Skip to content

feat: add Azure Function for authenticated dataset downloads#17

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1779168326-azure-function-download
Open

feat: add Azure Function for authenticated dataset downloads#17
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1779168326-azure-function-download

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented May 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a Python Azure Function (api/ directory) that serves as an authenticated download proxy for open-data datasets. The function:

  1. Sits behind Entra ID Easy Auth (configured in infra-azure)
  2. Validates the requested file against an allowlist of known datasets
  3. Uses its managed identity to generate a user delegation SAS token (5-minute TTL)
  4. Returns a 302 redirect to the SAS URL → browser downloads the file
File Purpose
api/function_app.py HTTP trigger — validate, generate SAS, redirect
api/requirements.txt azure-functions, azure-identity, azure-storage-blob
api/host.json Function runtime config
.github/workflows/deploy-function.yaml Zip deploy to Azure on push to main (api/ path filter)
.gitignore / .dockerignore Exclude function runtime artifacts; exclude api/ from Docker image build

Review & Testing Checklist for Human

This is a medium-risk change (new code + deployment workflow, but function is simple):

  • Review function_app.py — verify the SAS token generation logic and the ALLOWED_FILES set matches the current datasets
  • Verify deploy-function.yaml references the correct function app name (bcit-tlu-opendata-dl) matching the infra-azure Terraform
  • After merging the companion infra-azure PR and running terraform apply, configure GitHub secrets: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID (from terraform output github_oidc)
  • Create a production environment in the open-data repo settings (required by the deployment workflow)

Test plan:

  1. Merge companion infra-azure #14 first and run terraform apply
  2. Merge this PR — the deploy-function.yaml workflow triggers on push to main
  3. Test: curl -v "https://bcit-tlu-opendata-dl.azurewebsites.net/api/download?file=roledetails.zip"
  4. With Easy Auth enabled, test in browser with BCIT credentials

Notes

  • The local.settings.json is gitignored — it's only for local development with Azure Functions Core Tools.
  • datasets.json URL updates (pointing download links to the function endpoint) will be a follow-up PR once the function is deployed and tested.
  • Companion PR: infra-azure #14 — adds the Function App infrastructure, RBAC, and GitHub OIDC identity.

Link to Devin session: https://app.devin.ai/sessions/96d3707e572d4c968d5bfa32f62562e8
Requested by: @kphunter

Adds a Python Azure Function that authenticates BCIT users via
Entra ID Easy Auth and generates short-lived SAS URLs for dataset
downloads from Azure Blob Storage.

- api/function_app.py: HTTP trigger that validates file names,
  creates user delegation SAS tokens, and returns 302 redirect
- api/requirements.txt: azure-functions, azure-identity, azure-storage-blob
- deploy-function.yaml: GitHub Actions workflow for zip deployment
- .gitignore/.dockerignore: exclude function runtime artifacts

Co-Authored-By: kyle_hunter@bcit.ca <kyle_hunter@bcit.ca>
@devin-ai-integration

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant