feat(infra): add Azure Terraform skeleton (mirror of gcp) #240
Merged
Conversation
Adds infra/terraform/azure/ provisioning the AiSOC api/web/ingest
services on Azure Container Apps, mirroring the GCP Cloud Run skeleton
file-for-file:
- main.tf resource group, VNet (ACA + Postgres-delegated + PE
subnets), Log Analytics, Container Apps env, ACR
- database.tf PostgreSQL Flexible Server, private DNS, logical db
- redis.tf Azure Cache for Redis behind a private endpoint
- secrets.tf Key Vault (RBAC) + generated SECRET_KEY / credential key
- iam.tf user-assigned managed identities + AcrPull / KV roles
- container_apps.tf api/web/ingest apps, KV-backed secret injection
- variables.tf / outputs.tf / versions.tf / terraform.tfvars.example
- README.md architecture, quickstart, state backend, cost notes
Sensitive values are generated and stored in Key Vault and consumed by
the apps via managed identity (no secrets in tfvars). Emits the same
env-var contract as the AWS/GCP stacks.
Also documents the alternate cloud skeletons in infra/terraform/README.md.
Closes #237
Co-authored-by: Cursor <cursoragent@cursor.com>
beenuar pushed a commit that referenced this pull request on May 31, 2026
The Azure Container Apps + Postgres Flexible Server skeleton landed in #240 (mirror of the GCP skeleton), but the README's "Stage 2 / Stage 3 platform additions" sections and the Docusaurus deployment docs were never updated to mention it. Visitors comparing cloud options see only AWS (top-level infra/terraform) and GCP (infra/terraform/gcp + a docs page) and assume Azure isn't supported.

- README.md: add an Azure bullet directly after the existing GCP bullet in both the recent-additions section and the older changelog block, noting Container Apps, VNet-private Postgres + Redis, Key Vault, ACR, and per-service managed identities.
- apps/docs/docs/deployment/azure.md: new page that mirrors gcp.md section-for-section (overview, prerequisites, quick start, container images, connecting to Postgres, secrets, costs, limitations, tear-down, see-also). Content is grounded in the actual files under infra/terraform/azure/ — same `terraform.tfvars.example` keys, same output names, the real Key Vault soft-delete-with-purge behaviour.
- apps/docs/sidebars.ts: add deployment/azure right after deployment/gcp so it appears in the docs sidebar.
- apps/docs/docs/deployment/gcp.md: add a reciprocal "Azure skeleton" link in the See-also section for symmetry.

No Terraform code changes — this is documentation only.
Summary

Adds infra/terraform/azure/ — a serverless-container deployment skeleton for AiSOC on Azure, mirroring the existing infra/terraform/gcp/ Cloud Run stack file-for-file. Closes #237.

The stack provisions the api, web, and ingest services on Azure Container Apps (no Kubernetes), backed by managed Azure data + secret services on a private VNet.

Files

- main.tf — resource group, VNet (ACA + Postgres-delegated + PE subnets), Log Analytics, Container Apps environment, ACR
- database.tf — PostgreSQL Flexible Server, private DNS zone, logical database
- redis.tf — Azure Cache for Redis behind a private endpoint
- secrets.tf — Key Vault (RBAC) + generated SECRET_KEY / AISOC_CREDENTIAL_KEY
- iam.tf — user-assigned managed identities + AcrPull / Key Vault Secrets User roles
- container_apps.tf — the three apps, Key-Vault-backed secret injection via managed identity
- variables.tf / outputs.tf / versions.tf / terraform.tfvars.example
- README.md — architecture, quickstart, state backend, container image, cost notes, known limits

Security notes

- Sensitive values (SECRET_KEY, credential key, Postgres password, Redis key, optional OPENAI_API_KEY) are generated by Terraform and stored in Key Vault; apps read them at runtime via managed identity. No secrets land in tfvars or env blocks.
- Emits the same env-var contract as the AWS/GCP stacks (apps/docs/docs/deployment/env-vars.md).

Also adds an Alternate cloud skeletons section to infra/terraform/README.md pointing at the GCP and Azure options.

Test plan

- terraform fmt clean
- terraform validate -> Success! The configuration is valid.
- terraform plan against a real subscription (requires az login + subscription_id)
- api/web/ingest boot and resolve Key Vault secrets via managed identity

Made with Cursor
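The PR description and the Summary above both describe the same pattern: Terraform generates the secret, writes it to an RBAC-mode Key Vault, and each Container App pulls it at runtime through its own user-assigned managed identity, so nothing sensitive sits in tfvars or an env block. The block below is an added illustration of that pattern for one service; it is not the PR's own secrets.tf/iam.tf/container_apps.tf. The resource names, the "aisoc-" prefix, the image tag, the input variables (assumed to be produced by main.tf in the PR's layout) and the azurerm 3.x version pin are assumptions.

```hcl
# Added example, not code from PR #240. Assumes hashicorp/azurerm >= 3.100, < 4.0
# (the container_app secret block's key_vault_secret_id/identity fields) and hashicorp/random.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Assumed inputs, produced elsewhere in the stack (resource group, ACA environment, ACR).
variable "resource_group_name"          { type = string }
variable "location"                     { type = string }
variable "container_app_environment_id" { type = string }
variable "acr_id"                       { type = string }
variable "acr_login_server"             { type = string }

# 1. One identity per service, so api cannot read secrets that only ingest needs.
resource "azurerm_user_assigned_identity" "api" {
  name                = "aisoc-api-identity"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# 2. Key Vault in RBAC mode: no access policies, every grant is a role assignment.
resource "azurerm_key_vault" "main" {
  name                       = "aisoc-kv-example"
  resource_group_name        = var.resource_group_name
  location                   = var.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true
  purge_protection_enabled   = true # a destroyed vault stays recoverable, not purgeable
  soft_delete_retention_days = 7
}

# With RBAC on, owning the vault does not grant data-plane writes; the identity running
# `terraform apply` needs an explicit role before it can create secrets.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# 3. Generated secret: never passes through tfvars, only through state (protect the backend).
resource "random_password" "secret_key" {
  length  = 64
  special = false
}

resource "azurerm_key_vault_secret" "secret_key" {
  name         = "secret-key"
  value        = random_password.secret_key.result
  key_vault_id = azurerm_key_vault.main.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

# 4. Read-only grant scoped to the single secret, not the whole vault.
resource "azurerm_role_assignment" "api_reads_secret_key" {
  scope                = azurerm_key_vault_secret.secret_key.resource_versionless_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.api.principal_id
}

resource "azurerm_role_assignment" "api_pulls_images" {
  scope                = var.acr_id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.api.principal_id
}

# 5. The app references the secret by Key Vault URI; ACA fetches it with the identity.
resource "azurerm_container_app" "api" {
  name                         = "aisoc-api"
  resource_group_name          = var.resource_group_name
  container_app_environment_id = var.container_app_environment_id
  revision_mode                = "Single"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.api.id]
  }

  registry {
    server   = var.acr_login_server
    identity = azurerm_user_assigned_identity.api.id
  }

  # Versionless URI, so a rotated secret is picked up by the next revision.
  secret {
    name                = "secret-key"
    identity            = azurerm_user_assigned_identity.api.id
    key_vault_secret_id = azurerm_key_vault_secret.secret_key.versionless_id
  }

  template {
    container {
      name   = "api"
      image  = "${var.acr_login_server}/aisoc-api:latest"
      cpu    = 0.5
      memory = "1Gi"
      env {
        name        = "SECRET_KEY"
        secret_name = "secret-key"
      }
    }
  }

  # Role assignments propagate eventually; without this ordering the first revision
  # can fail with a 403 from Key Vault or ACR.
  depends_on = [azurerm_role_assignment.api_reads_secret_key, azurerm_role_assignment.api_pulls_images]
}
```

Two checks worth doing against a stack like this: `terraform plan` should show the secret only inside `random_password` and `azurerm_key_vault_secret` (marked sensitive), never as a literal in the container app's `secret` block; and the "api/web/ingest boot and resolve Key Vault secrets" item in the test plan is exactly the step that exposes a missing role assignment or a propagation race, so it is worth running on a fresh subscription rather than one where the roles already exist.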