The latest articles on Forem by Alejandro Velez (@avelez). https://forem.com/avelez https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg https://forem.com/avelez en Alejandro Velez Sun, 08 Mar 2026 22:59:16 +0000 https://forem.com/avelez/here-my-new-post-using-kiro-and-mcp-to-improve-and-modernize-my-current-workflow-for-authorization-29n2 https://forem.com/avelez/here-my-new-post-using-kiro-and-mcp-to-improve-and-modernize-my-current-workflow-for-authorization-29n2 <div class="ltag__link"> <a href="/aws-builders" class="ltag__link__link"> <div class="ltag__link__org__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" alt="AWS Community Builders " width="350" height="350"> <div class="ltag__link__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="" width="800" height="815"> </div> </div> </a> <a href="https://dev.to/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Re-imagine DevSecOps with AWS - CD applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer</h2> <h3>Alejandro Velez for AWS Community Builders ・ Mar 7</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#security</span> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#devsecops</span> <span class="ltag__link__tag">#genia</span> </div> </div> </a> </div> security aws devsecops genia Alejandro Velez Sat, 07 Mar 2026 02:37:42 +0000 https://forem.com/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6 https://forem.com/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6 <p><strong>Level 300</strong></p> <p>Before diving into the technical depths of permission sets and CDK pipelines, let’s take a brief journey through the story so far. Originally, our exploration began with the challenge of managing access in the cloud task that’s both critical and complex as organizations scale. In the first installment, we introduced the foundations: <a href="https://dev.to/aws-builders/continuous-deployment-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-1-7h6">using AWS IAM Identity Center as the central hub for managing user identities and permissions efficiently across multiple AWS accounts</a>. We looked at how a consistent and automated approach helps streamline authorization, reduce manual errors, and improve auditability.</p> <p><a href="https://dev.to/avelez/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-2-35lb">The next chapter followed with practical examples</a> illustrating how to create and deploy permission sets via Infrastructure-as-Code. Here, we learned to define reusable templates for permissions, enabling teams to replicate best practices and accelerate onboarding for new projects. Along the way, pitfalls emerged—like misconfigured policies or improper use of wildcards—which provided valuable lessons on the importance of policy validation and iterative testing in a DevSecOps environment.</p> <p>Reviewing recent news, in June 2025 AWS introduced internal access findings, which spot principals in an AWS organization with access to key resources like S3 buckets, DynamoDB tables, and RDS snapshots by analyzing various policy types. Results appear on a unified dashboard for fast response or automated notifications via Amazon EventBridge, improving compliance and data security.</p> <p>In February 2026, AWS added multi‑Region replication for Identity Center, allowing workforce identities and permission sets to sync across regions. This boosts resiliency, supports data residency requirements, and ensures consistent access control for global deployments.</p> <p>Additionally, the integration of generative AI solutions into authorization workflows is reshaping how policies are analyzed and managed. With the introduction of AWS <a href="https://kiro.dev/" rel="noopener noreferrer">Kiro</a> —an AI-powered assistant for access analysis—teams can now automatically detect policy anomalies, receive context-aware recommendations, and accelerate remediation efforts. This part will explore these innovations and demonstrate how they can be practically applied to build secure, efficient, and adaptive authorization pipelines in the modern enterprise.</p> <h2> The Challenge </h2> <p>As an AWS security specialist, you face the task of modernizing your organization's authorization management workflow. The goal is to enhance the provisioning and management of access controls across AWS environments while preserving robust multi-region replication capabilities, upholding DevSecOps best practices, and ensuring that human oversight remains integral to the process. At the same time, you must increase resiliency, proactively mitigate risks, and introduce AI-driven solutions to streamline operations and strengthen security posture.</p> <blockquote> <p>How can AI enhance this workflow? 🧐</p> </blockquote> <p>Integrating AI into authorization workflows—especially with tools like Kiro— dramatically enhances both efficiency and security. AI-powered assistants can automatically analyze complex IAM policies for anomalies or risky configurations, such as improper use of wildcards or misconfigured permissions, which are often the sources of failed pipeline executions and compliance gaps. By leveraging generative AI, organizations receive real-time, context-aware recommendations for policy corrections, reducing manual troubleshooting and accelerating remediation. AI solutions can also automate policy reviews, flag potential issues before deployment, and offer suggestions to align with best practices, thus minimizing human error and strengthening security posture. In addition, AI-driven analytics help teams continuously monitor and adapt policies to evolving threats, ensuring adaptive and resilient access control across global environments. Altogether, AI capabilities transform the workflow by making policy management more proactive, scalable, and responsive to both technical and regulatory demands.</p> <p>Let's start by enhancing our workflow from traditional CI/CD to incorporating an** Architect in the Loop approach**. </p> <blockquote> <p>In the Architect in the Loop (AITL) model, architects collaborate with AI systems, which generate options and analyze trade-offs. The architect reviews, contextualizes, and approves output based on technical and organizational needs. Here, AI performs most tasks but consults the architect for decisions and guidance when necessary.</p> </blockquote> <p>The diagram depicts a multi account AWS environment with a centralized management approach. It illustrates how various services, identity providers, and automation tools interact to enforce security, governance, and continuous deployment across multiple AWS accounts.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gyjjtvsznaf4mx3821.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gyjjtvsznaf4mx3821.png" alt="Reimagine Workflow" width="800" height="783"></a></p> <h3> Key Components </h3> <ol> <li><p>Accounts and Regions<br> • AWS Account – DevSecOps: This is the primary development and security operations account where IAM Idenity Center is delegate.<br> • AWS Account – Master: Acts as the central governance hub, managing permissions and policies across the organization for itself.<br> • AWS Account – Security Tooling Account: Hosts security focused tools and services for monitoring and analysis, managing permissions and policies across the organization for itself.</p></li> <li><p>Core Services<br> • Key Management Service (KMS): Provides encryption and key management for sensitive data.<br> • CloudWatch: Monitors system and application metrics.<br> • Secrets Manager: Stores and rotates secrets securely.<br> • AWS Chatbot: Enables chat based monitoring and alerts.<br> • Lambda: Runs serverless functions for custom automation.<br> • IAM Access Analyzer: Analyzes policies for unintended access.<br> • S3 Reports Bucket: Stores logs and reports for auditing.</p></li> <li><p>Identity and Access Management<br> • Identity Center and Third Party IdP icons are shown in the diagram, indicating that identity federation and centralized access management are part of the architecture.<br> • IAM Access Analyzer is highlighted, showing that policy analysis is performed to ensure least privilege access using <a href="https://pypi.org/project/validate-aws-policies/" rel="noopener noreferrer">validate-aws-policies</a> python package.</p></li> <li><p>CI/CD Pipeline<br> The CI/CD pipeline is visualized as a sequence of steps:<br> • CodeCommit/GitHub (source code repository)<br> • CodeBuild (build step, Synth,cdk pipelines self-mutate, management environment, Validate PermissionsSet))<br> • Manual Approval (human gate for critical deployments)</p></li> <li><p>Infrastructure Deployment<br> • CloudFormation templates are used for both Prepare and Deploy stages, indicating that the infrastructure is provisioned through IaC.<br> • The Permissions Set step shows that IAM permission sets are defined and applied as part of the deployment process.</p></li> <li><p>Model Context Protocol (MCP) Integration<br> • Kiro IDE – Agents is highlighted, indicating that an MCP compatible IDE is used to generate policies and manage custom agents.<br> • The AWS MCP Server provides the necessary endpoint for agents to interact with AWS services.<br> • The label mcproxy-for-aws@latest refers to a proxy that facilitates secure communication between agents and AWS APIs, ensuring that policy generation and SOPs (Standard Operating Procedures) are executed safely.</p></li> </ol> <h3> Workflow Summary </h3> <ol> <li> Source Control – Code is stored in CodeCommit/GitHub.</li> <li> Build – CodeBuild compiles the code and prepares the environment.</li> <li> Validation – Permissions sets are validated to ensure compliance.</li> <li> Manual Approval – A human reviewer authorizes the deployment.</li> <li> Deployment – CloudFormation templates are used to provision resources.</li> <li> Policy Generation – The Kiro IDE and AWS MCP Server generate policies based on requirements, leveraging the mcproxy for secure API calls.</li> </ol> <h3> Security and Governance Highlights </h3> <p>• Least privilege access is enforced through IAM Access Analyzer and Permissions Set validation.<br> • Centralized governance is maintained via the Master account and delegated account, which oversees permissions and policies across all accounts.<br> • Continuous monitoring is provided by CloudWatch and Secrets Manager, ensuring operational visibility and secure secret handling.</p> <h2> Hands On </h2> <blockquote> <p>It is time to create! </p> </blockquote> <p><strong>The first step is improving the security Engineer experience like builder or operator so enable the use of smart IDE like Kiro and custom agent for context.</strong></p> <p>Here is the agent specification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secops"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Specialized agent for managing AWS IAM Identity Center CDK project with permission sets, policies, and pipeline automation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"You are an expert in AWS IAM Identity Center, AWS CDK (Python), and CI/CD pipelines. Your expertise includes:</span><span class="se">\n\n</span><span class="s2">- IAM Identity Center permission sets and assignments</span><span class="se">\n</span><span class="s2">- IAM Access Analyzer policy validation</span><span class="se">\n</span><span class="s2">- AWS CDK infrastructure as code (Python)</span><span class="se">\n</span><span class="s2">- CodePipeline and CodeBuild automation</span><span class="se">\n</span><span class="s2">- Amazon Q Developer chatbot integrations (Slack/Teams)</span><span class="se">\n</span><span class="s2">- Policy validation and security best practices</span><span class="se">\n</span><span class="s2">- GitHub Actions and CodeCommit PR validation</span><span class="se">\n\n</span><span class="s2">You help with:</span><span class="se">\n</span><span class="s2">- Creating and managing permission sets</span><span class="se">\n</span><span class="s2">- Validating IAM policies with Access Analyzer</span><span class="se">\n</span><span class="s2">- Troubleshooting CDK deployments</span><span class="se">\n</span><span class="s2">- Configuring pipeline notifications</span><span class="se">\n</span><span class="s2">- Setting up PR validation workflows</span><span class="se">\n</span><span class="s2">- Implementing least privilege access</span><span class="se">\n\n</span><span class="s2">Always prioritize security, follow AWS best practices, and provide minimal, focused implementations."</span><span class="p">,</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"fs_write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"execute_bash"</span><span class="p">,</span><span class="w"> </span><span class="s2">"grep"</span><span class="p">,</span><span class="w"> </span><span class="s2">"glob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"code"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___search_documentation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___read_documentation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"web_search"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"allowedTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"grep"</span><span class="p">,</span><span class="w"> </span><span class="s2">"glob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"code"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___search_documentation"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"toolsSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"fs_write"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"src/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"project_configs/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tests/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".github/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"scripts/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"docs/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".kiro/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yml"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"deniedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cdk.out/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".venv/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"node_modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"__pycache__/**"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"execute_bash"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedCommands"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cdk synth"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk diff*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk deploy*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk ls"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pip install*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"python -m pytest*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"validate-aws-policies*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git status"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git diff"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git log*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws iam*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws sso*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws identitystore*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws codepipeline*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws logs*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws s3 ls*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"autoAllowReadonly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"use_aws"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedServices"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sso"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sso-admin"</span><span class="p">,</span><span class="w"> </span><span class="s2">"identitystore"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codepipeline"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codebuild"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cloudformation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"accessanalyzer"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager"</span><span class="p">,</span><span class="w"> </span><span class="s2">"chatbot"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"autoAllowReadonly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://project_configs/**/*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://cdk.json"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://requirements.txt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/**/SKILL.md"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agentSpawn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"echo '📋 IAM Identity Center Project Context:' &amp;&amp; echo ' - CDK Version:' $(cdk --version 2&gt;/dev/null || echo 'Not installed') &amp;&amp; echo ' - Python:' $(python --version 2&gt;&amp;1) &amp;&amp; echo ' - AWS Profile:' ${AWS_PROFILE:-'default'} &amp;&amp; echo ' - Project:' $(basename $(pwd))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Show project environment info"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"if [ -d 'project_configs/policies' ]; then echo '🔍 Validating IAM policies...' &amp;&amp; validate-aws-policies -d project_configs/policies -c --quiet || echo '⚠️ Policy validation failed'; else echo 'ℹ️ No policies directory found'; fi"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Auto-validate IAM policies with Access Analyzer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws-mcp"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mcp-proxy-for-aws@latest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https://aws-mcp.us-east-1.api.aws/mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--metadata"</span><span class="p">,</span><span class="w"> </span><span class="s2">"AWS_REGION=us-east-2"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">100000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"keyboardShortcut"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ctrl+shift+i"</span><span class="p">,</span><span class="w"> </span><span class="nl">"welcomeMessage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"🔐 IAM Identity Center Manager ready! I can help with:</span><span class="se">\n</span><span class="s2"> • Permission sets and policy validation</span><span class="se">\n</span><span class="s2"> • CDK deployments and troubleshooting</span><span class="se">\n</span><span class="s2"> • Pipeline notifications (Slack/Teams)</span><span class="se">\n</span><span class="s2"> • PR validation workflows</span><span class="se">\n</span><span class="s2"> • Access Analyzer integration</span><span class="se">\n\n</span><span class="s2">What would you like to work on?"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The key point here is the prompt for a specialized agent designed to manage AWS IAM Identity Center projects using the AWS CDK (Cloud Development Kit) with a focus on permission sets, policies, and automation for CI/CD pipelines. This agent is described as an expert in several areas:}</p> <p>• AWS IAM Identity Center: Managing permission sets and assignments, which define what users and groups can access within AWS accounts.<br> • AWS CDK (Python): Using infrastructure-as-code techniques to automate the creation and management of AWS resources.<br> • CI/CD pipelines: Automating deployment workflows with CodePipeline and CodeBuild, ensuring reliable and repeatable processes.<br> • Policy validation: Leveraging IAM Access Analyzer to check and validate security policies, helping maintain least-privilege access and compliance.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F910u38889bnx0dep0103.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F910u38889bnx0dep0103.png" alt="Kiro Agent" width="800" height="564"></a></p> <blockquote> <p>Now the agent skills. Agent Skills</p> </blockquote> <p><strong><a href="https://agentskills.io/home" rel="noopener noreferrer">Skills are portable instruction packages that follow the open Agent Skills standard</a>.</strong> They bundle instructions, scripts, and templates into reusable packages that Kiro can activate when relevant to your task.<br> Kiro supports the Agent Skills standard, so you can import skills from the community or other compatible AI tools and share your own skills across the ecosystem.</p> <p>Here is an example of my skill:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-identity-center-project</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Complete</span><span class="nv"> </span><span class="s">guide</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Identity</span><span class="nv"> </span><span class="s">Center</span><span class="nv"> </span><span class="s">CDK</span><span class="nv"> </span><span class="s">project</span><span class="nv"> </span><span class="s">including</span><span class="nv"> </span><span class="s">permission</span><span class="nv"> </span><span class="s">sets,</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">validation,</span><span class="nv"> </span><span class="s">pipeline</span><span class="nv"> </span><span class="s">automation,</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">chatbot</span><span class="nv"> </span><span class="s">notifications.</span><span class="nv"> </span><span class="s">Use</span><span class="nv"> </span><span class="s">when</span><span class="nv"> </span><span class="s">working</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">this</span><span class="nv"> </span><span class="s">project's</span><span class="nv"> </span><span class="s">architecture,</span><span class="nv"> </span><span class="s">deployment,</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">troubleshooting."</span> <span class="na">keywords</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">iam</span><span class="pi">,</span> <span class="nv">identity-center</span><span class="pi">,</span> <span class="nv">permission-sets</span><span class="pi">,</span> <span class="nv">cdk</span><span class="pi">,</span> <span class="nv">pipeline</span><span class="pi">,</span> <span class="nv">chatbot</span><span class="pi">,</span> <span class="nv">policy-validation</span><span class="pi">]</span> <span class="nn">---</span> <span class="c1"># IAM Identity Center CDK Project</span> <span class="c1">## Project Overview</span> <span class="s">This CDK project manages AWS IAM Identity Center permission sets with automated policy validation, CI/CD pipelines, and chatbot notifications.