SAS is a Storage-as-a-Service platform designed to automate storage allocation in EDU institutions. Its main goal is to provide agility to stakeholders on having access to object storage infrastructure in Microsoft Azure.
Some of the capabilities currently provided by the system are:
- Dynamic creation of top level folder and file systems in Azure Data Lake Storage (ADLS) Gen 2.
- Dynamic addition of object owner as "Execute" in File System's ACL.
- Automatic creation of initial folder under the File System.
- Dynamic addition of folder's owner under initial folder.
- Exposure of "how to use" the storage infrastructure through Web UI.
In order to deploy this solution to your environment, you'll need to set up some variables in the build process and create a static web app in Azure. To accomplish this, do the following:
- Fork the code
- Create a Static Web App
- Create an application registration
- Prepare the storage accounts
- Add a GitHub secret
- Configure the Static Web App
- Build
Fork this repo into your GitHub account. You can name the repo whatever you like.
- Navigate to the Azure Portal and create a new Static Web App.
- Name the app according to your organization's naming convention.
- Choose the Standard hosting plan, which is required to enable custom authentication.
- Select your preferred region.
- Select Other as the deployment source.
- Select Review + create and Create.
When the Static Web App is created, copy the Static Web App's URL for use later.
Select Manage deployment token and copy the token for use later.
Follow these steps to create a new Application Registration in Azure Active Directory:
- In the Azure Portal, navigate to Azure Active Directory.
- Select App registrations.
- Select + New registration.
- Provide an application name of your choice. Your users might need to consent, so make the application name descriptive. You can grant admin consent for the entire organization.
- Choose the single tenant option.
- For Redirect URI, select Web and paste the URL of your Static Web App followed by /.auth/login/aad/callback. For example, the redirect URI might be https://awesome-sauce-1234abcd.azurestaticapps.net/.auth/login/aad/callback.
- Select Register to create the application registration.
When the application registration is created, copy the Directory (tenant) ID and Application (client) ID for use later.
- Select Authentication in the menu bar of the application registration.
- In the Implicit grant and hybrid flows section, select ID tokens (used for implicit and hybrid flows).
- Select Save.
- Go to the Azure AD app registration and add a URL to the Front-channel logout URL. Paste the URL of your Static Web App followed by /.auth/logout/aad/callback.
- Select Certificates & secrets in the menu bar of the application registration.
- In the Client secrets section, select + New client secret.
- Enter a name for the client secret. For example, MyStaticWebApp.
- Choose an appropriate expiration timeframe for the secret.
  Note: You must rotate the secret before the expiration date by generating a new secret and updating the application settings with the new value.
- Select Add.
Copy the value of the client secret for use later.
The App Registration requires an Admin-level permission to be granted. Navigate to the app registration and select API Permissions. Select Add a permission and choose Microsoft Graph. Select Application Permissions and search for User.Read.All. Select User.Read.All and then add permissions.
When done, select the button that says Grant admin consent for (your tenant name). You will need to have the correct Azure AD permissions to do so, such as Global Admin.
In order to allow this application to modify storage accounts, you need to assign two roles, Storage Blob Data Owner and User Access Administrator, to the application registration on each of the storage accounts to be managed.
If you named the application Storage-as-a-Service, the RBAC entry would look like this:
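The same two role assignments can be made from the Azure CLI instead of the portal. This is an added example, not a script from the SAS repository; it assumes the Azure CLI is installed and logged in, that `APP_ID` is the Application (client) ID copied earlier, and that the account list uses the same comma-separated format as the `DATALAKE_STORAGE_ACCOUNTS` setting. The scope is always the individual storage account, never the subscription, so the User Access Administrator role cannot be exercised outside the managed accounts.

```shell
#!/bin/sh
# Added example (not part of the SAS project): assign the two roles the README
# requires to the app registration, scoped to each storage account only.
set -eu

# One role per line; both are required for SAS to manage an account.
ROLES='Storage Blob Data Owner
User Access Administrator'

# Resolve one storage account name to its resource ID (the assignment scope).
# With DRY_RUN=1 a constructed placeholder ID is returned so the commands can be
# reviewed without an Azure login; the subscription and resource group shown
# there are placeholders, not real values.
account_scope() {
  account="$1"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.Storage/storageAccounts/%s\n' "$account"
  else
    az storage account show --name "$account" --query id -o tsv
  fi
}

# assign_roles <app (client) id> <comma-separated account names>
# Prints the az command per account and role when DRY_RUN=1, otherwise runs it.
assign_roles() {
  app_id="$1"
  accounts_csv="$2"
  printf '%s\n' "$accounts_csv" | tr ',' '\n' | tr -d ' ' | while IFS= read -r account; do
    [ -n "$account" ] || continue            # tolerate trailing commas
    scope=$(account_scope "$account")
    printf '%s\n' "$ROLES" | while IFS= read -r role; do
      if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' "$app_id" "$role" "$scope"
      else
        az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" >/dev/null
        printf "assigned '%s' on %s\n" "$role" "$account"
      fi
    done
  done
}

# Usage: DRY_RUN=1 APP_ID=<client id> DATALAKE_STORAGE_ACCOUNTS=acct1,acct2 sh assign-roles.sh
if [ -n "${APP_ID:-}" ] && [ -n "${DATALAKE_STORAGE_ACCOUNTS:-}" ]; then
  assign_roles "$APP_ID" "$DATALAKE_STORAGE_ACCOUNTS"
fi
```

Run it once with `DRY_RUN=1` and check that every printed `--scope` ends in `storageAccounts/<name>` before running it for real.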
The GitHub workflow needs repository secrets in order to deploy the code to the app in Azure. Create the following repository secrets by going to Settings -> Secrets.
Secret | Value | Notes |
---|---|---|
SAS_DEPLOYMENT_TOKEN | The deployment token of your Static Web App. | |
AZURE_TENANT_ID | Your Azure AD tenant ID. | |
Add the following application settings to the Static Web App using the Configuration pane.
Name | Value |
---|---|
AZURE_CLIENT_ID | The application ID from the app registration. |
AZURE_CLIENT_SECRET | The application secret from the app registration. |
AZURE_TENANT_ID | The tenant ID of your Azure AD. |
COST_PER_TB | A numeric value for your monthly cost per terabyte of storage. |
DATALAKE_STORAGE_ACCOUNTS | A comma-separated list of one or more ADLS Gen2 storage account names that have been prepared following the instructions above. |
FILESYSTEMS_API_KEY | The shared API key to POST to the FileSystems API to create new containers. We recommend retrieving this secret from Key Vault. |
CONFIGURATION_API_KEY | The shared API key to call the Configuration API. We recommend retrieving this secret from Key Vault. |
Run the Azure Static Web Apps CI/CD workflow.
Optional, but recommended.
Go back to the Static Web App and select Application Insights. Enable Application Insights and select the instance you wish to use, or create a new one from this location.