Terraform CloudLab
Production-ready Azure backend API
CloudLab — Azure App Service API
Express on Azure · Terraform · Secure App SettingsInteraction Window
- Health : checks service health.
- Ping : quick reachability test.
- DB Check : verifies database connectivity.
$ connect https://app-mylab-dev-api.azurewebsites.net
Project Summary
- Backend: Node.js Express API with routes for
/api/health,/api/version, and telemetry endpoints for portfolio data. - Hosting: Azure App Service (Windows) managed through an App Service Plan. Environment variables define SQL connections and app secrets.
- Security: CORS allowlist + API key header for sensitive routes. App settings stored in Azure’s configuration, never in code.
- Infrastructure: Deployed via Terraform (AzureRM) — resource groups, plans, and apps are declared as code for full reproducibility.
- Monitoring & Maintenance: Azure Kudu for console access
and live log streaming with
az webapp log tail.
CI/CD AutoForge AI
self-deploying GPT backend built with FastAPI, Docker, and Azure automation
AutoForge — GPT Backend & Azure CI/CD
FastAPI on Azure · GitHub Actions · Service Principal Auth · DockerInteraction Window
$ connect https://autoforge-api-cqhebzf2dwh0cef7.centralus-01.azurewebsites.net
Type a question and hit Send. Requests route Astro → AutoForge API
(FastAPI) → Azure OpenAI.
For security and cost control, this demo is rate-limited to 3 requests per hour per IP.
Token limit is set to 6000, use for Short Reasoning only!
- Backend: FastAPI exposes
/ai/chatfor GPT-style replies. Config via env vars:AZURE_OPENAI_KEY,AZURE_OPENAI_ENDPOINT,AZURE_OPENAI_DEPLOYMENT,AZURE_OPENAI_API_VERSION. - Hosting: Azure App Service (Linux, F1 Free). Oryx auto-builds
from
requirements.txt; custom startup:python -m uvicorn app.main:app --host 0.0.0.0 --port $PORT. - CI/CD: GitHub Actions using Service Principal (token-based)
via
azure/login→azure/webapps-deploy, replacing publish-profile auth. SP is scoped to the resource group. - Local & Cloud Testing with Docker: The app is containerized
for parity between dev and CI. The workflow (
ci.yml) builds the image on every push (viadocker/build-push-action@v6), runs tests in-container (pytest with a mocked AI client), and on main merges can push to GHCR. Reproduce locally:docker build -t autoforge-ai .thendocker run -p 8000:8000 autoforge-ai→ openhttp://localhost:8000. - Security: CORS allowlist (
jeremygallardo.com,localhost:4321), secrets in Azure App Settings + GitHub Secrets. - Astro Integration: The site sends a POST to
/ai/chatwith a messages array, and renders the JSON reply in a chat UI — the terminal above uses the same flow.
BitLocker Enforcement
Hands-off device encryption with audit-ready reporting
Deployment Simulation
Encrypted12
Pending38
Failed 0
Total50
Plays Day 1 → Day 4.
Click Start to simulate Day 1 → Day 4 rollout. Data shown here
mirrors the
daily_counts.csv produced by aggregate.ps1 (Encrypted
/ Pending / Error).
BitLocker Enforcement Pipeline
Automated Device Encryption & ComplianceA fully automated PowerShell-driven system that enforces BitLocker encryption and collects telemetry across all domain-joined Windows computers. It ensures every endpoint is encrypted, recovery keys are securely backed up, and compliance metrics are automatically generated for dashboards.
- Enforcement Script (
Bitlocker-Enforcement.ps1) runs at startup via GPO or a SYSTEM-level task. It checks each drive’s BitLocker state and:- ✅ Encrypted → verifies recovery key exists
- 💤 Suspended → resumes protection
- ❌ Off → enables BitLocker (XTS-AES256, used-space-only)
\\fserver\Data\Chicago\IT\Private_IT\Bitlocker\keys\and telemetry JSON is written to\\fserver\...\telemetry\YYYY-MM\. - Aggregation Script (
aggregate.ps1) runs daily to summarize all telemetry JSONs. It counts Encrypted, Pending, and Error states, then updates adaily_counts.csvfor visualization. - Visualization is rendered above as a 4-day rollout chart. Each day shows system-wide encryption progress: Encrypted, Pending, and Error.
Together, these scripts form a self-healing, policy-driven encryption pipeline that maintains compliance across your Windows fleet while providing transparent encryption telemetry.
# Detect drive state and enable BitLocker if missing
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq 'Off') {
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Backup-BitLockerKeyProtector -MountPoint "C:" -RecoveryKeyPath $keyPath
}
ChatOps Agent
AI that explains failing builds and recommends fixes
ChatOps modal content will go here.