Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/FUNDING.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# These are supported funding model platforms

github:, [Nano-Core]
34 changes: 34 additions & 0 deletions .github/workflows/build-and-deploy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Build and Deploy
on:
pull_request:
branches:
- master
push:
branches:
- master
env:
VERSION: 10.0.0-rc1
jobs:
build-and-deploy:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
concurrency:
group: ${{ github.repository }}
cancel-in-progress: false
steps:
- uses: actions/checkout@v6

- name: GitHub Release
if: github.ref == 'refs/heads/master'
uses: ncipollo/release-action@v1
with:
tag: v${{ env.VERSION }}.${{ github.run_number }}
name: "Release ${{ env.VERSION }}"
body: |
Version: ${{ env.VERSION }}
Commit: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
draft: false
prerelease: ${{ contains(env.VERSION, '-') }}
11 changes: 11 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
.vs
*.user
*.userprefs
*.suo
_ReSharper*
**/bin
**/obj
*.DotSettings.User
packages
.env
**/Properties/launchSettings.json
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2026 Nano-Core
Copyright (c) 2024 Nano Core

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
Expand Down
82 changes: 82 additions & 0 deletions Nano.Azure.Account/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
# Nano.Azure.Account

> _Azure account and environments, including tenant access, subscriptions, and deployment identities_

***

## Table of Contents
* **[Summary](#summary)**
* **[Registration](#registration)**
* **[Account And Subscription](#account-and-subscription)**
* **[Service Principal](#service-principal)**
* **[Dependencies](#dependencies)**

## Summary
This is the foundation of the Nano Azure infrastructure. It prepares the Azure environment required to host Nano applications, including.

- Azure tenant access
- Subscription setup for environments
- Deployment identity (service principal)
- Secure configuration of CI/CD secrets

This component must be deployed first, as all other **[Nano.Azure](https://github.com/Nano-Core/Nano.Azure/tree/master/README.md#nanoazure)** components depend on it.

> 📖 Learn more about **[Microsoft Azure](https://azure.microsoft.com)**.

## Registration
There are no prerequisites for registering Azure providers when setting up the Azure account.

> ⚠️ Ensure all required variables are specified in the PowerShell script before execution.

### Account
First, create an **[Azure account](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account)** if you do not already have one.

### Subscription
Next, create a _Pay-As-You-Go_ (or another suitable offer) subscription for each required environment, such as **Staging** and **Production**, as well as any additional
environments you may need. This must be done directly in the Azure Portal using the
**[Create Subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/CatalogBlade/appId/AddSubscriptionButton)** page.

> ⚠️ Subscription creation is not supported via Azure CLI and must be completed in the Azure Portal.

Next, to enable automated deployments, store the tenant id of the Azure account and the subscription ids, as GitHub organization secrets.

| Secret | Type | Description |
| ----------------------------------------- | -------- |---------------------------------------------------------- |
| `AZURE_TENANT_ID` | Secrets | The account identifier of the Azure account. |
| `{{environment}}_AZURE_SUBSCRIPTION_ID` | Secrets | The identifier of the subscription of the environment. |

Open PowerShell and sign in to your Azure account. Select the appropriate subscription depending on the environment you are setting up.

```powershell
az login;
```

You can also set the subscription using.

```powershell
az account set -s {{subscription-id}};
```

To verify that you are signed in and connected to the correct subscription, use the following command. It should then show you the tenant and subscription id.

```powershell
az account show;
```

### Service Principal
Last, execute `deploy.ps1` to create the `nano-deploy-service-principal`. This service principal is used for deploying additional resources to the subscriptions. From the output,
note down the `appId` and `password`.

Then create the GitHub secrets as shown below.

To ge the values to set for the variables use this command.

| Secret | Type | Description |
| ---------------------- | -------- | -------------------------------------------------------------------------- |
| `AZURE_CLIENT_ID` | Secrets | The app id of the service principal for use with deployments. |
| `AZURE_CLIENT_SECRET` | Secrets | The secret (password) used for authentication for the service-principal. |

> 💡 If you later need to retrieve information about the created service principal, you can find it in **[Azure App Registrations](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)**.