</span> <span class="c1">## Key Components</span> <span class="c1">### 1. Permission Sets Management</span> <span class="pi">-</span> <span class="na">**Location**</span><span class="pi">:</span> <span class="err">`</span><span class="s">project_configs/environment_options/*.yaml`</span> <span class="pi">-</span> <span class="na">**Stack**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/cdkv2_manage_identity_center_stack.py`</span> <span class="pi">-</span> <span class="s">Define permission sets with inline policies and managed policies</span> <span class="pi">-</span> <span class="s">Support for principal_name (auto-resolved) or principal_id (direct)</span> <span class="c1">### 2. Policy Validation</span> <span class="pi">-</span> <span class="na">**Tool**</span><span class="pi">:</span> <span class="err">`</span><span class="s">validate-aws-policies` (IAM Access Analyzer)</span> <span class="pi">-</span> <span class="na">**Pipeline Step**</span><span class="pi">:</span> <span class="s">ValidatePermissionSet in CodeBuild</span> <span class="pi">-</span> <span class="na">**Formats**</span><span class="pi">:</span> <span class="s">JSON, HTML, Markdown reports</span> <span class="pi">-</span> <span class="na">**Storage**</span><span class="pi">:</span> <span class="s">S3 bucket (labvel-secure-reports)</span> <span class="c1">### 3. CI/CD Pipeline</span> <span class="pi">-</span> <span class="na">**Stack**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/cdkv2_manage_identity_center_pipeline.py`</span> <span class="pi">-</span> <span class="na">**Stages**</span><span class="pi">:</span> <span class="s">Source → Build → UpdatePipeline → ValidatePermissionSet → Deploy</span> <span class="pi">-</span> <span class="na">**PR Validation**</span><span class="pi">:</span> <span class="s">GitHub Actions + CodeCommit triggers</span> <span class="pi">-</span> <span class="na">**Notifications**</span><span class="pi">:</span> <span class="s">Amazon Q Chatbot (Slack/Teams)</span> <span class="c1">### 4. Chatbot Integration</span> <span class="pi">-</span> <span class="na">**Location**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/lib/chatbot/amazon_q_chatbot.py`</span> <span class="pi">-</span> <span class="na">**Features**</span><span class="pi">:</span> <span class="s">Native CodePipeline notifications + report summaries via webhook</span> <span class="pi">-</span> <span class="na">**Platforms**</span><span class="pi">:</span> <span class="s">Slack and Microsoft Teams</span> <span class="pi">-</span> <span class="na">**Reports**</span><span class="pi">:</span> <span class="s">Lambda posts validation summaries to chat</span> <span class="c1">## Source Code Structure</span> <span class="s">src/</span> <span class="s">├── cdkv2_manage_identity_center_stack.py</span> <span class="c1"># Main stack - permission sets</span> <span class="s">├── cdkv2_manage_identity_center_pipeline.py</span> <span class="c1"># Pipeline stack</span> <span class="s">└── lib/</span> <span class="s">├── chatbot/</span> <span class="s">│ ├── amazon_q_chatbot.py</span> <span class="c1"># Chatbot construct</span> <span class="s">│ └── lambda/notification_enricher.py</span> <span class="c1"># Lambda for reports</span> <span class="s">├── sns/sns_codestart_notifications.py</span> <span class="c1"># SNS notifications</span> <span class="s">└── custom_resources/</span> <span class="c1"># Custom resources</span> <span class="na">**Note**</span><span class="pi">:</span> <span class="s">Use `fs_read`, `code`, or `grep` tools to explore source files on-demand.</span> <span class="c1">## Quick Commands</span> <span class="nn">...</span> </code></pre> </div> <p>With this approach the security specialist can create friendly and secure policies and check before uploading </p> <h3> The results </h3> <p>Pipeline execution:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8lbh6apzmkyxrxtujr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8lbh6apzmkyxrxtujr.png" alt="Code Pipeline execution" width="800" height="278"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9oc350mpkr6nurro8b6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9oc350mpkr6nurro8b6.png" alt="CodeBuild Logs" width="800" height="344"></a></p> <p>The slack custom notification and amazon Q message </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulhdmtmbo5epd45v3u5f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulhdmtmbo5epd45v3u5f.png" alt="Slack Notifications" width="800" height="450"></a></p> <p>And the reports:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6lvwbgn4i04oq8agevn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6lvwbgn4i04oq8agevn.png" alt="Html Report Validation" width="800" height="508"></a></p> <h2> Conclusion </h2> <p>Leverage AWS's latest features—such as multi-region Identity Center replication and advanced IAM Access Analyzer tools—and integrate generative AI assistants like Kiro. This approach combines automated policy analysis, real-time anomaly detection, and context-aware remediation with architect-in-the-loop oversight, allowing AI to handle routine tasks while security professionals review and approve critical changes. The result is a resilient, adaptive, and scalable workflow that proactively reduces risk, enforces compliance, and empowers teams to respond rapidly to evolving security and regulatory demands.</p> <p>For more please contact us! </p> <p>✨ Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</p> security aws devsecops genia Alejandro Velez Thu, 20 Nov 2025 19:30:23 +0000 https://forem.com/aws-builders/agentic-ai-development-with-kiro-from-zero-to-saas-platform-30d6 https://forem.com/aws-builders/agentic-ai-development-with-kiro-from-zero-to-saas-platform-30d6 <p><em><strong>Level 300</strong></em></p> <p>Recently, I came up with an idea inspired by my personal experience. I am a professional calisthenics athlete and frequently organize events where a recurring challenge is providing users with a seamless way to track their results. As event managers, registering and publishing results, managing competition timing, scoring systems, and different modalities are also critical concerns. On the other hand, as an AWS solutions architect and Devsecops expert, my first thought was how I could combine both worlds to create a solution that is fast, secure, and modern—without sacrificing best practices.</p> <p>You're invited to explore how agentic AI development with Kiro can transform event management and SaaS platform creation. Whether you're an AWS developer, DevOps or DevSecOps engineer, SaaS architect, AI practitioner, platform engineer, technical product owner, or event manager, join us as we delve into modern cloud and AI technologies designed to streamline event management and result tracking. Discover best practices in secure, scalable, cloud-native SaaS solutions, and accelerate your development with serverless architecture and innovative AI workflows.</p> <h2> Prototyping with Kiro: Accelerating Development Through Serverless Best Practices </h2> <p>In my pursuit of <strong>optimizing both the software development lifecycle (SDLC) and platform engineering</strong>, I have been actively exploring a variety of AI workflows and practices. The goal is to enhance efficiency and innovation within the development process. However, <strong>the immediate need is to create a rapid prototype that supports my concept effectively while adhering to best practices</strong>.</p> <p>To achieve this, I prioritized serverless architectures for their speed, scalability, and cost-effectiveness, ensuring that the solution remains secure and can grow alongside user demand. Among the available options, I selected Kiro as the primary tool for development. Kiro stands out by bringing structure to AI coding through spec-driven development, enabling me to produce robust prototypes swiftly while maintaining high standards in both security and scalability.</p> <p>Some key features are: </p> <ul> <li>Natural prompts to structured requirements</li> <li>Architectural designs backed by best practices</li> <li>Discrete tasks that map to requirements</li> </ul> <h2> Laying the Foundation for a Reliable Prototype </h2> <p>Creating a reliable prototype is inherently complex, especially given the possibility that the idea may gain traction and eventually move into production. In such scenarios, it is essential to minimize technical debt from the outset, ensuring that the <strong>prototype is prepared for a seamless transition to production</strong>. Therefore, the process of selecting appropriate technologies and establishing solid foundational practices becomes a critical aspect of moving from prototyping to a Minimum Viable Product (MVP).</p> <h2> Technical Stack and Development Practices </h2> <p>For the front-end, I selected a React web application to ensure a responsive and interactive user experience. The application's architecture adheres to the Twelve-Factor App methodology, which provides a framework for building scalable and maintainable software-as-a-service solutions.<br> To maintain high standards of reliability and security, I strictly followed AWS best practices throughout the development process. The system is designed using event-driven architecture, allowing for efficient handling of asynchronous tasks and improved scalability.</p> <p>Infrastructure as Code (IaC) is implemented using the AWS Cloud Development Kit (CDK), streamlining the process of defining and managing cloud resources in a repeatable and version-controlled manner.</p> <p>For continuous integration and deployment, I integrated GitHub with self-hosted runners and AWS CodeBuild. This setup enables a seamless and automated flow from code committees to deployment, supporting rapid iteration and robust DevOps workflows.</p> <p>For testing purposes, I am utilizing Nova Act to facilitate the creation of UI tests with Playwright; however, further details on this topic will be covered in subsequent posts.</p> <p>I use both Kiro IDE and Kiro CLI to parallelize the project task, while the IDE works in spec tasks the CLI helps me to create some backend components for infrastructure, debugging and fixing errors.</p> <h2> Hands On </h2> <p>At the beginning of the development, I <strong>created a CDK scaffold project and inserted some files with basic project rules and deep knowledge about the system</strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3tusi4wbmnuqqc19m7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3tusi4wbmnuqqc19m7.png" alt="CDK Scaffold md product" width="649" height="891"></a></p> <p>First according to <a href="https://kiro.dev/docs/getting-started/first-project/" rel="noopener noreferrer">https://kiro.dev/docs/getting-started/first-project/</a> we create the project and setup the steering files: </p> <blockquote> <p>Steering files give Kiro project context, so it understands your codebase, conventions, and needs. Start by selecting Generate Steering Docs in the Kiro pane. Kiro then creates steering documents in <code>.kiro/steering/</code> that outline your <strong>product, tech stack, project structure</strong>, and conventions.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2b2bai2s5ecdae7m7ib.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2b2bai2s5ecdae7m7ib.png" alt="Steering files Data Kiro" width="678" height="946"></a></p> <p>Some examples for steering data files: </p> <ul> <li> <code>product.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">Athleon Platform</span> <span class="s">Multi-tenant calisthenics competition management platform with role-based access control (RBAC).</span> <span class="c1">## Core Functionality</span> <span class="pi">-</span> <span class="na">**Organizations**</span><span class="pi">:</span> <span class="s">Multi-tenant teams with owner/admin/member roles</span> <span class="pi">-</span> <span class="na">**Events**</span><span class="pi">:</span> <span class="s">Competition lifecycle management (draft → published → completed)</span> <span class="pi">-</span> <span class="na">**Athletes**</span><span class="pi">:</span> <span class="s">Profile management, event registration, score submission</span> <span class="pi">-</span> <span class="na">**Scoring**</span><span class="pi">:</span> <span class="s">Advanced calculation engine with multiple scoring systems</span> <span class="pi">-</span> <span class="na">**WODs**</span><span class="pi">:</span> <span class="s">Workout templates (event-scoped and global)</span> <span class="pi">-</span> <span class="na">**Categories**</span><span class="pi">:</span> <span class="s">Competition divisions (event-scoped and transversal)</span> <span class="pi">-</span> <span class="na">**Scheduling**</span><span class="pi">:</span> <span class="s">Tournament brackets and session management</span> <span class="c1">## User Roles</span> <span class="nn">...</span> </code></pre> </div> <ul> <li> <code>tech.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Tech Stack</span> <span class="c1">## Infrastructure</span> <span class="pi">-</span> <span class="na">**IaC**</span><span class="pi">:</span> <span class="s">AWS CDK (TypeScript)</span> <span class="pi">-</span> <span class="na">**Compute**</span><span class="pi">:</span> <span class="s">AWS Lambda (Node.js 18.x)</span> <span class="pi">-</span> <span class="na">**Database**</span><span class="pi">:</span> <span class="s">DynamoDB (single-table per domain)</span> <span class="pi">-</span> <span class="na">**API**</span><span class="pi">:</span> <span class="s">API Gateway REST API with Cognito authorizer</span> <span class="pi">-</span> <span class="na">**Auth**</span><span class="pi">:</span> <span class="s">Amazon Cognito User Pools</span> <span class="pi">-</span> <span class="na">**Storage**</span><span class="pi">:</span> <span class="s">S3 (event images)</span> <span class="pi">-</span> <span class="na">**Events**</span><span class="pi">:</span> <span class="s">EventBridge (domain event bus + central bus)</span> <span class="pi">-</span> <span class="na">**Deployment**</span><span class="pi">:</span> <span class="s">CDK deploy with esbuild bundling</span> <span class="c1">## Backend</span> <span class="pi">-</span> <span class="na">**Runtime**</span><span class="pi">:</span> <span class="s">Node.js 18.x</span> <span class="pi">-</span> <span class="na">**SDK**</span><span class="pi">:</span> <span class="s">AWS SDK v3 (@aws-sdk/client-*)</span> <span class="pi">-</span> <span class="na">**Testing**</span><span class="pi">:</span> <span class="s">Jest, Vitest, fast-check (property-based testing)</span> <span class="pi">-</span> <span class="na">**Shared Layer**</span><span class="pi">:</span> <span class="s">Lambda layer at `layers/athleon-shared/nodejs`</span> <span class="c1">## Frontend</span> <span class="pi">-</span> <span class="na">**Framework**</span><span class="pi">:</span> <span class="s">React 18 + Vite</span> <span class="pi">-</span> <span class="na">**Routing**</span><span class="pi">:</span> <span class="s">React Router v6</span> <span class="pi">-</span> <span class="na">**State**</span><span class="pi">:</span> <span class="s">Zustand + React Query (@tanstack/react-query)</span> <span class="pi">-</span> <span class="na">**Auth**</span><span class="pi">:</span> <span class="s">AWS Amplify v6</span> <span class="pi">-</span> <span class="na">**UI**</span><span class="pi">:</span> <span class="s">Custom components with @aws-amplify/ui-react</span> <span class="pi">-</span> <span class="na">**i18n**</span><span class="pi">:</span> <span class="s">i18next + react-i18next</span> <span class="pi">-</span> <span class="na">**Testing**</span><span class="pi">:</span> <span class="s">Vitest + React Testing Library</span> <span class="pi">-</span> <span class="na">**E2E**</span><span class="pi">:</span> <span class="s">Playwright (in e2e-tests/)</span> <span class="c1">## Common Commands</span> <span class="c1">### Infrastructure</span> <span class="nn">...</span> </code></pre> </div> <p>Now, build a feature with specs:<br> Specs transform high-level feature ideas into detailed implementation plans through three phases:</p> <ol> <li> <strong>Requirements</strong>- User stories with acceptance criteria in EARS notation</li> <li> <strong>Design</strong>- Technical architecture and implementation approach</li> <li> <strong>Tasks</strong>- Discrete, trackable implementation steps</li> </ol> <p>For example, one feature was: <strong>Create the RBAC system to keep the roles and responsibilities for different platform users (Super Admin, athletes, organizers and spectators)</strong>. This prompt generates a structure and consolidate workflow from requirements to the code:</p> <ul> <li> <code>requierements.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Requirements Document</span> <span class="c1">## Introduction</span> <span class="s">This specification defines a role-based user onboarding system for the Athleon platform using a single Amazon Cognito User Pool. The system must support three distinct user roles (athlete, organizer, and super admin) with different access levels and onboarding workflows. Athletes and organizers can self-register through the frontend with role selection, while super admins are created exclusively through backend scripts.</span> <span class="c1">## Glossary</span> <span class="pi">-</span> <span class="na">**Cognito User Pool**</span><span class="pi">:</span> <span class="s">AWS managed user directory service that handles user authentication and stores user attributes</span> <span class="pi">-</span> <span class="na">**Pre-signup Trigger**</span><span class="pi">:</span> <span class="s">AWS Lambda function invoked by Cognito before user registration is completed</span> <span class="pi">-</span> <span class="na">**Custom Attribute**</span><span class="pi">:</span> <span class="s">User-defined attribute stored in Cognito user profile (e.g., custom:role)</span> <span class="pi">-</span> <span class="na">**Athlete**</span><span class="pi">:</span> <span class="s">A user who competes in events and views leaderboards</span> <span class="pi">-</span> <span class="na">**Organizer**</span><span class="pi">:</span> <span class="s">A user who creates and manages events, categories, and WODs</span> <span class="pi">-</span> <span class="na">**Super Admin**</span><span class="pi">:</span> <span class="s">A platform administrator with full system access</span> <span class="pi">-</span> <span class="na">**Self-registration**</span><span class="pi">:</span> <span class="s">User-initiated signup process through the frontend application</span> <span class="pi">-</span> <span class="na">**RBAC**</span><span class="pi">:</span> <span class="s">Role-Based Access Control system that determines user permissions based on assigned roles</span> <span class="pi">-</span> <span class="na">**JWT Token**</span><span class="pi">:</span> <span class="s">JSON Web Token containing user claims including the custom:role attribute</span> <span class="pi">-</span> <span class="na">**Onboarding Flow**</span><span class="pi">:</span> <span class="s">The complete process from initial signup to authenticated access</span> </code></pre> </div> <ul> <li> <code>design.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">## Architecture</span> <span class="c1">### High-Level Components</span> <span class="s">┌─────────────────┐</span> <span class="s">│ Frontend App │</span> <span class="s">│ (React + AWS │</span> <span class="s">│ Amplify UI) │</span> <span class="s">└────────┬────────┘</span> <span class="s">│</span> <span class="s">│ 1. Signup with role selection</span> <span class="s">▼</span> <span class="s">┌─────────────────────────────────────────┐</span> <span class="s">│ Amazon Cognito User Pool │</span> <span class="s">│ ┌───────────────────────────────────┐ │</span> <span class="s">│ │ Pre-signup Lambda Trigger │ │</span> <span class="s">│ │ - Validates role selection │ │</span> <span class="s">│ │ - Sets custom:role attribute │ │</span> <span class="s">│ │ - Rejects super_admin attempts │ │</span> <span class="s">│ └───────────────────────────────────┘ │</span> <span class="s">│ ┌───────────────────────────────────┐ │</span> <span class="s">│ │ Pre-token Generation Trigger │ │</span> <span class="s">│ │ - Adds role to JWT claims │ │</span> <span class="s">│ └───────────────────────────────────┘ │</span> <span class="s">└─────────────────┬───────────────────────┘</span> <span class="s">│</span> <span class="s">│ 2. JWT with role claim</span> <span class="s">▼</span> <span class="s">┌─────────────────────────────────────────┐</span> <span class="s">│ API Gateway + Lambda Functions │</span> <span class="s">│ - Extract role from JWT token │</span> <span class="s">│ - Enforce role-based permissions │</span> <span class="s">│ - Route to appropriate services │</span> <span class="s">└─────────────────────────────────────────┘</span> <span class="nn">...</span> </code></pre> </div> <ul> <li> <code>tasks.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Implementation Plan</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">x</span><span class="pi">]</span> <span class="s">1. Update Pre-Signup Lambda Trigger</span> <span class="s">- Modify `lambda/auth/pre-signup-trigger.js` to extract and validate role from signup request</span> <span class="s">- Implement logic to accept 'athlete' or 'organizer' roles</span> <span class="s">- Implement logic to reject 'super_admin' role with error</span> <span class="s">- Default to 'athlete' for missing or invalid roles</span> <span class="s">- Add comprehensive CloudWatch logging for all role assignments</span> <span class="s">- _Requirements</span><span class="err">:</span> <span class="s">1.2, 1.3, 1.4, 1.5, 5.1, 5.2, 5.3, 5.4, 5.5, 8.1, 8.2_</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">x</span><span class="pi">]</span> <span class="s">1.1 Write property test for pre-signup trigger</span> <span class="s">- **Property 1</span><span class="err">:</span> <span class="s">Role assignment consistency**</span> <span class="s">- **Property 2</span><span class="err">:</span> <span class="s">Super admin rejection**</span> <span class="s">- **Property 3</span><span class="err">:</span> <span class="s">Default role assignment**</span> <span class="s">- **Validates</span><span class="err">:</span> <span class="s">Requirements 1.2, 1.3, 1.4, 1.5, 2.4, 5.1, 5.2, 5.3, 5.4**</span> <span class="nn">...