
How this site actually works

Every box in the diagram below is a real, running resource. The sections that follow walk through traffic, deploys, monitoring, and identity one story at a time.

Diagram components (labels recovered from the interactive view; boxes are grouped as azure · rg-portfolio, azure · rg-portfolio-status, and github):

Visitor browser · any device
DNS · colinshanahan.dev · ALIAS + CNAME
Azure Static Web Apps · index.html, status.html · free tier · managed SSL · global edge
Blob Storage · stcolinshanahanresume · resume container · public read
Availability test · 3 US regions · every 5 min
Application Insights + Log Analytics · availabilityResults · 30-day retention
Azure Function · /api/status · Node 20 · managed identity · 60s cache
Deploy identities · id-github-portfolio-deploy → blob writer only · id-github-status-deploy → rg-status only · least privilege · no secrets
Developer · VS Code · Terraform · git
Repos (public) · colinshanahan.dev-portfolio, portfolio-status · site + resume + IaC + api · the code IS the exhibit
GitHub Actions · deploy workflows · zero stored cloud secrets
Entra ID · token issuer

Flows shown between the boxes:

apex + www · https → index.html · status.html
resume download (public blob)
fetch /api/status (CORS)
git push → deploy site (SWA token) · publish resume (OIDC) · deploy api (OIDC)
OIDC token exchange · federated credentials · repo:main only
HTTPS ping · 5 min · SSL check → results
KQL via queryResource (managed identity)
deploy history (REST)
terraform apply (provisions everything in both RGs)
visitor traffic

DNS (apex + www) resolves to Azure Static Web Apps, which serves the site from a global edge with managed SSL. The resume downloads straight from public-read Blob Storage, and the status page calls the Function API cross-origin — CORS locked to this domain.

ci/cd

A git push triggers GitHub Actions, which exchanges a short-lived OIDC token with Entra ID for access — no cloud credentials are stored anywhere. Each workflow deploys its own piece: site to SWA, resume to Blob, API to the Function.

monitoring

An Application Insights availability test pings the site every 5 minutes from three US regions, validating the response and the SSL certificate. Results land in the telemetry store — the monitoring caught a real unbound-apex-domain defect on day one.

identity & queries

The Function reads telemetry as itself: a system-assigned managed identity with read-only rights on one resource, querying with KQL. Deploy identities are federated to exact repo + branch and scoped to the minimum they deploy. Zero keys, zero rotation.
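The deploy-identity pattern described above, written out as an added Terraform example (not this site's own IaC): one user-assigned identity, a federated credential that only accepts GitHub OIDC tokens for the main branch of one repo, and a data-plane role on a single blob container. The resource group, storage account and container resources (azurerm_resource_group.portfolio, azurerm_storage_account.resume, azurerm_storage_container.resume) and the OWNER placeholder in the repo name are assumptions.

```terraform
# Added example, not the site's Terraform. Assumes azurerm_resource_group.portfolio,
# azurerm_storage_account.resume and azurerm_storage_container.resume exist elsewhere.
variable "github_repo" {
  description = "owner/repo allowed to assume this identity (OWNER is a placeholder)"
  default     = "OWNER/colinshanahan.dev-portfolio"
}

resource "azurerm_user_assigned_identity" "resume_deploy" {
  name                = "id-github-portfolio-deploy"
  location            = azurerm_resource_group.portfolio.location
  resource_group_name = azurerm_resource_group.portfolio.name
}

# Federated credential: Entra ID exchanges a GitHub OIDC token for this identity
# only when the token's subject is exactly this repo on exactly refs/heads/main.
# A PR branch, a tag, or a fork carries a different subject and is refused.
resource "azurerm_federated_identity_credential" "github_main" {
  name                = "github-main"
  resource_group_name = azurerm_resource_group.portfolio.name
  parent_id           = azurerm_user_assigned_identity.resume_deploy.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = "repo:${var.github_repo}:ref:refs/heads/main"
}

# Least privilege: blob data access on one container, not the whole account or
# resource group. The identity cannot touch account keys, networking, or other
# containers; it can only read, write and delete blobs in "resume".
resource "azurerm_role_assignment" "resume_blob_writer" {
  scope                = "${azurerm_storage_account.resume.id}/blobServices/default/containers/${azurerm_storage_container.resume.name}"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.resume_deploy.principal_id
}

# The workflow needs client-id and tenant-id for azure/login; these are
# identifiers, not secrets, so nothing sensitive is stored in GitHub.
output "deploy_client_id" {
  value = azurerm_user_assigned_identity.resume_deploy.client_id
}
```

Changing the subject to `repo:${var.github_repo}:environment:production` would bind the token to a protected GitHub environment instead of a branch; either way, there is no client secret to leak or rotate.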

provisioned by terraform · deployed by github actions (oidc) · monitored by itself (links: site source · status source · live status)