# ⚠️ Welcome to the Brew Bliss Experimental Zone™ ☕️
This repo is where code meets chaos — built live during a demo, powered by GitHub Copilot, caffeine, and good vibes. It’s an eCommerce site for a coffee shop (kind of), but let’s be honest: it hasn’t seen much testing outside of a conference Wi-Fi. Use this as a playground, a learning lab, or a starting point. Just maybe don’t try to run your production business on it… yet.
💡 Need something that actually works? Check out the intentionally vulnerable repo. Yes, it runs. Yes, it deploys to Azure. No, you shouldn't trust it with customer data. It's functional, containerized, and full of "teachable moments."
This repository contains specially prepared materials for demonstration purposes:
- Demo Scenarios: Step-by-step guides for different demo scenarios
- Presenter Notes: Talking points and tips for presenting demos
- Setup Scripts: Scripts to prepare your demo environment
To get started with the demos, see the Demo README.
## Overview

BrewBliss is a modern e-commerce platform for premium coffee sourcing and delivery. This repository contains the application source code and infrastructure as code (IaC) templates for deploying the platform to Microsoft Azure.

The platform is designed with a modular architecture that supports both legacy IaaS and modern PaaS deployment options:

- Shared services:
  - Centralized logging via Azure Log Analytics
  - Secrets management via Azure Key Vault
  - Secure network connectivity options (Bastion, Firewall)
- Legacy (IaaS) workload:
  - Application Gateway for frontend routing
  - Web Server VM for hosting the user interface
  - SQL Server VM for database storage
- Modern (PaaS) workload:
  - App Service for hosting the web frontend
  - App Service for hosting the API backend
  - Azure SQL Database for data storage (customers, orders, products, subscriptions)
    - Configured for Microsoft Entra ID (formerly Azure Active Directory) authentication only
    - The application uses its system-assigned managed identity for database access
    - DBAs must use their Entra ID identity for management operations
  - Application Insights for monitoring and observability
## Infrastructure as Code

The infrastructure is defined using Azure Bicep templates:

- Shared Services Layer (`shared.bicep`):
  - Log Analytics Workspace
  - Azure Key Vault
  - Optional: Azure Bastion Host
  - Optional: Azure Firewall
- Legacy Workload (`legacy-v1.bicep`):
  - Application Gateway
  - Web Server VM
  - SQL Server VM
  - Network Security Groups
- Modern Workload (`modern-v1.bicep`):
  - App Service Plans
  - Web App
  - API App
  - Azure SQL Database
- Monitoring & Cost Management (`monitoring.bicep`):
  - Azure Cost Management Budgets with threshold alerts
  - Resource Health Alerts for service availability
  - Action Groups for centralized notifications
  - Application Insights for application telemetry
  - Customizable monitoring dashboards

### Design Principles

- Modularity: Each resource type has its own reusable module
- Parameterization: Flexible configuration through parameters
- Security: Follows Zero Trust security principles
- Observability: Comprehensive monitoring and logging
- Cost Management: Budget thresholds and cost optimization
- CI/CD Ready: Supports automated deployment pipelines
## Project Structure

```text
├── assets/                      # Project assets (images, documentation)
├── docs/                        # Project documentation
│   ├── architecture-overview.md # Solution architecture documentation
│   ├── deployment-guide.md      # Deployment instructions
│   ├── monitoring-guide.md      # Monitoring and alerting documentation
│   └── security-architecture.md # Security implementation details
├── infra/                       # Infrastructure as Code (Bicep)
│   ├── modules/                 # Reusable Bicep modules
│   │   ├── compute/             # VM-related modules
│   │   ├── database/            # Database-related modules
│   │   ├── kvModules/           # Key Vault-related modules
│   │   ├── logAnalytics/        # Log Analytics modules
│   │   ├── monitoring/          # Monitoring and alerting modules
│   │   ├── network/             # Networking modules
│   │   └── webApps/             # App Service-related modules
│   ├── shared.bicep             # Shared services deployment
│   ├── legacy-v1.bicep          # Legacy IaaS deployment
│   ├── modern-v1.bicep          # Modern PaaS deployment
│   ├── monitoring.bicep         # Monitoring and cost management orchestrator
│   └── main.bicep               # Main deployment orchestrator
├── monitoring/                  # Monitoring templates and dashboards
├── scripts/                     # Deployment scripts
│   └── deployment/              # Deployment scripts including:
│       ├── 5-deploy-database-schema.ps1            # SQL schema deployment
│       └── 7-enable-sql-entra-id-and-grant-api.ps1 # Entra ID auth config
└── src/                         # Application source code
    ├── BrewBliss.App/           # Unified application (frontend + API)
    │   ├── Controllers/         # API endpoints
    │   ├── Models/              # Data models (customers, products, orders)
    │   ├── Services/            # Business logic
    │   └── Data/                # EF Core DbContext for SQL access
    └── database_schema/         # SQL database schema
```
## Prerequisites

- Azure subscription
- Azure CLI installed
- Azure PowerShell Module (Az version 10.0.0 or higher)
- PowerShell 7+ installed
- Bicep CLI installed
## Deployment

The `deploy-infrastructure.ps1` script provides the following capabilities:

- Interactive Credential Collection: Securely prompts for VM and SQL administrator credentials
- Key Vault Integration: Always deploys a Key Vault as part of shared services for secure credential storage
- Template Validation: Validates Bicep templates before deployment
- WhatIf Deployment: Preview changes without deploying resources
- Detailed Logging: Comprehensive console output and deployment summary
- Post-Deployment Verification: Validates resource deployment and provides next steps
- Error Handling: Improved error messages with troubleshooting guidance
- Environment Support: Deployment to dev, test, staging, or production environments
### Parameters

The deployment script accepts the following parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `SubscriptionName` | String | ✅ | - | Name of your Azure subscription (user-friendly alternative to GUID) |
| `Environment` | String | ✅ | - | Environment designation: `dev`, `test`, `staging`, `prod` |
| `Location` | String | ❌ | `swedencentral` | Azure region for deployment |
| `ResourcePrefix` | String | ❌ | `brew` | Prefix for resource naming (2-5 characters) |
| `EnableBastion` | Switch | ❌ | `false` | Deploy Azure Bastion for secure VM access |
| `EnableFirewall` | Switch | ❌ | `false` | Deploy Azure Firewall for network security |
| `EnableLegacy` | Switch | ❌ | `false` | Deploy legacy IaaS architecture |
| `EnableMonitoring` | Switch | ❌ | `false` | Deploy monitoring and cost management |
| `MonthlyBudget` | Integer | ❌ | `1000` | Monthly budget amount for cost alerts |
| `WhatIf` | Switch | ❌ | `false` | Preview changes without deploying |
| `ValidateOnly` | Switch | ❌ | `false` | Validate templates without deploying |

Note: The script uses subscription names instead of GUIDs for better usability. If multiple subscriptions have the same name, the script will list them and use the first one found.
### Deployment Steps

1. Clone the repository:

   ```powershell
   git clone https://github.com/jonathan-vella/brewbliss.git
   cd brewbliss
   ```

2. List your Azure subscriptions to find the correct name:

   ```powershell
   Get-AzSubscription | Select-Object Name, Id
   ```

3. Basic deployment (Key Vault included automatically):

   ```powershell
   .\scripts\deployment\deploy-infrastructure.ps1 `
       -SubscriptionName "<subscription-name>" `
       -Environment "dev"
   ```

4. Full production deployment with all options:

   ```powershell
   .\scripts\deployment\deploy-infrastructure.ps1 `
       -SubscriptionName "<subscription-name>" `
       -Environment "prod" `
       -Location "swedencentral" `
       -ResourcePrefix "brew" `
       -EnableBastion `
       -EnableFirewall `
       -EnableLegacy `
       -EnableMonitoring `
       -MonthlyBudget 2000
   ```

5. Validation and testing options:

   ```powershell
   # Validate templates without deploying
   .\scripts\deployment\deploy-infrastructure.ps1 `
       -SubscriptionName "<subscription-name>" `
       -Environment "test" `
       -ValidateOnly

   # Preview changes without deploying (WhatIf mode)
   .\scripts\deployment\deploy-infrastructure.ps1 `
       -SubscriptionName "<subscription-name>" `
       -Environment "dev" `
       -WhatIf
   ```

Note: The script will prompt you to enter the required administrator credentials:

- VM Administrator Username and Password
- SQL Server Administrator Username and Password

Key Vault is always deployed as part of the shared services infrastructure and is automatically configured for secure credential storage.
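The script's subscription lookup picks the first subscription whose name matches, which is convenient for a demo but means a same-named dev and prod subscription can silently swap. The helper below is an added example, not code from the repository's `deploy-infrastructure.ps1`: it resolves a subscription by display name with the real `Get-AzSubscription` and `Set-AzContext` cmdlets, refuses ambiguous names unless a `-SubscriptionId` is supplied, and rejects subscriptions that are not in the `Enabled` state. The function name, parameter names and the `<subscription-name>` placeholder are assumptions.

```powershell
# Added example, not the repository's deploy-infrastructure.ps1: resolve a
# subscription by display name and stop on ambiguity instead of taking the
# first match. Assumes Az.Accounts is installed and Connect-AzAccount has run.

function Resolve-AzSubscriptionByName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SubscriptionName,

        # Optional subscription id to pick one of several same-named subscriptions.
        [string]$SubscriptionId
    )

    # Display-name match; -eq on strings is case-insensitive in PowerShell.
    $candidates = @(Get-AzSubscription | Where-Object { $_.Name -eq $SubscriptionName })

    if ($candidates.Count -eq 0) {
        throw "No subscription named '$SubscriptionName' is visible to the signed-in account."
    }

    if ($SubscriptionId) {
        $candidates = @($candidates | Where-Object { $_.Id -eq $SubscriptionId })
        if ($candidates.Count -eq 0) {
            throw "No subscription named '$SubscriptionName' has id '$SubscriptionId'."
        }
    }

    if ($candidates.Count -gt 1) {
        # Show every match with its id so the operator chooses explicitly; never guess.
        $listing = ($candidates | ForEach-Object { "  $($_.Name)  $($_.Id)  [$($_.State)]" }) -join "`n"
        throw "Subscription name '$SubscriptionName' is ambiguous; re-run with -SubscriptionId:`n$listing"
    }

    $subscription = $candidates[0]
    if ($subscription.State -ne 'Enabled') {
        throw "Subscription '$($subscription.Name)' ($($subscription.Id)) is '$($subscription.State)', not Enabled."
    }

    # Point the Az context at the resolved subscription so later Az calls target it.
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null
    return $subscription
}

# Usage (placeholder name; take a real one from Get-AzSubscription):
$target = Resolve-AzSubscriptionByName -SubscriptionName '<subscription-name>'
.\scripts\deployment\deploy-infrastructure.ps1 -SubscriptionName $target.Name -Environment 'dev' -WhatIf
```

Running the resolver before the deployment script means an ambiguous or disabled subscription fails fast, before any credentials are prompted for or any resource is created.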
## Security

- Managed identities for service authentication
  - App Services use system-assigned managed identities to access Azure SQL Database
  - No connection strings with credentials are stored in code
- Microsoft Entra ID authentication for database access
  - SQL authentication is disabled for maximum security
  - DBAs must authenticate using their Entra ID credentials
  - The application uses its managed identity for database operations
- Key Vault integration for secrets management
- Network Security Groups for traffic control
- TLS 1.2+ enforcement on all endpoints
- Diagnostics and audit logging
## Monitoring and Cost Management

The platform includes comprehensive monitoring and cost management capabilities:

### Cost Management

- Budget Configuration: Set monthly budget thresholds with configurable alerts
- Email Notifications: Receive notifications when spending reaches defined thresholds (50%, 75%, 90%)
- Subscription Scope: Budget tracking across all project resource groups

### Resource Health

- Service Health Alerts: Automated notifications for Azure service incidents affecting your resources
- Resource Health: Monitoring of individual resources for availability and performance issues

### Application Monitoring

- Application Insights: End-to-end monitoring of application performance and usage
- Custom Dashboards: Pre-configured monitoring dashboards for platform health
- Log Analytics: Centralized log collection and querying
- Metrics Visualization: Real-time performance metrics and trends

For detailed information on monitoring setup and configuration, see the Monitoring Guide.
## Database

The application uses Azure SQL Database with Microsoft Entra ID authentication only:

- SQL Authentication: Disabled for security reasons
- Entra ID Authentication: Required for all database access
  - The application uses its managed identity
  - DBAs must use their Entra ID credentials
  - No password-based access is allowed

### Troubleshooting

If you're having trouble finding data in the database:

- Check Authentication: Ensure you're connecting with Entra ID credentials, not SQL authentication
- Verify Schema Deployment: Run `scripts\deployment\5-deploy-database-schema.ps1` to deploy the schema
- Check Firewall Rules: Your IP must be allowed in the Azure SQL firewall rules
- Run Diagnostics: Use `tests\query-tables.ps1` to verify table existence
- Verify Data Population: The application may need to create initial data

For more detailed SQL queries and database information, refer to `src\database_schema\coffee-schema-with-go.sql`.
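The security and database sections above both come down to one property: the only credential the database accepts is a Microsoft Entra ID token, never a password. The script below is an added example, not the repository's `tests\query-tables.ps1`. It obtains an access token for the Azure SQL audience with `Get-AzAccessToken`, opens a `SqlConnection` using the `AccessToken` property (so the connection string carries no user id or password), reports which principal SQL actually authenticated and which tables exist, and separately checks whether a server firewall rule covers a given client IP with `Get-AzSqlServerFirewallRule`. It maps the two errors that the troubleshooting steps describe (login failed, client IP blocked) to their SQL error numbers. It assumes Az.Accounts and Az.Sql are installed, that `Connect-AzAccount` has run, that `System.Data.SqlClient` is loadable (assumed to ship with PowerShell 7), and that the signed-in principal has been granted access to the database; the server, database, resource group and IP values are placeholders.

```powershell
# Added example, not the repository's tests\query-tables.ps1: verify Entra-only
# access to Azure SQL and separate "no data" into an auth, firewall or schema
# problem. Assumes Az.Accounts + Az.Sql, Connect-AzAccount already run, and
# System.Data.SqlClient loadable (assumed to ship with PowerShell 7).

function Get-SqlEntraAccessToken {
    # Token audience for Azure SQL; valid for a signed-in user or a managed identity.
    $tokenObject = Get-AzAccessToken -ResourceUrl 'https://database.windows.net/'
    # Recent Az.Accounts versions return a SecureString; older ones return plain text.
    if ($tokenObject.Token -is [System.Security.SecureString]) {
        return (ConvertFrom-SecureString -SecureString $tokenObject.Token -AsPlainText)
    }
    return [string]$tokenObject.Token
}

function Test-SqlEntraConnection {
    param(
        [Parameter(Mandatory)][string]$ServerName,    # logical server name, no .database.windows.net
        [Parameter(Mandatory)][string]$DatabaseName
    )
    # No "User ID"/"Password" keys: the bearer token is the only credential.
    $connectionString = "Server=tcp:$ServerName.database.windows.net,1433;Database=$DatabaseName;" +
                        "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
    $connection = [System.Data.SqlClient.SqlConnection]::new($connectionString)
    $connection.AccessToken = Get-SqlEntraAccessToken
    try {
        $connection.Open()
        $command = $connection.CreateCommand()

        # Which principal did SQL authenticate? Expect an Entra UPN or the app's managed identity name.
        $command.CommandText = 'SELECT SUSER_SNAME();'
        $principal = [string]$command.ExecuteScalar()

        # Which tables exist? Zero rows means the schema script has not been run yet.
        $command.CommandText = "SELECT s.name + '.' + t.name FROM sys.tables AS t " +
                               "JOIN sys.schemas AS s ON s.schema_id = t.schema_id ORDER BY 1;"
        $tables = [System.Collections.Generic.List[string]]::new()
        $reader = $command.ExecuteReader()
        while ($reader.Read()) { $tables.Add($reader.GetString(0)) }
        $reader.Close()

        [pscustomobject]@{ Principal = $principal; TableCount = $tables.Count; Tables = $tables }
    }
    catch {
        # Unwrap PowerShell's MethodInvocationException to reach the SqlException.
        $inner = $_.Exception
        while ($inner -and -not ($inner -is [System.Data.SqlClient.SqlException])) { $inner = $inner.InnerException }
        switch ($inner.Number) {
            18456   { throw "Login failed for the signed-in Entra principal: grant it access to '$DatabaseName' (see 7-enable-sql-entra-id-and-grant-api.ps1)." }
            40615   { throw "The Azure SQL server firewall rejected this client's IP address; add a firewall rule, then retry." }
            default { throw }
        }
    }
    finally {
        $connection.Dispose()
    }
}

function Test-SqlFirewallAllowsIp {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$ClientIp
    )
    # IPv4 dotted-quad to an integer so rule ranges can be compared numerically.
    $toInt64 = {
        param([string]$Ip)
        $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    }
    $client   = & $toInt64 $ClientIp
    $rules    = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName
    $matching = @($rules | Where-Object {
        $client -ge (& $toInt64 $_.StartIpAddress) -and $client -le (& $toInt64 $_.EndIpAddress)
    })
    if ($matching.Count -eq 0) {
        Write-Warning "No firewall rule on '$ServerName' covers $ClientIp; expect error 40615 until one is added."
        return $false
    }
    Write-Verbose "Allowed by rule(s): $($matching.FirewallRuleName -join ', ')"
    return $true
}

# Usage with placeholder values:
Test-SqlFirewallAllowsIp -ResourceGroupName '<resource-group>' -ServerName '<sql-server-name>' -ClientIp '<your-public-ip>'
Test-SqlEntraConnection -ServerName '<sql-server-name>' -DatabaseName '<database-name>' | Format-List
```

Run the firewall check first: a missing rule produces error 40615 before authentication is even attempted, so checking it up front avoids misreading a network block as an identity problem. A `Principal` value that is a SQL login rather than an Entra identity, or a `TableCount` of zero, points at the remaining two troubleshooting steps (authentication and schema deployment) respectively.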
## Recent Changes

- Enhanced Deployment Script: Complete overhaul of the infrastructure deployment script with credential prompting, Key Vault creation, and improved error handling
- Streamlined JSON Management: Removed unnecessary JSON template files to simplify repository management
- Enhanced Monitoring: Added comprehensive monitoring solution with cost management, resource health alerts, and centralized notifications
- Dashboard Templates: Added customizable monitoring dashboards
- Deployment Improvements: Fixed path issues in deployment scripts for reliable infrastructure provisioning
- Documentation Updates: Updated README with detailed deployment instructions and improved monitoring guide
- Database Security: Implemented Entra ID-only authentication for Azure SQL Database

For complete details on recent changes, please refer to the commit history.
## Contributing

This repository is primarily for demonstration purposes. However, if you have improvements to suggest:

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
## Cleaning Up a Fork

For anyone forking or cloning this demo repository, here are some recommended clean-up steps:

1. Remove build artifacts:
   - Delete any `bin/` and `obj/` folders
   - Remove any compiled outputs
2. Clear sensitive data:
   - Check for and remove any cached credentials
   - Regenerate any demo secrets if needed
3. Remove demo-specific files if not needed:
   - Presenter notes
   - Demo scripts that aren't relevant to your use case
## License

This project is licensed under the MIT License - see the LICENSE file for details.