</span> </code></pre> </div> <p>Here we need to extend the capabilities using Model Context Protocol (MCP) and add more context:</p> <p>• Access specialized knowledge bases and documentation<br> • Integrate with external APIs and services<br> • Use domain-specific tools and utilities<br> • Connect to databases and cloud services</p> <p>I initially integrate two MCP servers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslabs.core-mcp-server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"tool"</span><span class="p">,</span><span class="w"> </span><span class="s2">"run"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--from"</span><span class="p">,</span><span class="w"> </span><span class="s2">"awslabs.core-mcp-server@latest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"awslabs.core-mcp-server.exe"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FASTMCP_LOG_LEVEL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_PROFILE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"labvel-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_REGION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws-foundation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"solutions-architect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"disabledTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"aws_knowledge_aws___get_regional_availability"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws_knowledge_aws___list_regions"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pricing_get_bedrock_patterns"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cost_explorer_get_cost_comparison_drivers"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"playwright"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"@playwright/mcp@latest"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> The Results </h2> <blockquote> <p>I'm excited to share the outcomes from our hands-on experience building agentic AI solutions with Kiro! 😁</p> </blockquote> <p>The following section captures the valuable lessons I've learned, the best practices I've discovered, and how thoughtful choices have helped us grow from an initial idea to a polished SaaS platform for managing calisthenics events and athlete profiles. </p> <h3> The IDE Project setup </h3> <p>Here is the review of my project setup, as you can see there are MCP, steering project files and some specs. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnci5jsjlko9ry0my3gek.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnci5jsjlko9ry0my3gek.png" alt="KIRO IDE Project" width="800" height="448"></a></p> <h3> The Complete system architecture for tournament auto-advance </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq89q3t82tn95l7b4bk67.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq89q3t82tn95l7b4bk67.png" alt="Complete system Tournament Achitecture " width="800" height="446"></a></p> <h3> Scheduling Domain </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9ei1t7m254wqj4liasz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9ei1t7m254wqj4liasz.png" alt="Scheduling Domain" width="800" height="938"></a></p> <p>Watch here some exception to strict DDD and boundex contex domain patterns, in this scenario I choice make read data directly between context because use rest API or service integration increase the complexity for this use case. </p> <h3> Scoring domain Integration </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyidlkh4c8dxmnobxachg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyidlkh4c8dxmnobxachg.png" alt="Scoring domain Integration" width="800" height="708"></a></p> <h3> The landing page </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2y1e1v8xe8sgeuemsme.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2y1e1v8xe8sgeuemsme.png" alt=" " width="800" height="332"></a></p> <h2> Best Practices and lessons learned </h2> <ul> <li><p>Make sure that your scaffold project and product rules information are clear and clean.</p></li> <li><p>Runs in supervised way to avoid mistakes, Kiro makes many tasks correctly but sometimes I need reject some changes because violate some rules or use bad approach to solve a technical issue. </p></li> <li><p>Don’t integrate more than 50 MCP tools, this consumes context and could be slow. </p></li> <li><p>Use Kiro CLI for specific troubleshooting and parallel tasks that do not modify the current tasks or files while specs are running. </p></li> <li><p>Create specialized Kiro CLI agents for each SDLC domain and product domains after creating protype or MVP.</p></li> <li><p>Keep flexibility and tradeoff according to your use case. Sometimes apply deep practices like DDD add more complexity however hard guardrails and guidelines are security and operational excellent.</p></li> <li><p>Keep the repository clean, while prompting and refining many md files are created, some related to upgrading summaries or analysis to debug, if those files are added as context to the agent could generate confusion and reprocess.</p></li> </ul> <p>Thank you for your time and support. Please remember to follow us for additional updates.</p> <p>✨ <em><strong>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</strong></em></p> aws ai development programming Alejandro Velez Wed, 17 Sep 2025 03:31:17 +0000 https://forem.com/avelez/using-amazon-q-and-custom-agents-for-iac-1i59 https://forem.com/avelez/using-amazon-q-and-custom-agents-for-iac-1i59 <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-story__hidden-navigation-link">Enhancing Infrastructure as Code Development and Operations with Amazon Q, MCP, and Thoth Framework</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a class="crayons-logo crayons-logo--l" href="/aws-builders"> <img alt="AWS Community Builders logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" class="crayons-logo__image"> </a> <a href="/avelez" class="crayons-avatar crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="avelez profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/avelez" class="crayons-story__secondary fw-medium m:hidden"> Alejandro Velez </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Alejandro Velez <div id="story-author-preview-content-2840310" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/avelez" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Alejandro Velez</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> <span> <span class="crayons-story__tertiary fw-normal"> for </span><a href="/aws-builders" class="crayons-story__secondary fw-medium">AWS Community Builders </a> </span> </div> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-story__tertiary fs-xs"><time>Sep 17 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" id="article-link-2840310"> Enhancing Infrastructure as Code Development and Operations with Amazon Q, MCP, and Thoth Framework </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/ai"><span class="crayons-tag__prefix">#</span>ai</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/iac"><span class="crayons-tag__prefix">#</span>iac</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">2<span class="hidden s:inline"> reactions</span></span> </div> </a> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 5 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> devops ai aws iac Alejandro Velez Wed, 17 Sep 2025 03:23:41 +0000 https://forem.com/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1 https://forem.com/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1 <p><strong>Level 300</strong></p> <p>With each phase of digital transformation, new approaches are introduced for developing and implementing solutions. Beginning with scripting tools such as Ansible and Chef, and progressing through innovations like Terraform, CDK, Pulumi, and today’s AI-driven agentic and autonomous systems, methodologies continually evolve. Some practices become obsolete, while fresh strategies emerge—challenging engineers to adapt, innovate, and drive progress in solution creation and maintenance.</p> <p>It is common for DevOps professionals to upgrade Infrastructure as Code (IaC) regularly; maintaining clean infrastructure dependencies at scale can be challenging, but many processes are now automated. Thoth framework simplifies dependency management, automates template generation and integrates seamlessly with existing workflows, reducing manual effort and minimizing errors in large-scale infrastructure projects building and managing IaC templates created with tools such as Terraform or Tofu, leveraging wrappers like Terragrunt and Terramate.</p> <p>Let me show you how common tasks can be automatically accelerated using traditional approaches and modern practices with custom agents like <strong>Amazon Q</strong>.</p> <h2> The left side: Development </h2> <p>Things are constantly evolving; tasks like coding are being redefined by tools from developer assistants to agentic AI, moving us closer to fully autonomous development. Soon, writing code may seem as outdated as using an abacus, but human interaction is important and necessary for critical thinking, architecture decisions, continuous improvement and alignment with business strategies. As a cloud architect, developer, or engineer, it is essential to define the infrastructure composition with careful consideration of application-driven design and operational models. Adhering to best practice consistent with the well-architected framework and internal guidelines—is necessary to ensure optimal performance and reliability.</p> <p>So, How can I do this with minimal effort, time, and resources?</p> <p>Companies use internal developer platforms with blueprints and quick starts to reduce toil, lower the learning curve, and enable self-service through established paths. Developers must interact using the correct interfaces. AI agents now serve as intuitive interfaces, exposing platform capabilities via MCP and allowing for tailored agents for each SDLC task.</p> <blockquote> <p>Let’s begin with the code. 👽</p> </blockquote> <p>Start by creating a custom agent with Amazon Q for IaC, including platform context via MCP and a custom CLI. This approach manages tasks like infrastructure composition, compliance, scanning, and reporting, while maintaining traditional practices such as git best practices.</p> <p>The following picture depicts this setup.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F480pkh258uzuchuqjd2g.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F480pkh258uzuchuqjd2g.webp" alt="AmazonQ agent and local Environment"></a></p> <p>The system interfaces directly with AWS services via the AWS SDK and leverages OpenTofu for infrastructure provisioning, ensuring consistent and reproducible deployments across multiple environments.</p> <blockquote> <p>You can add any complementary MCP service from list but be careful verify the source: </p> </blockquote> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/awslabs" rel="noopener noreferrer"> awslabs </a> / <a href="https://github.com/awslabs/mcp" rel="noopener noreferrer"> mcp </a> </h2> <h3> Official MCP Servers for AWS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Open source MCP servers for AWS</h1> </div> <p>A suite of specialized MCP servers that help you get the most out of AWS, wherever you use MCP.</p> <p><a href="https://github.com/awslabs/mcp" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/7bef95b38a27f6f93d54756cbcc6c0836290979aac3dc4073c363d8415d4895a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6769746875622d6177736c6162732f6d63702d626c75652e7376673f7374796c653d666c6174266c6f676f3d676974687562" alt="GitHub"></a> <a href="https://github.com/awslabs/mcp/LICENSE" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/1ab15760a37e02017d01e83deb523ea4fcd0c2c1ff40582248e5993d4b4bdf8b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4170616368652d2d322e302d627269676874677265656e" alt="License"></a> <a href="https://app.codecov.io/gh/awslabs/mcp" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/a9f1209a67280570750b6567cf1a9f0bfe6b8608b366071a90f9ccce6c45f33e/68747470733a2f2f696d672e736869656c64732e696f2f636f6465636f762f632f6769746875622f6177736c6162732f6d6370" alt="Codecov"></a> <a href="https://scorecard.dev/viewer/?uri=github.com/awslabs/mcp" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/0ad45245621b0ec67a2ce434e53827983a300dab2b2175a11f8071e602526a6f/68747470733a2f2f696d672e736869656c64732e696f2f6f7373662d73636f7265636172642f6769746875622e636f6d2f6177736c6162732f6d6370" alt="OSSF-Scorecard Score"></a></p> <div class="markdown-heading"> <h2 class="heading-element">Table of Contents</h2> </div> <ul> <li> <a href="https://github.com/awslabs/mcp#open-source-mcp-servers-for-aws" rel="noopener noreferrer">Open source MCP servers for AWS</a> <ul> <li><a href="https://github.com/awslabs/mcp#table-of-contents" rel="noopener noreferrer">Table of Contents</a></li> <li><a href="https://github.com/awslabs/mcp#what-is-the-model-context-protocol-mcp-and-how-does-it-work-with-mcp-servers-for-aws" rel="noopener noreferrer">What is the Model Context Protocol (MCP) and how does it work with MCP Servers for AWS?</a></li> <li> <a href="https://github.com/awslabs/mcp#open-source-mcp-servers-for-aws-transport-mechanisms" rel="noopener noreferrer">Open source MCP servers for AWS Transport Mechanisms</a> <ul> <li><a href="https://github.com/awslabs/mcp#supported-transport-mechanisms" rel="noopener noreferrer">Supported transport mechanisms</a></li> <li><a href="https://github.com/awslabs/mcp#server-sent-events-support-removal" rel="noopener noreferrer">Server Sent Events Support Removal</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#why-mcp-servers-for-aws" rel="noopener noreferrer">Why MCP Servers for AWS?</a></li> <li> <a href="https://github.com/awslabs/mcp#available-mcp-servers-quick-installation" rel="noopener noreferrer">Available MCP Servers: Quick Installation</a> <ul> <li><a href="https://github.com/awslabs/mcp#-getting-started-with-aws" rel="noopener noreferrer">🚀Getting Started with AWS</a></li> <li> <a href="https://github.com/awslabs/mcp#browse-by-what-youre-building" rel="noopener noreferrer">Browse by What You're Building</a> <ul> <li><a href="https://github.com/awslabs/mcp#-real-time-access-to-official-aws-documentation" rel="noopener noreferrer">📚 Real-time access to official AWS documentation</a></li> <li> <a href="https://github.com/awslabs/mcp#%EF%B8%8F-infrastructure--deployment" rel="noopener noreferrer">🏗️ Infrastructure &amp; Deployment</a> <ul> <li><a href="https://github.com/awslabs/mcp#infrastructure-as-code" rel="noopener noreferrer">Infrastructure as Code</a></li> <li><a href="https://github.com/awslabs/mcp#container-platforms" rel="noopener noreferrer">Container Platforms</a></li> <li><a href="https://github.com/awslabs/mcp#serverless--functions" rel="noopener noreferrer">Serverless &amp; Functions</a></li> <li><a href="https://github.com/awslabs/mcp#support" rel="noopener noreferrer">Support</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#-ai--machine-learning" rel="noopener noreferrer">🤖 AI &amp; Machine Learning</a></li> <li> <a href="https://github.com/awslabs/mcp#-data--analytics" rel="noopener noreferrer">📊 Data &amp; Analytics</a> <ul> <li><a href="https://github.com/awslabs/mcp#sql--nosql-databases" rel="noopener noreferrer">SQL &amp; NoSQL Databases</a></li> <li><a href="https://github.com/awslabs/mcp#search--analytics" rel="noopener noreferrer">Search &amp; Analytics</a></li> <li><a href="https://github.com/awslabs/mcp#caching--performance" rel="noopener noreferrer">Caching &amp; Performance</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#%EF%B8%8F-developer-tools--support" rel="noopener noreferrer">🛠️ Developer Tools &amp; Support</a></li> <li><a href="https://github.com/awslabs/mcp#-integration--messaging" rel="noopener noreferrer">📡 Integration &amp; Messaging</a></li> <li><a href="https://github.com/awslabs/mcp#-cost--operations" rel="noopener noreferrer">💰 Cost &amp; Operations</a></li> <li><a href="https://github.com/awslabs/mcp#-healthcare--lifesciences" rel="noopener noreferrer">🧬 Healthcare &amp; Lifesciences</a></li> </ul> </li> <li> <a href="https://github.com/awslabs/mcp#browse-by-how-youre-working" rel="noopener noreferrer">Browse by How You're Working</a><ul><li>…</li></ul> </li> </ul> </li> </ul> </li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/awslabs/mcp" rel="noopener noreferrer">View on GitHub</a></div> </div> <br> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/modelcontextprotocol" rel="noopener noreferrer"> modelcontextprotocol </a> / <a href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer"> servers </a> </h2> <h3> Model Context Protocol Servers </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Model Context Protocol servers</h1> </div> <p>This repository is a collection of <em>reference implementations</em> for the <a href="https://modelcontextprotocol.io/" rel="nofollow noopener noreferrer">Model Context Protocol</a> (MCP), as well as references to community-built servers and additional resources.</p> <div class="markdown-alert markdown-alert-important"> <p class="markdown-alert-title">Important</p> <p>If you are looking for a list of MCP servers, you can browse published servers on <a href="https://registry.modelcontextprotocol.io/" rel="nofollow noopener noreferrer">the MCP Registry</a>. The repository served by this README is dedicated to housing just the small number of reference servers maintained by the MCP steering group.</p> </div> <div class="markdown-alert markdown-alert-warning"> <p class="markdown-alert-title">Warning</p> <p>The servers in this repository are intended as <strong>reference implementations</strong> to demonstrate MCP features and SDK usage. They are meant to serve as educational examples for developers building their own MCP servers, not as production-ready solutions. Developers should evaluate their own security requirements and implement appropriate safeguards based on their specific threat model and use case.</p> </div> <p>The servers in this repository showcase the versatility and extensibility of MCP, demonstrating how it can be used to give Large…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Hands On </h2> <h3> Requirements </h3> <ul> <li>WSL or ubuntu 24.04</li> <li>python &gt;= 3.12</li> <li>thothctl &gt;= 0.5.3</li> <li>opentofu &gt;= 1.10.6</li> <li>terragrunt &gt;= 0.88.0</li> </ul> <h3> Preparing the local environment </h3> <p>Bootstrap you environment with the necessary tools following the next steps:</p> <p>a. Download and install thothctl from pypi official repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pipx <span class="nb">install </span>thothcl </code></pre> </div> <p>b. Install amazon Q agent and Amazon Q for your IDE, terragrunt, tofu, uv, and pipx and other tools running or just runs the <strong>devtocontainers</strong> environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>thothctl init environment <span class="c">#environment for interactive mode</span> </code></pre> </div> <div class="ltag_asciinema"> </div> <p>Select the tools according to the recommended versions. If you already have the tools installed, please run.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>thothctl check environment </code></pre> </div> <div class="ltag_asciinema"> </div> <h3> Creating custom Amazon Q agent (thoth agent) </h3> <blockquote> <p>Please create the <a href="https://docs.aws.amazon.com/es_es/amazonq/latest/qdeveloper-ug/getting-started-builderid.html" rel="noopener noreferrer">AWS Builder Id</a></p> </blockquote> <p>a. Use thothctl to initialize the project with the scaffold template or clone the repository.</p> <p>The Custom agent configuration files are stored as JSON files in specific directories:</p> <p>Project-level custom agents <code>.amazonq/cli-agents/{agent-name}.json</code><br> Available only within the specific project directory and its subdirectories.</p> <p>The Amazon Q Developer CLI searches for a custom agent by following a defined order of precedence:<br> • <strong>Local custom agents first</strong> - Checks for custom agents in the current working directory<br> • <strong>Global custom agents second</strong> - Falls back to custom agents in your home directory<br> • <strong>Built-in default</strong> - Uses the default agent if no custom agent is found</p> <blockquote> <p>ℹ️ Please visit for best practices and deep knowledge: 👉 <a href="https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-custom-agents-management.html" rel="noopener noreferrer">Custom Agents Management</a> 👈 </p> </blockquote> <p>For this scenario the scaffold project template looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── LICENSE ├── README.md ├── common │   ├── common.hcl │   ├── common.tfvars │   └── variables.tf ├── docs │   └── catalog │   ├── catalog-info.yaml │   ├── docs │   │   ├── general │   │   ├── guidelines │   │   │   ├── architecture-definition.md │   │   │   └── iac-composition-guidelines.md │   │   ├── images │   │   │   ├── DiagramArchitecture.png │   │   │   └── graph.svg │   │   └── index.md │   └── mkdocs.yml ├── root.hcl └── stacks ├── application │   ├── compute │   │   ├── alb │   │   │   ├── README.md │   │   │   └── terragrunt.hcl │   │   └── asg │   └── storage │   ├── efs │   └── s3 ├── foundation │   ├── iam │   │   ├── policies │   │   └── roles │   │   └── terragrunt.hcl │   └── network │   ├── security-groups │   └── vpc │   ├── README.md │   └── terragrunt.hcl ├── observability │   └── monitoring │   ├── cloudwatch │   └── prometheus └── platform ├── containers │   ├── ecr │   ├── eks-control-plane │   │   └── terragrunt.hcl │   └── eks-nodegroups └── data ├── elasticache └── rds </code></pre> </div> <p>You can find it in: </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/thothforge" rel="noopener noreferrer"> thothforge </a> / <a href="https://github.com/thothforge/terragrunt_project_scaffold" rel="noopener noreferrer"> terragrunt_project_scaffold </a> </h2> <h3> Scaffold for terragrun projects using thoth framework </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Terragrunt Project Scaffold</h1> </div> <p>A production-ready Terragrunt template for AWS infrastructure deployment with GitOps integration and best practices.</p> <div class="markdown-heading"> <h2 class="heading-element">Overview</h2> </div> <p>This scaffold provides a standardized project structure for managing AWS infrastructure using Terragrunt, with built-in support for:</p> <ul> <li>Multi-environment deployments</li> <li>Remote state management with S3 and DynamoDB</li> <li>Code quality tools (TFLint, pre-commit hooks)</li> <li>GitOps workflows</li> <li>Modular architecture</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Project Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>#{project_name}#/ ├── .thothcf.toml # Template configuration ├── .gitignore # Git ignore rules ├── .tflint.hcl # TFLint configuration ├── .pre-commit-config.yaml # Pre-commit hooks ├── root.hcl # Root Terragrunt configuration ├── common/ │ ├── common.hcl # Common variables and provider config │ └── variables.tf # Shared variable definitions ├── stacks/ │ ├── foundation/ # Core infrastructure layer │ │ ├── network/vpc/ # VPC, subnets, routing │ │ └── iam/roles/ # Service roles and policies │ ├── platform/ # Shared services layer │ │ └── containers/ │ │ └── eks-control-plane/ # EKS cluster │ ├── application/ #</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/thothforge/terragrunt_project_scaffold" rel="noopener noreferrer">View on GitHub</a></div> </div> <div class="ltag_asciinema"> </div> <p>So, the custom agent provides the minimum mcp servers, context and tools. Agents can be created based on environment, technology, specialty or for specific projects for example when using a monorepo structure to store both application and infrastructure code.