OpenAI-compatible AI Gateway (LiteLLM) on Azure Container Apps. Routes /v1/responses and /v1/embeddings to Azure OpenAI.
Creates the shared resource group, storage account, and container for Terraform state.
Bash:

```bash
./scripts/bootstrap.sh <GITHUB_ORG> <GITHUB_REPO> [SCOPE]
```

PowerShell:

```powershell
.\scripts\bootstrap.ps1 -GITHUB_ORG <org> -GITHUB_REPO <repo> [-SCOPE <scope>]
```

Add these secrets to each GitHub Environment (dev, staging, prod): Settings → Environments → <env> → Environment secrets.
| Secret | Description | Example |
|---|---|---|
| **Infrastructure** | | |
| `TF_BACKEND_RG` | Terraform state resource group | pvc-shared-tfstate-rg-san |
| `TF_BACKEND_SA` | Terraform state storage account | pvctfstatexxxxxxxx |
| `TF_BACKEND_CONTAINER` | Terraform state container | tfstate |
| `AZURE_CLIENT_ID` | OIDC app (from bootstrap) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| `AZURE_TENANT_ID` | Azure tenant ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| `AZURE_SUBSCRIPTION_ID` | Azure subscription ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| **Application** | | |
| `AZURE_OPENAI_ENDPOINT` | Azure OpenAI endpoint URL | https://mys-shared-ai-san.openai.azure.com/ |
| `AZURE_OPENAI_API_KEY` | Azure OpenAI API key | Your Azure OpenAI key |
| `AIGATEWAY_KEY` | Gateway auth key (from bootstrap) | Base64 string from bootstrap output |
Bootstrap prints these values. For local runs, copy infra/.env.local.example to infra/.env.local with the infrastructure values.
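A pre-flight check for the infrastructure values in `infra/.env.local`, written as an added example that is not part of this repository. It assumes the file holds plain `KEY=value` lines (the page does not show its format); the function names are hypothetical and the Azure naming patterns are simplified.

```bash
# Added example (not from the repo): pre-flight check for infra/.env.local.
# Assumption: the file holds plain KEY=value lines.
# Only key names are printed, never values, so the output is safe for CI logs.

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Print the last value assigned to key $2 in file $1, without surrounding quotes.
env_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Check the six infrastructure values; print one line per problem.
# Returns 0 when every value passes, 1 otherwise.
check_env_file() {
  cef_problems=0
  [ -r "$1" ] || { echo "cannot read $1"; return 1; }
  for cef_key in TF_BACKEND_RG TF_BACKEND_SA TF_BACKEND_CONTAINER \
                 AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID; do
    case $cef_key in
      # Simplified Azure naming rules: resource group, storage account, container.
      TF_BACKEND_RG)        cef_re='^[A-Za-z0-9_().-]{0,89}[A-Za-z0-9_()-]$' ;;
      TF_BACKEND_SA)        cef_re='^[a-z0-9]{3,24}$' ;;
      TF_BACKEND_CONTAINER) cef_re='^[a-z0-9][a-z0-9-]{2,62}$' ;;
      *)                    cef_re=$GUID_RE ;;
    esac
    cef_val=$(env_value "$1" "$cef_key")
    case $cef_val in
      '')           cef_msg='missing' ;;
      # Heuristic: catches sample values such as pvctfstatexxxxxxxx or <org>.
      *xxxx*|*'<'*) cef_msg='still a placeholder' ;;
      *) if printf '%s\n' "$cef_val" | grep -Eq "$cef_re"; then cef_msg=''
         else cef_msg='unexpected format'; fi ;;
    esac
    if [ -n "$cef_msg" ]; then
      echo "$cef_key: $cef_msg"
      cef_problems=$((cef_problems + 1))
    fi
  done
  [ "$cef_problems" -eq 0 ]
}
```

Source the file and call `check_env_file infra/.env.local` before running the Terraform init script; a non-zero status means at least one value needs attention.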
Key Vault firewall: Deployments from GitHub Actions require Key Vault to allow public network access. The Terraform module defaults `key_vault_network_default_action` to `Allow` for CI. If you see `ForbiddenByFirewall`, ensure the `fix/key-vault-network-acls` changes are merged and applied.
Bash:

```bash
./infra/scripts/terraform-init.sh dev # or staging, prod
```

PowerShell:

```powershell
.\infra\scripts\terraform-init.ps1 -Env dev # or staging, prod
```

Valid environments: dev, staging, prod.
```bash
cd infra/env/dev
terraform plan
terraform apply
```

| Env | Purpose |
|---|---|
| dev | Development |
| staging | Staging |
| prod | Production |
- CI/CD behavior, environment promotion rules, and smoke-test diagnostics are documented in docs/CI_CD.md.
This repo uses Prettier via pnpm for lightweight formatting checks.
```bash
pnpm install
pnpm check
pnpm lint
pnpm format:check
pnpm format
```

- `pnpm check` runs repo checks (lint + `terraform fmt -check -recursive`)
- `pnpm lint` currently maps to formatting checks (easy to expand later)
- `pnpm format` applies Prettier changes
- PRD – Product requirements
- Terraform Blueprint – Infrastructure design
- CI/CD Runbook – workflow behavior, staging toggle, smoke tests
- Azure OIDC Setup – GitHub Actions OIDC configuration
- Secrets Checklist – Copy/paste setup for GitHub environment secrets