Egnyte STP Batch Report Sync

Automated upload of approved STP batch reports from PSI’s S: drive to Bloom Energy’s Egnyte Daily Batch Reports folder. Replaces a manual shipping-clerk step.

  • Repo: egnyte-stp-sync
  • Type: Azure Logic App (Consumption) in PS-RG-01
  • Trigger: Every 5 minutes
  • Source: S:\Dept\JobShop\IC Production\0-batch reporting files\STP\APPROVED STP batch reports\
  • Destination: /Shared/Daily Batch Reports/ on bloomenergy.egnyte.com
  • Owner: IT

What it does

Every five minutes the Logic App:

  1. Lists *.xls? files in APPROVED STP batch reports\ via the existing PSI on-prem data gateway.
  2. Skips files still being written (lock files, anything modified in the last 60 seconds).
  3. Uploads each remaining file to Bloom Energy’s Daily Batch Reports/ folder using the Microsoft-published Egnyte connector.
  4. On a successful upload (or if the file already exists in Egnyte — treated as success for idempotency), copies the source to 0-moved to sugarsync\ and deletes the original.
  5. If any file failed to upload, posts a single alert to the IT Critical Notifications Teams chat via the PSI Notify Bot.

Why a Logic App and not a PowerShell scheduled task

The PSI user holds a standard-user (non-admin) role on Bloom Energy’s Egnyte tenant and cannot register an OAuth app there. The Microsoft-published Egnyte connector sidesteps this: Microsoft owns the OAuth app, and PSI only has to OAuth-consent the API connection once. The connector then acts under the consenting user’s standard-user permissions, which also bounds what the workflow can do in Egnyte to what that user can do. The flip side is that the consented token lives in the API connection resource in PS-RG-01: anyone who can edit the Logic App, or wire that connection into another workflow, can act in Egnyte as that user, so write access to the resource group should be granted with that in mind.

Logic Apps Consumption (not Power Automate Cloud) was chosen so the workflow definition is JSON that lives in GHE, deploys via Bicep, and is code-reviewable.

Architecture

APPROVED STP batch reports\<file.xlsm>
        |
        | (5-min schedule)
        v
[Logic App: egnyte-stp-sync]
   |
   +-- File System connector (via on-prem gateway)
   |        list / get-content / copy / delete
   |
   +-- Egnyte connector
   |        upload to /Shared/Daily Batch Reports/
   |
   +-- HTTP -> PSI Notify Bot
            (only on per-file upload failure)

Three API Connection resources (File System, Egnyte, Key Vault) are wired in via Bicep parameters. They are created once, interactively, in the portal, because OAuth consent and the gateway binding are interactive steps that ARM/Bicep cannot perform; a connection deployed from a template alone sits unauthenticated until someone completes them. See the repo’s docs/connections.md for the one-time setup.

Operations

Reading logs

Azure Portal → Resource Group PS-RG-01 → Logic App egnyte-stp-sync → Runs history. Each row is one 5-minute firing. The same data flows to the shared Log Analytics workspace under the WorkflowRuntime category.

Run outputs include uploaded_count, failed_count, and skipped_count.

Alerts

All operational alerts land in the IT Critical Notifications Teams chat via the PSI Notify Bot. The alert fires once per run when one or more files failed to upload, listing each failure with its status code and error message. Because the alert is tied to per-file upload failures, a run that fails before it reaches the upload loop (gateway offline, folder listing failed) posts nothing to Teams; it shows up only as a Failed run in Runs history, so check there if reports stop arriving without an alert.

Rotating the Egnyte consenting user

The Egnyte connection is OAuth-consented under whichever user authorized it; initially that is adevereaux@progressivesurface.com. Because the connection is tied to a named person, disabling that account or revoking its Egnyte access breaks every upload until someone re-authorizes, so include re-authorization in that person’s offboarding. If Bloom Energy later provisions a PSI service account, re-authorize the connection in the portal under that account; the connection resource ID doesn’t change, so no redeploy is needed.

See the repo’s docs/connections.md for steps.

Gotcha: the File System connection needs a real Windows account

The File System API connection must be authorized with an explicit Windows account that holds Modify rights on the STP folder tree. If the connection is left without an account, the on-prem gateway falls back to its own NT SERVICE\PBIEgwService virtual identity, which reaches the DFS share only through Everyone (Read). The symptom is subtle: Get file content (a read) succeeds, but Copy file into 0-moved to sugarsync\ (a write) fails with Access Denied, so files are uploaded to Egnyte but never leave the source folder and are picked up again on every subsequent run.

The account currently in use is a member of PTI_DOMAIN\Dept Modify. Any account with Modify on …\APPROVED STP batch reports\ (and its inherited subfolders) works — PTI_DOMAIN\Jobshop Group and PTI_DOMAIN\Dept Modify are the relevant groups.
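The following pre-flight check is an added example, not code from the egnyte-stp-sync repo. It covers both the selection rules in "What it does" (steps 1 and 2) and the write-access gotcha above: it lists the ACL on the source folder, applies the same *.xls? / lock-file / 60-second filter the Logic App applies, and then proves the account can create and delete inside 0-moved to sugarsync\, which is the half that the PBIEgwService fallback fails. It assumes the Excel "~$" lock-file prefix and that the archive folder sits directly under the source folder; neither is stated in this runbook, so adjust the parameters to match. Run it while logged on as (or via runas /user: as) the account bound to the File System connection, otherwise you test your own rights, not the gateway's.

```powershell
<#
Added pre-flight check; not code from the egnyte-stp-sync repo.
Run on a machine that mounts the S: drive, as the Windows account bound to the
File System API connection, so the result reflects that account's effective rights.
Assumptions (not stated in the runbook): Excel lock files carry the "~$" prefix,
and the archive folder "0-moved to sugarsync" sits directly under the source folder.
#>
param(
    [string]$Source = 'S:\Dept\JobShop\IC Production\0-batch reporting files\STP\APPROVED STP batch reports',
    [string]$Archive = (Join-Path $Source '0-moved to sugarsync'),   # assumption, see header
    [int]$MinAgeSeconds = 60                                         # the Logic App's "modified in the last 60 seconds" rule
)
$ErrorActionPreference = 'Stop'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Checking as $me"

# 1. Who is allowed what on the source folder. Look for a Modify (or FullControl)
#    Allow entry for the bound account or one of its groups (Dept Modify, Jobshop Group).
#    Only an Everyone / ReadAndExecute entry is the PBIEgwService-fallback situation.
(Get-Acl -Path $Source).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 2. The same selection the Logic App applies every five minutes:
#    *.xls? files, minus Excel lock files, minus anything written in the last $MinAgeSeconds.
$cutoff = (Get-Date).AddSeconds(-$MinAgeSeconds)
$all = @(Get-ChildItem -Path $Source -File -Filter '*.xls?')
$candidates = @($all | Where-Object { $_.Name -notlike '~$*' -and $_.LastWriteTime -lt $cutoff })
"Would upload: $($candidates.Count); skipped as locked or too new: $($all.Count - $candidates.Count)"
$candidates | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. Write probe. A read succeeds even under Everyone (Read), so only an actual
#    create-and-delete inside the archive folder proves the Modify right that the
#    Copy file / Delete file actions need.
$probe = Join-Path $Archive ('_write-probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
try {
    New-Item -Path $probe -ItemType File | Out-Null
    Remove-Item -Path $probe
    "WRITE OK: $me can create and delete in $Archive"
} catch {
    Write-Warning ("WRITE FAILED for {0} in {1}: {2} ({3})" -f $me, $Archive,
        $_.Exception.Message, $_.Exception.GetType().Name)
    Write-Warning 'If this is Access Denied, the File System connection is bound to no account (PBIEgwService fallback) or to one without Modify.'
}
```

If step 3 fails while step 1 shows a Modify entry for one of the groups in the text above, check that the account you ran as is actually a member of that group (group membership is only re-evaluated at logon) before touching the connection.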

Connection resource names

The three API connections were authorized through the Logic App designer, which auto-named them. The actual ARM resource names are filesystem-1, egnyte-2, and keyvault-1 (not the cleaner names the original design doc anticipated). The workflow’s internal logical names remain filesystem, egnyte, keyvault. infra/parameters.prod.json maps the logical names to those resource IDs.
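The check below is an added example, not code from the egnyte-stp-sync repo. It is the verification step for both the consent rotation described under "Rotating the Egnyte consenting user" and the naming note above: it reports the authentication status of every API connection in PS-RG-01 and confirms that the deployed workflow's $connections parameter really resolves filesystem, egnyte and keyvault to filesystem-1, egnyte-2 and keyvault-1. It assumes the Az.Accounts, Az.Resources and Az.LogicApp modules, an existing Connect-AzAccount session with Reader on the resource group, and that Get-AzLogicApp exposes the $connections parameter value as a JSON token (which is why it is round-tripped through text); it reads Azure metadata only and needs no Egnyte or Windows credentials.

```powershell
<#
Added operational check; not code from the egnyte-stp-sync repo.
Requires Az.Accounts, Az.Resources, Az.LogicApp and a Connect-AzAccount session
with Reader on PS-RG-01. Reads resource metadata only.
#>
$rg  = 'PS-RG-01'
$app = 'egnyte-stp-sync'
# Logical names used inside the workflow -> ARM resource names of the auto-named connections
$expected = @{ filesystem = 'filesystem-1'; egnyte = 'egnyte-2'; keyvault = 'keyvault-1' }

# 1. Auth state of every API connection in the resource group. After a consent
#    rotation, a disabled consenting user, or a Windows password change this is
#    where "Error" shows up first.
Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.Web/connections' -ExpandProperties |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Api    = $_.Properties.api.name
            Status = @($_.Properties.statuses | Select-Object -ExpandProperty status) -join ','
            Error  = @($_.Properties.statuses | ForEach-Object { $_.error.message }) -join ','
        }
    } | Format-Table -AutoSize

# 2. Confirm the deployed workflow is wired to the connections we think it is.
$wf = Get-AzLogicApp -ResourceGroupName $rg -Name $app
"Workflow state: $($wf.State)"
# Assumption: $connections arrives as a JSON token; round-trip it through text
# to get an ordinary PowerShell object keyed by logical name.
$wired = $wf.Parameters['$connections'].Value.ToString() | ConvertFrom-Json
foreach ($logical in $expected.Keys) {
    $id = $wired.$logical.connectionId
    $actual = if ($id) { ($id -split '/')[-1] } else { '<not wired>' }
    $verdict = if ($actual -eq $expected[$logical]) { 'OK' } else { "MISMATCH, expected $($expected[$logical])" }
    '{0,-11} -> {1,-14} {2}' -f $logical, $actual, $verdict
}
```

A MISMATCH here after a Bicep deploy means infra/parameters.prod.json and the connection names in the portal have drifted apart; an Error status with OK wiring means the connection itself needs re-authorizing, not a redeploy.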

Disabling temporarily

az logic workflow update --resource-group PS-RG-01 --name egnyte-stp-sync --state Disabled

Re-enable with --state Enabled.

Dependencies

  • PSI Notify Bot — alert channel
  • ps-certificates-kv in PS-RG-01 — holds the psi-notify--* secrets the Logic App reads at runtime
  • PSI on-prem data gateway — bridges the Logic App to the S: drive
  • PSI Azure subscription — Logic App runs in PS-RG-01
  • Bloom Energy Egnyte tenant — destination of uploaded files
  • PSISync — unrelated customer-backup product (do not confuse).
  • PSI IC Production file share, which hosts the source folder.