</p> <p>Here is the baseline agent setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thoth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"IaC and GitOps specialist THOTH agent for IaC deployments"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"thothctl"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thothctl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"server"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--stdio"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"git"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mcp-server-git"</span><span class="p">],</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">30000</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"terraform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"docker"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"run"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-i"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--rm"</span><span class="p">,</span><span class="w"> </span><span class="s2">"hashicorp/terraform-mcp-server"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"awslabs.aws-diagram-mcp-server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"awslabs.aws-diagram-mcp-server"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FASTMCP_LOG_LEVEL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"autoApprove"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"fs_write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"execute_bash"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@thothctl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@terraform"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"allowedTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_status"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_log"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_diff"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"toolAliases"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@git/git_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"status"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@git/git_log"</span><span class="p">:</span><span class="w"> </span><span class="s2">"log"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@git/git_diff"</span><span class="p">:</span><span class="w"> </span><span class="s2">"diff"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"toolsSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"fs_write"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"stacks/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"common/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.tfvars"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.toml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"docs/**"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://LICENSE"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.thothcf.toml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://root.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://common/common.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://common/variables.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.tflint.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.pre-commit-config.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.gitignore"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://stacks/**/*.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://stacks/**/*.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://docs/**/*.md"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The agent has the resources definition block: </p> <blockquote> <p>In <code>docs/catalog/docs/guidelines</code> we include two guidelines, one for architecture definitions and other for IaC composition guidelines. </p> </blockquote> <p>b. Finally, start a chat with the agent in project folder and create some stacks :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ q chat <span class="nt">--agent</span> thoth ✓ terraform loaded <span class="k">in </span>1.05 s ✓ git loaded <span class="k">in </span>1.81 s ✓ awslabs.aws-diagram-mcp-server loaded <span class="k">in </span>2.02 s ✓ thothctl loaded <span class="k">in </span>2.12 s </code></pre> </div> <p>For example: </p> <div class="ltag_asciinema"> </div> <p>Thanks for reading and sharing! 🤠</p> <p>The next blogs offer more examples and explains how traditional and agentic AI can be combined for optimal results. 🥸</p> <p>✨ <em><strong>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</strong></em></p> devops ai aws iac Alejandro Velez Mon, 04 Aug 2025 01:48:07 +0000 https://forem.com/avelez/here-the-3rd-part-of-this-series-1adm https://forem.com/avelez/here-the-3rd-part-of-this-series-1adm <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-story__hidden-navigation-link">GitOps and IaC at Scale – ArgoCD and Open Tofu – Part 3 – Hardening and Manage users</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a class="crayons-logo crayons-logo--l" href="/aws-builders"> <img alt="AWS Community Builders logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" class="crayons-logo__image"> </a> <a href="/avelez" class="crayons-avatar crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="avelez profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/avelez" class="crayons-story__secondary fw-medium m:hidden"> Alejandro Velez </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Alejandro Velez <div id="story-author-preview-content-2707008" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/avelez" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Alejandro Velez</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> <span> <span class="crayons-story__tertiary fw-normal"> for </span><a href="/aws-builders" class="crayons-story__secondary fw-medium">AWS Community Builders </a> </span> </div> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-story__tertiary fs-xs"><time>Aug 3 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" id="article-link-2707008"> GitOps and IaC at Scale – ArgoCD and Open Tofu – Part 3 – Hardening and Manage users </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/terraform"><span class="crayons-tag__prefix">#</span>terraform</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/gitops"><span class="crayons-tag__prefix">#</span>gitops</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/fire-f60e7a582391810302117f987b22a8ef04a2fe0df7e3258a5f49332df1cec71e.svg" width="18" height="18"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">4<span class="hidden s:inline"> reactions</span></span> </div> </a> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments 1<span class="hidden s:inline"> comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 7 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> devops aws terraform gitops Alejandro Velez Sun, 03 Aug 2025 23:40:39 +0000 https://forem.com/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m https://forem.com/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m <p><strong><em>Level 400</em></strong></p> <p><a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p">Earlier blogs covered scalable delivery</a>,<a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9"> architecture patterns, and code samples</a>. This section provides additional production-ready examples and best practices using the Well Architected Framework and GitOps with ArgoCD.</p> <h2> Architecture Overview </h2> <p>Now, suppose that you must apply some custom addons for the environment, also enable on-boarding application developer’s teams and platform teams to manage their projects and applications with the least manual effort, integration with AWS ecosystem like IAM identity Center and apply best practices for ArgoCD setup. For accomplishing this the following image depicts the high-level reference architecture with the main services: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvvalw64rcawv11q85ul.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvvalw64rcawv11q85ul.png" alt="Final GitOps on AWS"></a></p> <p>Here the new resources are ALB as an ingress gateway for Argo server, Route 53 to enable a Hosted Zone for public Domain, AWS Certificate management for SSL trough the ALB, and IAM Identity Center for SSO capabilities. </p> <blockquote> <p>For production environments there could be a private hosted Zone and use PKI architecture internal to enable SSL access.</p> </blockquote> <p>For other hand, *<em>how can you be modeling the groups and access to the Argo projects and applications? *</em><br> There is not correct answer and depending on your operational model <a href="https://martinfowler.com/bliki/ConwaysLaw.html" rel="noopener noreferrer">(Conway’s Law)</a> for example, the following image depicts a simple group for each team around a workload. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9oj3gs0ab3ideszb4sr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9oj3gs0ab3ideszb4sr.png" alt="GitOps Groups"></a></p> <p>Assigning permissions should follow the principle of the least privilege, separating application and project actions. For example, the application engineering team can run all actions on Applications but only watch and update the platform and addon applications.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwjjccbcz8heybcm88h3z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwjjccbcz8heybcm88h3z.png" alt="GitOps Teams and permissions"></a></p> <h2> Hands On </h2> <p>It’s time to create code.</p> <p>First, we must modify the hub blueprint to enable argo cd best practices<br> ❌ Don’t use Default admin for management- Disable it.<br> ❌ Don’t use the default project<br> ❌ Don’t use local users just if it is completely necessary for CLI or external automatons.<br> ✅ Create Roles and assign to groups instead of individual assignments.</p> <p>Now, according to Argo cd documentation the SSO is configured with IAM Identity Center.</p> <p>A working Single Sign-On configuration using Identity Center (AWS SSO) has been achieved using <a href="https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/identity-center/" rel="noopener noreferrer">SAML (with Dex)</a></p> <blockquote> <p>To manage IAM Identity Center in AWS, applications must be created because the <code>CreateApplication</code>API only supports custom OAuth 2.0 apps. Third-party SAML or OAuth 2.0 apps must be set up via their respective services or the AWS console. Application creation cannot be automated with Terraform, but user assignments can still be handled through IaC.</p> </blockquote> <p>Initially, a custom Terraform module was developed to establish the ArgoCD hardening baseline. This module leverages the gitops bridge module as its foundation and incorporates SSO configuration, along with group and default role setup and baseline specifications.</p> <p>The module name is <strong>terraform-helm-hardening-gitops-bridge</strong> </p> <blockquote> <p>You can find the source code module here 👉 </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/thothforge" rel="noopener noreferrer"> thothforge </a> / <a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge" rel="noopener noreferrer"> terraform-helm-hardening-gitops-bridge </a> </h2> <h3> GitOps bridge extended module with hardennig practices and examples </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Terraform Hardening GitOps Bridge Module</h1> </div> <p><a href="https://www.terraform.io/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/8e858e3e21e02106973c29c03e9615d40ea641d008b0c1a2f1fe741c326dbdff/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f7465727261666f726d2d2532333538333543432e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d7465727261666f726d266c6f676f436f6c6f723d7768697465" alt="Terraform"></a> <a href="https://aws.amazon.com/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/4dae474904a8c58fd1de6463cfa4692a7ef04064d976e5d6bbbee33131471da2/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4157532d2532334646393930302e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d616d617a6f6e2d617773266c6f676f436f6c6f723d7768697465" alt="AWS"></a> <a href="https://kubernetes.io/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/a7dfef554afa4a384788bb87c246f094f7048362db9c835b50ac92e605ce4999/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6b756265726e657465732d2532333332366365352e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d6b756265726e65746573266c6f676f436f6c6f723d7768697465" alt="Kubernetes"></a> <a href="https://argoproj.github.io/cd/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d3e321cce1a35554aebe109caca2d1cb830b7abdc3e575f1482fe35f626f7450/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6172676f2d4546374234443f7374796c653d666f722d7468652d6261646765266c6f676f3d6172676f266c6f676f436f6c6f723d7768697465" alt="ArgoCD"></a></p> <p>A comprehensive Terraform module that provides a hardened GitOps bridge for Amazon EKS clusters, implementing security best practices and enterprise-grade configurations for GitOps workflows using ArgoCD.</p> <div class="markdown-heading"> <h2 class="heading-element">📖 Table of Contents</h2> </div> <ul> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-features" rel="noopener noreferrer">Features</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-prerequisites" rel="noopener noreferrer">Prerequisites</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#%EF%B8%8F-architecture" rel="noopener noreferrer">Architecture</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-quick-start" rel="noopener noreferrer">Quick Start</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-examples" rel="noopener noreferrer">Examples</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-configuration-options" rel="noopener noreferrer">Configuration Options</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-security-best-practices" rel="noopener noreferrer">Security Best Practices</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#%EF%B8%8F-deployment-patterns" rel="noopener noreferrer">Deployment Patterns</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-monitoring-and-observability" rel="noopener noreferrer">Monitoring and Observability</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-performance-optimization" rel="noopener noreferrer">Performance Optimization</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-advanced-security-configuration" rel="noopener noreferrer">Advanced Security Configuration</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-dns-and-ingress-configuration" rel="noopener noreferrer">DNS and Ingress Configuration</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-customization-options" rel="noopener noreferrer">Customization Options</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-cost-optimization" rel="noopener noreferrer">Cost Optimization</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-best-practices" rel="noopener noreferrer">Best Practices</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-operational-procedures" rel="noopener noreferrer">Operational Procedures</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-faq" rel="noopener noreferrer">FAQ</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-additional-resources" rel="noopener noreferrer">Additional Resources</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-contributing" rel="noopener noreferrer">Contributing</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-license" rel="noopener noreferrer">License</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-support" rel="noopener noreferrer">Support</a></p> </li> </ul> <div class="markdown-heading"> <h2 class="heading-element">🚀 Features</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">Core Capabilities</h3> </div> <ul> <li> <strong>GitOps Integration</strong>: Seamless integration with ArgoCD for GitOps workflows</li> <li> <strong>Security Hardening</strong>: Enterprise-grade security configurations and best practices</li> <li> <strong>Multi-Repository Support</strong>: Support for addons, platform, and workloads repositories</li> <li> <strong>Flexible Deployment</strong>: Single cluster or hub-spoke architecture support</li> <li> <strong>Comprehensive Addons</strong>: Pre-configured essential Kubernetes addons</li> </ul> <div class="markdown-heading"> <h3 class="heading-element">Security Features</h3> </div> <ul> <li> <strong>RBAC Integration</strong>: Role-based access control with customizable permissions</li> <li> <strong>SSO Support</strong>: Microsoft Entra ID (Azure AD) integration</li> <li> <strong>Certificate Management</strong>: Automated SSL/TLS certificate provisioning</li> <li>…</li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge" rel="noopener noreferrer">View on GitHub</a></div> </div> </blockquote> <p>or 👉 </p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body flex items-center justify-between"> <a href="https://registry.terraform.io/modules/thothforge/hardening-gitops-bridge/helm/latest?tab=outputs" rel="noopener noreferrer" class="c-link fw-bold flex items-center"> <span class="mr-2">registry.terraform.io</span> </a> </div> </div> </div> <p>The main files are: <code>bootstrap/argocd-values.yaml</code> where the default values are created and parser some parameters from terraform parameters like default project name, dns or argo host, kind of ingress, tags, subnets and more.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># bootstrap/argocd-values.yaml</span> <span class="na">global</span><span class="pi">:</span> <span class="na">topologySpreadConstraints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">maxSkew</span><span class="pi">:</span> <span class="m">1</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">topology.kubernetes.io/hostname"</span> <span class="na">whenUnsatisfiable</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ScheduleAnyway"</span> <span class="c1"># Default logging options used by all components</span> <span class="na">logging</span><span class="pi">:</span> <span class="c1"># -- Set the global logging format. Either: `text` or `json`</span> <span class="na">format</span><span class="pi">:</span> <span class="s">text</span> <span class="c1"># -- Set the global logging level. One of: `debug`, `info`, `warn` or `error`</span> <span class="na">level</span><span class="pi">:</span> <span class="s">debug</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># SSO configuration with Entra ID</span> <span class="na">cm</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://${argo_host}</span> <span class="na">dex.config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">logger:</span> <span class="s">level: debug</span> <span class="s">format: json</span> <span class="s">connectors:</span> <span class="s">- type: saml</span> <span class="s">id: aws</span> <span class="s">name: "AWS IAM Identity Center"</span> <span class="s">config:</span> <span class="s"># You need value of Identity Center APP SAML (IAM Identity Center sign-in URL)</span> <span class="s">ssoURL: ${sso_assertion_url} #https://portal.sso.yourregion.amazonaws.com/saml/assertion/id</span> <span class="s"># You need `caData` _OR_ `ca`, but not both.