
Conversation

@richardamare (Member) commented Nov 22, 2025

Summary by CodeRabbit

  • New Features

    • Automated CI/CD pipeline for infrastructure and application deployment to Azure with Docker image builds
    • Azure Key Vault integration for centralized secrets and configuration management
    • Support for Azure OpenAI and Document Intelligence services
  • Infrastructure Updates

    • Refactored deployment infrastructure with improved naming conventions
    • Enhanced secrets management through secure vault integration
    • Automated deployment workflow for multiple environments with manual override options


@coderabbitai (coderabbitai bot) commented Nov 22, 2025

Walkthrough

This PR introduces a GitHub Actions workflow for Terraform-based infrastructure deployment to Azure, alongside Docker image building and App Service management. Infrastructure code is refactored to rename "api" references to "server" throughout, integrates Azure Key Vault for secrets management, transitions the AI module from a data source to a managed resource, and updates the server application to retrieve configuration from Key Vault instead of environment variables.

Changes

CI/CD Automation (.github/workflows/terraform-deploy.yml): New GitHub Actions workflow performing Terraform deployment to Azure with dynamic environment selection. Includes terraform job (checkout, Azure login, init, format, validate, plan, apply) and build-and-push job (Docker image building and pushing to ACR, Azure App Service restarts). Plan comments posted to PRs.

Terraform Core Configuration (infra/terraform.tf, infra/variables.tf, infra/outputs.tf): Added required provider time (v0.11.1). Renamed ACR variables from api to server. Introduced backend configuration variables for remote state. Updated outputs: renamed app_api_url to app_server_url, added server_app_name and web_app_name, replaced acr_repository_api with acr_repository_server.

Terraform Root Module (infra/main.tf): Renamed all api_app_* references to server_app_* throughout. Added AZURE_KEY_VAULT_URI to server app settings. Created multiple azurerm_key_vault_secret resources for AI, Document Intelligence, storage, and Entra configuration. Added azurerm_key_vault_access_policy for server app identity. Updated RBAC module references from api_app_identity_principal_id to server_app_identity_principal_id.

App Service Module (infra/modules/app-service/*): Renamed azurerm_linux_web_app resource from "api" to "server". Updated variable references: api_app_name → server_app_name, acr_repository_api → acr_repository_server, acr_tag_api → acr_tag_server, api_health_check_path → server_health_check_path, api_app_settings → server_app_settings. Added http2_enabled = true. Updated all outputs to reference server app.

Key Vault Module (infra/modules/key-vault/main.tf, infra/modules/key-vault/variables.tf, infra/modules/key-vault/outputs.tf): Added azurerm_key_vault_access_policy for current_user with broad secret permissions. Added 16 new azurerm_key_vault_secret resources for database, storage, OpenAI, Document Intelligence, Entra, and Content Understanding configurations. Added 16 input variables and 17 output expressions for secret URIs with try() fallback pattern. Added Key Vault URI output.

AI Module (infra/modules/ai/main.tf, infra/modules/ai/outputs.tf): Replaced data source azurerm_cognitive_account.hub with managed resource azurerm_cognitive_account.openai. Updated cognitive deployments to reference new resource ID. Updated outputs: ai_foundry_endpoint and ai_foundry_api_key now source from managed OpenAI account instead of data source.

RBAC Module (infra/modules/rbac/main.tf, infra/modules/rbac/variables.tf): Renamed azurerm_role_assignment "acr_pull_api" → "acr_pull_server" and "api_to_storage_reader" → "server_to_storage_reader". Updated principal_id from api_app_identity_principal_id to server_app_identity_principal_id. Removed azurerm_role_assignment "user_to_ai_foundry". Changed "user_to_storage" role from "Storage Blob Data Reader" to "Storage Blob Data Contributor".

Terraform Lock File (.terraform.lock.hcl): Added provider lock entry for hashicorp/time v0.11.1 with full hash set.

Build Script (infra/build-push-server.sh): Renamed from acr_repository_api to acr_repository_server. Added ACR_NAME validation with error handling. Introduced REGISTRY and IMAGE variable derivation. Added login, build, and push steps with user-facing progress messages.

Server Configuration (server/core/config.py): Introduced Key Vault integration via _get_config_value helper function implementing priority: Key Vault → environment variable → default → "missing_env_var". Updated AppConfig field defaults to use Key Vault retrieval with fallback to environment variables. Added imports for azure-identity and azure-keyvault-secrets.

Server Dependencies (server/requirements.txt): Added azure-keyvault-secrets==4.10.0 dependency for Key Vault client functionality.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant GHA as GitHub Actions
    participant Azure as Azure
    participant ACR as Azure Container<br/>Registry
    participant AppSvc as App Services

    User->>GHA: Push to master/dev or manual dispatch
    
    rect rgb(200, 220, 255)
    Note over GHA,Azure: Terraform Job
    GHA->>Azure: Login with credentials
    GHA->>Azure: Init Terraform (backend config from secrets)
    GHA->>Azure: Format, validate, plan
    alt on PR
        GHA->>GHA: Comment plan on PR
    end
    alt on master push or apply action
        GHA->>Azure: Apply Terraform plan
    end
    end
    
    rect rgb(220, 255, 220)
    Note over GHA,AppSvc: Build & Push Job (depends on Terraform)
    GHA->>Azure: Re-login, init Terraform backend
    GHA->>Azure: Fetch outputs (acr_name, repo names, app names)
    GHA->>ACR: Login to Container Registry
    GHA->>ACR: Build & push server image
    GHA->>ACR: Build & push web image
    GHA->>AppSvc: Restart server App Service
    GHA->>AppSvc: Restart web App Service
    end
    
    AppSvc-->>User: Deployment complete
sequenceDiagram
    participant App as Server App<br/>(startup)
    participant KV as Azure Key Vault
    participant Env as Environment<br/>Variables
    
    rect rgb(255, 240, 200)
    Note over App,Env: Config Resolution Priority
    end
    
    App->>App: Check AZURE_KEY_VAULT_URI set?
    alt Key Vault Available
        App->>KV: Fetch secret (e.g. database-url)
        KV-->>App: Secret value
    else Key Vault Not Available
        App->>Env: Check environment variable
        Env-->>App: Value or empty
        alt Has env value
            App->>App: Use env value
        else No env value
            App->>App: Use default or 'missing_env_var'
        end
    end
    
    App->>App: AppConfig initialized with resolved values

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Areas requiring extra attention:

  • .github/workflows/terraform-deploy.yml: Verify GitHub Actions syntax, environment variable wiring for Azure credentials, conditional logic for PR vs. push vs. manual dispatch, and job dependency ordering.
  • infra/main.tf: Review the 16 new azurerm_key_vault_secret resources for correctness of secret names, Key Vault references, and dependency declarations. Validate RBAC module input mapping changes.
  • infra/modules/ai/main.tf: Confirm the transition from data source to managed azurerm_cognitive_account resource doesn't break existing deployments and that deployment IDs are correctly updated.
  • server/core/config.py: Verify the Key Vault retrieval logic handles authentication via DefaultAzureCredential correctly, that secret names match Terraform outputs, and that the fallback chain (Key Vault → env → default → sentinel) handles all cases properly.
  • Consistency across renaming: Spot-check several files for complete api→server renaming consistency (particularly outputs, variable references in root module, and module input wiring).

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Free

📥 Commits

Reviewing files that changed from the base of the PR and between 002955c and 568762b.

📒 Files selected for processing (19)
  • .github/workflows/terraform-deploy.yml (1 hunks)
  • infra/.terraform.lock.hcl (1 hunks)
  • infra/build-push-server.sh (1 hunks)
  • infra/main.tf (5 hunks)
  • infra/modules/ai/main.tf (3 hunks)
  • infra/modules/ai/outputs.tf (1 hunks)
  • infra/modules/app-service/main.tf (2 hunks)
  • infra/modules/app-service/outputs.tf (1 hunks)
  • infra/modules/app-service/variables.tf (4 hunks)
  • infra/modules/key-vault/main.tf (1 hunks)
  • infra/modules/key-vault/outputs.tf (1 hunks)
  • infra/modules/key-vault/variables.tf (1 hunks)
  • infra/modules/rbac/main.tf (2 hunks)
  • infra/modules/rbac/variables.tf (1 hunks)
  • infra/outputs.tf (2 hunks)
  • infra/terraform.tf (1 hunks)
  • infra/variables.tf (2 hunks)
  • server/core/config.py (1 hunks)
  • server/requirements.txt (1 hunks)



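The walkthrough above describes the config resolution chain the PR adds to server/core/config.py (Key Vault → environment variable → default → "missing_env_var") and flags its fallback handling as an area needing attention. The following is an added example of that chain, written for this page; it is not the PR's config.py and does not reproduce its _get_config_value. The vault lookup is injected as a callable so the demo runs offline against a constructed in-memory vault, while keyvault_fetcher() shows the real azure-identity / azure-keyvault-secrets wiring. ConfigResolver, dict_fetcher, the strict flag, the DATABASE_URL → database-url naming rule and all sample values are this example's own assumptions, not names from the project.

```python
"""Config resolution chain: Key Vault -> environment -> default -> fail.

Added example, not the PR's server/core/config.py. The vault lookup is
injected as a callable so demo() runs offline against a constructed
in-memory vault; keyvault_fetcher() shows the real SDK wiring.
"""
import os
import re
from typing import Callable, Dict, Mapping, Optional

MISSING_SENTINEL = "missing_env_var"  # placeholder string the PR walkthrough names


class SecretNotFound(LookupError):
    """A fetcher raises this when the vault has no secret of that name."""


class MissingConfig(RuntimeError):
    """Strict mode raises this instead of returning the placeholder string."""


def to_secret_name(env_name: str) -> str:
    """Map DATABASE_URL -> database-url (assumed convention; the walkthrough's
    diagram shows 'database-url' but states no rule). Key Vault secret names
    allow only letters, digits and hyphens."""
    return re.sub(r"[^A-Za-z0-9-]", "-", env_name.strip().lower())


def keyvault_fetcher(vault_uri: str) -> Callable[[str], str]:
    """Fetcher backed by azure-identity / azure-keyvault-secrets.
    Imported lazily so the rest of this file runs without the SDK installed."""
    from azure.core.exceptions import ResourceNotFoundError
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_uri, credential=DefaultAzureCredential())

    def fetch(name: str) -> str:
        try:
            return client.get_secret(name).value
        except ResourceNotFoundError as exc:
            raise SecretNotFound(name) from exc  # only "not found" may fall through
    return fetch


def dict_fetcher(secrets: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for keyvault_fetcher(), used by demo()."""
    def fetch(name: str) -> str:
        if name not in secrets:
            raise SecretNotFound(name)
        return secrets[name]
    return fetch


class ConfigResolver:
    def __init__(self, fetch_secret: Optional[Callable[[str], str]],
                 env: Optional[Mapping[str, str]] = None, strict: bool = True):
        self._fetch = fetch_secret        # None models AZURE_KEY_VAULT_URI being unset
        self._env = os.environ if env is None else env
        self._strict = strict
        self._cache: Dict[str, str] = {}  # one vault round trip per setting

    def get(self, env_name: str, default: Optional[str] = None) -> str:
        if env_name in self._cache:
            return self._cache[env_name]
        value = self._from_vault(env_name)
        if value is None:
            value = self._env.get(env_name) or None  # empty string counts as unset
        if value is None:
            value = default
        if value is None:
            if self._strict:
                raise MissingConfig(f"{env_name}: not in Key Vault, environment or defaults")
            value = MISSING_SENTINEL  # the PR's behaviour: a placeholder string
        self._cache[env_name] = value
        return value

    def _from_vault(self, env_name: str) -> Optional[str]:
        if self._fetch is None:
            return None
        try:
            return self._fetch(to_secret_name(env_name))
        except SecretNotFound:
            return None
        # Anything else (403, auth failure, network) propagates on purpose:
        # silently falling back to env would hide a broken identity setup.


def demo() -> Dict[str, str]:
    """Resolve a few settings against constructed vault and environment data."""
    vault = dict_fetcher({"database-url": "postgresql://kv-host/app"})
    env = {"DATABASE_URL": "postgresql://env-host/app", "LOG_LEVEL": "debug", "EMPTY": ""}
    cfg = ConfigResolver(vault, env, strict=False)
    return {
        "db": cfg.get("DATABASE_URL"),                               # vault beats env
        "log": cfg.get("LOG_LEVEL"),                                 # not in vault -> env
        "api_version": cfg.get("OPENAI_API_VERSION", "2024-10-21"),  # default
        "empty": cfg.get("EMPTY", "fallback"),                       # empty env -> default
        "missing": cfg.get("ENTRA_CLIENT_SECRET"),                   # sentinel, non-strict
    }
```

Calling demo() returns the resolved values for each branch of the chain. Two choices here differ from the behaviour the walkthrough describes and are worth weighing in review: strict=True (the default in this example) raises at startup instead of handing a literal "missing_env_var" string to a database or Entra client, where it would fail later and less obviously; and only a "not found" result falls through to the environment, so an access-policy or credential problem surfaces as an error rather than as a silent switch to whatever happens to be in the container's environment. For the server's managed identity the resolver needs only the Get secret permission on the vault, which is narrower than the "broad secret permissions" the walkthrough notes for the current_user policy.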
