Recently I had to make a few changes, as I had some demos using the storage SFTP capability and the rollout by Microsoft of additional costs for the SFTP capability was going to eat up my MSDN credits quickly.
I ran the below Kusto query to check which storage accounts might have had SFTP enabled.
resources
| where type contains "storage"
| extend sftpEnabled = properties.isSftpEnabled
| where isnotnull(sftpEnabled)
| project name, sftpEnabled, resourceGroup
| where sftpEnabled == "true"
I only had one of them so that was good.
Microsoft have set the pricing so you only pay per hour when the SFTP service is enabled, so I decided to see if I could enable SFTP only when my demo is running and disable it at other times.
I wanted to see if I could use a Logic App to automate the enabling and disabling of my SFTP service to reduce cost.
Creating the Logic App
I created a blank logic app and then set it to use a managed identity. In my case I chose a user assigned one which I already have, but you could also use a system assigned one just as easily.
The reason we need the managed identity is so that we can connect to the Azure management API using the managed identity and we will give the managed identity permission to modify the storage account.
Setting IAM on the Storage Account
I need permission to modify the storage account. As mine was just a demo I could assign the Contributor RBAC permission at the scope of the Storage Account to the managed identity used by the Logic App.
I think you could probably use the Storage Account Contributor role if you wanted to be a little more fine grained – (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-contributor)
I want to start my SFTP service on the storage account at 1am each day, then wait for an hour while the demo runs, and then disable the SFTP service. The Logic App provides scheduling and will then call Azure to enable the SFTP service.
Below is the logic in my workflow.
It's really easy to call the management API on Azure once you have a managed identity configured with the right permissions.
Below is the call to enable the SFTP service.
Below is the call to disable the SFTP service.
If I want to check the status of the storage account I can run the below action.
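The workflow described above (recurrence at 1am, enable SFTP, wait an hour, disable SFTP), written as a Consumption workflow definition. This is an added example, not the author's own workflow; the trigger and action names, the api-version and the angle-bracket placeholders are assumptions to replace with your own values.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "Daily_1am": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Day", "interval": 1, "schedule": { "hours": [1], "minutes": [0] } }
      }
    },
    "actions": {
      "Enable_SFTP": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "PATCH",
          "uri": "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>?api-version=2023-01-01",
          "body": { "properties": { "isSftpEnabled": true } },
          "authentication": { "type": "ManagedServiceIdentity", "identity": "<user-assigned-identity-resource-id>", "audience": "https://management.azure.com/" }
        }
      },
      "Wait_for_demo": {
        "type": "Wait",
        "runAfter": { "Enable_SFTP": ["Succeeded"] },
        "inputs": { "interval": { "count": 1, "unit": "Hour" } }
      },
      "Disable_SFTP": {
        "type": "Http",
        "runAfter": { "Wait_for_demo": ["Succeeded"] },
        "inputs": {
          "method": "PATCH",
          "uri": "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>?api-version=2023-01-01",
          "body": { "properties": { "isSftpEnabled": false } },
          "authentication": { "type": "ManagedServiceIdentity", "identity": "<user-assigned-identity-resource-id>", "audience": "https://management.azure.com/" }
        }
      }
    },
    "outputs": {}
  }
}
```

A GET on the same URI with the same authentication block returns the storage account, and properties.isSftpEnabled in the response shows the current state.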
Hopefully you can see how easy it is to use a Logic App to automate the storage account changes, which can result in an easy cost saving. These ad hoc automations are awesome use cases for Logic App Consumption.