</span> <span class="s">#&lt;CA cert (IAM Identity Center Certificate of Identity Center APP SAML) passed through base64 encoding&gt;</span> <span class="s">caData: ${ca_data_iam_app} </span> <span class="s"># Path to mount the secret to the dex container</span> <span class="s">entityIssuer: https://${argo_host}/api/dex/callback</span> <span class="s">redirectURI: https://${argo_host}/api/dex/callback</span> <span class="s">usernameAttr: email</span> <span class="s">emailAttr: email</span> <span class="s">groupsAttr: groups</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">p, role:platform-team, applications, *, */*, allow</span> <span class="s">p, role:platform-team, projects, *, */*, allow</span> <span class="s">p, role:platform-team, clusters, *, *, allow</span> <span class="s">p, role:platform-team, repositories, *, *, allow</span> <span class="s">p, role:platform-team, certificates, *, *, allow</span> <span class="s">p, role:platform-team, logs, get, */*, allow</span> <span class="s">p, role:platform-team, exec, create, */*, allow</span> <span class="s">p, role:platform-team, applicationsets, *, */*, allow</span> <span class="s">p, role:platform-team, accounts, get, */*, allow</span> <span class="s">p, role:platform-team, sessions, create, */*, allow</span> <span class="s">p, role:platform-team, sessions, delete, */*, allow</span> <span class="s">p, role:platform-team, projects, get, *, allow</span> <span class="s">p, role:platform-team, projects, list, *, allow</span> <span class="s">p, role:platform-team, projects, update, *, allow</span> <span class="s">p, role:platform-team, projects, create, *, allow</span> <span class="s">p, role:platform-team, actions, *, */*, allow</span> <span class="s">g, ${admin_idp_group_id}, role:platform-team</span> <span class="na">policy.default</span><span class="pi">:</span> <span class="s">role:deny</span> <span class="na">policy.matchMode</span><span class="pi">:</span> <span class="s">glob</span> <span class="na">scopes</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[groups,</span><span class="nv"> </span><span class="s">email]'</span> <span class="na">server</span><span class="pi">:</span> <span class="na">autoscaling</span><span class="pi">:</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">20</span> <span class="na">targetCPUUtilizationPercentage</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetMemoryUtilizationPercentage</span><span class="pi">:</span> <span class="m">80</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NodePort"</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${enable_argo_ingress}"</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_host}"</span> <span class="na">controller</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws"</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">alb"</span> <span class="na">tls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">aws</span><span class="pi">:</span> <span class="na">backendProtocolVersion</span><span class="pi">:</span> <span class="s">GRPC</span> <span class="na">serviceType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NodePort"</span> <span class="c1">#"ClusterIP"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/group.name</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":80},{"HTTPS":443}]'</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${aws_load_balancer_type}"</span> <span class="na">alb.ingress.kubernetes.io/security-groups</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_ingress_sg}"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${acm_certificate_arn}"</span> <span class="na">alb.ingress.kubernetes.io/ssl-policy</span><span class="pi">:</span> <span class="s">ELBSecurityPolicy-TLS-1-2-2017-01</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">alb.ingress.kubernetes.io/subnets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${ingress_subnets}"</span> <span class="na">alb.ingress.kubernetes.io/tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${required_tags}"</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="c1">#extraRules:</span> <span class="c1">#- http:</span> <span class="c1"># paths:</span> <span class="c1"># - path: /argocd</span> <span class="c1"># pathType: Prefix</span> <span class="c1"># backend:</span> <span class="c1"># service:</span> <span class="c1"># name: 'argo-cd-argocd-server-grpc'</span> <span class="c1"># port:</span> <span class="c1"># name: 'https'</span> <span class="na">ingressGrpc</span><span class="pi">:</span> <span class="c1"># -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1">#"${enable_argo_ingress}"</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_host}"</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">alb"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/group.name</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol-version</span><span class="pi">:</span> <span class="s">GRPC</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":80},{"HTTPS":443}]'</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ip"</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">alb.ingress.kubernetes.io/success-codes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0-99"</span> <span class="na">alb.ingress.kubernetes.io/security-groups</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_ingress_sg}"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${acm_certificate_arn}"</span> <span class="na">alb.ingress.kubernetes.io/ssl-policy</span><span class="pi">:</span> <span class="s">ELBSecurityPolicy-TLS-1-2-2017-01</span> <span class="na">alb.ingress.kubernetes.io/subnets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${ingress_subnets}"</span> <span class="na">alb.ingress.kubernetes.io/tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${required_tags}"</span> <span class="na">controller</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system-node-critical"</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8082</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8082</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">repoServer</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system-node-critical"</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8084</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8084</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">notificationsController</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">redis-ha</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">waitForVotes</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">quorum</span><span class="pi">:</span> <span class="m">2</span> <span class="na">applicationSet</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8085</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8085</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> </code></pre> </div> <p>For other hand, the argo project default template is: <code>bootstrap/default_argproj.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${default_argoproj_name}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/instance</span><span class="pi">:</span> <span class="s">argoprojects-platform-team</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Team for TI to manage Argo projects and applications</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="s">${jsonencode(repositories)}</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <blockquote> <p>You can modify according to the baseline’s requirements; this is the platform project like default.</p> </blockquote> <p>The platform addons and platform appsets just receive the parameter for default project in argoCD but keep as the beginning of this series.</p> <p>Other kinds of resources for the module are security groups and default secrets, if the SSO is not enabled for platform, for admin, developers and view only users.</p> <p>For other hand, the module can create a certificate and CNAME in a public hosted zone. Is usual that these resources are managed from other team, but in this setup in the same account exists a delegate hosted zone for internal use. This allows use external DNS addon to enable easy integration and register additional services in your control plane.</p> <blockquote> <p>Sensitive data like ca data and group id could be loaded from parameter store provided for security team. Or save in secrets manager to mount the secret onto the dex container in the argocd-dex-server Deployment.</p> </blockquote> <p>The module can be utilized with Terragrunt as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1">#include "kubectl_provider" {</span> <span class="c1"># path = find_in_parent_folders("/common/additional_providers/provider_kubectl.hcl")</span> <span class="c1">#}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="nx">node_security_group_id</span> <span class="p">=</span> <span class="s2">"sg-xasr18923d"</span> <span class="nx">cluster_primary_security_group_id</span> <span class="p">=</span> <span class="s2">"sg-xasr18923d"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks_role"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/iam/eks_role"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="s2">"arn::..."</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">default_project</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">default_project</span> <span class="nx">enable_argo_ingress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sso_assertion_url</span> <span class="p">=</span> <span class="s2">"https://portal.sso.&lt;SSO_REGION&gt;.amazonaws.com/saml/assertion/&lt;id&gt;"</span> <span class="nx">ca_data</span><span class="p">=</span> <span class="s2">"BASE 64 CA Data"</span> <span class="nx">argo_host_dns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"argocd.devsecops.labvel.io"</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z101221820UZWIPQ27722"</span> <span class="nx">aws_load_balancer_type</span> <span class="p">=</span> <span class="s2">"internet-facing"</span> <span class="nx">validation</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">addons_repos_properties</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Containers"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span><span class="s2">"tfr:///thothforge/hardening-gitops-bridge/helm?version=1.0.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">node_security_group</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_primary_security_group_id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">enable_argo_ingress</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_argo_ingress"</span><span class="p">]</span> <span class="nx">argo_host_dns</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argo_host_dns"</span><span class="p">]</span> <span class="c1">#external_dns_domain_filters = [local.workspace["argo_host_dns"]]</span> <span class="nx">sso_assertion_url</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"sso_assertion_url"</span><span class="p">]</span> <span class="nx">ca_data</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"ca_data"</span><span class="p">]</span> <span class="nx">admin_idp_group_id</span> <span class="p">=</span><span class="s2">"318xx789-x071-70f5-63x6-xx21233xxx33"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Finally you can login into argocd hub control plane using the url or through AWS SSO login interface.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd85yf2r55dfnb0xxopaj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd85yf2r55dfnb0xxopaj.png" alt="Argo CD simple Access"></a><br> Or<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg91ptwz52ti2d649raar.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg91ptwz52ti2d649raar.png" alt="SSO Argo CD App"></a></p> <p>The upcoming post will include additional customization options and add-ons. <br> Thanks for reading and sharing.🙌 👽 😃</p> devops aws terraform gitops Alejandro Velez Sun, 20 Apr 2025 00:18:12 +0000 https://forem.com/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p https://forem.com/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p <p><em><em>Level 400</em></em></p> <p>Hi clouders, in the previous <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9">blog</a> you can explore the considerations to deploy at scale gitops and IaC, in this post you can learn more about <strong>how to deploy spokes cluster</strong> using the GitOps bridge framework and specific use cases with AWS enterprise capabilities and security best practices. </p> <h2> Architecture Overview </h2> <h3> Spoke clusters and Scenarios </h3> <p>According to the best practices there are many considerations and scenarios, for example:</p> <ul> <li><p>You can have <strong>one stack or IaC repository with the definitions for each account, team or squat</strong>. It depends on your internal organizations and share responsibility model. For this scenario suppose that the model is a <strong>decentralized DevOps Operational Model</strong>, and each squat has their custom IaC for each project. <strong>Consider keeping clear separation and isolation between environments and make match your platform strategy</strong>, for example, some organizations have a single hub for managing dev, QA and prod cluster, others have a hub to manage each environment cluster and other, and others have one hub for previous environments and another for production.</p></li> <li><p>Another key point to note is the <strong>capacity planning</strong> and applications by team, some organizations allow share the same cluster for an organizational unit and keep the applications grouped by namespaces in each environment, others prefer to <strong>have one environment and cluster by workload or application</strong>. Considering the networking and security considerations has main pain and challenges for both scenarios. In this series the main assumption is <strong>that each workload has a dedicated cluster and account by environment but there is a transversal platform team that manages the cluster configuration and control plane</strong>. The following table describe the relationship between scenario and AWS accounts: </p></li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>AWS Account</th> <th>Clusters</th> </tr> </thead> <tbody> <tr> <td>Single Hub – N Spokes</td> <td>1 for HUB – N account by environment</td> <td>1 cluster Hub, N Spoke Clusters by environment</td> </tr> <tr> <td>M Hub - N spokes</td> <td>M accounts By Hub environments – N account by environments</td> <td>M Hub Clusters, N Environment Clusters</td> </tr> </tbody> </table></div> <p>The Figure 1 depicts the architecture for this scenario.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2b1gncphe69gsd9qt4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2b1gncphe69gsd9qt4.png" alt="GitOps Final AWS EKS"></a><br> Figure 1. GitOps bridge Deployment architecture in AWS</p> <blockquote> <p>The FinOps practices are key point independent of your resources distribution you must consider what is the best strategy for track cost and shared resources. </p> </blockquote> <h2> Hands On </h2> <p>First, modify the hub infrastructure stacks to add the stack to manage the credentials cross account and allow the CI infrastructure agents to take them to register the cluster in the control plane. Also, create the role for Argocd to enable the authentication between Argocd hub and spoke cluster. </p> <h3> Updating Control Plane Infrastructure </h3> <p>So, let’s set up the credentials according to the best practices and the scenario described in the previous section, the cluster credentials are stored in parameter store and share with the organizational units for each team or business unit. </p> <blockquote> <p><strong>You must enable RAM as trusted service in your organization from Organizations management account and RAM Console</strong>. </p> </blockquote> <p>For this task, a local module <code>terraform-aws-parameter-store</code> was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>└── terraform-aws-ssm-parameter-sotre ├── README.md ├── data.tf ├── main.tf ├── outputs.tf └── variables.tf </code></pre> </div> <p>The module creates the parameter and shares with organization id, organizational unit, or account id principals. </p> <p>Now, using terragrunt the module is called to create a new stack or terragrunt unit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#parameter_store-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="nx">cluster_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks:us-east-2:105171185823:cluster/gitops-scale-dev-hub"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">parameter_name</span> <span class="p">=</span> <span class="s2">"/control_plane/${include.root.locals.environment.locals.workspace}/credentials"</span> <span class="nx">sharing_principals</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ou-w3ow-k24p2opx"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Operations"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-ssm-parameter-sotre"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">parameter_name</span> <span class="p">=</span> <span class="s2">"${local.workspace["</span><span class="nx">parameter_name</span><span class="s2">"]}"</span> <span class="nx">parameter_description</span> <span class="p">=</span> <span class="s2">"Control plane credentials"</span> <span class="nx">parameter_type</span> <span class="p">=</span> <span class="s2">"SecureString"</span> <span class="nx">parameter_tier</span> <span class="p">=</span> <span class="s2">"Advanced"</span> <span class="nx">create_kms</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_sharing</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sharing_principals</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"sharing_principals"</span><span class="p">]</span> <span class="nx">parameter_value</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">,</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span><span class="p">,</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">,</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span><span class="p">,</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span><span class="p">,</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span><span class="p">,</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">":"</span><span class="p">,</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_arn</span><span class="p">)[</span><span class="mi">4</span><span class="p">]</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now, another stack is necessary, the IAM role to enable service account for argocd use the IAM authentication with spoke clusters. The module terraform-aws-iam/iam-eks-role allows to create the IRSA role but also is necessary create a custom policy to allow assume role in the spoke accounts. The Figure 2 depicts in depth this setup.</p> <blockquote> <p>You can create simple stack for managing the role, or a module that supports the EKS definition and IAM role. </p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2ofwl7tffht6t6qdqmp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2ofwl7tffht6t6qdqmp.png" alt="GitOps Authentication"></a><br> Figure 2. GitOps authentication summary.</p> <p>So, the module is in <code>modules/terraform-aws-irsa-eks-hub</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">modules</span><span class="err">/</span> <span class="err">├──</span> <span class="nx">terraform-aws-irsa-eks-hub</span> <span class="err">│  </span> <span class="err">├──</span> <span class="nx">README</span><span class="err">.</span><span class="nx">md</span> <span class="err">│  </span> <span class="err">├──</span> <span class="nx">main</span><span class="err">.</span><span class="nx">tf</span> <span class="err">│  </span> <span class="err">├──</span> <span class="nx">outputs</span><span class="err">.</span><span class="nx">tf</span> <span class="err">│  </span> <span class="err">└──</span> <span class="nx">variables</span><span class="err">.</span><span class="nx">tf</span> <span class="err">└──</span> <span class="nx">terraform-aws-ssm-parameter-sotre</span> <span class="err">├──</span> <span class="nx">README</span><span class="err">.</span><span class="nx">md</span> <span class="err">├──</span> <span class="nx">data</span><span class="err">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">main</span><span class="err">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">outputs</span><span class="err">.</span><span class="nx">tf</span> <span class="err">└──</span> <span class="nx">variables</span><span class="err">.</span><span class="nx">tf</span> <span class="mi">3</span> <span class="nx">directories</span><span class="err">,</span> <span class="mi">9</span> <span class="nx">files</span> </code></pre> </div> <p>and the stack is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_role-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"eks-role-hub"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-irsa-eks-hub"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${local.workspace["</span><span class="nx">role_name</span><span class="s2">"]}-${local.workspace["</span><span class="nx">environment</span><span class="s2">"]}"</span> <span class="nx">cluster_service_accounts</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${dependency.eks.outputs.cluster_name}"</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"argocd:argocd-application-controller"</span><span class="p">,</span> <span class="s2">"argocd:argo-cd-argocd-repo-server"</span><span class="p">,</span> <span class="s2">"argocd:argocd-server"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Finally, the gitops_bridge stack must look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks_role"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/iam/eks_role"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="s2">"arn::..."</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">argocd_apps</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./bootstrap/addons.yaml"</span><span class="p">)</span> <span class="c1">#workloads = file("./bootstrap/workloads.yaml")</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///gitops-bridge-dev/gitops-bridge/helm?version=0.1.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">apps</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argocd_apps"</span><span class="p">]</span> <span class="nx">argocd</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="c1">#set = [</span> <span class="c1"># {</span> <span class="c1"># name = "server.service.type"</span> <span class="c1"># value = "LoadBalancer"</span> <span class="c1"># }</span> <span class="c1">#]</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">(</span> <span class="p">{</span> <span class="nx">configs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"server.insecure"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">server</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"NodePort"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">controller</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">ingressClassName</span> <span class="err">:</span> <span class="s2">"alb"</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">serviceType</span> <span class="err">:</span> <span class="s2">"NodePort"</span> <span class="p">}</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">#"alb.ingress.kubernetes.io/backend-protocol" = "HTTPS"</span> <span class="c1">#"alb.ingress.kubernetes.io/ssl-redirect" = "443"</span> <span class="c1">#"service.beta.kubernetes.io/aws-load-balancer-type" = "external"</span> <span class="c1">#"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "ip"</span> <span class="c1">#"alb.ingress.kubernetes.io/listen-ports" : "[{\"HTTPS\":443}]"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">controller</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">repoServer</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Basically the main changes was the introduction to argocd map to setup the values for helm chart deployment to enable to use the IRSA role. </p> <p>When you are using cross account deployment the profile that creates the secrets in hub cluster must to have access and permissions, for example in the repository the eks_control_plane stack introduce a new access entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${include.root.locals.common_vars.locals.project}-${include.root.locals.environment.locals.workspace}-hub"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.32"</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">access_entries</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">#####################################################################################################################</span> <span class="c1"># Admin installation and setup for spoke accounts - Demo purpose- must be the ci Agent Role</span> <span class="c1">####################################################################################################################</span> <span class="nx">admins_sso</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kubernetes_groups</span> <span class="p">=</span> <span class="p">[]</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:sts::123456781234:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AWSAdministratorAccess_877fe9e4127a368d"</span> <span class="nx">user_name</span> <span class="p">=</span> <span class="s2">"arn:aws:sts::123456781234:assumed-role/AWSReservedSSO_AWSAdministratorAccess_877fe9e4127a368d/{{SessionName}}"</span> <span class="nx">policy_associations</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">single</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"</span> <span class="nx">access_scope</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">node_pools</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"general-purpose"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///terraform-aws-modules/eks/aws?version=20.33.