Skip to content

[App Service] Update functionapp config ssl commands for flex consumption and functionapp flex-migration commands#33443

Open
patelchandni wants to merge 2 commits into
Azure:devfrom
patelchandni:flexsitescopedcerts
Open

[App Service] Update functionapp config ssl commands for flex consumption and functionapp flex-migration commands#33443
patelchandni wants to merge 2 commits into
Azure:devfrom
patelchandni:flexsitescopedcerts

Conversation

@patelchandni
Copy link
Copy Markdown
Contributor

@patelchandni patelchandni commented May 26, 2026
edited
Loading

Related command

az functionapp config ssl
az functionapp flex-migration

Description

  • _params.py
    • Added optional --name/-n parameter for:
      • functionapp config ssl list
      • functionapp config ssl show
      • functionapp config ssl delete
    • Added --load-to-code parameter for functionapp config ssl upload and functionapp config ssl import (Flex Consumption only)
    • Added --enable-using-msi parameter for functionapp config ssl import (Flex Consumption only)
  • custom.py
    • For az functionapp config ssl - Updated the following functions to support Flex Consumption apps by using site-scoped certificates (client.site_certificates.) instead of resource group-scoped certificates (client.certificates.):
      • upload_ssl_cert - Uses client.site_certificates.create_or_update() for Flex apps; supports load_to_code parameter
      • list_ssl_certs - Added name param; uses client.site_certificates.list() for Flex
      • show_ssl_cert - Added name param; uses client.site_certificates.get() for Flex
      • delete_ssl_cert - Added name param; uses client.site_certificates.delete() for Flex
      • import_ssl_cert - Uses client.site_certificates.create_or_update() for Flex apps; supports load_to_code and enable_using_msi parameters; also added hasattr check for app_service_certificate_orders
      • create_managed_ssl_cert - Uses client.site_certificates.create_or_update() for Flex apps
      • _update_ssl_binding - Searches site-scoped certificates for Flex apps instead of resource group certificates
    • For az functionapp flex-migration
      • validate_flex_migration_eligibility_for_linux_consumption_app - Changed from raising ValidationError to returning warnings for SSL bindings and WEBSITE_LOAD_CERTIFICATES app setting (apps are now eligible with warnings instead of blocked)
      • list_flex_migration_candidates - Updated to collect and display warning notes in output
      • migrate_consumption_to_flex - Updated to print certificate-related warnings during migration
  • test_webapp_commands_thru_mock.py
    • Added is_flex_functionapp mock to test_create_managed_ssl_cert
  • test_functionapp_commands.py
    • Updated tests to reflect that apps with SSL bindings and WEBSITE_LOAD_CERTIFICATES are now eligible with warning notes instead of being blocked
    • Renamed test variables from noneligible_* to eligible_* to reflect the new behavior

Testing Guide

az functionapp config ssl create --resource-group <resource-group-name> --name <function-app-name> --hostname <hostname>
az functionapp config ssl list --resource-group <resource-group-name> --name <function-app-name>
az functionapp config ssl show --resource-group <resource-group-name> --name <function-app-name> --certificate-name <certificate-name>
az functionapp config ssl delete --resource-group <resource-group-name> --name <function-app-name> --certificate-thumbprint <thumbprint>
az functionapp config ssl bind --resource-group <resource-group-name> --name <function-app-name> --certificate-thumbprint <thumbprint> --ssl-type SNI
az functionapp config ssl unbind --resource-group <resource-group-name> --name <function-app-name> --certificate-thumbprint <thumbprint>
az functionapp config ssl upload --resource-group <resource-group-name> --name <function-app-name> --certificate-file <file-path> --certificate-password <password> --load-to-code true
az functionapp config ssl import --resource-group <resource-group-name> --name <function-app-name> --key-vault <key-vault-name> --key-vault-certificate-name <certificate-name> --load-to-code true --enable-using-msi true
az functionapp flex-migration list

History Notes

[App Service] az functionapp config ssl: Support site-scoped certificates for Flex consumption
[App Service] az functionapp flex-migration: Allow migrating Linux consumption apps with certificates

This checklist is used to make sure that common guidelines for a pull request are followed.

