chore: merge dev into production #34
Merged
…nd private backend
- Secret Manager: move all sensitive env vars (Azure credentials, Gemini key, DB credentials) out of GitHub Secrets and into GCP Secret Manager; Cloud Run reads them at runtime via --set-secrets, so secrets are never exposed in workflow logs or build args.
- VPC Connector: add Serverless VPC Access connector (terraform/network.tf) so Cloud Run services can reach Cloud SQL and each other over the private VPC network.
- Private backend: set backend Cloud Run ingress to 'internal', blocking all public internet access. Frontend nginx now proxies /api/* to the backend's internal URL (with BACKEND_URL injected as a runtime env var), so the browser never needs a direct connection to the backend.
- Terraform IaC: terraform/ directory manages the VPC connector, Secret Manager secrets, Cloud Run service account, and Cloud SQL (importable via import.sh). CI continues to own image builds and Cloud Run deployments.
- Data migration script: scripts/migrate_db.sh migrates PostgreSQL data between Cloud SQL instances via Cloud SQL Auth Proxy if the database ever needs to be rebuilt.
https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m
…ITE_API_BASE_URL
GitHub Actions does not interpolate ${{ env.X }} inside the top-level env:
block, so the full SA email could not reference PROJECT_ID there. Replaced
CLOUD_RUN_SA with CLOUD_RUN_SA_NAME and build the email inline in the flags
blocks where expression context is available.
Added a comment explaining VITE_API_BASE_URL=/api — it is the nginx location
prefix, not a full URL, because the browser calls the frontend's own origin
and nginx proxies /api/* to the internal backend.
https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m
…README
- Add production architecture Mermaid diagram showing Cloud Run services, VPC connector, Secret Manager, Cloud SQL, and external dependencies
- Add network security model table (frontend public / backend internal)
- Add secret management table listing all Secret Manager secrets
- Add IaC ownership table (Terraform vs CI pipeline)
- Add CI/CD pipeline Mermaid flowchart showing Workload Identity auth, image build/push, and deploy steps with secret injection
- Add Terraform to technology stack table
Also remove overly broad github_actions_secret_accessor IAM binding from terraform/iam.tf — the GitHub Actions SA never reads secret values directly; Cloud Run reads them at startup using the Cloud Run SA identity.
https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m
feat: harden Cloud Run security with Secret Manager, VPC connector, and private backend
* fix: align database.tf backup config with actual Cloud SQL instance state
Backup was disabled on the real instance; syncing so terraform plan is clean with no spurious diff on next apply.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: reorganize README into focused docs/ files
README trimmed to a lean landing page. Detailed content moved to:
- docs/ARCHITECTURE.md (BFF pattern, ReAct agent, security model)
- docs/INFRASTRUCTURE.md (Cloud topology, Terraform, Secret Manager, CI/CD)
- docs/AZURE_SETUP.md (Entra ID registration, Cosmos DB, frontend config)
- docs/DEVELOPMENT.md (local setup, testing, code style)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
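The commit messages above describe the deploy-time contract for the private backend: secrets arrive through --set-secrets rather than GitHub Secrets or build args, ingress is internal, traffic to Cloud SQL goes over the VPC connector, and the service runs as the dedicated Cloud Run SA. The following is an added example, not the project's CI workflow or any code from this PR: a POSIX shell wrapper around `gcloud run deploy` that assembles those flags and refuses to run if a change would weaken them (public ingress, or a sensitive value passed as a plain env var, which would land in workflow logs and the revision spec). The service name `backend`, connector name `serverless-connector`, secret ids `azure-client-secret`, `gemini-api-key` and `db-password`, and the `CLOUD_RUN_SA_NAME` default are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's own CI code): wrapper around `gcloud run deploy`
# for the private backend. Assumed names: service "backend", connector
# "serverless-connector", secret ids "azure-client-secret", "gemini-api-key",
# "db-password", and CLOUD_RUN_SA_NAME (defaulting to "backend-sa").

# Print the gcloud arguments for the backend deploy, one per line.
# Usage: backend_deploy_args PROJECT_ID REGION IMAGE
backend_deploy_args() {
  project="$1"; region="$2"; image="$3"
  sa_name="${CLOUD_RUN_SA_NAME:-backend-sa}"   # assumed default SA name
  printf '%s\n' \
    "run" "deploy" "backend" \
    "--project=$project" \
    "--region=$region" \
    "--image=$image" \
    "--service-account=${sa_name}@${project}.iam.gserviceaccount.com" \
    "--ingress=internal" \
    "--no-allow-unauthenticated" \
    "--vpc-connector=serverless-connector" \
    "--vpc-egress=private-ranges-only" \
    "--set-secrets=AZURE_CLIENT_SECRET=azure-client-secret:latest,GEMINI_API_KEY=gemini-api-key:latest,DB_PASSWORD=db-password:latest"
}

# Guard: succeed only if the argument list keeps the backend private and sources
# sensitive values from Secret Manager. Rejects a non-internal ingress, a public
# service, or a secret smuggled in via --set-env-vars / --update-env-vars.
# Flags are expected in --flag=value form (the form backend_deploy_args emits).
validate_deploy_args() {
  ingress_ok=0; secrets_ok=0
  for arg in "$@"; do
    case "$arg" in
      --ingress=internal) ingress_ok=1 ;;
      --ingress=*) echo "reject: backend ingress must be internal, got $arg" >&2; return 1 ;;
      --set-secrets=*) secrets_ok=1 ;;
      --allow-unauthenticated) echo "reject: backend must not be public" >&2; return 1 ;;
      --set-env-vars=*|--update-env-vars=*)
        case "$arg" in
          *AZURE_CLIENT_SECRET=*|*GEMINI_API_KEY=*|*DB_PASSWORD=*)
            echo "reject: sensitive value passed as plaintext env var" >&2; return 1 ;;
        esac ;;
    esac
  done
  [ "$ingress_ok" -eq 1 ] && [ "$secrets_ok" -eq 1 ]
}

# Assemble, validate, then run. With DRY_RUN=1 the command is printed instead of
# executed, so the guard can run as an early CI step before any credentials exist.
# Usage: deploy_backend PROJECT_ID REGION IMAGE
deploy_backend() {
  set -- $(backend_deploy_args "$@")   # safe: no generated argument contains whitespace
  validate_deploy_args "$@" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}
```

The point of keeping the guard separate from the argument builder is that it can also be pointed at a hand-edited workflow step: any deploy invocation that drops `--ingress=internal`, adds `--allow-unauthenticated`, or moves a credential from `--set-secrets` to `--set-env-vars` fails before `gcloud` is ever called.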
🎉 This PR is included in version 2.10.1 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary
Promotes all changes from dev to production. Includes the full IaC migration completed in PR #32 plus the follow-up fixes: database.tf backup config with real instance; reorganize README into docs/.
Pre-deploy checklist
- dev branch manually deployed and verified (frontend 200, backend 403 from public internet)
Test plan
- /api/health returns 200 through nginx proxy
🤖 Generated with Claude Code