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"create"</span><span class="p">]</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_name"</span><span class="p">]</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_version"</span><span class="p">]</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_endpoint_public_access"</span><span class="p">]</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_cluster_creator_admin_permissions"</span><span class="p">]</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_compute_config"</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">access_entries</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"access_entries"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The final Hub infrastructure is: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuhg9z8kxa3isrwhdndid.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuhg9z8kxa3isrwhdndid.png" alt="Hub- infrasctructure"></a><br> Figure 3. Control Plane Infrastructure.</p> <p>👇 Get the code here.<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_blueprint </a> </h2> <h3> Public demo for Gitops bridge using terragrunt, OpenTofu and EKS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Blueprint with Terragrunt</h1> </div> <p>This project provides a blueprint for implementing GitOps on AWS using Terragrunt and Argo CD. It offers a structured approach to managing infrastructure as code and deploying applications across multiple environments.</p> <p>The blueprint is designed to streamline the process of setting up a GitOps workflow on AWS, leveraging Terragrunt for managing Terraform configurations and Argo CD for continuous deployment. It includes configurations for essential AWS services such as EKS (Elastic Kubernetes Service) and VPC (Virtual Private Cloud), as well as GitOps components for managing cluster addons and platform-level resources.</p> <p>Key features of this blueprint include:</p> <ul> <li>Modular infrastructure setup using Terragrunt</li> <li>EKS cluster configuration for container orchestration</li> <li>VPC network setup for secure and isolated environments</li> <li>GitOps bridge for seamless integration between infrastructure and application deployments</li> <li>Argo CD ApplicationSets for managing cluster addons and platform resources</li> <li>Environment-specific configurations for multi-environment deployments</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>terragrunt_aws_gitops_blueprint/ ├── common/ │</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <h3> Creating spoke Cluster Infrastructure </h3> <p>The second step is creating the spoke cluster infrastructure. 🧑🏾‍💻</p> <p>To manage a spoke cluster a <strong>single terragrunt or tofu project is created independently for each team from a template</strong>, so, infrastructure has an individual pipeline to manage it, and each team could have custom CI/CD agents, also more flexibility to add features and components to the infrastructure stacks. In some cases, you can have a single pipeline to manage the infrastructure setup and work with environment or parameters managed by the orchestration CI/CD tool. This approach is utilized when necessary to have central governance and control, but consider the changes rates, common tasks and environment setup and CI/CD workers capacity assigned to central ops.</p> <blockquote> <p>The code is like the hub repository; however, the main difference is in the stack GitOps bridge.</p> </blockquote> <p>Let’s watch it in depth. 🕵️‍♀️</p> <p>First, a new provider configuration is necessary, the cluster hub provider, in the <code>terragrunt_aws_gitops_spoke_blueprint/common/additional_providers</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">get_env</span><span class="p">(</span><span class="s2">"TF_VAR_env"</span><span class="p">,</span> <span class="s2">"dev"</span><span class="p">)</span> <span class="nx">pipeline</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="s2">"105171185823"</span> <span class="p">}</span> <span class="nx">generate</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"k8s_helm_provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> ################################################################################ # Kubernetes Access for Spoke Cluster ################################################################################ # First, define the parameter store data source data "aws_ssm_parameter" "hub_cluster_config" { count = 1 with_decryption = true name = "arn:aws:ssm:us-east-2:${local.hub_account_id}:parameter/control_plane/${local.workspace}/credentials" #"/control_plane/${local.workspace}/credentials" # Adjust the parameter path as needed } provider "kubernetes" { host = try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_endpoint, var.cluster_endpoint) cluster_ca_certificate = try(base64decode(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_certificate_authority_data), var.cluster_certificate_authority_data) exec { api_version = "client.authentication.k8s.io/v1beta1" command = "aws" args = [ "eks", "get-token", "--cluster-name", try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_name, var.cluster_name), "--region", try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_region, data.aws_region.current.name), "--profile", var.profile["${local.workspace}"]["profile"] ] } alias = "hub" } </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>The gitops_bridge stack is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_hub.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_spoke"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-gitops-bridge-spoke"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">create_kubernetes_resources</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">common_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">hub_account_id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This stacks defines the data for cluster secret in hub cluster and metadata information for addons, the local module <code>terraform-aws-gitops-bridge-spoke</code> creates the access entry and for enable hub access using spoke role according to Figure 2 and reuse <code>gitops-bridge-dev/gitops-bridge/helm</code> with parameters to deploy the secret but not the argocd installation in spoke clusters. So the infrastructure composition for spokes IaC is: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgare4ps1gb0xcb174m0d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgare4ps1gb0xcb174m0d.png" alt="Infrastructure Composition"></a><br> Figure 4. Infrastructure composition.</p> <blockquote> <p>An alternative approach is to manage the external secrets Operator and secrets manager, let a comment if you want to know how do it. </p> </blockquote> <p>Finally, after runs the spoke stacks in Argocd Hub Server you can watch the clusters and metadata information: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927ifs8um1hl7vtybu70.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927ifs8um1hl7vtybu70.png" alt="Cluster and metadata Information"></a><br> Figure 5. Cluster and metadata Information. </p> <p>For example some addons was deployed in spoke cluster using applications Set.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwnuc4yappfzsnnun0ev.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwnuc4yappfzsnnun0ev.png" alt="Applications Set in spoke clusters"></a><br> Figure 6. Applications Set in spoke clusters.</p> <p><strong>In the next post, you can learn how to custom addons and add advance setups.</strong> 🦸🦸</p> <p>👇 Get the code here.<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_spoke_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_spoke_blueprint </a> </h2> <h3> Infrastructure for Spoke clusters blueprint for GitOps Bridge </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Scale Infrastructure with EKS Spoke Clusters</h1> </div> <p>A comprehensive Infrastructure as Code (IaC) solution that enables scalable GitOps deployments on AWS using EKS clusters in a hub-spoke architecture with automated infrastructure provisioning and configuration management.</p> <p>This project provides a complete infrastructure setup using Terragrunt and Terraform to create and manage AWS resources including VPC networking, EKS clusters, and GitOps tooling. It implements a hub-spoke architecture where a central hub cluster manages multiple spoke clusters through GitOps practices, enabling consistent and automated application deployments at scale.</p> <p>The solution includes automated VPC creation with proper network segmentation, EKS cluster provisioning with secure configurations, and integration with GitOps tools through a bridge component that enables declarative infrastructure and application management.</p> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code> ├── common/ # Common configuration and variable definitions │ ├── additional_providers/ # Provider configurations for Kubernetes, Helm, etc. │ ├── common.hcl # Common Terragrunt configuration │ ├── common.tfvars #</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_spoke_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing! 🫶</p> devops aws gitops terraform Alejandro Velez Thu, 13 Feb 2025 17:18:53 +0000 https://forem.com/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9 https://forem.com/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9 <p><em><strong>level 400</strong></em></p> <p>Welcome, builders! In this blog series, we will explore the exciting world of GitOps and Infrastructure as Code (IaC) at scale, focusing on the powerful combination of ArgoCD and Open Tofu and how those tools and frameworks can live together for improving your deployments and reduce the TOIL. The main purpose is to learn some patterns and considerations for increasing efficiency, improving the automation infrastructure provisioning without loss compliance and security requirements</p> <h2> Scenario </h2> <p>Suppose that you are a Cloud Engineer or DevOps engineer, and you have a mission, deploy a cloud native infrastructure to support a modern e-commerce application that offers the possibility to any buy and sell gems. You must implement a system to allow the operations at scale, keep the governance, use IaC and consider the least manual tasks for the setup and onboarding for the developers. The cloud provider for the organization is AWS and the main infrastructure services are EKS, RDS, VPC. Don’t forget that availability, security, and cost efficiency requirements.</p> <p>In the <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-1-1j87">previous blogs about IaC at scale</a> the main questions and base guidelines was answered to apply the best practices, however, when talking about Kubernetes and cloud native apps many questions emerge from the shadows and suppose al challenge for the technical skills, for example:</p> <ul> <li>What are the best practices to manage the cluster configuration at scale?</li> <li>How can you connect both layers IaC and GitOps?</li> <li>What are the GitOps topologies?</li> <li>What are the best tools?</li> <li>How can you improve developer experience?</li> </ul> <p>Of course, with an AI assistant you can find pretty answers for those questions and some guides. But, we are builders and here we put a real-life example based on experiences and some challenges in a productive environment.</p> <blockquote> <p>First, some theory and good practices 😎</p> </blockquote> <h2> The deployment patterns and GitOps Topology </h2> <p>If you want to know more about gitops, patterns, courses and more please visit <a href="https://opengitops.dev/" rel="noopener noreferrer">opengitops</a> </p> <p>Key points based on the requirements: <br> • You must have multiple environments.<br> • Each environment must isolate from others.<br> • You must manage the cluster configuration at scale.</p> <p>There are tree main Gitops topologies: <br> • <strong>Standalone topology</strong><br> • <strong>Hub-Spoke Push Model</strong><br> • <strong>Hub-Spoke Push and Pull model</strong></p> <p>For this scenario, the <strong>hub-spoke push model is the best solution</strong>. This setup involves deploying GitOps tools on a central "Hub" cluster. The Hub cluster acts as the control plane for GitOps, managing deployments to various clusters dedicated to different environments or workloads.</p> <p>So, <strong>how can you deploy this topology in AWS using EKS</strong>? </p> <p>First, let’s get some assumptions:<br> • Your accounts are in the same AWS organization.<br> • There is already a Networking layer configured.<br> • ArgoCD is the gitops tool.<br> • Github the VSC. <br> • There is no CI tool predefined, in this blog series Codepipeline and <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-2-ci-for-iac-275c">previous blog posts will be use</a>.</p> <h2> Security considerations: </h2> <p>• The IAM roles and policies for your agents must be clear and apply the least privileged principle. Sometimes the infrastructure deployment role is different from orchestration deployment role. <br> • Use secrets manager to share the credentials between accounts using solid resource policy or use parameters store secure string with RAM. Both must be encrypted using KMS.<br> • Don’t expose your cluster endpoints to the internet, if it is necessary then restrict the access by IP range. <br> • The security of the pipeline must be a priority, the deployment agents can assume many privileged roles, so keep in mind to avoid security breaches.</p> <h2> Solution overview </h2> <ul> <li>Open-Source projects and tools:</li> <li>Open Tofu</li> <li>GitOps bridge</li> <li>ArgoCD</li> </ul> <h2> AWS Services: </h2> <ul> <li>EKS</li> <li>KMS</li> <li>RAM</li> <li>Parameter Store</li> <li>ECR</li> <li>IAM</li> </ul> <p>The following diagrams shows the solution: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoxd9akt6y3biv944pku.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoxd9akt6y3biv944pku.png" alt="Hub-spoke argocd in aws" width="800" height="649"></a></p> <p>1- The code is versioned in git system, usually you have tree main kind of repositories: Infrastructure as code repositories, Argocd applications Set definitions, and app or microservices repositories. Many teams keep separated the Kubernetes manifests from code applications. This is a good practice due the code application and infrastructure definitions don’t follow the same lifecycle but other factors as mono repositories or multiple repositories are key factors. Just keep in different folders 😊.</p> <p>2- The CI/CD service deploys the infrastructure components: the CI/CD agents deploy the control plane cluster, create shared resources to spoke AWS accounts, and create the argocd secret for hub cluster with the metadata to allow operations and bootstrapping configurations.</p> <blockquote> <p>The agent’s role must be part of an access entry in EKS to allow this operation. </p> </blockquote> <p>3- The shared resources are created are common practices that use secure string in parameter store and share it with RAM is more cost effective and practical for this setup, however, you could use secrets manager with resource policies.</p> <p>4- The CI/CD service deploys the spoke resources: the agent deploys the spoke cluster and other resources. Here the agent can access the Hub Kubernetes cluster to create a secret for spoke cluster with the metadata to allow operations and bootstrapping configuration. </p> <p>5- ArgoCD detects new cluster metadata and prepare to deploy de addons: Once the metadata is loaded the applications are deployed in the spoke or hub cluster, to accomplish this the Argocd application controller must assume the role in the spoke account.</p> <blockquote> <p>In ArgoCD, the limit for metadata annotations is 262,144 characters (or 256 KB)</p> </blockquote> <p>6- The application are created: here the deployments al created into the spoken cluster and Argocd sync with the desired state.</p> <p>7- The cluster are ready to workloads.</p> <p>It sounds pretty, but <strong>how can integrate both layers without overhead or manual operations?</strong></p> <p>The answer is to use the <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">GitOps bridge framework</a>: Is a community project that aims to showcase best practices and patterns for bridging the process of creating a Kubernetes cluster to subsequently managing everything through GitOps. It focuses on using ArgoCD or FluxCD, both of which are CNN-graduated projects.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhs66v0wc38bx17cb45bc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhs66v0wc38bx17cb45bc.png" alt="GitOps Bridge" width="800" height="398"></a></p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/gitops-bridge-dev" rel="noopener noreferrer"> gitops-bridge-dev </a> / <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer"> gitops-bridge </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">GitOps Bridge</h1> </div> <p>The <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">GitOps Bridge</a> is a community project that aims to showcase best practices and patterns for bridging the process of creating a Kubernetes cluster to subsequently managing everything through GitOps. It focuses on using <a href="https://www.cncf.io/projects/argo/" rel="nofollow noopener noreferrer">ArgoCD</a> or <a href="https://www.cncf.io/projects/flux/" rel="nofollow noopener noreferrer">FluxCD</a>, both of which are CNCF-graduated projects.</p> <p>For an example template on bootstrapping ArgoCD, see the GitHub repository <a href="https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template" rel="noopener noreferrer">GitOps Control Plane</a>.</p> <p>There are many tools available for creating Kubernetes clusters. These include "roll-your-own" solutions like <code>kubeadm</code>, <code>minikube</code>, and <code>kind</code>, as well as cloud-managed services like Amazon EKS. The method of cluster creation should not impact GitOps compatibility; GitOps engines should work with any tool that the user chooses for cluster creation. This includes scenarios where Kubernetes is used to create other Kubernetes clusters, such as with CAPI/CAPA, Crossplane, ACK, or any tool running inside Kubernetes to deploy Kubernetes.</p> <p>The GitOps Bridge becomes extremely important in the context…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Hands On </h2> <h3> Creating a control plane </h3> <p>So, let’s hand in to the code for building a control plane.</p> <p>1- The terragrunt project is created with the following structure: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9owuks0h7r5tynlg9b69.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9owuks0h7r5tynlg9b69.png" alt="The terragrunt project" width="224" height="385"></a></p> <p>The project also can be created with OpenTofu but here is an example using terragrunt a wrapper for opentofu and a powerful tool to keep DRY and manage IaC at scale.</p> <p>In the infrastructure folder you can find two major stacks: network and containers. In containers stacks the cluster for control plane is deployed using the public aws modules and gitops bridge is deployed into the account using the official terraform module.</p> <p>For example, the content for eks_control_plane stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${include.root.locals.common_vars.locals.project}-${include.root.locals.environment.locals.workspace}-hub"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">node_pools</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"general-purpose"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///terraform-aws-modules/eks/aws?version=20.33.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">create</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"create"</span><span class="p">]</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_name"</span><span class="p">]</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_version"</span><span class="p">]</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_endpoint_public_access"</span><span class="p">]</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_cluster_creator_admin_permissions"</span><span class="p">]</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_compute_config"</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Watch that the main properties for this stack are the cluster version and in this case the auto mode for EKS is enabled.</p> </blockquote> <p>In the next blogs you can learn more about this!</p> <p>For other hand, for gitops_bridge stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">argocd_apps</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./bootstrap/addons.yaml"</span><span class="p">)</span> <span class="c1">#workloads = file("./bootstrap/workloads.yaml")</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///gitops-bridge-dev/gitops-bridge/helm?version=0.1.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">apps</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argocd_apps"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Here the <code>addons</code>are enabled or disable using flags, in <code>oss_addons</code>map also you can and the ArgoCD application Set to bootstrap the cluster.</p> </blockquote> <p>2- Create the application set for addons:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-addons</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">preserveResourcesOnDeletion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">clusters</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cluster-addons'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_url}}'</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_basepath}}{{metadata.annotations.addons_repo_path}}'</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_revision}}'</span> <span class="na">directory</span><span class="pi">:</span> <span class="na">recurse</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">argocd'</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{name}}'</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">allowEmpty</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <blockquote> <p>The key point here is the generators, where the cluster selector is just deploy the application in the clusters that have the label environment equal to control plane.