HarvtechUK/harvtech-site
harvtech-site

Source for HarvTech.co.uk — a portfolio site showcasing secure Azure platform engineering for AI and data workloads.

Architecture

  • Static site (placeholder HTML now, Astro later) hosted on Azure Storage $web
  • Infrastructure as code: Terraform, state in Azure Storage backend
  • CI/CD: GitHub Actions, federated to Azure via OIDC (no stored secrets)
  • Coming next: Azure Front Door + WAF, custom domain, Astro build pipeline

Repo layout

| Path | Purpose | State key |
| --- | --- | --- |
| bootstrap/ | One-off shell script + docs for the manually-managed platform layer (state SA, Entra app, federated creds) | |
| infra/ | Terraform for the site's Azure resources (RG, storage, Front Door, WAF) | site.tfstate |
| dns/ | Terraform for the harvtech.co.uk DNS zone + records | dns.tfstate |
| site/ | Static site content (currently placeholder HTML) | |
| .github/workflows/ | CI/CD pipeline | |

All Terraform state lives in stplatformtfstateuks01 (rg-platform-prd-uks-01). Application stacks consume the platform layer; the platform layer itself is maintained out of band — see bootstrap/README.md.

Pipeline security

Two workflows run on every push, PR, and daily on a schedule:

  • deploy.yml: terraform plan/apply for both stacks, then upload site content
  • security.yml — three scanners running in parallel, all emitting SARIF into the Security tab:
    • Checkov — IaC policy and misconfiguration
    • Trivy — IaC misconfig from a different ruleset (deliberate overlap with Checkov; disagreements between them tend to surface findings worth investigating)
    • tflint + tflint-ruleset-azurerm — Terraform linting, dead-code detection, Azure SKU validation

All three start in soft-fail mode so we get visibility on what's there before we decide what to enforce. Deliberate suppressions live in .checkov.yaml / .tflint.hcl with a one-line reason for each, so the trade-offs are reviewable.
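The deliberate Checkov/Trivy overlap above is only useful if the two SARIF outputs are actually compared. The script below is an added example, not part of this repository or either scanner: it keys every SARIF result on (file, start line) and reports which locations only one scanner flagged, as a starting point for triage. The two SARIF logs and rule IDs are constructed samples, and matching on start line is a heuristic (scanners may anchor on different lines of the same block).

```python
"""Surface Checkov/Trivy disagreements by diffing two SARIF 2.1.0 logs on location."""
import json
from collections import defaultdict


def _sarif(tool, hits):
    """Build a minimal SARIF log. Constructed sample data, not real scanner output."""
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool}},
        "results": [{"ruleId": rule, "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
                    for rule, uri, line in hits]}]}


# Constructed samples: rule IDs are placeholders, not real Checkov/Trivy checks.
CHECKOV_SARIF = _sarif("Checkov", [("CKV_EXAMPLE_1", "infra/storage.tf", 12),
                                   ("CKV_EXAMPLE_2", "infra/storage.tf", 40)])
TRIVY_SARIF = _sarif("Trivy", [("AVD-EXAMPLE-1", "infra/storage.tf", 12),
                               ("AVD-EXAMPLE-2", "dns/zone.tf", 3)])


def load_sarif(path):
    """Read a SARIF file written by a scanner step (e.g. the upload-sarif artifact)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings_by_location(sarif):
    """Map (file uri, startLine) -> set of rule IDs reported at that location."""
    out = defaultdict(set)
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                out[(uri, line)].add(rule)
    return dict(out)


def triage(first, second):
    """Split locations into agreed / only-first / only-second for review."""
    a, b = findings_by_location(first), findings_by_location(second)
    return {"agreed": sorted(set(a) & set(b)),
            "only_first": sorted(set(a) - set(b)),
            "only_second": sorted(set(b) - set(a))}


if __name__ == "__main__":
    for bucket, locs in triage(CHECKOV_SARIF, TRIVY_SARIF).items():
        print(bucket, locs)
```

Locations in `only_first` / `only_second` are the ones the README says are worth a closer look; `agreed` hits are the candidates for a single shared suppression with a reason.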

Dependabot watches GitHub Actions versions and Terraform providers/modules weekly (/.github/dependabot.yml).

Branching and merge policy

main is the only long-lived branch and is protected. All changes land via pull request; there are no direct pushes (an admin bypass exists for emergencies, but it should be rare and remain reviewable in the audit log).

Required to merge a PR into main:

  • All six CI jobs pass: Terraform site, Terraform DNS, Checkov (IaC policy), Trivy (IaC misconfig), tflint (infra), tflint (dns)
  • Branch is up to date with main (strict mode)
  • All review conversations resolved
  • Linear history (squash or rebase merge only — no merge commits)

CODEOWNERS declares review ownership; for a solo project @HarvtechUK owns everything by default.

Stale approvals are dismissed on new commits, and force-pushes / deletions of main are blocked outright. Auto-merge is enabled at the repo level so Dependabot PRs (and any human PR with gh pr merge --auto) merge as soon as CI is green.

Deploy

Pushes to main run terraform apply and upload site/ to the storage account.
