list_slots(cmd, source_resource_group, source_name)
         if len(slots) > 0:
             print(f"The site '{source_name}' has slots configured. This will not block migration, "
                   f"but please note that slots are not supported in Flex Consumption.")
+
+        # Print certificate-related warnings
+        for warning in warnings:
+            logger.warning(warning)
         print(f"Source app '{source_name}' is eligible for Flex Consumption migration.")
 
     source_site_configs = get_site_configs(cmd, source_resource_group, source_name)

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py

@@ -816,7 +816,8 @@ class FunctionAppFlexMigrationTest(LiveScenarioTest):
     def test_functionapp_flex_migration_list_candidates(self, resource_group, storage_account):
         eligible_functionapp_name = self.create_random_name('consumption-func', 24)
         noneligible_slots_functionapp_name = self.create_random_name('noneligible-slots-func', 40)
-        noneligible_cert_functionapp_name = self.create_random_name('noneligible-cert-func', 40)
+        eligible_cert_functionapp_name = self.create_random_name('eligible-cert-func', 40)
+
         slot_name = self.create_random_name(prefix='slotname', length=24)
 
         self.cmd('functionapp create -g {} -n {} -c {} -s {}  --os-type linux --runtime python --runtime-version 3.11 --functions-version 4'
@@ -828,31 +829,35 @@ def test_functionapp_flex_migration_list_candidates(self, resource_group, storag
         self.cmd('functionapp deployment slot create -g {} -n {} --slot {}'.format(resource_group, noneligible_slots_functionapp_name, slot_name))
 
         self.cmd('functionapp create -g {} -n {} -c {} -s {}  --os-type linux --runtime python --runtime-version 3.11 --functions-version 4'
-                .format(resource_group, noneligible_cert_functionapp_name, FLEX_ASP_LOCATION_FUNCTIONAPP, storage_account))
+                .format(resource_group, eligible_cert_functionapp_name, FLEX_ASP_LOCATION_FUNCTIONAPP, storage_account))
 
-        self.cmd('functionapp config appsettings set -g {} -n {} --settings WEBSITE_LOAD_CERTIFICATES=*'.format(resource_group, noneligible_cert_functionapp_name))
+        self.cmd('functionapp config appsettings set -g {} -n {} --settings WEBSITE_LOAD_CERTIFICATES=*'.format(resource_group, eligible_cert_functionapp_name))
 
         candidates = self.cmd('functionapp flex-migration list').get_output_in_json().get('eligible_apps', [])
 
         candidate_names = [candidate.get('name') for candidate in candidates if 'name' in candidate]
 
         self.assertTrue(eligible_functionapp_name in candidate_names)
         self.assertTrue(noneligible_slots_functionapp_name in candidate_names)
-        self.assertTrue(noneligible_cert_functionapp_name not in candidate_names)
+        # Apps with WEBSITE_LOAD_CERTIFICATES are now eligible with a warning note
+        self.assertTrue(eligible_cert_functionapp_name in candidate_names)
+        cert_candidate = next((c for c in candidates if c.get('name') == eligible_cert_functionapp_name), None)
+        self.assertIsNotNone(cert_candidate)
+        self.assertIn('WEBSITE_LOAD_CERTIFICATES', cert_candidate.get('note', ''))
 
 
     @ResourceGroupPreparer(location=WINDOWS_ASP_LOCATION_FUNCTIONAPP)
     @StorageAccountPreparer()
     def test_functionapp_flex_migration_private_cert_list_candidates(self, resource_group, storage_account):
-        noneligible_privatekey_functionapp_name = self.create_random_name('noneligible-privatekey-func', 40)
+        eligible_ssl_functionapp_name = self.create_random_name('eligible-ssl-func', 40)
         pfx_file = os.path.join(TEST_DIR, 'server.pfx')
         cert_password = 'test'
         cert_thumbprint = '9E9735C45C792B03B3FFCCA614852B32EE71AD6B'
 
         self.cmd('functionapp create -g {} -n {} -c {} -s {}  --os-type linux --runtime python --runtime-version 3.11 --functions-version 4'
-                .format(resource_group, noneligible_privatekey_functionapp_name, WINDOWS_ASP_LOCATION_FUNCTIONAPP, storage_account))
+                .format(resource_group, eligible_ssl_functionapp_name, WINDOWS_ASP_LOCATION_FUNCTIONAPP, storage_account))
 
-        self.cmd('webapp config ssl upload -g {} -n {} --certificate-file "{}" --certificate-password {} --certificate-name {}'.format(resource_group, noneligible_privatekey_functionapp_name, pfx_file, cert_password, "test123"), checks=[
+        self.cmd('webapp config ssl upload -g {} -n {} --certificate-file "{}" --certificate-password {} --certificate-name {}'.format(resource_group, eligible_ssl_functionapp_name, pfx_file, cert_password, "test123"), checks=[
             JMESPathCheck('thumbprint', cert_thumbprint),
             JMESPathCheck('name', 'test123')
         ])
@@ -861,20 +866,24 @@ def test_functionapp_flex_migration_private_cert_list_candidates(self, resource_
 
         candidate_names = [candidate.get('name') for candidate in candidates if 'name' in candidate]
 
-        self.assertTrue(noneligible_privatekey_functionapp_name in candidate_names)
+        self.assertTrue(eligible_ssl_functionapp_name in candidate_names)
 
-        self.cmd('webapp config ssl bind -g {} -n {} --certificate-thumbprint {} --ssl-type {}'.format(resource_group, noneligible_privatekey_functionapp_name, cert_thumbprint, 'SNI'), checks=[
+        self.cmd('webapp config ssl bind -g {} -n {} --certificate-thumbprint {} --ssl-type {}'.format(resource_group, eligible_ssl_functionapp_name, cert_thumbprint, 'SNI'), checks=[
             JMESPathCheck("hostNameSslStates|[?name=='{}.azurewebsites.net']|[0].sslState".format(
-                noneligible_privatekey_functionapp_name), 'SniEnabled'),
+                eligible_ssl_functionapp_name), 'SniEnabled'),
             JMESPathCheck("hostNameSslStates|[?name=='{}.azurewebsites.net']|[0].thumbprint".format(
-                noneligible_privatekey_functionapp_name), cert_thumbprint)
+                eligible_ssl_functionapp_name), cert_thumbprint)
         ])
 
         candidates = self.cmd('functionapp flex-migration list').get_output_in_json().get('eligible_apps', [])
 
         candidate_names = [candidate.get('name') for candidate in candidates if 'name' in candidate]
 
-        self.assertTrue(noneligible_privatekey_functionapp_name not in candidate_names)
+        # Apps with SSL bindings are now eligible with a warning note
+        self.assertTrue(eligible_ssl_functionapp_name in candidate_names)
+        ssl_candidate = next((c for c in candidates if c.get('name') == eligible_ssl_functionapp_name), None)
+        self.assertIsNotNone(ssl_candidate)
+        self.assertIn('TSL/SSL certificates', ssl_candidate.get('note', ''))
 
 
     @ResourceGroupPreparer(location=FLEX_ASP_LOCATION_FUNCTIONAPP)