Azure Community SaaS Deployment
This guide explains how to publish the public CAVRA Community service from GitHub to Azure.
The deployment creates a hosted Community experience:
- CAVRA FastAPI backend on Azure Container Apps.
- CAVRA static sandbox UI on Azure Static Web Apps.
- Container images through Azure Container Registry.
- GitHub Actions authentication through Azure OIDC.
This is a Community deployment path. It does not add Enterprise tenant isolation, private policy packs, live production connectors, SMTP or report provider delivery, license enforcement, or Enterprise AISPM production validation.
```mermaid
flowchart LR
    repo[GitHub Repository] --> apiwf[Deploy Azure API Workflow]
    repo --> uiwf[Deploy Azure Static UI Workflow]
    apiwf --> acr[Azure Container Registry]
    acr --> ca[Azure Container Apps API]
    uiwf --> swa[Azure Static Web Apps UI]
    swa -->|CAVRA_PUBLIC_API_BASE_URL| ca
    ca -->|Community policy, evidence, AISPM samples| users[Community Users]
```
The deployment path uses these files:
- `docker/Dockerfile.azure-api`
- `.github/workflows/deploy-azure-api.yml`
- `.github/workflows/deploy-azure-static-ui.yml`
- `apps/sandbox-ui/config.js`
- `src/cavra/api.py`

The API container runs:

```shell
uvicorn cavra.api:app --host 0.0.0.0 --port 8000
```

The static UI workflow copies `apps/sandbox-ui`, writes a deployment-specific `config.js`, and publishes the folder to Azure Static Web Apps.
Create or provide:
- Resource group.
- Azure Container Registry.
- Azure Container Apps environment.
- Azure Container App for the API with external ingress on port 8000.
- Azure Static Web App for the UI.
- Optional Azure Files volume for Community SQLite store persistence.
Example CLI skeleton:

```shell
az group create -n cavra-community-rg -l eastus
az acr create -g cavra-community-rg -n cavracommunityacr --sku Basic
az containerapp env create -g cavra-community-rg -n cavra-community-env -l eastus
az containerapp create \
  -g cavra-community-rg \
  -n cavra-community-api \
  --environment cavra-community-env \
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
  --ingress external \
  --target-port 8000 \
  --min-replicas 1 \
  --max-replicas 3 \
  --env-vars CAVRA_EDITION=community
```

After the first placeholder deployment, the GitHub workflow builds and deploys the real CAVRA image from `docker/Dockerfile.azure-api`.
Create these GitHub repository variables:
| Variable | Purpose |
|---|---|
| `AZURE_DEPLOY_ENABLED` | Set to `true` to allow Azure deployment jobs to run. |
| `AZURE_CLIENT_ID` | Federated identity client ID for GitHub Actions OIDC. |
| `AZURE_TENANT_ID` | Azure tenant ID. |
| `AZURE_SUBSCRIPTION_ID` | Azure subscription ID. |
| `AZURE_RESOURCE_GROUP` | Resource group containing the Container App and ACR. |
| `AZURE_CONTAINER_REGISTRY_NAME` | ACR name without `.azurecr.io`. |
| `AZURE_CONTAINER_APP_NAME` | Container App name for the CAVRA API. |
| `CAVRA_PUBLIC_API_BASE_URL` | Public API URL consumed by the static UI. |
| `CAVRA_PUBLIC_TRIAL_API_URL` | Optional public trial URL exposed to the UI. |
| `CAVRA_CORS_ORIGINS` | Static UI origin allowed to call the API. |
Optional persistence variables:
| Variable | Example |
|---|---|
| `CAVRA_EVIDENCE_METADATA_DB` | `/data/evidence.sqlite` |
| `CAVRA_APPROVAL_DB` | `/data/approvals.sqlite` |
| `CAVRA_REGISTRY_DB` | `/data/registry.sqlite` |
| `CAVRA_ACTIVITY_DB` | `/data/activity.sqlite` |
| `CAVRA_INVENTORY_DB` | `/data/inventory.sqlite` |
| `CAVRA_INTEGRATION_DB` | `/data/integrations.sqlite` |
| `CAVRA_EVIDENCE_ARTIFACT_ROOT` | `/data/evidence-artifacts` |
Create this GitHub repository secret:
| Secret | Purpose |
|---|---|
| `AZURE_STATIC_WEB_APPS_API_TOKEN` | Azure Static Web Apps deployment token. |
Use Azure workload identity federation for GitHub Actions instead of storing an
Azure client secret. The Azure API workflow uses azure/login@v2 with OIDC.
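The following script is an added example, not part of the CAVRA repository or its workflows. It shows the Azure side of that federation: an application whose federated credential trusts only one GitHub repository and branch, with role assignments scoped to the registry and the single Container App rather than the subscription. The organization, repository, branch, display name and resource names are placeholders; the two role choices (`AcrPush` on the registry, `Contributor` on the Container App) are an assumption about what the deploy workflow needs and should be narrowed or widened to match the commands it actually runs.

```shell
#!/bin/sh
# Added example (not CAVRA project code): set up GitHub OIDC federation so
# azure/login@v2 can sign in without a stored client secret.
# Org/repo/branch, display name and resource names are constructed placeholders.
set -eu

# Subject GitHub puts in the OIDC token for a push to one branch. Pinning
# org, repo and branch means no other repo or branch can assume this identity.
# For GitHub environments the shape is "repo:ORG/REPO:environment:NAME".
github_subject() {
  # $1 org, $2 repo, $3 branch
  printf 'repo:%s/%s:ref:refs/heads/%s' "$1" "$2" "$3"
}

# Parameters document for `az ad app federated-credential create`.
federated_credential_json() {
  # $1 credential name, $2 subject
  printf '{\n  "name": "%s",\n  "issuer": "https://token.actions.githubusercontent.com",\n  "subject": "%s",\n  "audiences": ["api://AzureADTokenExchange"]\n}\n' "$1" "$2"
}

# Runs the az commands. Only invoked with "apply", so the helpers above can be
# sourced and checked without an Azure session.
apply_federation() {
  org=$1; repo=$2; branch=$3; rg=$4; acr=$5; app=$6
  app_id=$(az ad app create --display-name "cavra-github-deploy" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  sub_id=$(az account show --query id -o tsv)

  # Least privilege (assumed roles): push rights on the registry only ...
  acr_id=$(az acr show -g "$rg" -n "$acr" --query id -o tsv)
  az role assignment create --assignee "$app_id" --role AcrPush --scope "$acr_id" >/dev/null
  # ... and Contributor on the one Container App, not on the subscription.
  app_scope="/subscriptions/$sub_id/resourceGroups/$rg/providers/Microsoft.App/containerApps/$app"
  az role assignment create --assignee "$app_id" --role Contributor --scope "$app_scope" >/dev/null

  params=$(mktemp)
  federated_credential_json "github-$branch" "$(github_subject "$org" "$repo" "$branch")" > "$params"
  az ad app federated-credential create --id "$app_id" --parameters "$params" >/dev/null
  rm -f "$params"

  # Values for the repository variables named in this guide.
  echo "AZURE_CLIENT_ID=$app_id"
  echo "AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)"
  echo "AZURE_SUBSCRIPTION_ID=$sub_id"
}

if [ "${1:-}" = "apply" ]; then
  shift
  apply_federation "$@"
fi
```

Run as `sh federate.sh apply ORG REPO main cavra-community-rg cavracommunityacr cavra-community-api` once per deployment identity; the three printed values go into the repository variables, and nothing secret is written anywhere. A branch-pinned subject also means a workflow triggered from a fork or feature branch gets no token, which is the point of federation over a shared secret.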
- Configure Azure resources and GitHub variables/secrets.
- Set `AZURE_DEPLOY_ENABLED=true`.
- Run `Deploy Azure API` from GitHub Actions, or push changes to API paths.
- Copy the emitted Container App URL into `CAVRA_PUBLIC_API_BASE_URL`.
- Set `CAVRA_CORS_ORIGINS` to the Azure Static Web Apps origin.
- Run `Deploy Azure Static UI` from GitHub Actions, or push changes to UI paths.
- Open the Static Web App and confirm `config.js` points at the Container App.
- Confirm API health:

```shell
curl https://<container-app-fqdn>/health
curl https://<container-app-fqdn>/deployment/production-readiness
```

Azure Container Apps container filesystem storage is not a durable database. For a Community SaaS demo, use explicit SQLite paths mounted on Azure Files or accept that sample state is ephemeral. For production multi-tenant SaaS, replace file-backed stores with an Enterprise-managed database design.
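The script below is an added example, not part of the CAVRA repository, covering the checks a reviewer would want before and after the steps above: that `CAVRA_CORS_ORIGINS` is one exact https origin (no path, trailing slash or wildcard), that `CAVRA_PUBLIC_API_BASE_URL` is https, and that every SQLite path from the persistence table sits under the Azure Files mount rather than on the container filesystem. The trailing-slash normalization of the base URL and the `/data` mount root are assumptions; the hostnames used in the examples are constructed.

```shell
#!/bin/sh
# Added example (not CAVRA project code): preflight checks on the repository
# variables from this guide, plus the post-deploy health probe.
# Sample hostnames are constructed; the mount root is an assumption.
set -eu

# An allowed origin is scheme + host (+ port) and nothing more. A path, a
# trailing slash or a wildcard either fails to match the browser's Origin
# header or, in the wildcard case, lets any site call the API.
is_https_origin() {
  case "$1" in
    https://*/*|https://*\**|*" "*|"") return 1 ;;
    https://[A-Za-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Require https for the API base URL and drop a trailing slash (assumed
# convention) so the UI can append /health without producing "//health".
normalize_api_base() {
  case "$1" in
    https://*) printf '%s' "${1%/}" ;;
    *) return 1 ;;
  esac
}

# Every SQLite/artifact path must sit under the mounted share; anything
# else lands on the container filesystem and is lost on restart or scale-out.
db_paths_under_mount() {
  # $1 mount root, remaining args: configured paths
  root=$1; shift
  for p in "$@"; do
    case "$p" in
      "$root"/*) ;;
      *) echo "not under $root: $p" >&2; return 1 ;;
    esac
  done
  return 0
}

# Post-deploy probe of the two endpoints named in the guide; -f makes curl
# fail on a non-2xx status so a broken deploy does not look healthy.
check_api_health() {
  base=$(normalize_api_base "$1") || { echo "API base URL must be https" >&2; return 1; }
  for path in /health /deployment/production-readiness; do
    curl -fsS --max-time 10 "$base$path" >/dev/null || { echo "FAIL $base$path" >&2; return 1; }
    echo "ok $base$path"
  done
}

if [ "${1:-}" = "check" ]; then
  check_api_health "$2"
fi
```

Usage: `sh preflight.sh check https://<container-app-fqdn>` after the API workflow finishes; the pure-shell helpers can also be sourced from the UI workflow to reject a bad `CAVRA_CORS_ORIGINS` value before `config.js` is written.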
This deployment exposes the public Community product surfaces:
- CLI/API decision and evidence contracts.
- Public-safe sandbox GUI.
- Public-safe AISPM sample and local posture views.
- Community policy and evidence workflows.
It does not claim Enterprise readiness. Enterprise readiness still requires real tenant isolation, live connectors, report delivery, private policy packs, runtime workflow validation, and final AISPM production gates.