architecture-beta
%% Source control and CI: the repository triggers the build that deploys to Cloud Run
group github(internet)[GitHub]
service repo(server)[GitHub repo] in github
service build_run(server)[GitHub Actions] in github
%% Runtime: secrets, the scale-to-zero service, per-variant buckets and the VPC used for DB egress
group gcp(cloud)[Google Cloud Platform]
service secret_manager(disk)[Secret Manager] in gcp
service vpc(internet)[VPC] in gcp
service cloud_run(server)[Cloud Run Instance] in gcp
service gcs_bucket_teen(disk)[GCS Bucket<br/>Teenager] in gcp
service gcs_bucket_parent(disk)[GCS Bucket<br/>Parent] in gcp
%% Data layer reached only through the VPC's static egress IP
group external(cloud)[External Services]
service ovh_postgres(database)[PostgreSQL DB Datalayer] in external
%% Consumer: the app is embedded in the StopCyber website
group stopcyber(internet)[StopCyber website]
service iframe(internet)[Embedded App] in stopcyber
service auth(server)[Authentication<br/>(Consent-aware)]
%% Define the relationships
repo:T -- B:build_run
secret_manager:L -- R:cloud_run
build_run:T -- B:cloud_run
cloud_run:T -- B:vpc
cloud_run:R -- L:gcs_bucket_teen
cloud_run:R -- L:gcs_bucket_parent
iframe:R -- L:auth
auth:R -- L:cloud_run
vpc:T -- B:ovh_postgres
Cloud configuration and architecture
Last updated: 2026-05-08
Secret manager
All necessary keys and environment variables are stored in Google Cloud Secret Manager. For access, contact Valentin, Heiner or Daniel.
App deployment
Google Cloud Build/Cloud Run is configured against the repository. For the time being the service scales down to zero instances when there is no demand, which causes a cold-start delay when the app is requested after a longer pause.
Each variant (teenager / parent) is deployed to its own Cloud Run service and GCS bucket, each with a distinct URL. The FRONTEND_TEENAGER_URL and FRONTEND_PARENT_URL environment variables enable cross-origin authorization links (e.g. the teenager authorization page hosted on the parent frontend). The container runs alembic upgrade head on startup so that the database schema is current before the service accepts traffic.
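The startup sequence described above (configuration from environment variables, alembic upgrade head before serving) as an added container entrypoint example; this is not the project's own script. It assumes the API is started with uvicorn app.main:app, that DATABASE_URL, FRONTEND_TEENAGER_URL and FRONTEND_PARENT_URL arrive as environment variables, and the ALEMBIC override exists only so the checks can be exercised without a database.

```shell
#!/bin/sh
# Hypothetical entrypoint: refuse to serve traffic unless configuration is complete
# and the schema migration succeeded (fail closed rather than serve a stale schema).
set -eu

# Variables the app needs before it may accept requests (names from the deployment docs).
REQUIRED_VARS="DATABASE_URL FRONTEND_TEENAGER_URL FRONTEND_PARENT_URL"
ALEMBIC="${ALEMBIC:-alembic}"   # assumption: alembic on PATH; overridable for dry runs

# check_env: every required variable must be set and non-empty.
check_env() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "startup: missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# check_frontend_urls: cross-origin authorization links are built from these values,
# so only absolute https origins are accepted; anything else would put links to an
# unintended or plaintext origin into pages served to users.
check_frontend_urls() {
  for v in FRONTEND_TEENAGER_URL FRONTEND_PARENT_URL; do
    eval "val=\${$v:-}"
    case "$val" in
      https://*) ;;
      *) echo "startup: $v must be an absolute https URL, got '$val'" >&2; return 1 ;;
    esac
  done
  return 0
}

# migrate: bring the schema to head; a non-zero exit stops the container.
migrate() {
  "$ALEMBIC" upgrade head
}

# prepare_startup: all checks that must pass before the server is exec'd.
prepare_startup() {
  check_env && check_frontend_urls && migrate
}

# Only act as the entrypoint when invoked under that name, not when sourced.
case "${0##*/}" in
  entrypoint.sh) prepare_startup && exec uvicorn app.main:app --host 0.0.0.0 --port "${PORT:-8080}" ;;
esac
```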
Network (implementation currently pending)
To enable secure communication with the PostgreSQL database of the data layer (which will in future be hosted on OVH by Centres Relier), the Cloud Run instance is connected to a VPC through which all of its traffic is routed. The VPC is configured with a static IP address that is authorised for database access.
Datalayer
For the proof of concept the app was connected to a serverless PostgreSQL database on Neon. This configuration is currently intact but is subject to change.