Final: live fleet monitoring + Azure Monitor (App Insights)

.github/workflows/AdminWebpage-Deploy-WF.yml

@@ -50,7 +50,23 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      # ── 2. Build the SPA with upstream URLs baked in ──────────────────────
+      # ── 2. Fetch the App Insights connection string (Azure Monitor) ───────
+      # The resource is provisioned by the IaC workflow (iac.yml). This read is
+      # tolerant: if it doesn't exist yet, telemetry is simply disabled in the
+      # build and the next deploy picks it up. The connection string is a client
+      # ingestion key, not a secret — masked here as good practice.
+      - name: Get App Insights connection string
+        id: appinsights
+        run: |
+          CS=$(az resource show \
+            --resource-group "$RESOURCE_GROUP" \
+            --name appi-deliverybot-admin \
+            --resource-type microsoft.insights/components \
+            --query properties.ConnectionString -o tsv 2>/dev/null || true)
+          if [ -n "$CS" ]; then echo "::add-mask::$CS"; fi
+          echo "connection_string=$CS" >> "$GITHUB_OUTPUT"
+
+      # ── 3. Build the SPA with upstream URLs baked in ──────────────────────
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -75,6 +91,7 @@ jobs:
           VITE_ENTRA_CLIENT_ID: ${{ env.ENTRA_CLIENT_ID }}
           VITE_ENTRA_TENANT_ID: ${{ env.ENTRA_TENANT_ID }}
           VITE_ENTRA_ADMIN_GROUP_ID: ${{ env.ENTRA_ADMIN_GROUP_ID }}
+          VITE_APPINSIGHTS_CONNECTION_STRING: ${{ steps.appinsights.outputs.connection_string }}
         run: npm run build
 
       # ── 3. Deploy the build to the App Service ─────────────────────────────

Iac/admin-webapp/main.tf

@@ -14,3 +14,26 @@ module "admin_webapp" {
   simulator_api_url     = var.simulator_api_url
   tags                  = var.tags
 }
+
+# ── Observability (final feature: Azure Monitor) ────────────────────────────
+# Dedicated Log Analytics workspace + Application Insights for the admin app.
+# The App Insights connection string is a client ingestion key (not a secret),
+# baked into the SPA at build time — so no data-plane role assignment is needed
+# and this stays fully self-service (no portal/RBAC work).
+resource "azurerm_log_analytics_workspace" "admin" {
+  name                = "law-deliverybot-admin"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  sku                 = "PerGB2018"
+  retention_in_days   = 30
+  tags                = var.tags
+}
+
+resource "azurerm_application_insights" "admin" {
+  name                = "appi-deliverybot-admin"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  workspace_id        = azurerm_log_analytics_workspace.admin.id
+  application_type    = "web"
+  tags                = var.tags
+}

Iac/admin-webapp/outputs.tf

@@ -12,3 +12,14 @@ output "app_url" {
   description = "HTTPS URL of the Admin Web App."
   value       = module.admin_webapp.app_url
 }
+
+output "admin_app_insights_name" {
+  description = "Name of the admin app's Application Insights resource."
+  value       = azurerm_application_insights.admin.name
+}
+
+output "admin_app_insights_connection_string" {
+  description = "App Insights connection string (client ingestion key) for the admin SPA."
+  value       = azurerm_application_insights.admin.connection_string
+  sensitive   = true
+}

admin-webapp/.env.example

@@ -21,3 +21,8 @@ VITE_ENTRA_CLIENT_ID=b5a029c3-d046-4005-9497-23ba18df70b2
 VITE_ENTRA_TENANT_ID=37321907-14a5-4390-987d-ec0c66c655cd
 # Object ID of the DeliveryBot-Admin security group (gates who can sign in).
 VITE_ENTRA_ADMIN_GROUP_ID=14fcd995-e89f-4020-b5ff-4a9b48a5824e
+
+# Azure Monitor / Application Insights (final feature). Client ingestion key
+# (not a secret). When unset, telemetry is disabled. In CI the deploy workflow
+# fetches this from the IaC-provisioned `appi-deliverybot-admin` resource.
+VITE_APPINSIGHTS_CONNECTION_STRING=