## Dependencies
The repository has no dependencies and must be the first component created when setting up the Nano infrastructure. All other deployments depend on it.
12 changes: 12 additions & 0 deletions Nano.Azure.Account/deploy.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
$env:AZURE_SUBSCRIPTION_ID_STAGING = "";
$env:AZURE_SUBSCRIPTION_ID_PRODUCTION = "";
$env:SERVICE_PRINCIPAL_NAME = "nano-deploy-service-principal";

## Service Principal
az ad sp create-for-rbac `
--name $env:SERVICE_PRINCIPAL_NAME `
--role Contributor `
--scope `
"/subscriptions/$env:AZURE_SUBSCRIPTION_ID_STAGING" `
"/subscriptions/$env:AZURE_SUBSCRIPTION_ID_PRODUCTION" `
--years 2;
38 changes: 38 additions & 0 deletions Nano.Azure.Backup/.diagnostic-settings/logs.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
[
{
"category": "AzureBackupReport",
"enabled": true
},
{
"category": "CoreAzureBackup",
"enabled": true
},
{
"category": "AddonAzureBackupJobs",
"enabled": true
},
{
"category": "AddonAzureBackupAlerts",
"enabled": true
},
{
"category": "AddonAzureBackupPolicy",
"enabled": true
},
{
"category": "AddonAzureBackupStorage",
"enabled": true
},
{
"category": "AddonAzureBackupProtectedInstance",
"enabled": true
},
{
"category": "ASRReplicatedItems",
"enabled": true
},
{
"category": "AzureBackupOperations",
"enabled": true
}
]
7 changes: 7 additions & 0 deletions Nano.Azure.Backup/.diagnostic-settings/metrics.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
[
{
"category": "AllMetrics",
"enabled": true,
"timeGrain": "PT1M"
}
]
76 changes: 76 additions & 0 deletions Nano.Azure.Backup/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# Nano.Azure.Backup

> _Centralized data backup and recovery for Nano._

***

## Table of Contents
* **[Summary](#summary)**
* **[Registration](#registration)**
* **[Backup Vault](#backup-vault)**
* **[Data Redundancy](#data-redundancy)**
* **[Immutability State](#immutability-state)**
* **[Diagnostics Settings](#diagnostics-settings)**
* **[Alerts](#alerts)**
* **[Dependencies](#dependencies)**

## Summary
Azure Backup Vault is a cloud-based service that securely stores backup data for Azure resources like virtual machines, storage accounts, databases, and more. It provides
centralized management, automated backup scheduling, and encryption for data protection. With flexible retention policies, it supports efficient disaster recovery and ensures
your data is protected and recoverable in the event of a failure or loss.

Create a Backup Vault used for file share and database backups, as well as other backup-enabled resources.

> 📖 Learn more about **[Azure Backup](https://learn.microsoft.com/azure/backup)**.

## Registration
Start by registering the required Azure providers and creating the resource group, by executing the top part of the `deploy.ps1`.

> ⚠️ Ensure all required variables are specified in the PowerShell script before execution.

Add the resource group name as GitHub organization variables.

| Secret | Type | Description |
| ------------------------------- | ------- |----------------------------------------------- |
| `AZURE_RESOURCE_GROUP_BACKUP` | vars | The Azure resource group of the backup vault. |

### Backup Vault
Execute the next part of the `deploy.ps1` to create the backup vault on Azure.

By default, the Backup Vault is configured with `--soft-delete-feature-state` enabled and `--soft-delete-duration` set to 14 days. Use `az backup vault backup-properties set` to
customize these settings. This also means that backup items created from protected Azure resources can prevent the vault from being deleted until the configured soft-delete
retention period has expired or the source has been unregistered.

### Data Redundancy
The `--backup-storage-redundancy` parameter defines how backup data is replicated for durability. In this case, it is set to `ZoneRedundant`, meaning data is replicated across
multiple availability zones within the same region to protect against zonal failures. Other options are `LocallyRedundant`, which stores copies within a single region, and
`GeoRedundant`, which replicates data to a secondary region for broader disaster recovery protection.

### Immutability State
By default, immutability is set to `Unlocked`, meaning it is enabled but can still be modified or disabled at a later stage. It is recommended to set the value to `Locked`. In
`Locked` mode, immutability is permanently enforced and cannot be reversed, ensuring that backup data is protected against deletion or modification for the configured
retention period.