@patelchandni patelchandni requested a review from NoriZC as a code owner May 26, 2026 19:12
Copilot AI review requested due to automatic review settings May 26, 2026 19:12
@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented May 26, 2026
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented May 26, 2026
edited
Loading

⚠️AzureCLI-BreakingChangeTest
⚠️appservice
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd functionapp config ssl delete cmd functionapp config ssl delete added parameter name
⚠️ 1006 - ParaAdd functionapp config ssl import cmd functionapp config ssl import added parameter enable_using_msi
⚠️ 1006 - ParaAdd functionapp config ssl import cmd functionapp config ssl import added parameter load_to_code
⚠️ 1006 - ParaAdd functionapp config ssl list cmd functionapp config ssl list added parameter name
⚠️ 1006 - ParaAdd functionapp config ssl show cmd functionapp config ssl show added parameter name
⚠️ 1006 - ParaAdd functionapp config ssl upload cmd functionapp config ssl upload added parameter load_to_code
⚠️ 1006 - ParaAdd webapp config ssl delete cmd webapp config ssl delete added parameter name
⚠️ 1006 - ParaAdd webapp config ssl import cmd webapp config ssl import added parameter enable_using_msi
⚠️ 1006 - ParaAdd webapp config ssl import cmd webapp config ssl import added parameter load_to_code
⚠️ 1006 - ParaAdd webapp config ssl list cmd webapp config ssl list added parameter name
⚠️ 1006 - ParaAdd webapp config ssl show cmd webapp config ssl show added parameter name
⚠️ 1006 - ParaAdd webapp config ssl upload cmd webapp config ssl upload added parameter load_to_code

@yonzhan
Copy link
Copy Markdown
Collaborator

yonzhan commented May 26, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service Bot added the Auto-Assign Auto assign by bot label May 26, 2026
Copilot AI reviewed May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates App Service Function App SSL certificate flows and Flex migration behavior to better support Flex Consumption, primarily by switching Flex apps to site-scoped certificate operations and by allowing migration with certificate-related warnings instead of hard failures.

Changes:

  • Updated Flex migration eligibility checks to emit warning notes (SSL bindings / WEBSITE_LOAD_CERTIFICATES) rather than blocking migration.
  • Added Flex-specific SSL parameters and logic (e.g., --load-to-code, --enable-using-msi, optional --name for certain functionapp config ssl commands).
  • Adjusted tests and recordings to reflect the new behavior and API interactions.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/azure-cli/azure/cli/command_modules/appservice/custom.py Adds Flex-aware certificate handling (site-scoped cert APIs) and changes flex-migration eligibility to warnings; introduces new params support in certificate upload/import/bind logic.
src/azure-cli/azure/cli/command_modules/appservice/_params.py Adds/extends CLI arguments for Function App SSL commands to support Flex Consumption scenarios.
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py Updates a mock-based test to account for is_flex_functionapp usage.
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py Updates Flex migration live tests to expect eligibility-with-warning behavior for cert-related scenarios.
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_webapp_ssl_specify_hostname.yaml Updates recorded HTTP interactions for SSL upload/bind/unbind flows.
Comments suppressed due to low confidence (1)

src/azure-cli/azure/cli/command_modules/appservice/custom.py:6767

  • upload_ssl_cert opens the certificate file with open() but never closes it. Please use a context manager (with open(...) as f:) to avoid leaking file descriptors, especially in long-running CLI sessions/tests.
    webapp = _generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'get', slot)
    cert_file = open(certificate_file, 'rb')
    cert_contents = cert_file.read()

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/azure-cli/azure/cli/command_modules/appservice/custom.py
Comment on lines +1185 to +1186
warnings.append("The site '{}' is using TSL/SSL certificates. "
"Site-scoped TSL/SSL certificates are supported in Flex Consumption in preview. "
Comment thread src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py
self.assertTrue(eligible_ssl_functionapp_name in candidate_names)
ssl_candidate = next((c for c in candidates if c.get('name') == eligible_ssl_functionapp_name), None)
self.assertIsNotNone(ssl_candidate)
self.assertIn('TSL/SSL certificates', ssl_candidate.get('note', ''))
@yonzhan yonzhan assigned yanzhudd and unassigned zhoxing-ms May 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@NoriZC NoriZC Awaiting requested review from NoriZC NoriZC is a code owner

@yanzhudd yanzhudd Awaiting requested review from yanzhudd yanzhudd is a code owner

@teresaritorto teresaritorto Awaiting requested review from teresaritorto teresaritorto is a code owner

@yonzhan yonzhan Awaiting requested review from yonzhan

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

At least 1 approving review is required to merge this pull request.

Assignees

@yanzhudd yanzhudd

Labels

act-observability-squad Auto-Assign Auto assign by bot Functions az functionapp

Projects

None yet

Milestone

July 2026 (2026-07-07)

Development

Successfully merging this pull request may close these issues.

5 participants

@patelchandni @yonzhan @zhoxing-ms @yanzhudd