Infrastructure audit (2026-04-01)
This page is a historical audit snapshot. For current PostgreSQL configuration (servers, credentials, ORM, rotation), see PostgreSQL configuration.
Generated: 2026-04-01
Purpose: Pre-migration reconnaissance for RG restructuring
Audited by: Claude (automated, read-only)
Archived: 2026-04-13 into docs/internal/docs/infrastructure/ from an untracked file in a throwaway worktree. Content is preserved verbatim (other than the H1 case fix and this archival note) for point-in-time accuracy. Any divergence from current infra state is expected.
Quick reference (fill these into RG_Migration_Guide.md)
| Placeholder | Value |
|---|---|
| `<SUB_ID>` | dae5d10c-2ab5-4b04-8201-ed5e6ba3400e |
| `<K8S_VERSION>` | 1.32 (current: 1.32.11) |
| `<NODE_COUNT>` | 2 |
| `<VM_SIZE>` | Standard_D2s_v6 |
| `<STORAGE_ACCOUNT_NAME>` | aucertdev41e0x5 |
| `<INTERNAL_PG_NAME>` | aucertdev-internal-pg-41e0x5 |
| `<INTERNAL_PG_FQDN>` | aucertdev-internal-pg-41e0x5.postgres.database.azure.com |
| `<PRODUCT_PG_NAME>` | aucertdev-pg-41e0x5 |
| `<PRODUCT_PG_FQDN>` | aucertdev-pg-41e0x5.postgres.database.azure.com |
| `<REDIS_NAME>` | aucertdev-redis-41e0x5 |
| `<TF_STATE_STORAGE>` | aucerttfstate (in aucert-tfstate-rg) |
| `<ACR_NAME>` | aucertacr41e0x5 |
| `<ACR_LOGIN_SERVER>` | aucertacr41e0x5.azurecr.io |
| `<KEY_VAULT_NAME>` | aucertdev-kv-41e0x5 |
| `<KEY_VAULT_URI>` | https://aucertdev-kv-41e0x5.vault.azure.net/ |
| `<VNET_NAME>` | aucertdev-vnet |
| `<AKS_CLUSTER_NAME>` | aucertdev-aks |
| `<AKS_FQDN>` | aucertdev-57u0wp2m.hcp.westus.azmk8s.io |
| `<NODE_RESOURCE_GROUP>` | MC_aucert-dev-rg_aucertdev-aks_westus |
| `<AKS_IDENTITY_PRINCIPAL_ID>` | f4840d67-a0d2-443f-9b93-5593288af641 |
| `<TENANT_ID>` | 0cd61d9a-5d63-4b96-9755-10896a905fe9 |
| `<OIDC_ISSUER_URL>` | https://westus.oic.prod-aks.azure.com/0cd61d9a-5d63-4b96-9755-10896a905fe9/0697e01e-470d-40d0-90dc-79237b488935/ |
| `<RANDOM_SUFFIX>` | 41e0x5 |
Resource classification
| # | Resource | Name | Type | Classification | Resource ID |
|---|---|---|---|---|---|
| 1 | VNet | aucertdev-vnet | Microsoft.Network/virtualNetworks | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/virtualNetworks/aucertdev-vnet |
| 2 | AKS Cluster | aucertdev-aks | Microsoft.ContainerService/managedClusters | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.ContainerService/managedClusters/aucertdev-aks |
| 3 | ACR | aucertacr41e0x5 | Microsoft.ContainerRegistry/registries | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.ContainerRegistry/registries/aucertacr41e0x5 |
| 4 | Key Vault | aucertdev-kv-41e0x5 | Microsoft.KeyVault/vaults | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.KeyVault/vaults/aucertdev-kv-41e0x5 |
| 5 | Storage Account | aucertdev41e0x5 | Microsoft.Storage/storageAccounts | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Storage/storageAccounts/aucertdev41e0x5 |
| 6 | Internal PG Server | aucertdev-internal-pg-41e0x5 | Microsoft.DBforPostgreSQL/flexibleServers | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/aucertdev-internal-pg-41e0x5 |
| 7 | Private DNS Zone (product PG) | aucertdev.postgres.database.azure.com | Microsoft.Network/privateDnsZones | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/aucertdev.postgres.database.azure.com |
| 8 | DNS VNet Link (product PG) | postgres-dns-link | Microsoft.Network/privateDnsZones/virtualNetworkLinks | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/aucertdev.postgres.database.azure.com/virtualNetworkLinks/postgres-dns-link |
| 9 | Private DNS Zone (internal PG) | aucert-internal.postgres.database.azure.com | Microsoft.Network/privateDnsZones | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/aucert-internal.postgres.database.azure.com |
| 10 | DNS VNet Link (internal PG) | internal-postgres-dns-link | Microsoft.Network/privateDnsZones/virtualNetworkLinks | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/aucert-internal.postgres.database.azure.com/virtualNetworkLinks/internal-postgres-dns-link |
| 11 | Private DNS Zone (Redis) | privatelink.redis.cache.windows.net | Microsoft.Network/privateDnsZones | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net |
| 12 | DNS VNet Link (Redis) | redis-dns-link | Microsoft.Network/privateDnsZones/virtualNetworkLinks | Foundation | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net/virtualNetworkLinks/redis-dns-link |
| 13 | Product PG Server | aucertdev-pg-41e0x5 | Microsoft.DBforPostgreSQL/flexibleServers | Dev-only | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/aucertdev-pg-41e0x5 |
| 14 | Redis Cache | aucertdev-redis-41e0x5 | Microsoft.Cache/Redis | Dev-only | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Cache/redis/aucertdev-redis-41e0x5 |
| 15 | Redis Private Endpoint | aucertdev-redis-pe-41e0x5 | Microsoft.Network/privateEndpoints | Dev-only | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/privateEndpoints/aucertdev-redis-pe-41e0x5 |
| 16 | Redis PE NIC | aucertdev-redis-pe-41e0x5.nic.8c4aa9ca-3217-4251-ad6e-095dc9c36a32 | Microsoft.Network/networkInterfaces | Dev-only | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/networkInterfaces/aucertdev-redis-pe-41e0x5.nic.8c4aa9ca-3217-4251-ad6e-095dc9c36a32 |
Classification notes:
- The Redis private endpoint (#15) and its NIC (#16) are tied to the Redis cache resource. If Redis moves, these must move with it.
- The Redis private DNS zone (#11) and VNet link (#12) are shared networking infrastructure — classified as Foundation even though they serve the dev-only Redis. If production gets a dedicated Redis, this DNS zone will serve both.
- The product PG private DNS zone (#7) is Foundation because staging will share the same PG server and DNS zone.
- No user-assigned managed identities found — AKS uses SystemAssigned identity.
Terraform state mapping
Foundation tier (foundation.terraform.tfstate)
| Terraform Address | Azure Resource Name | Azure Resource ID |
|---|---|---|
| azurerm_resource_group.main | aucert-dev-rg | /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg |
| azurerm_virtual_network.main | aucertdev-vnet | .../Microsoft.Network/virtualNetworks/aucertdev-vnet |
| azurerm_subnet.aks | aks-subnet | .../virtualNetworks/aucertdev-vnet/subnets/aks-subnet |
| azurerm_subnet.postgres | postgres-subnet | .../virtualNetworks/aucertdev-vnet/subnets/postgres-subnet |
| azurerm_subnet.redis | redis-subnet | .../virtualNetworks/aucertdev-vnet/subnets/redis-subnet |
| azurerm_subnet.keyvault | keyvault-subnet | .../virtualNetworks/aucertdev-vnet/subnets/keyvault-subnet |
| azurerm_subnet.internal_platform | internal-platform-subnet | .../virtualNetworks/aucertdev-vnet/subnets/internal-platform-subnet |
| azurerm_kubernetes_cluster.main | aucertdev-aks | .../Microsoft.ContainerService/managedClusters/aucertdev-aks |
| azurerm_postgresql_flexible_server.main | aucertdev-pg-41e0x5 | .../Microsoft.DBforPostgreSQL/flexibleServers/aucertdev-pg-41e0x5 |
| azurerm_postgresql_flexible_server.internal | aucertdev-internal-pg-41e0x5 | .../Microsoft.DBforPostgreSQL/flexibleServers/aucertdev-internal-pg-41e0x5 |
| azurerm_postgresql_flexible_server_database.aucert | aucert (on product PG) | — |
| azurerm_postgresql_flexible_server_database.plane | plane_db (on internal PG) | — |
| azurerm_redis_cache.main | aucertdev-redis-41e0x5 | .../Microsoft.Cache/redis/aucertdev-redis-41e0x5 |
| azurerm_private_endpoint.redis | aucertdev-redis-pe-41e0x5 | .../Microsoft.Network/privateEndpoints/aucertdev-redis-pe-41e0x5 |
| azurerm_container_registry.main | aucertacr41e0x5 | .../Microsoft.ContainerRegistry/registries/aucertacr41e0x5 |
| azurerm_key_vault.main | aucertdev-kv-41e0x5 | .../Microsoft.KeyVault/vaults/aucertdev-kv-41e0x5 |
| azurerm_storage_account.main | aucertdev41e0x5 | .../Microsoft.Storage/storageAccounts/aucertdev41e0x5 |
| azurerm_storage_container.test_artifacts | test-artifacts | — |
| azurerm_storage_container.screenshots | screenshots | — |
| azurerm_private_dns_zone.postgres | aucertdev.postgres.database.azure.com | .../Microsoft.Network/privateDnsZones/aucertdev.postgres.database.azure.com |
| azurerm_private_dns_zone.internal_postgres | aucert-internal.postgres.database.azure.com | .../Microsoft.Network/privateDnsZones/aucert-internal.postgres.database.azure.com |
| azurerm_private_dns_zone.redis | privatelink.redis.cache.windows.net | .../Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net |
| azurerm_private_dns_zone_virtual_network_link.postgres | postgres-dns-link | — |
| azurerm_private_dns_zone_virtual_network_link.internal_postgres | internal-postgres-dns-link | — |
| azurerm_private_dns_zone_virtual_network_link.redis | redis-dns-link | — |
| azurerm_key_vault_secret.pg_password | pg-admin-password | — |
| azurerm_key_vault_secret.pg_connection_string | pg-connection-string | — |
| azurerm_key_vault_secret.internal_pg_password | internal-pg-admin-password | — |
| azurerm_key_vault_secret.internal_pg_connection_string | internal-pg-connection-string | — |
| azurerm_key_vault_secret.redis_primary_key | redis-primary-key | — |
| azurerm_key_vault_secret.redis_connection_string | redis-connection-string | — |
| azurerm_key_vault_secret.storage_key | storage-account-key | — |
| azurerm_role_assignment.aks_acr_pull | AKS → ACR AcrPull | — |
| azurerm_role_assignment.aks_kv_crypto_user | AKS → KV Crypto User | — |
| azurerm_role_assignment.aks_kv_reader | AKS → KV Reader | — |
| azurerm_role_assignment.kv_admin | KV Admin | — |
| azurerm_role_assignment.kv_crypto_officer | KV Crypto Officer | — |
| random_string.suffix | 41e0x5 | — |
| random_password.pg_password | — (sensitive) | — |
| random_password.internal_pg_password | — (sensitive) | — |
| time_sleep.wait_for_rbac | — (timing resource) | — |
| data.azurerm_client_config.current | — (data source) | — |
Internal-platform tier (internal-platform.terraform.tfstate)
| Terraform Address | Azure Resource Name | Notes |
|---|---|---|
| data.terraform_remote_state.foundation | — | References foundation state (read-only) |
| data.azurerm_key_vault.main | aucertdev-kv-41e0x5 | Data source, reads from foundation |
| azurerm_key_vault_key.astra_token_encryption | astra-token-encryption | RSA 2048 key for Astra agent tokens |
| azurerm_postgresql_flexible_server_database.astra | astra_db | On internal PG server |
| azurerm_postgresql_flexible_server_database.internal_shared | internal_shared_db | On internal PG server |
Dev environment tier (env-dev.terraform.tfstate)
Status: Not initialized (terraform init required). No resources tracked.
Files requiring updates
| File | Line(s) | Current Reference | Needed Change |
|---|---|---|---|
| infra/terraform/foundation/variables.tf | 19 | default = "aucert-dev-rg" | Update default to aucert-foundation-rg for foundation resources |
| tools/scripts/astra-deploy.sh | 25 | AKS_RG="aucert-dev-rg" | Update to new RG name if AKS moves |
| tools/scripts/astra-deploy.sh | 26 | AKS_CLUSTER="aucertdev-aks" | Verify cluster name unchanged |
| tools/scripts/setup-dev.sh | 55 | --resource-group aucert-dev-rg --name aucertdev-aks | Update RG reference |
| .github/workflows/deploy-astra.yml | 12 | Comment: aucert-dev-rg | Update comment |
| .github/workflows/deploy-astra.yml | 138 | 'aucert-dev-rg' (fallback) | Update fallback RG value |
| .github/workflows/deploy-astra.yml | 181 | 'aucert-dev-rg' (fallback) | Update fallback RG value |
| infra/.context/CLOUD.md | 4, 23, 26, 42 | Multiple references to aucert-dev-rg, aucertdev-aks, aucertdev-vnet | Update context file post-migration |
| .context/drift/infra-current-state.md | 14, 22, 45 | aucert-dev-rg, aucertdev-vnet, aucertdev-aks | Update or archive drift doc |
| .context/drift/2026-03-24-infra-dev-environment.md | 43-45 | aucert-dev-rg, aucertdev-vnet, aucertdev-aks | Update or archive drift doc |
| infra/k8s/internal-platform/plane/SETUP.md | 10 | --resource-group aucert-dev-rg | Update RG reference |
| infra/terraform/foundation/README.md | 6 | aucert-dev-rg | Update README |
| .init/bootstrap.sh | 396 | aucert-dev-rg | Update bootstrap script |
| infra/terraform/foundation/main.tf | 17 | aucert-tfstate-rg (backend) | No change needed (tfstate RG stays) |
| infra/terraform/internal-platform/main.tf | 19 | aucert-tfstate-rg (backend) | No change needed (tfstate RG stays) |
| infra/terraform/environments/dev/main.tf | 14 | aucert-tfstate-rg (backend) | No change needed (tfstate RG stays) |
Note: No files reference MC_aucert-dev-rg directly — this auto-generated node resource group name will change automatically when/if AKS is recreated in the new RG.
Section 1: Azure account
```json
{
  "id": "dae5d10c-2ab5-4b04-8201-ed5e6ba3400e",
  "name": "Aucert Enterprise",
  "state": "Enabled",
  "tenantId": "0cd61d9a-5d63-4b96-9755-10896a905fe9"
}
```
Section 2: Resource inventory
Table format
```text
Name                                                                    Location
----------------------------------------------------------------------  ----------
aucertdev41e0x5                                                         westus
aucertdev.postgres.database.azure.com                                   global
aucertdev-redis-41e0x5                                                  westus
aucertdev-kv-41e0x5                                                     westus
aucertdev-vnet                                                          westus
aucertacr41e0x5                                                         westus
aucertdev.postgres.database.azure.com/postgres-dns-link                 global
aucertdev-pg-41e0x5                                                     westus
aucertdev-aks                                                           westus
aucert-internal.postgres.database.azure.com                             global
aucert-internal.postgres.database.azure.com/internal-postgres-dns-link  global
aucertdev-internal-pg-41e0x5                                            westus
privatelink.redis.cache.windows.net                                     global
aucertdev-redis-pe-41e0x5                                               westus
privatelink.redis.cache.windows.net/redis-dns-link                      global
aucertdev-redis-pe-41e0x5.nic.8c4aa9ca-3217-4251-ad6e-095dc9c36a32      westus
```
Total: 16 resources in aucert-dev-rg
Resource type breakdown
| Type | Count | Resources |
|---|---|---|
| Microsoft.Network/virtualNetworks | 1 | aucertdev-vnet |
| Microsoft.ContainerService/managedClusters | 1 | aucertdev-aks |
| Microsoft.ContainerRegistry/registries | 1 | aucertacr41e0x5 |
| Microsoft.KeyVault/vaults | 1 | aucertdev-kv-41e0x5 |
| Microsoft.Storage/storageAccounts | 1 | aucertdev41e0x5 |
| Microsoft.DBforPostgreSQL/flexibleServers | 2 | aucertdev-pg-41e0x5, aucertdev-internal-pg-41e0x5 |
| Microsoft.Cache/Redis | 1 | aucertdev-redis-41e0x5 |
| Microsoft.Network/privateDnsZones | 3 | aucertdev.postgres.database.azure.com, aucert-internal.postgres.database.azure.com, privatelink.redis.cache.windows.net |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | 3 | postgres-dns-link, internal-postgres-dns-link, redis-dns-link |
| Microsoft.Network/privateEndpoints | 1 | aucertdev-redis-pe-41e0x5 |
| Microsoft.Network/networkInterfaces | 1 | aucertdev-redis-pe-41e0x5.nic.* |
All resources tagged: environment=dev, managed_by=terraform, project=aucert
Section 3: AKS cluster details
```json
{
  "dnsServiceIP": null,
  "enableRBAC": true,
  "identityPrincipalId": "f4840d67-a0d2-443f-9b93-5593288af641",
  "identityType": "SystemAssigned",
  "kubernetesVersion": "1.32",
  "location": "westus",
  "name": "aucertdev-aks",
  "networkPlugin": "azure",
  "networkPolicy": "none",
  "nodePoolCount": 2,
  "nodePoolMaxPods": 30,
  "nodePoolName": "system",
  "nodePoolOsDiskSizeGB": null,
  "nodePoolSubnetId": "/subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg/providers/Microsoft.Network/virtualNetworks/aucertdev-vnet/subnets/aks-subnet",
  "nodePoolVmSize": "Standard_D2s_v6",
  "nodeResourceGroup": "MC_aucert-dev-rg_aucertdev-aks_westus",
  "podCidr": null,
  "serviceCidr": "10.0.128.0/17",
  "skuTier": "Free"
}
```
Additional details from Terraform state:
- FQDN: aucertdev-57u0wp2m.hcp.westus.azmk8s.io
- DNS prefix: aucertdev
- Current K8s version: 1.32.11
- OIDC issuer enabled: true
- OIDC issuer URL: https://westus.oic.prod-aks.azure.com/0cd61d9a-5d63-4b96-9755-10896a905fe9/0697e01e-470d-40d0-90dc-79237b488935/
- Workload identity enabled: true
- OS disk: 50 GB Managed
- OS SKU: Ubuntu
- Auto-scaling: disabled
- Private cluster: disabled
Section 4: VNet and subnet details
VNet
```json
{
  "addressSpace": ["10.0.0.0/16"],
  "location": "westus",
  "name": "aucertdev-vnet"
}
```
Subnets
```text
Name                      AddressPrefix    PrivateEndpointNetworkPolicies    Delegations
------------------------  ---------------  --------------------------------  -----------------------------------------
keyvault-subnet           10.0.6.0/24      Disabled
aks-subnet                10.0.0.0/22      Disabled
redis-subnet              10.0.5.0/24      Disabled
postgres-subnet           10.0.4.0/24      Disabled                          Microsoft.DBforPostgreSQL/flexibleServers
internal-platform-subnet  10.0.7.0/24      Disabled                          Microsoft.DBforPostgreSQL/flexibleServers
```
Notes:
- `aks-subnet` is /22 (1024 IPs) — large enough for pod networking with Azure CNI
- `postgres-subnet` and `internal-platform-subnet` are delegated to PostgreSQL Flexible Servers
- `redis-subnet` hosts the Redis private endpoint (not delegated)
- `keyvault-subnet` currently unused for private endpoints (Key Vault uses public access)
Section 5: PostgreSQL servers
Server listing
```json
[
  {
    "backupRetention": 7,
    "delegatedSubnetId": ".../subnets/postgres-subnet",
    "fqdn": "aucertdev-pg-41e0x5.postgres.database.azure.com",
    "haEnabled": "Disabled",
    "name": "aucertdev-pg-41e0x5",
    "privateDnsZoneId": ".../privateDnsZones/aucertdev.postgres.database.azure.com",
    "sku": "Standard_B2s",
    "skuTier": "Burstable",
    "state": "Ready",
    "storage": 32,
    "version": "16"
  },
  {
    "backupRetention": 7,
    "delegatedSubnetId": ".../subnets/internal-platform-subnet",
    "fqdn": "aucertdev-internal-pg-41e0x5.postgres.database.azure.com",
    "haEnabled": "Disabled",
    "name": "aucertdev-internal-pg-41e0x5",
    "privateDnsZoneId": ".../privateDnsZones/aucert-internal.postgres.database.azure.com",
    "sku": "Standard_B2s",
    "skuTier": "Burstable",
    "state": "Ready",
    "storage": 32,
    "version": "16"
  }
]
```
Databases on product PG (aucertdev-pg-41e0x5)
```text
Name               Charset    Collation
-----------------  ---------  -----------
azure_maintenance  UTF8       en_US.utf8
postgres           UTF8       en_US.utf8
azure_sys          UTF8       en_US.utf8
aucert             UTF8       en_US.utf8
```
Databases on internal PG (aucertdev-internal-pg-41e0x5)
```text
Name                Charset    Collation
------------------  ---------  -----------
azure_maintenance   UTF8       en_US.utf8
postgres            UTF8       en_US.utf8
azure_sys           UTF8       en_US.utf8
plane_db            UTF8       en_US.utf8
astra_db            UTF8       en_US.utf8
internal_shared_db  UTF8       en_US.utf8
```
Additional TF state details:
- Product PG admin login: `aucertadmin`
- Internal PG admin login: `internaladmin`
- Both: `public_network_access_enabled = false`, `auto_grow_enabled = false`
- Internal PG tagged: `destroyable=false`, `tier=internal-platform`
Section 6: Redis cache
```json
[
  {
    "enableNonSslPort": false,
    "hostName": "aucertdev-redis-41e0x5.redis.cache.windows.net",
    "minimumTlsVersion": "1.2",
    "name": "aucertdev-redis-41e0x5",
    "port": 6379,
    "sku": "Basic",
    "skuCapacity": 0,
    "skuFamily": "C",
    "sslPort": 6380,
    "subnetId": null
  }
]
```
Additional TF state details:
- Redis version: 6.0
- `public_network_access_enabled = false` (accessible only via private endpoint)
- Access keys authentication enabled
Section 7: ACR
```json
{
  "adminUserEnabled": false,
  "loginServer": "aucertacr41e0x5.azurecr.io",
  "name": "aucertacr41e0x5",
  "publicNetworkAccess": "Enabled",
  "sku": "Basic"
}
```
Section 8: Key Vault
Vault properties
```json
{
  "name": "aucertdev-kv-41e0x5",
  "publicNetworkAccess": "Enabled",
  "purgeProtection": null,
  "sku": "standard",
  "softDeleteEnabled": true,
  "softDeleteRetention": 7,
  "uri": "https://aucertdev-kv-41e0x5.vault.azure.net/"
}
```
Secrets (names only)
```text
Name                           Enabled
-----------------------------  ---------
internal-pg-admin-password     True
internal-pg-connection-string  True
pg-admin-password              True
pg-connection-string           True
redis-connection-string        True
redis-primary-key              True
storage-account-key            True
```
Total: 7 secrets, all enabled. No disabled/expired secrets.
Section 9: Storage account
```json
[
  {
    "accessTier": "Hot",
    "httpsOnly": true,
    "kind": "StorageV2",
    "name": "aucertdev41e0x5",
    "publicAccess": true,
    "sku": "Standard_LRS"
  }
]
```
Containers (from TF state): test-artifacts, screenshots
Section 10: Resource locks
No locks found. az lock list --resource-group aucert-dev-rg returned empty output.
This is expected for a dev environment. Consider adding a CanNotDelete lock to the internal PG server in aucert-foundation-rg after migration.
Section 11: DNS zones
Public DNS zones
No public DNS zones found in aucert-dev-rg.
Private DNS zones
```text
ZoneName                                     ResourceGroup    RecordSets    VirtualNetworkLinks
-------------------------------------------  ---------------  ------------  ---------------------
aucert-internal.postgres.database.azure.com  aucert-dev-rg    2             1
aucertdev.postgres.database.azure.com        aucert-dev-rg    2             1
privatelink.redis.cache.windows.net          aucert-dev-rg    2             1
```
All three private DNS zones have 1 VNet link each (to aucertdev-vnet) and 2 record sets (SOA + the A record).
Section 12: Managed identities
No user-assigned managed identities found in aucert-dev-rg.
AKS uses a SystemAssigned managed identity (principal ID: f4840d67-a0d2-443f-9b93-5593288af641). This is managed automatically by Azure — it lives with the AKS resource, not as a separate resource.
Section 13: Role assignments on aucert-dev-rg
```text
PrincipalName                         RoleDefinition    Scope
------------------------------------  ----------------  ----------------------------------------------------------------------
2524de9f-c128-42ee-bdf8-14793078a004  Contributor       /subscriptions/dae5d10c-2ab5-4b04-8201-ed5e6ba3400e/resourceGroups/aucert-dev-rg
```
Only 1 explicit role assignment at the RG scope. The principal 2524de9f-... is likely the CI/CD service principal.
Note: Additional role assignments managed via Terraform (AKS → ACR pull, AKS → KV reader/crypto) are scoped to individual resources, not the RG. These are tracked in the foundation Terraform state.
Section 14: Kubernetes state
Namespaces
```text
NAME                STATUS
aucert-dev          Active
default             Active
ingress             Active
internal-platform   Active
kube-node-lease     Active
kube-public         Active
kube-system         Active
```
Pods (all namespaces)
```text
NAMESPACE           NAME                                     READY   STATUS             RESTARTS   AGE
internal-platform   astra-backend-68f75f554b-q67gv           0/1     ImagePullBackOff   0          ~2m
internal-platform   astra-backend-fc5bf57c5-l489w            0/1     ImagePullBackOff   0          ~2m
internal-platform   astra-frontend-55897c479-kkzrp           0/1     ImagePullBackOff   0          ~2m
internal-platform   astra-frontend-646d45cbc6-bk58h          0/1     ImagePullBackOff   0          ~2m
internal-platform   astra-proxy-79679bbddf-w4jkb             1/1     Running            0          ~2m
internal-platform   cloudflared-5c7c7cd749-rlcrn             1/1     Running            0          ~2m
internal-platform   plane-admin-wl-749cb95ccf-jn5kz          1/1     Running            0          5h17m
internal-platform   plane-api-wl-98dd7c77c-f9vlg             1/1     Running            1          5h17m
internal-platform   plane-beat-worker-wl-74cbf4c7db-6npc5    1/1     Running            0          5h24m
internal-platform   plane-live-wl-594b9d5585-7ghpm           1/1     Running            0          5h24m
internal-platform   plane-minio-wl-0                         1/1     Running            0          5h17m
internal-platform   plane-proxy-6d8d5bd6dd-mhql6             1/1     Running            0          5h24m
internal-platform   plane-rabbitmq-wl-0                      1/1     Running            0          5h17m
internal-platform   plane-space-wl-69d64bbf55-nxvkb          1/1     Running            0          5h24m
internal-platform   plane-web-wl-577bb7f76-tfqnj             1/1     Running            0          5h24m
internal-platform   plane-worker-wl-767bc64f8b-5n4sx         1/1     Running            3          5h17m
kube-system         (22 system pods — all Running)
```
Notable findings:
- Astra backend/frontend pods are in `ImagePullBackOff` — images not yet available in ACR
- Plane CE components all running (9 components: web, api, admin, space, live, worker, beat-worker, minio, rabbitmq)
- Cloudflared tunnel running
- No pods in `aucert-dev` namespace (product not yet deployed)
- No pods in `ingress` namespace
Services
```text
NAMESPACE           NAME                               TYPE        CLUSTER-IP     PORT(S)
default             kubernetes                         ClusterIP   10.0.128.1     443/TCP
internal-platform   astra-backend                      ClusterIP   10.0.162.12    8081/TCP
internal-platform   astra-frontend                     ClusterIP   10.0.208.184   3000/TCP
internal-platform   astra-proxy                        ClusterIP   10.0.231.215   80/TCP
internal-platform   plane-admin                        ClusterIP   None           3000/TCP
internal-platform   plane-api                          ClusterIP   None           8000/TCP
internal-platform   plane-live                         ClusterIP   None           3000/TCP
internal-platform   plane-minio                        ClusterIP   None           9000/TCP,9090/TCP
internal-platform   plane-proxy                        ClusterIP   10.0.150.123   80/TCP
internal-platform   plane-rabbitmq                     ClusterIP   None           5672/TCP,15672/TCP
internal-platform   plane-space                        ClusterIP   None           3000/TCP
internal-platform   plane-web                          ClusterIP   None           3000/TCP
kube-system         azure-wi-webhook-webhook-service   ClusterIP   10.0.184.161   443/TCP
kube-system         kube-dns                           ClusterIP   10.0.128.10    53/UDP,53/TCP
kube-system         metrics-server                     ClusterIP   10.0.234.127   443/TCP
```
All services are ClusterIP (no LoadBalancer or NodePort). External access via Cloudflare Tunnel only.
Secrets (names and types only)
```text
NAMESPACE           NAME                                                        TYPE
internal-platform   astra-db-credentials                                        Opaque
internal-platform   astra-secrets                                               Opaque
internal-platform   cloudflared-tunnel-credentials                              Opaque
internal-platform   plane-app-secrets                                           Opaque
internal-platform   plane-db-credentials                                        Opaque
internal-platform   plane-doc-store-secrets                                     Opaque
internal-platform   plane-live-secrets                                          Opaque
internal-platform   plane-rabbitmq-secrets                                      Opaque
internal-platform   plane-redis-credentials                                     Opaque
internal-platform   sh.helm.release.v1.plane.v{1-5}                             helm.sh/release.v1
kube-system         azure-wi-webhook-server-cert                                Opaque
kube-system         bootstrap-token-2t9gjq                                      bootstrap.kubernetes.io/token
kube-system         konnectivity-certs                                          Opaque
kube-system         sh.helm.release.v1.aks-managed-overlay-upgrade-data.v{...}  helm.sh/release.v1
kube-system         sh.helm.release.v1.aks-managed-workload-identity.v{...}     helm.sh/release.v1
```
ConfigMaps
```text
NAMESPACE           NAME
aucert-dev          kube-root-ca.crt
internal-platform   astra-config
internal-platform   astra-proxy-config
internal-platform   cloudflared-config
internal-platform   plane-app-vars
internal-platform   plane-live-vars
internal-platform   plane-proxy-config
kube-system         (system configmaps)
```
Helm releases
```text
NAME                               NAMESPACE           REVISION   STATUS     CHART                                                       APP VERSION
aks-managed-overlay-upgrade-data   kube-system         6687       deployed   overlay-upgrade-data-addon-0.1.0-v20260317-addon-260321-1
aks-managed-workload-identity      kube-system         6669       deployed   workload-identity-addon-0.1.0-v20260317-addon-260321-1
plane                              internal-platform   5          deployed   plane-ce-1.4.1                                              1.2.0
```
Resource quotas
```yaml
# aucert-dev namespace
apiVersion: v1
kind: ResourceQuota
metadata:
  name: aucert-dev-quota
  namespace: aucert-dev
spec:
  hard:
    limits.cpu: "8"
    limits.memory: 16Gi
    requests.cpu: "4"
    requests.memory: 8Gi
status:
  used:
    limits.cpu: "0" # nothing deployed yet
    limits.memory: "0"
    requests.cpu: "0"
    requests.memory: "0"
```
Cloudflare Tunnel
DEPLOYMENT: cloudflared (internal-platform)
Image: cloudflare/cloudflared:2024.12.2
Replicas: 1/1
Pod: cloudflared-5c7c7cd749-rlcrn — Running
Section 15: Terraform state
Foundation tier
State key: foundation.terraform.tfstate
Backend: aucerttfstate in aucert-tfstate-rg
Resources tracked: 42
data.azurerm_client_config.current
azurerm_container_registry.main
azurerm_key_vault.main
azurerm_key_vault_secret.internal_pg_connection_string
azurerm_key_vault_secret.internal_pg_password
azurerm_key_vault_secret.pg_connection_string
azurerm_key_vault_secret.pg_password
azurerm_key_vault_secret.redis_connection_string
azurerm_key_vault_secret.redis_primary_key
azurerm_key_vault_secret.storage_key
azurerm_kubernetes_cluster.main
azurerm_postgresql_flexible_server.internal
azurerm_postgresql_flexible_server.main
azurerm_postgresql_flexible_server_database.aucert
azurerm_postgresql_flexible_server_database.plane
azurerm_private_dns_zone.internal_postgres
azurerm_private_dns_zone.postgres
azurerm_private_dns_zone.redis
azurerm_private_dns_zone_virtual_network_link.internal_postgres
azurerm_private_dns_zone_virtual_network_link.postgres
azurerm_private_dns_zone_virtual_network_link.redis
azurerm_private_endpoint.redis
azurerm_redis_cache.main
azurerm_resource_group.main
azurerm_role_assignment.aks_acr_pull
azurerm_role_assignment.aks_kv_crypto_user
azurerm_role_assignment.aks_kv_reader
azurerm_role_assignment.kv_admin
azurerm_role_assignment.kv_crypto_officer
azurerm_storage_account.main
azurerm_storage_container.screenshots
azurerm_storage_container.test_artifacts
azurerm_subnet.aks
azurerm_subnet.internal_platform
azurerm_subnet.keyvault
azurerm_subnet.postgres
azurerm_subnet.redis
azurerm_virtual_network.main
random_password.internal_pg_password
random_password.pg_password
random_string.suffix
time_sleep.wait_for_rbac
Internal-platform tier
State key: internal-platform.terraform.tfstate
Resources tracked: 5
data.azurerm_key_vault.main
data.terraform_remote_state.foundation
azurerm_key_vault_key.astra_token_encryption
azurerm_postgresql_flexible_server_database.astra
azurerm_postgresql_flexible_server_database.internal_shared
Dev environment tier
State key: env-dev.terraform.tfstate
Status: Not initialized — terraform init has not been run in this directory.
Error: Backend initialization required, please run "terraform init"
Section 16: Terraform directory structure
.tf files
infra/terraform/environments/dev/main.tf
infra/terraform/foundation/acr.tf
infra/terraform/foundation/aks.tf
infra/terraform/foundation/database.tf
infra/terraform/foundation/keyvault.tf
infra/terraform/foundation/main.tf
infra/terraform/foundation/network.tf
infra/terraform/foundation/outputs.tf
infra/terraform/foundation/redis.tf
infra/terraform/foundation/storage.tf
infra/terraform/foundation/variables.tf
infra/terraform/internal-platform/_shared.tf
infra/terraform/internal-platform/databases.tf
infra/terraform/internal-platform/keyvault.tf
infra/terraform/internal-platform/main.tf
infra/terraform/internal-platform/plane/database.tf
infra/terraform/internal-platform/plane/variables.tf
infra/terraform/internal-platform/variables.tf
.tfvars files
infra/terraform/environments/dev/terraform.tfvars
infra/terraform/foundation/terraform.tfvars
infra/terraform/internal-platform/terraform.tfvars
Backend configurations
Foundation (infra/terraform/foundation/main.tf):
```hcl
backend "azurerm" {
  resource_group_name  = "aucert-tfstate-rg"
  storage_account_name = "aucerttfstate"
  container_name       = "tfstate"
  key                  = "foundation.terraform.tfstate"
}
```
Internal-platform (infra/terraform/internal-platform/main.tf):
```hcl
backend "azurerm" {
  resource_group_name  = "aucert-tfstate-rg"
  storage_account_name = "aucerttfstate"
  container_name       = "tfstate"
  key                  = "internal-platform.terraform.tfstate"
}
```
Dev environment (infra/terraform/environments/dev/main.tf):
```hcl
backend "azurerm" {
  resource_group_name  = "aucert-tfstate-rg"
  storage_account_name = "aucerttfstate"
  container_name       = "tfstate"
  key                  = "env-dev.terraform.tfstate"
}
```
Section 17: File references to old names
References to aucert-dev-rg (14 hits across 11 files)
```text
.github/workflows/deploy-astra.yml:12:# AKS_RESOURCE_GROUP — e.g. aucert-dev-rg
.github/workflows/deploy-astra.yml:138:        resource-group: ${{ vars.AKS_RESOURCE_GROUP || 'aucert-dev-rg' }}
.github/workflows/deploy-astra.yml:181:        resource-group: ${{ vars.AKS_RESOURCE_GROUP || 'aucert-dev-rg' }}
.init/bootstrap.sh:396:Deploy now. aucert-dev-rg, East US 2, VNet 10.0.0.0/16
.context/drift/2026-03-24-infra-dev-environment.md:43:| Resource Group | `aucert-dev-rg` | West US |
.context/drift/infra-current-state.md:14:| Resource group | `aucert-dev-rg` (all resources) |
tools/scripts/setup-dev.sh:55:    echo "  ✗ Cannot reach AKS. Run: az aks get-credentials --resource-group aucert-dev-rg --name aucertdev-aks"
infra/.context/CLOUD.md:4:Verify command: `az resource list -g aucert-dev-rg -o table`
infra/.context/CLOUD.md:23:| aucert-dev-rg | All infrastructure (VNet, AKS, databases, shared services) | foundation/ |
tools/scripts/astra-deploy.sh:25:AKS_RG="aucert-dev-rg"
infra/terraform/foundation/variables.tf:19:  default     = "aucert-dev-rg"
infra/k8s/internal-platform/plane/SETUP.md:10:  --resource-group aucert-dev-rg \
infra/terraform/foundation/README.md:6:- Resource Group: aucert-dev-rg (West US)
```
References to aucertdev-aks (9 hits across 6 files)
```text
.github/workflows/deploy-astra.yml:11:# AKS_CLUSTER — e.g. aucertdev-aks
.github/workflows/deploy-astra.yml:139:        cluster-name: ${{ vars.AKS_CLUSTER || 'aucertdev-aks' }}
.github/workflows/deploy-astra.yml:182:        cluster-name: ${{ vars.AKS_CLUSTER || 'aucertdev-aks' }}
tools/scripts/setup-dev.sh:55:    echo "  ✗ Cannot reach AKS. Run: az aks get-credentials --resource-group aucert-dev-rg --name aucertdev-aks"
tools/scripts/astra-deploy.sh:7:#   - kubectl configured for aucertdev-aks
tools/scripts/astra-deploy.sh:26:AKS_CLUSTER="aucertdev-aks"
.context/drift/2026-03-24-infra-dev-environment.md:45:| AKS | `aucertdev-aks` | ...
.context/drift/infra-current-state.md:45:| Cluster name | `aucertdev-aks` |
infra/.context/CLOUD.md:42:- AKS cluster: aucertdev-aks
```
References to aucertdev-vnet (3 hits across 3 files)
```text
.context/drift/2026-03-24-infra-dev-environment.md:44:| VNet | `aucertdev-vnet` | ...
infra/.context/CLOUD.md:26:## Network (VNet: aucertdev-vnet, 10.0.0.0/16)
.context/drift/infra-current-state.md:22:**VNet:** `aucertdev-vnet` — `10.0.0.0/16`
```
References to MC_aucert-dev-rg
No matches found. The AKS node resource group name is not hardcoded anywhere.
Section 18: Other resource groups
```text
Name                                   Location   State
-------------------------------------  ---------  ---------
aucert-dev-rg                          westus     Succeeded
MC_aucert-dev-rg_aucertdev-aks_westus  westus     Succeeded
aucert-tfstate-rg                      westus     Succeeded
```
Key finding: aucert-foundation-rg does NOT exist yet. It must be created before the migration.
Three RGs currently exist:
- `aucert-dev-rg` — all user-deployed resources (target of migration)
- `MC_aucert-dev-rg_aucertdev-aks_westus` — AKS-managed node RG (auto-created by Azure, not directly manageable)
- `aucert-tfstate-rg` — Terraform state storage (separate, not affected by migration)
Migration considerations
Critical warnings
- PostgreSQL Flexible Servers cannot be moved between resource groups via `az resource move`. They must be handled through Terraform state manipulation (remove + import) or recreated. This is the hardest part of the migration.
- AKS node resource group (`MC_aucert-dev-rg_aucertdev-aks_westus`) is auto-named from the parent RG. If AKS moves to `aucert-foundation-rg`, the node RG would be renamed on cluster recreation only — it cannot be renamed in place.
- Private DNS zones and VNet links are currently in `aucert-dev-rg`. If foundation resources (VNet, internal PG) move to `aucert-foundation-rg`, the DNS zones should move with them to maintain the VNet link integrity.
- Terraform state for foundation contains dev-only resources (product PG, Redis). The migration must also split the Terraform state — some resources should be re-homed to the dev environment state.
- Redis private endpoint depends on both the Redis cache (dev-only) and the VNet subnet (foundation). If Redis stays in dev-rg, the PE and its NIC should stay too.
- Key Vault secrets reference resources across both RGs (product PG secrets + internal PG secrets + Redis secrets). The Key Vault itself should be in foundation.
- Role assignments — the Contributor assignment on `aucert-dev-rg` will need a corresponding assignment on `aucert-foundation-rg`.
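The state split that the warnings above call for (flexible servers and the other dev-only resources cannot go through `az resource move`, so they are re-homed from the foundation state into the env-dev state by "remove + import") is shown below as an added example; it is not part of the audit and not the project's own tooling. The Terraform addresses and Azure resource IDs are the ones recorded in this audit; the env-dev addresses, the directory layout, and the assumption that matching resource blocks already exist in `infra/terraform/environments/dev` (and have been removed from the foundation config) are the example's own. It prints the commands by default and only executes them when `APPLY=1`.

```shell
#!/usr/bin/env bash
# Added example (not part of the audit): re-home the dev-only resources that
# the foundation state currently tracks (product PG, Redis cache, Redis private
# endpoint) into the env-dev state by "remove + import". Dry-run by default:
# commands are printed, and executed only when APPLY=1. The env-dev addresses
# and the existence of matching resource blocks there are assumptions.
set -eu

FOUNDATION_DIR="${FOUNDATION_DIR:-infra/terraform/foundation}"
DEV_DIR="${DEV_DIR:-infra/terraform/environments/dev}"
SUB_ID="dae5d10c-2ab5-4b04-8201-ed5e6ba3400e"
PROVIDERS="/subscriptions/$SUB_ID/resourceGroups/aucert-dev-rg/providers"

# One move per line: <foundation address>|<env-dev address>|<Azure resource ID>.
# Resource IDs are those listed in the classification table of the audit; the
# env-dev addresses are assumed names for the dev config's resource blocks.
MOVES="azurerm_postgresql_flexible_server.main|azurerm_postgresql_flexible_server.product|$PROVIDERS/Microsoft.DBforPostgreSQL/flexibleServers/aucertdev-pg-41e0x5
azurerm_redis_cache.main|azurerm_redis_cache.main|$PROVIDERS/Microsoft.Cache/redis/aucertdev-redis-41e0x5
azurerm_private_endpoint.redis|azurerm_private_endpoint.redis|$PROVIDERS/Microsoft.Network/privateEndpoints/aucertdev-redis-pe-41e0x5"

# run: echo the command, and execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# backup_state: pull the remote state to a local file before touching it, so a
# mistaken `state rm` can be undone with `terraform state push`.
backup_state() {
  printf 'terraform -chdir=%s state pull > %s\n' "$1" "$2"
  if [ "${APPLY:-0}" = "1" ]; then terraform -chdir="$1" state pull > "$2"; fi
}

# plan_move: given one MOVES line, emit the `state rm` (foundation side) and
# `import` (env-dev side) commands for it, in that order.
plan_move() {
  src=${1%%|*}; rest=${1#*|}; dst=${rest%%|*}; rid=${rest#*|}
  run terraform -chdir="$FOUNDATION_DIR" state rm "$src"
  run terraform -chdir="$DEV_DIR" import "$dst" "$rid"
}

# move_count: number of resources scheduled to move (sanity check).
move_count() {
  printf '%s\n' "$MOVES" | grep -c '|'
}

# rehome_all: back up, move every resource, then plan on the dev side; a plan
# showing "No changes" confirms the imported state matches the dev config.
rehome_all() {
  backup_state "$FOUNDATION_DIR" "foundation.$(date +%Y%m%dT%H%M%S).tfstate.bak"
  printf '%s\n' "$MOVES" | while IFS= read -r line; do plan_move "$line"; done
  run terraform -chdir="$DEV_DIR" plan
}

# Invoke with "run" to print the plan (or apply it with APPLY=1 run).
if [ "${1:-}" = "run" ]; then rehome_all; fi
```

Run `./rehome.sh run` first to review the command sequence, then `APPLY=1 ./rehome.sh run` once the resource blocks have been moved between the two configs; a `terraform plan` in the foundation directory should also show no planned destroys afterwards, since the removed blocks no longer appear in either the config or the state.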
Resources NOT in aucert-dev-rg but relevant
- Terraform state storage (`aucerttfstate` in `aucert-tfstate-rg`) — unaffected
- AKS node resources in `MC_aucert-dev-rg_aucertdev-aks_westus` — cannot be moved independently