Platform Engineering — Self-Service Provisioning

What is this?

This form fires the Provision Infrastructure GitHub Actions workflow on this repository via the repository_dispatch trigger. The workflow then runs the full pipeline: Terraform plan + apply against Azure, GitHub Environments + variables on the application repo, OIDC federated credentials on the platform service principal, and (on first creation) observation of the application's CI workflow.

Everything you fill below maps 1:1 to a workflow input. The page never persists your token; it stays in your browser memory only for the lifetime of the page.

What gets provisioned

Per environment requested, Terraform creates:

Resource group rg-<app>-<env>
Log Analytics workspace + Application Insights
VNet, two subnets (integration + private endpoint), two NSGs, private DNS zone & link, VNet flow logs (90-day retention) + dedicated storage account
User-assigned managed identity
App Service Plan (P0v3 dev / P1v3 staging / P2v3 prod, zone-redundant in prod)
Linux Web App (container) with HTTPS-only, TLS 1.3, FTP disabled, end-to-end TLS encryption, health check on /health
Staging deployment slot (staging + prod environments)
Private endpoint for inbound traffic (public endpoint also open in dev only, for runner smoke tests)
Autoscale rules (1–3 staging, 3–10 prod)
Diagnostic settings on Web App and App Service Plan

And on the app repo side (first run): the repo from the template, environments + variables, the OIDC fed-cred per env, and a tracking issue summarising the run.

Configuration applied

Security: HTTPS-only, TLS 1.3 minimum, FTP disabled, public network access disabled for staging/prod, end-to-end encryption inside App Service, managed-identity auth for ACR pull.
Compliance (Checkov): all CKV_AZURE_* checks pass; per-env strictness via .checkov.yaml (prod) and .checkov.nonprod.yaml (dev/staging).
Resilience: prod is zone-redundant with a 3-instance worker baseline; staging + prod have deployment slots for zero-downtime swaps.
Observability: diagnostic settings stream all categories to Log Analytics; Application Insights wired via app settings.
State: Terraform state in an Azure Storage Account per app, AAD-only auth (no shared keys), OIDC for the backend.

Request parameters

Environment * Which environment(s) to provision/reconcile in this run.

Required.

Application name * 3–22 chars, lowercase + digits + hyphens, no leading/trailing hyphen.

Must match ^[a-z0-9][a-z0-9-]{1,20}[a-z0-9]$.

Azure Subscription ID * GUID, 8-4-4-4-12 hex.

Must be a GUID.

Azure Client ID (SP) * Application (client) ID of the platform service principal.

Must be a GUID.

Azure Tenant ID * Entra tenant GUID.

Must be a GUID.

Template repo * Source for the new application repo. owner/name.

Format must be owner/name.

Container image (optional) Ignored on reconcile runs. Default placeholder used if blank.

Container registry URL (optional) Leave empty for public images / GHCR.

CI workflow file (optional) Filename inside the application repo. Default ci.yml.

Event type Both are accepted by the workflow's repository_dispatch trigger.

Platform repo * This repo (auto-detected from the page URL).

Format must be owner/name.

GitHub token * Fine-grained PAT with Contents: write on this repo (or classic repo scope). Kept in browser memory only.

Required.

Preview — equivalent `curl`

# Fill the form above to see the curl preview

What is this?

What gets provisioned

Configuration applied

Request parameters

Preview — equivalent curl

Preview — equivalent `curl`