fix: align Terraform DB config and reorganize docs#33
Merged
Conversation
…tate Backup was disabled on the real instance; syncing so terraform plan is clean with no spurious diff on next apply. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
README trimmed to a lean landing page. Detailed content moved to:
- docs/ARCHITECTURE.md (BFF pattern, ReAct agent, security model)
- docs/INFRASTRUCTURE.md (Cloud topology, Terraform, Secret Manager, CI/CD)
- docs/AZURE_SETUP.md (Entra ID registration, Cosmos DB, frontend config)
- docs/DEVELOPMENT.md (local setup, testing, code style)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ChingEnLin added a commit that referenced this pull request, May 17, 2026:
* feat: harden Cloud Run security with Secret Manager, VPC connector, and private backend

  - Secret Manager: move all sensitive env vars (Azure credentials, Gemini key, DB credentials) out of GitHub Secrets and into GCP Secret Manager; Cloud Run reads them at runtime via --set-secrets, so secrets are never exposed in workflow logs or build args.
  - VPC Connector: add Serverless VPC Access connector (terraform/network.tf) so Cloud Run services can reach Cloud SQL and each other over the private VPC network.
  - Private backend: set backend Cloud Run ingress to 'internal', blocking all public internet access. Frontend nginx now proxies /api/* to the backend's internal URL (with BACKEND_URL injected as a runtime env var), so the browser never needs a direct connection to the backend.
  - Terraform IaC: terraform/ directory manages the VPC connector, Secret Manager secrets, Cloud Run service account, and Cloud SQL (importable via import.sh). CI continues to own image builds and Cloud Run deployments.
  - Data migration script: scripts/migrate_db.sh migrates PostgreSQL data between Cloud SQL instances via Cloud SQL Auth Proxy if the database ever needs to be rebuilt.

  https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* fix: construct Cloud Run SA email inline to use PROJECT_ID, clarify VITE_API_BASE_URL

  GitHub Actions does not interpolate ${{ env.X }} inside the top-level env: block, so the full SA email could not reference PROJECT_ID there. Replaced CLOUD_RUN_SA with CLOUD_RUN_SA_NAME and build the email inline in the flags blocks where expression context is available.

  Added a comment explaining VITE_API_BASE_URL=/api — it is the nginx location prefix, not a full URL, because the browser calls the frontend's own origin and nginx proxies /api/* to the internal backend.

  https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* docs: add infrastructure documentation with architecture diagrams to README

  - Add production architecture Mermaid diagram showing Cloud Run services, VPC connector, Secret Manager, Cloud SQL, and external dependencies
  - Add network security model table (frontend public / backend internal)
  - Add secret management table listing all Secret Manager secrets
  - Add IaC ownership table (Terraform vs CI pipeline)
  - Add CI/CD pipeline Mermaid flowchart showing Workload Identity auth, image build/push, and deploy steps with secret injection
  - Add Terraform to technology stack table

  Also remove overly broad github_actions_secret_accessor IAM binding from terraform/iam.tf — the GitHub Actions SA never reads secret values directly; Cloud Run reads them at startup using the Cloud Run SA identity.

  https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* fix: align Terraform DB config and reorganize docs (#33)

  * fix: align database.tf backup config with actual Cloud SQL instance state

    Backup was disabled on the real instance; syncing so terraform plan is clean with no spurious diff on next apply.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  * docs: reorganize README into focused docs/ files

    README trimmed to a lean landing page. Detailed content moved to:
    - docs/ARCHITECTURE.md (BFF pattern, ReAct agent, security model)
    - docs/INFRASTRUCTURE.md (Cloud topology, Terraform, Secret Manager, CI/CD)
    - docs/AZURE_SETUP.md (Entra ID registration, Cosmos DB, frontend config)
    - docs/DEVELOPMENT.md (local setup, testing, code style)

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Summary

- Align terraform/database.tf backup configuration with the actual Cloud SQL instance state (backup was disabled in prod; the config had it enabled, which would cause a spurious diff on every plan)
- Reorganize README into docs/ files to reduce length and improve navigability

Changes

- terraform/database.tf — backup config corrected to match real instance:
  - enabled: true → false
  - start_time: "02:00" → "03:00"
  - point_in_time_recovery_enabled: true → false
- docs/ — new files extracted from README:
  - ARCHITECTURE.md — BFF pattern, auth flow, ReAct agent loop, security model
  - INFRASTRUCTURE.md — Cloud topology, network security, Secret Manager, Terraform setup, CI/CD
  - AZURE_SETUP.md — Entra ID app registrations, Cosmos DB permissions, frontend auth config
  - DEVELOPMENT.md — local setup, testing commands, code style
- README.md — trimmed to a lean landing page (~60 lines) with a docs reference table.

Test plan

- terraform plan shows no changes on Cloud SQL (backup config aligned)

🤖 Generated with Claude Code