What is this?
This form fires the Provision Infrastructure GitHub Actions workflow on this repository
via the repository_dispatch trigger. The workflow runs the full pipeline:
Terraform plan + apply against Azure, and — when an Application template repo is
provided — GitHub Environments + variables on the application repo, OIDC federated credentials on
the platform service principal, and (on first creation) observation of the application's CI workflow.
Leave Application template repo empty to run in infra-only mode: only Azure resources are provisioned; no application repository is created or configured. Useful for Landing Zones and foundational platform components.
Everything you fill below maps 1:1 to a workflow input. The page never persists your token; it stays in your browser memory only for the lifetime of the page.
What gets provisioned
Per environment requested, Terraform creates:
- Resource group
rg-<app>-<env> - Log Analytics workspace + Application Insights
- VNet, two subnets (integration + private endpoint), two NSGs, private DNS zone & link, VNet flow logs (90-day retention) + dedicated storage account
- User-assigned managed identity
- App Service Plan (P0v3 dev / P1v3 staging / P2v3 prod, zone-redundant in prod)
- Linux Web App (container) with HTTPS-only, TLS 1.3, FTP disabled, end-to-end TLS encryption, health check on
/health - Staging deployment slot (staging + prod environments)
- Private endpoint for inbound traffic (public endpoint also open in dev only, for runner smoke tests)
- Autoscale rules (1–3 staging, 3–10 prod)
- Diagnostic settings on Web App and App Service Plan
When an application template repo is provided: the app repo from the template, GitHub Environments + variables, the OIDC fed-cred per env, and a tracking issue summarising the run. This phase is skipped when no application template is given.
Configuration applied
- Security: HTTPS-only, TLS 1.3 minimum, FTP disabled, public network access disabled for staging/prod, end-to-end encryption inside App Service, managed-identity auth for ACR pull.
- Compliance (Checkov): all
CKV_AZURE_*checks pass; per-env strictness via.checkov.yaml(prod) and.checkov.nonprod.yaml(dev/staging). - Resilience: prod is zone-redundant with a 3-instance worker baseline; staging + prod have deployment slots for zero-downtime swaps.
- Observability: diagnostic settings stream all categories to Log Analytics; Application Insights wired via app settings.
- State: Terraform state in an Azure Storage Account per app, AAD-only auth (no shared keys), OIDC for the backend.
Request parameters
Preview — equivalent curl
# Fill the form above to see the curl preview