This document defines the Azure reference topology for meeting-action-extractor.
- Web: Azure Static Web Apps (SPA hosting)
- API: Azure App Service (Linux)
- Worker: Azure Functions (Linux)
- Storage: Azure Cosmos DB for NoSQL
- Secrets: Azure Key Vault
- Identity: User-assigned Managed Identities for API and Worker
- Observability: Application Insights + Log Analytics
Database: meeting_action_extractor
Containers (partition key /tenantId):
- notes
- jobs
- tasks
- audit
- memberships
- users
Design notes:
- Co-locate tenant data by partition key for query efficiency
- Keep the idempotency key and processing metadata in jobs
- Keep the audit trail as immutable-style appends in audit
- No credentials stored in repository
- No plaintext connection strings in app settings
- Use Key Vault secret references when a secret is required
Managed identities:
- api-mi (user-assigned identity) attached to the API App Service
- worker-mi (user-assigned identity) attached to the Function App
RBAC assignments:
- api-mi -> Key Vault secrets read (Key Vault Secrets User)
- worker-mi -> Key Vault secrets read (Key Vault Secrets User)
- api-mi and worker-mi -> Cosmos DB data access role (documented equivalent in IaC)
API app settings (examples):
- COSMOS_ACCOUNT_ENDPOINT
- COSMOS_DATABASE_NAME
- KEY_VAULT_URI
- AZURE_CLIENT_ID (API identity client id)
- APPLICATIONINSIGHTS_CONNECTION_STRING
Worker app settings (examples):
- COSMOS_ACCOUNT_ENDPOINT
- COSMOS_DATABASE_NAME
- KEY_VAULT_URI
- AZURE_CLIENT_ID (Worker identity client id)
- AzureWebJobsStorage via Key Vault reference
- APPLICATIONINSIGHTS_CONNECTION_STRING
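As an added example (not the project's own code), a startup guard that enforces the settings rules above for either role before any Azure client is built: every listed setting is present, no setting embeds a plaintext credential, and the Worker's AzureWebJobsStorage is a Key Vault reference rather than a storage connection string. The Key Vault reference syntax is the one App Service and Functions resolve; the account, vault and identity values used in the checks are constructed.

```typescript
// Added example, not from the meeting-action-extractor repository.
type Role = "api" | "worker";

const COMMON = ["COSMOS_ACCOUNT_ENDPOINT", "COSMOS_DATABASE_NAME", "KEY_VAULT_URI",
  "AZURE_CLIENT_ID", "APPLICATIONINSIGHTS_CONNECTION_STRING"];
const REQUIRED: Record<Role, string[]> = {
  api: COMMON,
  worker: [...COMMON, "AzureWebJobsStorage"],
};

// Both forms App Service / Functions resolve from Key Vault using the app's managed identity.
const KEY_VAULT_REFERENCE =
  /^@Microsoft\.KeyVault\((SecretUri=https:\/\/[^)]+|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^)]+)?)\)$/;
// key=value markers that mean a credential is embedded in the value (storage, Cosmos, SQL).
const PLAINTEXT_CREDENTIAL = /(^|;)\s*(AccountKey|SharedAccessSignature|SharedAccessKey|Password|Pwd)\s*=/i;
// AZURE_CLIENT_ID is what DefaultAzureCredential reads to pick the user-assigned identity.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isKeyVaultReference(value: string): boolean {
  return KEY_VAULT_REFERENCE.test(value);
}

// Returns the list of violations; an empty list means the settings are acceptable.
function validateAppSettings(role: Role, env: Record<string, string | undefined>): string[] {
  const errors: string[] = [];
  for (const name of REQUIRED[role]) {
    if (!env[name]) errors.push(`missing required setting ${name}`);
  }
  // No plaintext connection strings or keys anywhere in app settings (rule above).
  for (const [name, value] of Object.entries(env)) {
    if (!value || isKeyVaultReference(value)) continue;
    if (PLAINTEXT_CREDENTIAL.test(value)) errors.push(`setting ${name} embeds a plaintext credential`);
  }
  // Endpoints are bare https URLs; a Cosmos connection string pasted here fails this too.
  for (const name of ["COSMOS_ACCOUNT_ENDPOINT", "KEY_VAULT_URI"]) {
    const v = env[name];
    if (v && !/^https:\/\//.test(v)) errors.push(`setting ${name} must be an https URL`);
  }
  if (env.AZURE_CLIENT_ID && !GUID.test(env.AZURE_CLIENT_ID)) {
    errors.push("AZURE_CLIENT_ID must be the client id (GUID) of the user-assigned identity");
  }
  const storage = env.AzureWebJobsStorage;
  if (role === "worker" && storage && !isKeyVaultReference(storage)) {
    errors.push("AzureWebJobsStorage must be a Key Vault reference, not a connection string");
  }
  return errors;
}
```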
- Pull request pipeline:
  - pnpm lint
  - pnpm typecheck
  - pnpm test
- Main branch deployment pipeline (future):
  - Provision/update infra via IaC
  - Deploy API and Worker
  - Deploy Web static assets
  - Run post-deploy smoke checks
Scaling:
- API: scale out by App Service instance count
- Worker: scale by Function concurrency and plan settings
- Cosmos DB: scale RU/s based on partition heat; isolate large tenants when needed
Azure reference artifacts do not alter Local Mode behavior. Local demo/test workflow remains cloud-independent.