SAS for EDU

SAS is a Storage-as-a-Service platform designed to automate storage allocation in EDU institutions. Its main goal is to provide agility to stakeholders on having access to object storage infrastructure in Microsoft Azure.

Some of the capabilities currently provided by the system are:

• Dynamic creation of top level folder and file systems in Azure Data Lake Storage (ADLS) Gen 2.
• Dynamic addition of object owner as "Execute" in File System's ACL.
• Automatic creation of initial folder under the File System.
• Dynamic addition of folder's owner under initial folder.
• Exposure of "how to use" the storage infrastructure through Web UI.

Deploy SAS for EDU

In order to deploy this solution to your environment, you'll need to setup some variables in the build process and create a static web app in Azure. To accomplish this, do the following:

1. Fork the code
2. Create a Static Web App
3. Create an application registration
4. Prepare the storage accounts
5. Add a GitHub secret
6. Configure the Static Web App
7. Configure Custom Authentication
8. Build

Fork the code

Fork this repo into your GitHub account. You can name the repo whatever you like.

Create a Static Web App

1. Navigate to the Azure Portal and create a new Static Web App.
2. Name the app according to your organization's naming convention.
3. Choose the Standard hosting plan, which is required to enable custom authentication.
4. Select your preferred region.
5. Select Other as the deployment source.
6. Select Review + create and Create.

When the Static Web App is created, copy the Static Web App's URL for use later.

Select Manage deployment token and copy the token for use later.

Create an Application Registration

Follow these steps to create a new Application Registration in Azure Active Directory:

1. In the Azure Portal, navigate to Azure Active Directory.

2. Select App registrations.

3. Select + New registration.

4. Provide an application name of your choice. Your users might need to consent, so make the application name descriptive.

   You can grant admin consent for the entire organization.

5. Choose the single tenant option.

6. For Redirect URI, select Web and paste the URL of your Static Web App followed by /.auth/login/aad/callback.

   For example, the redirect URI might be https://awesome-sauce-1234abcd.azurestaticapps.net/.auth/login/aad/callback.

7. Select Register to create the application registration.

When the application registration is created, copy the Directory (tenant) ID and Application (client) ID for use later.

Create a client secret

1. Select Certificates & secrets in the menu bar of the application registration.

2. In the Client secrets section, select + New client secret.

3. Enter a name for the client secret. For example, MyStaticWebApp.

4. Choose an appropriate expiration timeframe for the secret.

   Note

   You must rotate the secret before the expiration date by generating a new secret and updating the application settings with the new value.

5. Select Add.

Copy the value of the client secret for use later.

Enable ID tokens

1. Select Authentication in the menu bar of the application registration.
2. In the Implicit grant and hybrid flows section, select ID tokens (used for implicit and hybrid flows).
3. Select Save.

Add logout URL

Required

TODO: pending

Prepare the storage accounts

In order to allow this application to modify storage accounts, you need to assign the Storage Blob Data Owner role to the application registration for each of the storage accounts to be managed.

If you named the application Storage-as-a-Service, the RBAC entry would look like this:

Add a GitHub secret

The GitHub workflow has a required secret that enables it to deploy the code to the app in Azure. Create the following repository secrets by going to Settings -> Secrets.

Secret	Value	Notes
SAS_DEPLOYMENT_TOKEN		The deployment token of your Static Web App.

Configure the Static Web App

Add the following application settings to the Static Web App using the Configuration pane.

Name	Value
AZURE_CLIENT_ID	The application ID from the app registration.
AZURE_CLIENT_SECRET	The application secret from the app registration.
AZURE_TENANT_ID	The tenant ID of your Azure AD.
COST_PER_TB	A numeric value for your monthly cost per terabyte of storage.
DATALAKE_STORAGE_ACCOUNTS	A comma-separated list of one or more ADLS Gen2 storage account names that have been prepared following the instructions above.

Configure Custom Authentication

On GitHub, modify the fragment from src/sas.front/staticwebapp.config.json shown below:

{
  "auth": {
    "rolesSource": "/api/Roles",
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  }
}

Replace <TENANT_ID> with your Azure AD tenant ID that you copied earlier.

Commit the change directly to the main branch.

Build

Go to Actions in GitHub and review the workflow. It should have run automatically when your configuration change above was committed.

If it didn't, run the Azure Static Web Apps CI/CD workflow.

Monitor the application with Application Insights

Optional, but recommended.

TODO: Provide instructions to create a Log Analytics Workspace and Application Insights instance.