
Cloud (Azure)

The Consystence cloud tier runs on Microsoft Azure in the australiaeast region. It hosts the auth service, platform API, fleet analytics, and the type marketplace.

Resource layout

| Resource | Type | Name |
| --- | --- | --- |
| Resource Group | | rg-consystence-dev-aue |
| Container Apps Environment | Azure Container Apps | cae-consystence-dev-aue |
| Container Registry | Azure Container Registry | crconsystencedevaue |
| Database | PostgreSQL Flexible Server | psql-consystence-dev-aue |
| Virtual Network | VNet | vnet-consystence-dev-aue |

Info

Development uses Azure Container Apps for simplicity. Production deployments are planned to migrate to AKS (Azure Kubernetes Service) for finer-grained control over scaling and networking.

Network architecture

The VNet is divided into purpose-specific subnets:

| Subnet | CIDR | Purpose |
| --- | --- | --- |
| snet-apps | 10.0.0.0/23 | Container Apps Environment |
| snet-postgres | 10.0.2.0/24 | PostgreSQL Flexible Server (VNet-integrated) |
| snet-pe | 10.0.3.0/24 | Private endpoints |
| snet-platform | 10.0.4.0/24 | Platform services (Key Vault, monitoring) |

Database access

PostgreSQL is VNet-integrated with no public access. All connections go through the private VNet. The Container Apps environment is peered with the database subnet.

Container images

Services are packaged as container images and pushed to ACR:

| Image | Service |
| --- | --- |
| consystence-auth | Authentication and identity |
| consystence-api | Platform API |
| consystence-fleet | Fleet analytics and ML model management |
| consystence-marketplace | Type marketplace API |

CI/CD

Deployments are automated through GitHub Actions with OIDC federated credentials — no stored secrets for Azure authentication.

graph LR
    GH[GitHub Push] --> GA[GitHub Actions]
    GA -->|OIDC| Azure[Azure]
    GA -->|Build & Push| ACR[Container Registry]
    ACR -->|Deploy| CA[Container Apps]

Pipeline steps

  1. Build — dotnet build and dotnet test for the service.
  2. Container — docker build and push to ACR.
  3. Deploy — update the Container App revision to the new image tag.
  4. Verify — health check against the deployed service.

OIDC federation

GitHub Actions authenticate to Azure using OIDC federated credentials configured on an Azure AD app registration. No AZURE_CLIENT_SECRET is stored in GitHub — the Actions runner exchanges its GitHub-issued OIDC token for an Azure access token.
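An added example of how the pipeline steps above and the OIDC exchange fit together in one GitHub Actions workflow (illustrative, not the project's own workflow file). It assumes the federated credential on the app registration is scoped to a `dev` environment of the repository, that the client, tenant and subscription IDs are stored as non-secret repository variables, that the Container App name and the health-check path are placeholders to be filled in, and it tags images by commit SHA so a deployed revision always points at an immutable image.

```yaml
name: deploy-auth

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the runner request a GitHub-issued OIDC token; nothing else is writable

env:
  REGISTRY: crconsystencedevaue.azurecr.io
  IMAGE: consystence-auth
  RESOURCE_GROUP: rg-consystence-dev-aue
  CONTAINER_APP: <container-app-name>   # placeholder: the app name is not given on this page

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: dev   # assumed federated credential subject: repo:<org>/<repo>:environment:dev
    steps:
      - uses: actions/checkout@v4

      - name: Build and test
        run: |
          dotnet build --configuration Release
          dotnet test --configuration Release --no-build

      # Client, tenant and subscription IDs are identifiers, not secrets; they are
      # stored as repository variables. No AZURE_CLIENT_SECRET exists anywhere.
      - name: Azure login (OIDC token exchange)
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push image
        run: |
          az acr login --name crconsystencedevaue
          docker build -t "$REGISTRY/$IMAGE:$GITHUB_SHA" .
          docker push "$REGISTRY/$IMAGE:$GITHUB_SHA"

      - name: Deploy new revision
        run: |
          az containerapp update --name "$CONTAINER_APP" \
            --resource-group "$RESOURCE_GROUP" \
            --image "$REGISTRY/$IMAGE:$GITHUB_SHA"

      - name: Verify
        run: |
          FQDN=$(az containerapp show --name "$CONTAINER_APP" --resource-group "$RESOURCE_GROUP" \
            --query properties.configuration.ingress.fqdn -o tsv)
          curl --fail --silent --show-error "https://$FQDN/healthz"   # health path assumed
```

If the federated credential's subject does not match the job's `environment` (or branch) claim exactly, the token exchange fails at the login step, which is the intended failure mode: a workflow run from an unexpected branch or environment cannot obtain an Azure token.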

Infrastructure as code

All Azure infrastructure is defined using Azure Bicep templates in the consystence-infra repository:

consystence-infra/
├── main.bicep              # Orchestrator
├── modules/
│   ├── container-apps.bicep
│   ├── postgres.bicep
│   ├── acr.bicep
│   ├── vnet.bicep
│   └── keyvault.bicep
└── parameters/
    ├── dev.bicepparam
    └── prod.bicepparam

Deploy with:

az deployment group create \
  --resource-group rg-consystence-dev-aue \
  --template-file main.bicep \
  --parameters parameters/dev.bicepparam