Azure functions deploy from github actions results in "Error: failed to fetch Kudu App Settings.Bad Request (CODE: 400)"

Question

I'm getting an error when trying to deploy an Azure Function app from a GitHub Action.

The error is

##[Initialize]
##[ValidateParameter]
##[ValidateAzureResource]
Using SCM credential for authentication, GitHub Action will not perform resource validation.

Error: Execution Exception (state: ValidateAzureResource) (step: Invocation)
Error: When request Azure resource at ValidateAzureResource, Get Function App Settings : Failed to acquire app settings (SCM)
Error: Failed to fetch Kudu App Settings.
Bad Request (CODE: 400)
Error: failed to fetch Kudu App Settings.
Bad Request (CODE: 400)

at Kudu. (D:\a_actions\Azure\functions-action\v1\node_modules\azure-actions-appservice-rest\Kudu\azure-app-kudu-service.js:62:23)
at Generator.next ()
at fulfilled (D:\a_actions\Azure\functions-action\v1\node_modules\azure-actions-appservice-rest\Kudu\azure-app-kudu-service.js:5:58)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
Error: Deployment Failed!

This has been working in exactly the same way for months - I have made 100s of deployments using it, but over the last couple of days its started failing (across multiple repos).

It's very similar to this question, but when I added my 'variant' of that problem I got trampled on and told to add as a new question - so here we are.

The difference in my case is that I'm not using a publish profile (at least not explicitly), instead I am using a service principal credential. It wouldn't surprise me int he least if this isn't using a publish profile under the covers (which is why I think my question is a variant of the one above).

Its very important that I don't have any manual steps in my deployment process - so I really need to find a fully automated workaround for this. I'm off to trawl through the code of the GitHub action, but in the meantime, does anyone happen to know how to fix this straight off?

Answer 1

For anyone looking into this, in my case this was due to IP Access Restrictions in my function - there was a limited set of allowed IP addresses.

There is an easy solution to this instead of manually adding Github Actions' Azure IP addresses - you can go to your function on Azure > Networking > Access Restriction

Once on that screen, when adding a rule instead of IPv4 address, choose Service Tag and search for AzureCloud service tag, which according to this opens all datacenter public IP addresses: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Initially I thought selecting ActionGroup service tag would work, but then had to revert to AzureCloud tag.

If anyone knows of a more restrictive tag to address this Kudo Github Actions issue instead of allowing all with AzureCloud, please comment.