### Diagnostics Settings
Next, execute the script section that configures diagnostic settings for the backup vault.

The diagnostic settings for backup metrics are configured to `AllMetrics` with a 1-minute aggregation interval, which can be adjusted if required. This ensures high-resolution
monitoring of backup performance data. The logs configuration includes all Backup-related logs, while Site Recovery logs are excluded as they are not used by Nano. The full list
of supported metric categories for the backup resource can be retrieved using the following command.

```powershell
az monitor diagnostic-settings categories list --resource $env:BACKUP_ID;
```

### Alerts
The alerts used are the default Azure Backup alerts.

An Alert Processing Rule is configured to route these alert notifications through the Action Group created as part of
**[Nano.Azure.Monitoring](https://github.com/Nano-Core/Nano.Azure/tree/master/Nano.Azure.Monitoring/README.md#nanoazuremonitoring)**.

## Dependencies
Backup has the following dependencies that must be deployed or otherwise satisfied prior to setup.

| Dependency | Description |
| ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| **[Nano.Azure.Monitoring](https://github.com/Nano-Core/Nano.Azure/tree/master/Nano.Azure.Monitoring/README.md#nanoazuremonitoring)** | Components for centralized monitoring and logging |
62 changes: 62 additions & 0 deletions Nano.Azure.Backup/deploy.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
$env:ENVIRONMENT = "";
$env:AZURE_LOCATION = "Sweden Central";
$env:AZURE_RESOURCE_GROUP = "Nano-Backup";
$env:AZURE_RESOURCE_GROUP_LOGS = "Nano-Logs";
$env:APP_NAME = "nano-backup-vault-" + $env:ENVIRONMENT.ToLower();

# Register Providers
az provider register --namespace Microsoft.RecoveryServices;

# Resource Group
az group create `
-n $env:AZURE_RESOURCE_GROUP `
-l $env:AZURE_LOCATION;

# Backup Vault
az backup vault create `
-n $env:APP_NAME `
-g $env:AZURE_RESOURCE_GROUP `
-l $env:AZURE_LOCATION `
--immutability-state Unlocked `
--job-failure-alerts Enable `
--cross-subscription-restore-state Enable `
--classic-alerts Disable `
--public-network-access Disable;

# Data Redundancy
az backup vault backup-properties set `
-n $env:APP_NAME `
-g $env:AZURE_RESOURCE_GROUP `
--backup-storage-redundancy ZoneRedundant;

# Immutability State (Optional)
az backup vault update `
-n $env:APP_NAME `
-g $env:AZURE_RESOURCE_GROUP `
--immutability-state Locked;

# Diagnostics Settings
$env:BACKUP_ID = az backup vault show -g $env:AZURE_RESOURCE_GROUP -n $env:APP_NAME --query id -o tsv;
$env:DIAGNOSTIC_SETTINGS_NAME = "diagnostics-" + $env:APP_NAME;
$env:WORKSPACE_ID = az monitor log-analytics workspace list -g $env:AZURE_RESOURCE_GROUP_LOGS --query [0].[id] -o tsv;

az monitor diagnostic-settings create `
--name $env:DIAGNOSTIC_SETTINGS_NAME `
--workspace $env:WORKSPACE_ID `
--resource $env:BACKUP_ID `
--logs '@.diagnostic-settings/logs.json' `
--metrics '@.diagnostic-settings/metrics.json';

# Alerts
$env:BACKUP_ID = az backup vault show -g $env:AZURE_RESOURCE_GROUP -n $env:APP_NAME --query id -o tsv;
$env:AZURE_RESOURCE_GROUP_ID = az group show -n $env:AZURE_RESOURCE_GROUP --query id -o tsv;
$env:ACTION_GROUP = az monitor action-group list -g $env:AZURE_RESOURCE_GROUP_LOGS --query [0].[id] -o tsv;
$env:WORKSPACE_ID = az monitor log-analytics workspace list -g $env:AZURE_RESOURCE_GROUP_LOGS --query [0].[id] -o tsv;

az monitor alert-processing-rule create `
--name 'Backup Alert Processing Rule ' `
--resource-group $env:AZURE_RESOURCE_GROUP `
--scope $env:BACKUP_ID `
--rule-type AddActionGroups `
--action-groups $env:ACTION_GROUP `
--enabled true;
Loading