<br> The source for de applications is the addons_repo_url defined in gitops bridge stack <code>terragrunt_aws_gitops_blueprint/infrastructure/containers/gitops_bridge/terragrunt.hcl</code>. </p> </blockquote> <p>3- Connect to the cluster using a k8s client. <br> Setup the <code>kube context</code> using aws cli:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> my-cluster <span class="nt">--region</span> us-east-1 <span class="nt">--alias</span> my-cluster-alias </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> gitops-scale-dev-hub <span class="nt">--region</span> us-east-2 <span class="nt">--alias</span> labvel-devsecops-hub <span class="nt">--profile</span> labvel-dev </code></pre> </div> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k9s <span class="nt">--context</span> labvel-devsecops-hub </code></pre> </div> <p>for interactive mode or just find the default ArgoCD server admin secret and run kubectl to create a forwarding to connect with the argocd server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> <span class="nt">--context</span> labvel-devsecops-hub | <span class="nb">base64</span> <span class="nt">-d</span><span class="p">;</span> <span class="nb">echo </span>kubectl port-forward svc/argo-cd-argocd-server <span class="nt">-n</span> argocd 8080:443 <span class="nt">--context</span> labvel-devsecops-hub </code></pre> </div> <p>Finally through the web browser you can find the argo apps: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2xm1e0nq0wlpq51i5p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2xm1e0nq0wlpq51i5p.png" alt="The argocd apps" width="800" height="434"></a></p> <p>The application Set: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcl0a3w0vvnjn2tpoy3mq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcl0a3w0vvnjn2tpoy3mq.png" alt="ApplicationSet ArgoCD" width="800" height="402"></a></p> <p>And the cluster metadata:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjda03c70sayhd35572c9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjda03c70sayhd35572c9.png" alt="The cluster label metadata" width="800" height="351"></a></p> <p>In the next part you can learn more about enable and disable <code>addons</code> and apps and go deeper using AWS controllers. </p> <p>You can find the public code here: </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_blueprint </a> </h2> <h3> Public demo for Gitops bridge using terragrunt, OpenTofu and EKS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Blueprint with Terragrunt</h1> </div> <p>This project provides a blueprint for implementing GitOps on AWS using Terragrunt and Argo CD. It offers a structured approach to managing infrastructure as code and deploying applications across multiple environments.</p> <p>The blueprint is designed to streamline the process of setting up a GitOps workflow on AWS, leveraging Terragrunt for managing Terraform configurations and Argo CD for continuous deployment. It includes configurations for essential AWS services such as EKS (Elastic Kubernetes Service) and VPC (Virtual Private Cloud), as well as GitOps components for managing cluster addons and platform-level resources.</p> <p>Key features of this blueprint include:</p> <ul> <li>Modular infrastructure setup using Terragrunt</li> <li>EKS cluster configuration for container orchestration</li> <li>VPC network setup for secure and isolated environments</li> <li>GitOps bridge for seamless integration between infrastructure and application deployments</li> <li>Argo CD ApplicationSets for managing cluster addons and platform resources</li> <li>Environment-specific configurations for multi-environment deployments</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>terragrunt_aws_gitops_blueprint/ ├── common/ │</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing! ☺️⭐</p> devops aws terraform gitops Alejandro Velez Sat, 30 Nov 2024 23:30:51 +0000 https://forem.com/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-3-enable-self-service-5b38 https://forem.com/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-3-enable-self-service-5b38 <p><em><em>Level 300</em></em></p> <p>In the previous post for this series,<a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-1-1j87">DevSecOps with AWS- IaC at scale - Building your own platform - Part 1 </a> and <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-2-ci-for-iac-275c">DevSecOps with AWS- IaC at scale - Building your own platform - Part 2 - CI for IaC </a> you could learn more about creating the CI pipeline, key questions and practices to enable the self-service capabilities to reuse this pipeline. In the following example, you will learn a use case to allow self-services capabilities using the pipeline of pipeline approach and combine the service Catalog capabilities to get a Pipeline as a Service. </p> <p>So, let’s create as Platform engineer. But first a little overview about the solution:</p> <h2> Solution Overview </h2> <p>Now review the solution exposed in the previous blog post. And focus on creating a SaaS model to deploy your standard pipelines in other DevSecOps accounts. Using CDK Pipelines for this approach. In the future post you can enable the self-service capabilities for now just focusing on the platform’s bases.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6vjghdi8as195tm5brj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6vjghdi8as195tm5brj.png" alt="DevSecOps IaC pipeline of pipelines using CDK Pipelines" width="800" height="442"></a></p> <p>You need to follow the next steps:<br> 1- Construct pipeline of pipelines using CDK Pipelines.<br> 2- Test the pipeline of pipelines to create a pipeline for deployment in sandbox account.<br> 3- Approve changes to pass to production environments.<br> 4- Enable self service capabilities to add new project to the pipelines of pipelines.<br> 5- Out the box, create self service portal according to IDP (Internal Developer Portal).</p> <h3> Requirements </h3> <p>• cdk &gt;= 2.167.1<br> • AWS CLI &gt;= 2.7.0<br> • Python &gt;= 3.10.4</p> <h3> AWS Services </h3> <ul> <li> <a href="https://aws.amazon.com/cdk/" rel="noopener noreferrer">AWS Cloud Development Kit (CDK)</a>: is an open-source software development framework to define your cloud application resources using familiar programming languages.</li> <li> <a href="https://aws.amazon.com/iam/?nc2=h_ql_prod_se_iam" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a>: Securely manage identities and access to AWS services and resources.</li> <li> <a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">AWS IAM Identity Center (Successor to AWS Single Sign-On)</a>: helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.</li> <li> <a href="https://aws.amazon.com/codebuild/" rel="noopener noreferrer">AWS CodeBuild</a>: fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.</li> <li> <a href="https://aws.amazon.com/codepipeline/" rel="noopener noreferrer">AWS CodePipeline</a>: fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.</li> <li> <a href="https://aws.amazon.com/kms/" rel="noopener noreferrer">AWS Key Management Service (AWS KMS)</a>: lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.</li> <li> <a href="https://aws.amazon.com/cloudformation/" rel="noopener noreferrer">AWS CloudFormation</a>: Speed up cloud provisioning with infrastructure as code.</li> <li> <a href="https://aws.amazon.com/ram/" rel="noopener noreferrer">AWS Resource Access Manager</a>: Simply and securely share your AWS resources across multiple accounts.</li> </ul> <h3> Hands On ☺️ </h3> <p>First create a CDK pipelines Stack and deployment stage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stage</span><span class="p">,</span> <span class="n">Environment</span><span class="p">,</span> <span class="n">Tags</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">...cdkv2_dev_sec_ops_ia_c_terraform_stack</span> <span class="kn">import</span> <span class="n">Cdkv2DevSecOpsIaCTerraformStack</span> <span class="k">class</span> <span class="nc">PipelineStageProd</span><span class="p">(</span><span class="n">Stage</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">terra_plan_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">kics_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">tfsec_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">checkov_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">testing_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">deployment_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">env_devsecops_account</span><span class="p">:</span> <span class="n">Environment</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environments</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">tags</span><span class="p">:</span><span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">core_stack</span> <span class="o">=</span> <span class="nc">Cdkv2DevSecOpsIaCTerraformStack</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">CoreDevSecOpsIaCTerraformStack-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">stack_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">CoreDevSecOpsIaCTerraformStack-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">props</span><span class="o">=</span><span class="n">props</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="o">=</span><span class="n">compliance_buildef</span><span class="p">,</span> <span class="n">tfsec_buildef</span><span class="o">=</span><span class="n">tfsec_buildef</span><span class="p">,</span> <span class="n">checkov_buildef</span><span class="o">=</span><span class="n">checkov_buildef</span><span class="p">,</span> <span class="n">testing_buildef</span><span class="o">=</span><span class="n">testing_buildef</span><span class="p">,</span> <span class="n">terra_plan_buildef</span><span class="o">=</span><span class="n">terra_plan_buildef</span><span class="p">,</span> <span class="n">kics_buildef</span><span class="o">=</span><span class="n">kics_buildef</span><span class="p">,</span> <span class="n">deployment_buildef</span><span class="o">=</span><span class="n">deployment_buildef</span><span class="p">,</span> <span class="n">env_devsecops_account</span><span class="o">=</span><span class="n">env_devsecops_account</span><span class="p">,</span> <span class="n">environments</span><span class="o">=</span><span class="n">environments</span> <span class="p">)</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tags</span><span class="p">.</span><span class="nf">keys</span><span class="p">():</span> <span class="n">Tags</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">core_stack</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">t</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">tags</span><span class="p">[</span><span class="n">t</span><span class="p">])</span> </code></pre> </div> <p>Now, from main stack add the stages based on the project properties in yaml files, here a common question for manage parallel deployments and projects with this approach.</p> <p><strong>How can we deploy many stacks parallel when we have many projects?</strong></p> <p>The answer is using the <strong>CDK Pipelines waves</strong> capability, this capability is useful in several scenarios:</p> <ol> <li><p>Parallel Deployments:<br> • Deploy multiple stages simultaneously to different regions or accounts.<br> • Reduce overall pipeline execution time by running independent deployments in parallel.<br> • Deploy the same application to multiple environments concurrently.</p></li> <li><p>Deployment Organization:<br> • Group related deployments logically.<br> • Create deployment waves for different environments (dev, test, prod).<br> • Organize deployments by business units or applications.</p></li> <li><p>Controlled Progressive Rollouts:<br> • Deploy to a subset of regions/accounts first.<br> • Implement progressive deployment patterns.<br> • Add validation steps between waves for safety.</p></li> <li><p>Resource Optimization:<br> • Control concurrent deployments to manage resource usage.<br> • Balance deployment speed with system load.<br> • Optimize pipeline execution costs.</p></li> <li><p>Dependency Management:<br> • Group stages that can run independently.<br> • Separate dependent deployments into sequential waves.<br> • Manage complex deployment orchestration.</p></li> </ol> <blockquote> <p>While stages within a wave run in parallel, the waves themselves execute sequentially. This allows for controlled progression through your deployment pipeline while maximizing efficiency where parallel execution is beneficial.</p> </blockquote> <p>Second, test the stack with the parameters, in this case all definitions in a folder project configs are loaded, and one pipeline is created for each parameters set (team or project definitions).<br><br> Each project properties are loaded with a python function and create a custom class to abstract the project configurations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Optional</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Environment</span> <span class="kn">from</span> <span class="n">.utils</span> <span class="kn">import</span> <span class="n">load_yamls</span><span class="p">,</span> <span class="n">load_yamls_to_dict</span><span class="p">,</span> <span class="n">load_tags</span><span class="p">,</span> <span class="n">find_yaml_files</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">ProjectConfiguration</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Class to manage project configuration and environments</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">props_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">dirname</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Initialize ProjectConfiguration Args: props_path (str): Path to the properties file dirname (str, optional): Base directory path. If None, uses the directory of this class </span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="n">dirname</span> <span class="o">=</span> <span class="n">dirname</span> <span class="k">if</span> <span class="n">dirname</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">__file__</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props_path</span> <span class="o">=</span> <span class="n">props_path</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_properties</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">self</span><span class="p">.</span><span class="nf">_setup_environments</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_tags</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_build_definitions</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_load_properties</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Load main properties from YAML file</span><span class="sh">"""</span> <span class="n">full_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">props_path</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="nf">load_yamls</span><span class="p">(</span><span class="n">full_path</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">_setup_environments</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Setup environment configurations</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="n">devsecops_env</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">account</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">account_devsecops</span><span class="sh">'</span><span class="p">],</span> <span class="n">region</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">region_devsecops</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">env_config</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">environments</span><span class="sh">"</span><span class="p">]:</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_environment</span><span class="p">(</span><span class="n">env_config</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">environments</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span> <span class="k">def</span> <span class="nf">_process_environment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">env_config</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Process individual environment configuration</span><span class="sh">"""</span> <span class="n">env_name</span> <span class="o">=</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">environment</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Create CDK Environment </span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span><span class="p">[</span><span class="n">env_name</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">account</span><span class="o">=</span><span class="n">env_config</span><span class="p">[</span><span class="sh">'</span><span class="s">deployment_account</span><span class="sh">'</span><span class="p">],</span> <span class="n">region</span><span class="o">=</span><span class="n">env_config</span><span class="p">[</span><span class="sh">'</span><span class="s">deployment_region</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Basic environment configuration </span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">deployment_region</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_region</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">deployment_account</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_account</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">enable</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">enable</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">manual_approval</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">manual_approval</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">peer_review_approval</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">peer_review_approval</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Test environment specific configuration </span> <span class="k">if</span> <span class="n">env_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">].</span><span class="nf">update</span><span class="p">({</span> <span class="sh">"</span><span class="s">automate_testing</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">automate_testing</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">test_workspace</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">test_workspace</span><span class="sh">"</span><span class="p">]</span> <span class="p">})</span> <span class="c1"># Optional partner review email </span> <span class="k">if</span> <span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_config</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">][</span><span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">_load_tags</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Load tags from YAML file</span><span class="sh">"""</span> <span class="n">tags</span> <span class="o">=</span> <span class="p">(</span><span class="nf">load_yamls</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">props_path</span><span class="p">)))[</span><span class="mi">1</span><span class="p">][</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">]</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">load_tags</span><span class="p">(</span><span class="n">tags</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_load_build_definitions</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Load all build definitions</span><span class="sh">"""</span> <span class="n">definition_mappings</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_compliance</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">terra_plan</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_create_artifacts</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">tfsec</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_tfsec</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">checkov</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_checkov</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">kics</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_kics</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">testing</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_testing</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">pipeline_cd</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_deploy</span><span class="sh">'</span> <span class="p">}</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">path_key</span> <span class="ow">in</span> <span class="n">definition_mappings</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">load_yamls_to_dict</span><span class="p">(</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">dirname</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="n">path_key</span><span class="p">])</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">get_environment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">env_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Environment</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Get specific environment configuration</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">env_name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_build_definition</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">definition_type</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Get specific build definition</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">definition_type</span><span class="p">,</span> <span class="p">{})</span> <span class="c1"># Example usage with different configuration files </span><span class="k">def</span> <span class="nf">get_project_configs</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Loading project configs ...</span><span class="sh">"</span><span class="p">)</span> <span class="n">dirname</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="sh">"</span><span class="s">./project_configs/environment_options/</span><span class="sh">"</span><span class="p">)</span> <span class="n">dirname_pipes</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="sh">"</span><span class="s">./project_configs/pipeline_definitions</span><span class="sh">"</span><span class="p">)</span> <span class="n">projects</span> <span class="o">=</span> <span class="nf">find_yaml_files</span><span class="p">(</span><span class="n">dirname</span><span class="p">,</span> <span class="sh">"</span><span class="s">environment_options_terragrunt</span><span class="sh">"</span><span class="p">)</span> <span class="n">project_configs</span><span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">projects</span><span class="p">:</span> <span class="c1"># Create instances for different environments or configurations </span> <span class="n">conf</span><span class="o">=</span><span class="nc">ProjectConfiguration</span><span class="p">(</span><span class="n">dirname</span><span class="o">=</span> <span class="n">dirname_pipes</span><span class="p">,</span><span class="n">props_path</span><span class="o">=</span><span class="n">p</span><span class="p">)</span> <span class="n">project_configs</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">conf</span><span class="p">)</span> <span class="k">return</span> <span class="n">project_configs</span> </code></pre> </div> <p>Third, test in sandbox and add the appropriate approval steps.