Refactor Azure Functions integration and enhance project structure

[spboyer]

Refactor the integration of Azure Functions and improve the project structure. Update the Dockerfile for Python 3.10, enhance the development environment, and expand the README with installation and security practices. Implement logging in function handlers, add new API routes, and update Bicep templates for better resource management. Introduce a security scan workflow and add a Code of Conduct and Security Policy. Update dependencies for better management.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[paulyuk]

I like what this PR is aiming to do, but I'd ask we collab on a few implementation details:

• this should use the Azure Functions Python v2 programming model, which would mean no function.json, having the right decorators, etc.
• we have a supported extension now for http streaming and fast API, as documented here. This can eliminate the whole wrapper and custom streams approach attempted currently in the sample and PR.
• this uses Consumption v1 Linux (Y1) plan which is headed towards deprecation. We should use Flex Consumption plan, MI, and optional VNET like in our other samples. Consider using 100% of the ./infra folder in this Python function http quickstart to obtain updated secure bicep for Flex.
• the dockerfile should be optional so this starts as a native Function. But if dockerfile is requirement, then I suppose this would turn into an ACA sample. I just dont want to make that fork in the road too complex.
• the codespaces folder should xcopy this updated improved one that works with Functions: https://github.com/Azure-Samples/functions-quickstart-python-http-azd/tree/main/.devcontainer
• the readme should be updated so azure-samples metadata is not visible. you can do this by surrounding the metadata in a comment, like this: https://github.com/Azure-Samples/functions-quickstart-python-http-azd/blob/main/README.md?plain=1#L1C1-L16C4.

@spboyer and @pamelafox could we collab and merge a rev of this with the points above handled?

[paulyuk]

@copilot please address my comments and Pamelafox's

[Copilot]

Pull Request Overview

Refactors Azure Functions integration with FastAPI, enhances infrastructure templates, updates the development container, and expands project documentation and security practices.

• Reworked function_app entrypoint using FunctionApp and ASGI middleware, removed previous wrapper approach
• Parameterized and improved Bicep templates (resource group logic, tags, role assignment, outputs)
• Updated devcontainer Dockerfile to Python 3.10, added security scan workflow, and expanded README/SECURITY docs

Reviewed Changes

Copilot reviewed 22 out of 24 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
startup.py	Added simple FastAPI test route
infra/main.bicep	Parameterized resource group, tags, module renames, outputs
infra/core/storage/storage-account.bicep	Added new storage account parameters and updated resource blocks
infra/core/host/functions.bicep	Enabled managed identity, skip role assignment logic, added roleAssignment
infra/core/host/appservice.bicep	Unified tags with azd-service-name
host.json	Expanded logging config, bumped extensionBundle version, set timeout
function_app.py	Defined FastAPI routes, created FunctionApp, applied ASGI middleware
SECURITY.md	Added security policy template
README.md	Expanded installation instructions, features, and security notice
.devcontainer/Dockerfile	Switched base image to Python 3.10, venv creation, updated tools
.github/workflows/security-scan.yml	Introduced weekly security scan workflow

Comments suppressed due to low confidence (3)

SECURITY.md:8

• Replace the placeholder '[SECURITY CONTACT EMAIL]' with an actual security contact email address.

2. Send details of the vulnerability to [SECURITY CONTACT EMAIL].

README.md:91

• [nitpick] There's a second '## Prerequisites' section here. Consider consolidating duplicate sections to improve the README's clarity.

## Prerequisites

infra/main.bicep:18

• Using uniqueString(name) reduces the uniqueness domain compared to the original uniqueString(subscription().id, name, location), which may cause name collisions across subscriptions or regions. Consider reverting to the original inputs for collision safety.

var prefix = '${name}-${uniqueString(name)}'

[paulyuk]

Please see comments and resolve.

[spboyer]

@paulyuk @pamelafox All review feedback has been addressed:

Python v2 Migration: Removed HttpTrigger/, WrapperFunction/, root function.json, startup.py, .azuredeployrc.json. Rewrote function_app.py to use func.AsgiFunctionApp.

Infra (AVM Bicep): Replaced entire infra/ with AVM-based Bicep from functions-quickstart-python-http-azd. Flex Consumption SKU (FC1), managed identity, VNet support.

README & DevContainer: Azure CLI → Azure Developer CLI (azd). Flex Consumption plan. Reverted devcontainer title. Fixed venv in postCreateCommand.

Security: Added top-level permissions to both workflow files (checkov CKV2_GHA_1).

Ready for re-review!