Azure insurance agent platform — ALZ, policy-as-code, low-code connectors#2
Open
realjkg wants to merge 6 commits into
…nectors

Implements a low-code-first insurance application governed per the Microsoft CAF "Govern and secure AI agents across your organization" guidance:
- landing-zones/application-platform: creates the Application Platform management group if absent, vends the insurance-app Application landing zone, spoke network peered to the hub, central Log Analytics + Sentinel + Defender for Cloud AI threat protection, platform identities and the ai-agents Conditional Access group.
- policy-as-code: Azure Policy definitions + the ai-agent-governance initiative (allowed regions/models, deny public network access, disable local auth, managed identity on agent hosts, diagnostics to central workspace, ownership/classification tags) assigned at the Application Platform MG.
- workloads/insurance-app: per-agent Entra Agent ID / user-assigned managed identities (no secrets, scoped RBAC, CA group), Power Platform managed environments + tenant/environment DLP classifying the widest certified connector set, internal-VNet APIM fronting bespoke insurance APIs as governed custom connectors, Azure AI Foundry + Azure OpenAI (approved models, Entra-only, private), AI Search, Content Safety, Key Vault, per-agent Application Insights, and private endpoints.
- docs/caf-ai-agent-governance-mapping.md: control-by-control traceability.

https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
- .github/workflows/azure-iac.yml: PR + push CI for azure/ — terraform fmt -check, tflint (terraform + azurerm rulesets) per module, terraform init -backend=false + validate per module, Azure Policy JSON structural lint, and Spectral OpenAPI lint of the connector specs.
- .tflint.hcl: terraform "recommended" preset + azurerm ruleset plugin.
- .spectral.yaml: spectral:oas ruleset, relaxed for template connector specs.
- Reformatted all azure/ Terraform with `terraform fmt -recursive` (whitespace/alignment only; no behavioural change).

Verified tflint passes on all three modules with the bundled terraform ruleset.

https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
azure/QUICKSTART-portal.md: click-by-click path (Azure portal, Power Platform admin center, Copilot Studio, AI Foundry, APIM, Purview) to stand up a governed agent, with each step mapped back to the corresponding Terraform file. Linked from azure/README.md. https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
- azure/COSTS.md: monthly cost breakdown (per-component pricing models, the five
knobs that move the needle, model token pricing, Power Platform licensing) and
a teardown guide (soft-delete/purge-protection gotchas, MG/subscription
behaviour, what actually stops billing, cheapest create-demo-delete loop).
- azure/profiles/{dev-demo,prod}/{application-platform,insurance-app}.tfvars +
profiles/README.md: a ~$80-150/mo demo posture (public endpoints, Consumption
APIM, basic/free AI Search, no purge protection, 1 env/1 agent, policies in
Audit) and a production posture (private endpoints, Internal-VNet Premium APIM,
S1 search 1x3, dev/test/prod, 4 agents, policies enforced).
- New workload variables wired through: enable_private_endpoints,
enable_vnet_injection, apim_sku_name, ai_search_replica_count/partition_count,
key_vault_purge_protection; spoke_subnet_ids now optional. Private endpoints
and the Power Platform VNet enterprise policy are count-gated; APIM VNet config
is a dynamic block; AI/PaaS public-network-access derives from the toggle.
- terraform fmt clean; tflint passes on all three modules.
https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
Sweeps the in-repo identifiers: aptumcloud -> adaptcloud, Aptum Cloud -> Adapt Cloud, "Aptum Insurance Platform" -> "Adapt Insurance Platform", APTUMCLOUD_DEV -> ADAPTCLOUD_DEV, aptum-k8s -> adapt-k8s, @aptum.example -> @adapt.example, aptumcloud.com -> adaptcloud.com, realjkg/aptumcloud -> realjkg/adaptcloud (CI/CD repo + workload-identity-federation subjects). The GitHub repo rename itself (realjkg/aptumcloud -> realjkg/adaptcloud) must be done in repo Settings; remotes / OIDC subjects / the tooling allow-list need repointing afterwards. Note: adaptcloud.com is a domain and the GCS bucket name adaptcloud-k8s-docker-registry is globally unique — both need to actually exist. terraform fmt -check (azure/) clean; tflint passes on all three azure modules; policy JSON valid. (gke/main.tf has a pre-existing parse error at line 108 that predates this change and is out of scope.) https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
Line ~108 had an unterminated resource block (`resource "kubernetes_namespace" "logging` with no closing quote/brace) that made the whole file unparseable. Completed it as a valid kubernetes_namespace resource. gke/main.tf now parses (`terraform fmt -check` no longer errors); the rest of that file's pre-existing WIP issues are left untouched. azure/ fmt + tflint unaffected. https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
Summary

Adds an `azure/` directory implementing a low-code-first insurance application (Power Platform + Copilot Studio) plus API connectors, deployed inside an Azure Landing Zone with policy-as-code governance and secure, traceable, governed AI agent identities — built to the Microsoft Cloud Adoption Framework guidance "Govern and secure AI agents across your organization". Creates an Application Platform landing zone if the tenant doesn't have one.

What's in it

- `azure/landing-zones/application-platform/` — creates the Application Platform management group if absent, vends/associates the `insurance-app` Application landing zone subscription, spoke network peered to the connectivity hub, central Log Analytics + Microsoft Sentinel + Defender for Cloud AI threat protection, platform identities, and the `ai-agents` Conditional Access group.
- `azure/policy-as-code/` — 7 Azure Policy definitions (allowed regions, approved models only, deny public network access, disable local auth, audit managed identity on agent hosts, diagnostics → central workspace, require ownership/classification tags) + the `ai-agent-governance` initiative + a Terraform assignment at the Application Platform MG.
- `azure/workloads/insurance-app/` — per-agent Entra Agent ID / user-assigned managed identities (no secrets, scoped RBAC, CA-group membership), Power Platform managed environments + tenant/environment DLP classifying the widest certified connector set, internal-VNet API Management fronting bespoke insurance APIs as governed custom connectors, Azure AI Foundry + Azure OpenAI (approved models, Entra-only, private), AI Search, Content Safety, Key Vault, per-agent Application Insights, private endpoints — all behind cost/network posture toggles (`enable_private_endpoints`, `enable_vnet_injection`, `apim_sku_name`, `ai_search_*`, `key_vault_purge_protection`).
- `azure/docs/caf-ai-agent-governance-mapping.md` — control-by-control traceability to the CAF article.
- `azure/QUICKSTART-portal.md` — click-by-click portal path, mapped to each Terraform file.
- `azure/COSTS.md` + `azure/profiles/{dev-demo,prod}/` — monthly cost breakdown + teardown guide, and ready-made variable sets: a ~$80–150/mo demo posture (public endpoints, Consumption APIM, basic/free AI Search, policies in Audit) and a production posture (private endpoints, Internal-VNet Premium APIM, S1 search, policies enforced).
- `.github/workflows/azure-iac.yml` + `.tflint.hcl` + `.spectral.yaml` — PR/push CI: `terraform fmt -check`, `tflint` (terraform + azurerm rulesets) per module, `terraform init -backend=false` + `validate` per module, Azure Policy JSON structural lint, Spectral OpenAPI lint.

Sample connector specs, `terraform.tfvars.example` files, and `azure/README.md` tying it together are included. `gke/` and the Go webhooks are untouched.

Lint / checks run locally

- `terraform fmt -check -recursive azure` — clean
- `tflint` (bundled terraform ruleset) — passes on all three modules
- `terraform validate` / the azurerm tflint plugin couldn't run here (the Terraform Registry is firewalled in this environment) — those steps run in the GitHub Actions workflow

Test plan

- CI (`azure-iac`) green: fmt, tflint (+azurerm), `terraform validate` per module, policy JSON lint, Spectral
- `terraform plan` for `landing-zones/application-platform` against a sandbox subscription (with real hub/MG IDs)
- `terraform plan` for `policy-as-code/initiative` at the Application Platform MG scope
- `terraform plan` for `workloads/insurance-app` using `profiles/dev-demo/insurance-app.tfvars`
- `terraform destroy` of the dev-demo stack leaves nothing lingering (no purge-protected Key Vault, Consumption APIM, basic AI Search)
- `ai-agent-governance` initiative reports compliant after a workload apply
- Provider versions (`azurerm` ~4.x, `azuread` ~3.x, `microsoft/power-platform` ~3.x) — bump if needed

https://claude.ai/code/session_019dW7abpVbYmhfiLdTtBLki
Generated by Claude Code
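The two things a reviewer would most want to exercise before merging a policy-as-code PR like this are the "Azure Policy JSON structural lint" step in the `azure-iac` workflow and the behaviour of the deny-public-network-access definition under the dev-demo (Audit) versus prod (enforced) assignment. The following is an added example written for this page; it is not code from the PR, the repo's CI step, or Azure's own policy engine. It implements a small structural linter for a policy definition file and a dry-run evaluator that applies the rule to a flattened resource. The `SAMPLE_POLICY` definition, the `OPEN_ACCOUNT` resource, and the function names `lint_policy` / `evaluate` are constructed assumptions of this example; the `Microsoft.CognitiveServices/accounts/publicNetworkAccess` alias and the effect names are real Azure Policy values, but the repo's seven definitions are not reproduced here.

```python
"""Structural lint plus a dry-run evaluator for an Azure Policy definition.
Added example for this PR page (not the repo's azure-iac lint step nor Azure's
engine); the definition and resource below are constructed and mirror the
initiative's "deny public network access" intent. Only field conditions with
the operators in LEAF_OPERATORS are handled (no count/value expressions)."""
import json
import re

VALID_MODES = {"All", "Indexed"}
VALID_EFFECTS = {"Audit", "Deny", "Disabled", "Modify", "Append",
                 "AuditIfNotExists", "DeployIfNotExists", "DenyAction"}
LEAF_OPERATORS = {"equals", "notEquals", "in", "notIn"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Deny (or Audit, via the parameter) any Cognitive Services / Azure OpenAI
# account whose publicNetworkAccess is anything but Disabled.
SAMPLE_POLICY = json.loads("""{
  "properties": {
    "displayName": "AI services accounts must disable public network access",
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {
      "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.CognitiveServices/accounts"},
        {"field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
         "notEquals": "Disabled"}]},
      "then": {"effect": "[parameters('effect')]"}}}}""")


def lint_policy(definition):
    """Shape checks a CI structural lint would run; [] means the file is clean."""
    props = definition.get("properties")
    if not isinstance(props, dict):
        return ["missing 'properties' object"]
    findings = []
    if not isinstance(props.get("displayName"), str) or not props["displayName"].strip():
        findings.append("displayName must be a non-empty string")
    if props.get("mode") not in VALID_MODES:
        findings.append(f"mode must be one of {sorted(VALID_MODES)}")
    rule = props.get("policyRule")
    if not isinstance(rule, dict) or "if" not in rule or "then" not in rule:
        return findings + ["policyRule must contain 'if' and 'then'"]
    findings += _lint_condition(rule["if"], "policyRule.if")
    effect = rule["then"].get("effect") if isinstance(rule["then"], dict) else None
    ref = PARAM_REF.match(effect) if isinstance(effect, str) else None
    if ref:  # parameterised effect: every allowed value must be a real effect
        spec = props.get("parameters", {}).get(ref.group(1))
        bad = set(spec.get("allowedValues", [])) - VALID_EFFECTS if spec else set()
        if spec is None:
            findings.append(f"effect references undefined parameter '{ref.group(1)}'")
        elif bad:
            findings.append(f"parameter '{ref.group(1)}' allows unknown effects {sorted(bad)}")
    elif effect not in VALID_EFFECTS:
        findings.append(f"unknown effect {effect!r}")
    return findings


def _lint_condition(node, path):
    if not isinstance(node, dict):
        return [f"{path}: condition must be an object"]
    for combinator in ("allOf", "anyOf"):
        if combinator in node:
            children = node[combinator]
            if not isinstance(children, list) or not children:
                return [f"{path}.{combinator}: must be a non-empty list"]
            return [f for i, c in enumerate(children)
                    for f in _lint_condition(c, f"{path}.{combinator}[{i}]")]
    if "field" not in node:
        return [f"{path}: leaf condition needs 'field'"]
    if len(LEAF_OPERATORS & set(node)) != 1:
        return [f"{path}: leaf needs exactly one of {sorted(LEAF_OPERATORS)}"]
    return []


def evaluate(definition, resource, assignment_parameters=None):
    """Dry-run: the effect the rule would apply to `resource`, or None if out of
    scope. `resource` is a flat dict keyed like policy aliases ('type',
    'tags.owner', 'Microsoft.../publicNetworkAccess'); assignment-time parameter
    values (e.g. the dev-demo profile's Audit) override the definition defaults."""
    props = definition["properties"]
    params = {k: v.get("defaultValue") for k, v in props.get("parameters", {}).items()}
    params.update(assignment_parameters or {})
    if not _match(props["policyRule"]["if"], resource):
        return None
    effect = props["policyRule"]["then"]["effect"]
    ref = PARAM_REF.match(effect)
    return params[ref.group(1)] if ref else effect


def _norm(value):  # Azure Policy string comparisons are case-insensitive
    return value.lower() if isinstance(value, str) else value


def _match(node, resource):
    if "allOf" in node:
        return all(_match(c, resource) for c in node["allOf"])
    if "anyOf" in node:
        return any(_match(c, resource) for c in node["anyOf"])
    actual = _norm(resource.get(node["field"]))
    if "equals" in node:
        return actual == _norm(node["equals"])
    if "notEquals" in node:  # an absent property is "not equal", so it is caught too
        return actual != _norm(node["notEquals"])
    if "in" in node:
        return actual in [_norm(v) for v in node["in"]]
    return actual not in [_norm(v) for v in node["notIn"]]


# Constructed resource, flattened the way a plan-time check might feed it in.
OPEN_ACCOUNT = {"type": "Microsoft.CognitiveServices/accounts",
                "Microsoft.CognitiveServices/accounts/publicNetworkAccess": "Enabled"}
```

`lint_policy(SAMPLE_POLICY)` returns an empty list, `evaluate(SAMPLE_POLICY, OPEN_ACCOUNT)` returns `"Deny"` under the definition's default, and passing `{"effect": "Audit"}` as the assignment parameters returns `"Audit"`, which is the difference between the dev-demo and prod profiles on this page. The evaluator treats an absent `publicNetworkAccess` property as non-compliant, matching how a `notEquals` condition behaves when the alias is missing, so a resource that never sets the property is still caught.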