The Cloud Resume Challenge
Azure Infrastructure Case Study
This page provides a comprehensive technical overview of my implementation of The Cloud Resume Challenge, a hands-on initiative designed by Forrest Brazeal to demonstrate production-ready cloud proficiency. It highlights the architectural trade-offs, security controls, and automation used to run a personal portfolio website with the operational standards of enterprise infrastructure.
The complete source code, deployment workflows, and Terraform modules are in the public GitHub Repository.
The Motivation & Strategy
I wanted to dive headfirst into the Azure ecosystem to expand my multi-cloud competency, building on my existing working experience with AWS and GCP. While the vast majority of candidates complete this challenge using AWS, I chose to implement the process within Azure.
While I had conversational AI tools available to review my work, I explicitly chose not to use any agentic AI tooling for this project. I wanted to personally experience the raw process of building the development environment by hand and then automating the production deployment through Terraform and GitHub Actions.
Architecture & Governance
- Cost Control & Guardrails: Provisioned an Azure budget with automated alerts on both actual and forecasted spending trends to eliminate run-away consumption costs.
- Environment Isolation: Split the project architecture into three distinct Resource Groups to isolate resource lifecycles:
  - rg-cloudresume-dev: Initially used for POC and ClickOps verification.
  - rg-cloudresume-prod: Reserved for automated Terraform deployments.
  - rg-cloudresume-tfstate: Reserved for Terraform state files.
- Enterprise Tagging: Applied resource tags (owner, env, project, cost_center) to every resource to emulate the tagging expected in an enterprise environment.
- Routing: Shifted routing to Cloudflare to bypass Azure CDN pricing requirements, manage DNS records, and handle custom routing behavior.
- IAM: Configured an App Registration in Microsoft Entra ID with OpenID Connect (OIDC) Federated Trust to execute secure, passwordless workflows.
Serverless Backend & API
- Provisioned an Azure Cosmos DB for NoSQL account running in serverless capacity mode.
- Restricted the database firewall to accept only connections originating from Azure datacenter IP ranges.
- Stored the database connection string in the Function App's environment variables, read at runtime rather than embedded in code.
- Provisioned a Windows-hosted Azure Function App on the PowerShell 7.4 runtime.
- Built an HTTP Trigger function that reads the stored item from the database before its logic runs and writes the updated state back immediately afterwards.
- Constructed a local Pester unit test to automate verification of the HTTP Trigger function.
CORS Policy & Troubleshooting
- Diagnosed CORS errors and resolved them at the Azure platform layer.
- Configured the platform CORS policy on the Function App to explicitly whitelist https://bradtoulson.com as the only allowed origin.
CD Pipeline Automation & IaC
- Configured a Microsoft Entra ID app registration with OIDC federation so GitHub Actions authenticates with short-lived tokens instead of stored deployment secrets.
- Wrote GitHub Actions continuous deployment workflows triggered on every commit and incoming pull request.
- Stored Terraform state in a separate Azure resource group and dedicated Storage Account. This ensures the state remains intact even if an entire dev/prod resource group is purged during dev iterations.
- Implemented an ignore_changes lifecycle policy for a resource that received a platform-generated tag on deployment, so that tag no longer shows up as drift on every Terraform plan.
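The pieces above come together in a single Function App declaration. The following Terraform is an added example written for this page, not code from the project's repository; the resource names (azurerm_resource_group.prod, azurerm_service_plan.consumption, azurerm_storage_account.func, azurerm_cosmosdb_account.db, local.tags), the storage account placeholder and the exact platform tag key are assumptions.

```hcl
terraform {
  backend "azurerm" {
    # State lives in its own resource group, so destroying rg-cloudresume-prod
    # never takes the state file with it.
    resource_group_name  = "rg-cloudresume-tfstate"
    storage_account_name = "<tfstate-storage-account>" # placeholder, not the project's name
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_oidc             = true # GitHub's OIDC token is exchanged for access; no stored key
  }
}

resource "azurerm_windows_function_app" "api" {
  name                       = "func-cloudresume-prod" # assumed name
  resource_group_name        = azurerm_resource_group.prod.name # rg-cloudresume-prod
  location                   = azurerm_resource_group.prod.location
  service_plan_id            = azurerm_service_plan.consumption.id
  storage_account_name       = azurerm_storage_account.func.name
  storage_account_access_key = azurerm_storage_account.func.primary_access_key
  https_only                 = true

  site_config {
    application_stack {
      powershell_core_version = "7.4"
    }
    cors {
      # Only the site itself may call the API from a browser; no wildcard origin.
      allowed_origins     = ["https://bradtoulson.com"]
      support_credentials = false
    }
  }

  # The connection string is read from the Cosmos DB resource at apply time and
  # surfaces to the function as an environment variable; it is never committed.
  app_settings = {
    "COSMOS_CONNECTION_STRING" = azurerm_cosmosdb_account.db.primary_sql_connection_string
  }

  # owner, env, project and cost_center, defined once in locals (assumed).
  tags = local.tags

  lifecycle {
    # Azure writes its own tag onto the app after deployment. Without this,
    # every plan would try to strip it and report drift on a healthy resource.
    ignore_changes = [tags["hidden-link: /app-insights-resource-id"]]
  }
}
```

Run `terraform plan` twice after an apply: the second plan should report no changes, which is the check that the ignore_changes entry matches the tag the platform actually writes.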