SafeArmour
Blue-green deploys with canary smoke. New revision lands at weight=0 with a canary hostname behind Cloudflare Access, smoke runs against canary-safearmour.netlco.com, then atomic swap.
Azure cloud
Container Apps, Managed Identity, Postgres, Key Vault, Cloudflare. Zero secrets in code, principle-of-least-privilege by default, infrastructure that survives a fresh laptop.
What we deliver
Multi-revision deployments with blue-green or canary labels. Scale-to-zero by default, with WAF and Cloudflare in front. Atomic traffic swaps, customer impact window of zero seconds.
No client secrets in env vars. Postgres, Key Vault, and Storage all authenticated via DefaultAzureCredential. Token refresh handled by the singleton pool.
Private-endpoint-only flex servers with Entra ID auth, per-app database, password fallback for local Docker dev. Atlas migrations apply identically locally and in prod.
Single Key Vault per environment, RBAC instead of access policies, secret refs in Container App definitions. Rotation is a deliberate operational step, not a side effect.
Zone, tunnel, WAF rules, transform headers, Access service tokens for canary smoke. Cloudflare edge talks to ACA over a private tunnel.
Per-app stacks reading from foundation, platform, and global remote state. Plan, review, apply gated. Never destroy in anger.
Where this lives in our work
Postgres with Managed Identity. No DATABASE_URL in prod. Token refresh handled in the pg pool with a five-minute safety margin.
The Terraform stack you would inherit on day one is the same one running this site. Modules at infrastructure/terraform/modules, stacks at infrastructure/terraform/stacks.
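The Managed Identity Postgres pool described above, as an added example that is not SafeArmour's own code: a singleton node-postgres pool whose password is an Entra ID access token from DefaultAzureCredential, cached and refreshed five minutes before expiry, with the plain-password fallback for local Docker dev. The token scope, the PG* environment variable names and the injected credential and clock parameters are assumptions.

```javascript
// Added example (not SafeArmour's code): a singleton node-postgres pool
// authenticated with an Entra ID token instead of a static password.
// pg accepts `password` as an async function, so the pool asks for a
// token on every new connection; we cache it and refresh early.
const ENTRA_PG_SCOPE = 'https://ossrdbms-aad.database.windows.net/.default';
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // five-minute safety margin

// credential: anything with getToken(scope) -> { token, expiresOnTimestamp }
// (DefaultAzureCredential in prod, a fake in tests). now: clock in ms.
function createTokenProvider(credential, now = () => Date.now()) {
  let cached = null;   // last AccessToken returned by the credential
  let inflight = null; // dedupes concurrent refreshes at pool warm-up
  return async function getPassword() {
    if (cached && cached.expiresOnTimestamp - now() > REFRESH_MARGIN_MS) {
      return cached.token; // still valid for longer than the margin
    }
    if (!inflight) {
      inflight = credential
        .getToken(ENTRA_PG_SCOPE)
        .then((t) => { cached = t; return t.token; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}

// Prod: no password in the environment, token provider instead
// (PGUSER is the managed identity's name). Local Docker dev: PGPASSWORD
// set, plain password, no TLS.
function buildPoolConfig(env, credential, now) {
  const base = { host: env.PGHOST, user: env.PGUSER, database: env.PGDATABASE };
  if (env.PGPASSWORD) {
    return { ...base, password: env.PGPASSWORD, ssl: false };
  }
  return {
    ...base,
    password: createTokenProvider(credential, now),
    ssl: { rejectUnauthorized: true }, // flexible server enforces TLS
  };
}

let pool = null; // process-wide singleton
function getPool(env = process.env) {
  if (!pool) {
    const { Pool } = require('pg');                                // assumed installed
    const { DefaultAzureCredential } = require('@azure/identity'); // assumed installed
    pool = new Pool(buildPoolConfig(env, new DefaultAzureCredential()));
  }
  return pool;
}
```

Because the token is fetched per new connection rather than per query, a long-lived pool keeps working across token expiry without restarting the app.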
Terraform-only, Managed Identity-first, blue-green-capable. Tell us the workload and we respond within one working day with a plan.