Appearance
0025 — Infrastructure Location, Naming, and Hosting ​
Status: Accepted (2026-06-21)
Date: 2026-06-21
ADO work item: AB#3675
Deciders: Kristopher Turner (platform owner)
Context ​
Heritage Community Hub must be hosted on Azure. Hybrid Cloud Solutions LLC (HCS) already operates an Azure tenant (kris@hybridsolutions.cloud) used for all HCS workloads. Two questions were left implicit across earlier ADRs and must be settled before any infrastructure code is written:
Tenant placement — use the existing HCS tenant or provision a dedicated Heritage Virginia tenant? A separate tenant adds an administrative burden (new billing account, separate identity plane, separate Key Vault secrets rotation) with no technical benefit at the current scale of ~200 members and a single owner. Staying in the HCS tenant lets the platform reuse established service connections, GitHub App credentials, and Key Vault access policies.
Resource naming — earlier design documents and Bicep stubs used both
hchandheritagevaas workload prefixes inconsistently. The Cloud Adoption Framework (CAF) and Well-Architected Framework (WAF) both require a consistent workload identifier throughout the resource hierarchy (resource group, resources, tags).heritagevais the canonical identifier: it is meaningful, unique within the tenant, and matches the primary domain (heritageva.app). The shorterhchprefix is retired.
Region selection is also settled here. East US (eastus) is the HCS tenant's default region and carries the lowest latency for the US East Coast congregation. Azure Static Web Apps has a more limited regional footprint than Container Apps; East US 2 (eastus2) is the nearest SWA-supported region and is used only for that resource.
This is a naming and placement decision. It introduces no application code.
Decision ​
Host Heritage Community Hub in the existing HCS Azure tenant (
kris@hybridsolutions.cloud). Create a single resource group namedrg-heritageva-prod-euswithin that tenant. All Azure resources useheritagevaas the CAF workload prefix. Primary region is East US (eastus); Azure Static Web Apps deploys to East US 2 (eastus2) due to SWA regional availability. Every resource carries a mandatory tag set.
Tenant and subscription ​
- Tenant: existing HCS Azure tenant (
kris@hybridsolutions.cloud). - Subscription: the active HCS subscription used for all HCS workloads.
- No new tenant is provisioned for Heritage Virginia.
Resource group ​
| Attribute | Value |
|---|---|
| Name | rg-heritageva-prod-eus |
| CAF pattern | rg-{workload}-{env}-{region-short} |
| Region | East US (eastus) |
| Subscription | HCS production subscription |
Workload prefix ​
heritageva replaces hch everywhere. No resource name, Bicep parameter, or pipeline variable uses hch after this ADR.
Region assignments ​
| Resource type | Region | Reason |
|---|---|---|
| All resources except SWA | East US (eastus) | HCS tenant default; lowest US East Coast latency |
| Static Web App | East US 2 (eastus2) | SWA region availability; nearest to primary region |
CAF resource names ​
| Resource | Name | CAF abbreviation |
|---|---|---|
| Resource group | rg-heritageva-prod-eus | rg |
| Container Apps Environment | cae-heritageva-prod-eus | cae |
| Container App (API) | ca-heritageva-api-prod-eus | ca |
| Azure DB for PostgreSQL Flexible Server | psql-heritageva-prod-eus | psql |
| Key Vault | kv-heritageva-prod-eus | kv |
| Log Analytics Workspace | log-heritageva-prod-eus | log |
| Application Insights | appi-heritageva-prod-eus | appi |
| Static Web App | swa-heritageva-prod-eus2 | swa |
Required tags ​
Every resource and the resource group itself must carry all four tags. Bicep modules enforce this via the tags parameter at the module level; a missing tag is a linting error in CI.
| Tag key | Value |
|---|---|
project | heritage-community-hub |
environment | production |
workload | heritageva |
managedBy | bicep |
Alternatives considered ​
| Option | Pros | Cons | Why not chosen |
|---|---|---|---|
Existing HCS tenant, heritageva prefix (chosen) | No new tenant overhead; reuses service connections, KV, GitHub App credentials; consistent naming across all resources | Comingles Heritage workloads with other HCS resources at the subscription level (mitigated by resource group isolation) | — chosen |
| Dedicated Heritage Virginia Azure tenant | Clean separation from HCS workloads; independent billing and identity plane | New tenant provisioning cost and overhead; separate GitHub App registration; separate Key Vault; extra administrative burden for a solo owner at ~200 members | Rejected — overhead not justified at current scale; resource group isolation is sufficient |
Keep hch prefix | No rename work | Not meaningful to external readers; conflicts with heritageva.app domain identity; inconsistent with existing design docs that already use heritageva | Rejected — consistency across domain, design docs, and infra names is required before any resources are provisioned |
| Single region for all resources (including SWA) | Simplest region model | SWA is not available in East US; forcing it there would require a different primary region or accepting an unsupported configuration | Rejected — East US 2 for SWA only is a minimal and well-understood exception |
Consequences ​
Positive ​
- All infrastructure code, CI/CD variables, Bicep parameters, and runbooks share one naming convention from day one. No post-hoc rename migrations after resources are provisioned.
- Staying in the HCS tenant eliminates tenant provisioning, identity plane setup, and the GitHub App re-registration that a new tenant would require.
- The
heritagevaprefix matches the primary domain (heritageva.app), making resource discovery intuitive in the Azure Portal and in cost reports. - The mandatory tag set enables cost filtering by
workload=heritagevaacross all resources in a shared subscription, satisfying basic cost governance without a dedicated subscription. - East US is the HCS tenant's established default; no region-migration work is required for existing tenant-level resources (Key Vault, Log Analytics) that may be shared.
Negative / trade-offs ​
- Shared subscription cost attribution. Resources share a subscription with other HCS workloads. Cost isolation is tag-based (
workload=heritageva), not subscription-based. Tag compliance is enforced at the Bicep level but cannot prevent manually created resources from missing tags. Mitigation: Azure Policyrequire-tagassignments on the resource group. - SWA region split. East US 2 for Static Web Apps introduces a minor two-region footprint. In practice, SWA serves a CDN-backed static frontend; the region of the SWA resource itself has minimal latency impact on end users. The API and database remain co-located in East US.
- No environment separation. Per the project decision (see deleted AB#3080), there is one environment: production. There is no dev or staging resource group. This simplifies naming but means any destructive infrastructure test must be performed against production resources or in a local/ephemeral environment.
Risks ​
- Name collisions. Some Azure resource types (Key Vault, PostgreSQL server) require globally unique names.
kv-heritageva-prod-eusandpsql-heritageva-prod-eusmust be verified as available before provisioning. Mitigation: Bicepwhat-ifand portal availability check before the first deployment. - Tag drift. Manually provisioned resources (e.g., created via Portal for a quick test) may miss required tags. Mitigation: Azure Policy
denyon missing tags scoped torg-heritageva-prod-eus; document in the deployment runbook.
References ​
- ADR 0004 — Cloud/hosting stack, CI/CD, and free-tier path — established Azure as the hosting provider; this ADR adds tenant, resource group, and naming detail
- ADR 0024 — Cloud portability & provider abstraction — established Container Apps, PostgreSQL Flexible Server, Blob Storage, and Key Vault as the active Azure resource types named in this ADR
- Platform strategy
- ADO: Story AB#3675 (heritageva naming, HCS tenant, domain — under Feature AB#3079)