</p> <p>Here code fragment for this deployment, here two waves are created according to reference diagram, the first deploy a sandbox template and after pass to production environments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">Environment</span><span class="p">,</span> <span class="n">Aws</span><span class="p">,</span> <span class="n">aws_codecommit</span> <span class="k">as</span> <span class="n">codecommit</span><span class="p">,</span> <span class="n">pipelines</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">.load_project_configs</span> <span class="kn">import</span> <span class="n">get_project_configs</span> <span class="kn">from</span> <span class="n">.stages.deploy_pipeline_stack</span> <span class="kn">import</span> <span class="n">PipelineStageProd</span> <span class="k">class</span> <span class="nc">Cdkv2DSOTerraformPipelineStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">repo</span> <span class="o">=</span> <span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="n">synth</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="nc">ShellStep</span><span class="p">(</span> <span class="sh">"</span><span class="s">Synth</span><span class="sh">"</span><span class="p">,</span> <span class="nb">input</span><span class="o">=</span><span class="n">pipelines</span><span class="p">.</span><span class="n">CodePipelineSource</span><span class="p">.</span><span class="nf">connection</span><span class="p">(</span><span class="n">repo_string</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">repo</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">code_build_clone_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">branch</span><span class="o">=</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">branch</span><span class="sh">'</span><span class="p">],</span> <span class="n">connection_arn</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:codestar-connections:</span><span class="si">{</span><span class="n">Aws</span><span class="p">.</span><span class="n">REGION</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">Aws</span><span class="p">.</span><span class="n">ACCOUNT_ID</span><span class="si">}</span><span class="s">:connection/</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">connection_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="p">),</span> <span class="n">commands</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">npm install -g aws-cdk</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Installs the cdk cli on Codebuild </span> <span class="sh">"</span><span class="s">pip install -r requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pip install checkov</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Instructs Codebuild to install required packages </span> <span class="sh">"</span><span class="s">npx cdk synth</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="p">)</span> <span class="n">pipeline</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="nc">CodePipeline</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">CDKPipeline-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">self_mutation</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">cross_account_keys</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">synth</span><span class="o">=</span><span class="n">synth</span><span class="p">,</span> <span class="n">pipeline_name</span><span class="o">=</span><span class="n">repo</span><span class="p">,</span> <span class="p">)</span> <span class="n">sandbox_wave</span> <span class="o">=</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">add_wave</span><span class="p">(</span><span class="sh">"</span><span class="s">DeploySandbox</span><span class="sh">"</span><span class="p">)</span> <span class="n">prod_wave</span> <span class="o">=</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">add_wave</span><span class="p">(</span><span class="sh">"</span><span class="s">DeployProd</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># add manual approval for prod wave </span> <span class="n">sandbox_wave</span><span class="p">.</span><span class="nf">add_post</span><span class="p">(</span><span class="n">pipelines</span><span class="p">.</span><span class="nc">ManualApprovalStep</span><span class="p">(</span><span class="sh">"</span><span class="s">PromoteToProd</span><span class="sh">"</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Ready to apply to prod deployments</span><span class="sh">"</span><span class="p">))</span> <span class="n">projects</span> <span class="o">=</span> <span class="nf">get_project_configs</span><span class="p">()</span> <span class="k">for</span> <span class="n">project</span> <span class="ow">in</span> <span class="n">projects</span><span class="p">:</span> <span class="n">project_name</span> <span class="o">=</span> <span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">project_name</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">project_name</span><span class="p">)</span> <span class="n">stage_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Deploy-</span><span class="si">{</span><span class="n">project_name</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># create wave </span> <span class="n">deploy_stage</span> <span class="o">=</span> <span class="nc">PipelineStageProd</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">stage_id</span><span class="p">,</span> <span class="n">stage_name</span><span class="o">=</span><span class="n">stage_id</span><span class="p">,</span> <span class="n">props</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">compliance</span><span class="sh">"</span><span class="p">),</span> <span class="n">tfsec_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">tfsec</span><span class="sh">"</span><span class="p">),</span> <span class="n">checkov_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">checkov</span><span class="sh">"</span><span class="p">),</span> <span class="n">testing_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">testing</span><span class="sh">"</span><span class="p">),</span> <span class="n">terra_plan_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">terra_plan</span><span class="sh">"</span><span class="p">),</span> <span class="n">kics_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">kics</span><span class="sh">"</span><span class="p">),</span> <span class="n">deployment_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">pipeline_cd</span><span class="sh">"</span><span class="p">),</span> <span class="n">env</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">devsecops_env</span><span class="p">,</span> <span class="c1"># env_client_prd_account, </span> <span class="n">env_devsecops_account</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">devsecops_env</span><span class="p">,</span> <span class="n">environments</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">environments</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># env=env_client_prd_account) </span> <span class="k">if</span> <span class="n">project_name</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="sh">"</span><span class="s">sandbox</span><span class="sh">"</span><span class="p">):</span> <span class="n">sandbox_wave</span><span class="p">.</span><span class="nf">add_stage</span><span class="p">(</span> <span class="n">deploy_stage</span><span class="p">,</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">prod_wave</span><span class="p">.</span><span class="nf">add_stage</span><span class="p">(</span> <span class="n">deploy_stage</span> <span class="p">)</span> </code></pre> </div> <p>You can modify it according to your requirements. </p> <p>The AWS console view is something like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gspkg1amgbx8jd6qg2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gspkg1amgbx8jd6qg2.png" alt="Pipeline of pipelines AWS 1" width="800" height="648"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm78yhjia9i9so7mx6pim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm78yhjia9i9so7mx6pim.png" alt="Pipeline of pipelines AWS 2" width="800" height="539"></a></p> <p>Finally, you are ready to deploy more projects, in this case the project structure allow put a file for each project in the path and the cdk app automatically extend and create new pipelines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> tree project_configs/environment_options/ project_configs/environment_options/ ├── environment_options_advanceiac_v2.yaml ├── environment_options_ecs_fargate_pattern.yaml ├── environment_options_project_1.yaml ├── environment_options_project_2.yaml ├── environment_options_project_3_networking.yaml ├── environment_options_project_4_shared.yaml ├── environment_options_terragrunt_blueprint.yaml ├── environment_options_terragrunt_sandbox.yaml └── environment_options_another_project.yaml 1 directory, 9 files </code></pre> </div> <p>Thanks for reading and sharing. If you want to know more and get the code please follow me and at the end of this series I will share the final project version as opensource project.</p> devops aws terraform cdk Alejandro Velez Sun, 22 Sep 2024 01:01:16 +0000 https://forem.com/avelez/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-2-35lb https://forem.com/avelez/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-2-35lb <p><strong><em>level: 300</em></strong></p> <p>According to part 1 let’s continue with the pipeline creation. In this scenario, CDK pipelines will be the preferred tool to make this possible. But in the third part, you can explore this with Terraform and Codecatalyst project.</p> <h2> Solution Overview </h2> <h3> Requirements </h3> <p>validate-aws-policies<br> Python &gt;= 3.10.4<br> CDK &gt;= 2.158.0<br> cdk_nag &gt;= 2.28.195</p> <h3> AWS Services </h3> <ul> <li><p><a href="https://aws.amazon.com/iam/access-analyzer/" rel="noopener noreferrer">AWS IAM Access Analyzer</a>: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.</p></li> <li><p><a href="https://aws.amazon.com/cdk/" rel="noopener noreferrer">AWS Cloud Development Kit (CDK)</a>: is an open-source software development framework to define your cloud application resources using familiar programming languages.</p></li> <li><p><a href="https://aws.amazon.com/iam/?nc2=h_ql_prod_se_iam" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a>: Securely manage identities and access to AWS services and resources.</p></li> <li><p><a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">AWS IAM Identity Center (Successor to AWS Single Sign-On)</a>: helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.</p></li> <li><p><a href="https://aws.amazon.com/codebuild/" rel="noopener noreferrer">AWS CodeBuild</a>: fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.</p></li> <li><p><a href="https://aws.amazon.com/codepipeline/" rel="noopener noreferrer">AWS CodePipeline</a>: fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.</p></li> <li><p><a href="https://aws.amazon.com/kms/" rel="noopener noreferrer">AWS Key Management Service (AWS KMS)</a>: lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.</p></li> <li><p><a href="https://aws.amazon.com/cloudformation/" rel="noopener noreferrer">AWS CloudFormation</a>: Speed up cloud provisioning with infrastructure as code as code.</p></li> <li><p><a href="https://aws.amazon.com/lambda/?nc2=h_ql_prod_cp_lbd" rel="noopener noreferrer">AWS Lambda</a>: A serverless compute service that lets you run code without provisioning or managing servers, build workload-based cluster scaling logic, maintain event integrations, or manage runtimes.</p></li> <li><p><a href="https://aws.amazon.com/chatbot/" rel="noopener noreferrer">AWS Chatbot</a>: Monitor, operate, and troubleshoot your AWS resources with interactive ChatOps.</p></li> </ul> <p>The Figure 1 depicts the solution architecture according to best practices:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbonr74yvzg7ujiul5h5j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbonr74yvzg7ujiul5h5j.png" alt="Image description" width="800" height="651"></a><br> Figure 1. Continuous authorization using AWS Developer Tools</p> <p>1- The IaC is hosted in github private repository. <br> 2- The first stage for CDK pipelines synth and apply self mutation.<br> 3- The policies are scanned by validate_aws_policies tool and push the reports into S3 bucket. <br> 4- After the DevSecOps Adm, SecOps Engineer review the findings accept or reject the changes. <br> 5- The permissions sets changes are provisioned in both accounts. You can modify to only apply the changes to one account but keep in mind that in this case the same team manage both accounts. </p> <p>Keep in mind: </p> <ul> <li> The IAM Identity Center could be delegated administration to an administrator account. <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html" rel="noopener noreferrer">https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html</a> </li> <li> The delegated administrator can’t modify or alter permissions set provisioned in the management account. </li> <li> You must manage IAM Identity Center for both account instances. (Delegated and management Account).</li> </ul> <h2> Hands On </h2> <p>It’s time to create some code. 😃</p> <p>First, delegate the IAM Identity Center administration using the AWS console or through the API. </p> <ol> <li> Sign in to the AWS Management Console using the credentials of your management account in AWS Organizations. Management account credentials are required to run the RegisterDelegatedAdministrator API.</li> <li> Select the Region where IAM Identity Center is enabled, and then open the IAM Identity Center console.</li> <li> Choose Settings, and then select the Management tab.</li> <li> In the Delegated administrator section, choose Register account.</li> <li> On the Register delegated administrator page, select the AWS account you want to register, and then choose Register account.</li> </ol> <p>Now, parametrize the project properties according to template as a follow:</p> <ol> <li> Get the values from IAM Identity Center settings, you need the instance ID and the instance ARN.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq080djj1ec3e2ahcenop.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq080djj1ec3e2ahcenop.png" alt="Image description" width="800" height="351"></a><br> Figure 2. SSO instance information.</p> <ol> <li> Get the group’s principal ID from the console or run a tool like <a href="https://pypi.org/project/reverse-diagrams/" rel="noopener noreferrer">reverse_diagrams</a> to get this information. For example: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>reverse_diagrams <span class="nt">-o</span> <span class="nt">-i</span> <span class="nt">--profile</span> labvel-master <span class="nt">--region</span> us-east-2 </code></pre> </div> <p>The json output for the reverse_diagrams cli in file <code>diagrams/json/groups.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">...</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWSLogArchiveAdmins"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"group_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9a672b3314-c481fbee-8062-432a-8b87-xxxx36b763a8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"group_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWSLogArchiveAdmins"</span><span class="p">,</span><span class="w"> </span><span class="nl">"members"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span></code></pre> </div> <ol> <li> Now, parametrize the project properties according to your environment, create the permission set block in project properties according to the manage or custom policies for permissions set, for example: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">…</span> <span class="na">permissions_set</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWSLogArchiveAdmins'</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Permissions</span><span class="nv"> </span><span class="s">Set</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">DevSecOps</span><span class="nv"> </span><span class="s">Admins'</span> <span class="na">policies_file</span><span class="pi">:</span> <span class="s1">'</span><span class="s">policies/policy_allow_all_access_dev_sandbox_users.json'</span> <span class="na">managed_policies</span><span class="pi">:</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">arn:aws:iam::aws:policy/AdministratorAccess'</span> <span class="pi">]</span> <span class="na">session_duration</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8'</span> <span class="na">assing_to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Grp-AWS-DevSecOps-Productos'</span> <span class="na">principal_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">9a672b3314-c481fbee-8062-432a-8b87-xxxx36b763a8"</span> <span class="na">principal_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GROUP"</span> <span class="na">target_ids</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">123462754109"</span> <span class="na">target_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS_ACCOUNT"</span> <span class="s">…</span> </code></pre> </div> <p>For deploying, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cdk deploy <span class="nt">-e</span> ManageIAMIdentityCenterPipelineStack <span class="nt">--profile</span> labvel-devsecops </code></pre> </div> <blockquote> <p>⚠️ The Github connection is disable by default, you must enable through the console. </p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58igs7vjialnjl7d43ug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58igs7vjialnjl7d43ug.png" alt="SSO Instance" width="800" height="351"></a><br> Figure 3. Github connection in AWS Console.</p> <ol> <li> Finally push the changes and wait for approving the pipeline. </li> </ol> <p>Here an example for failed execution:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdtqqaxxwsa9g48i2z1e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdtqqaxxwsa9g48i2z1e.png" alt="Code pipeline execution failed" width="800" height="433"></a><br> Figure 4. Failed execution in Code Pipeline.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdlpyuyvktodledhyk719.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdlpyuyvktodledhyk719.png" alt="Notification in Microsoft teams" width="800" height="609"></a><br> Figure 5. Execution Notification in Microsoft Teams.</p> <p>The Figure 4. Depicts the failed execution due case a custom policy is malformed and has a wildcard without like operator. </p> <p>After clean up the repository and pass the correct policies the Figure 6. depicts the outputs in Microsoft Teams and the pipeline steps.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis79dc4h5e99tl1yyzkm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis79dc4h5e99tl1yyzkm.png" alt="Execution Succesful" width="800" height="703"></a><br> Figure 6. Successful execution.</p> <p>You can find the example code for this pipeline. </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/cdkv2_manage_identity_center_template" rel="noopener noreferrer"> cdkv2_manage_identity_center_template </a> </h2> <h3> Template example for manage identity center authorization using aws cdk and validate_aws_policies cli </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Welcome to Manage Identity Center Authorization with AWS Developer tools.</h1> </div> <p>This is a project for CDK development with Python.</p> <div class="markdown-heading"> <h2 class="heading-element">Architecture Diagram</h2> </div> <p><a rel="noopener noreferrer" href="https://github.com/velez94/cdkv2_manage_identity_center_templatedocs/img/continuous-deployment-validate-policies.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fvelez94%2Fcdkv2_manage_identity_center_templatedocs%2Fimg%2Fcontinuous-deployment-validate-policies.png" alt="architecture diagram"></a></p> <blockquote> <p>Please read: <a href="https://dev.to/avelez/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-2-35lb" rel="nofollow">Continuous Delivery applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer – Part 2</a></p> </blockquote> <div class="markdown-heading"> <h2 class="heading-element">The CDK instructions</h2> </div> <p>The <code>cdk.json</code> file tells the CDK Toolkit how to execute your app.</p> <p>This project is set up like a standard Python project. The initialization process also creates a virtualenv within this project, stored under the <code>.venv</code> directory. To create the virtualenv it assumes that there is a <code>python3</code> (or <code>python</code> for Windows) executable in your path with access to the <code>venv</code> package. If for any reason the automatic creation of the virtualenv fails, you can create the virtualenv manually.</p> <p>To manually create a virtualenv on MacOS and Linux:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>$ python3 -m venv .venv </code></pre></div> <p>After the init process completes and the virtualenv is created, you can use the…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/cdkv2_manage_identity_center_template" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing. 💻 👽</p> aws security devops cdk Alejandro Velez Sun, 04 Aug 2024 21:14:55 +0000 https://forem.com/aws-builders/continuous-deployment-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-1-7h6 https://forem.com/aws-builders/continuous-deployment-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-1-7h6 <p><strong>Level 200</strong></p> <p>A common task for security engineers is to grant the correct permissions set around the AWS environments applying the least privilege, keeping a central review access, continuous refinement, continuous policy validation. AWS IAM access analyzer provides these capabilities and allows you automate the process. <br> In this series you can learn how to apply the best practices and automate the process using IAM Access Analyzer and Amazon Boto3 SDK to automate the validation process with AWS Developer tools.</p> <h2> Use case </h2> <p>Imagine that you are a security engineer and must validate the IAM policies documents for IAM identity policies and Inline policies for permissions set. At the beginning a lot of these policies are defined in <code>json</code> format in source code and you must include the validation steps into the CD pipeline to manage the authorization as code. </p> <h2> Solution Overview </h2> <h3> Requirements </h3> <ul> <li>validate-aws-policies</li> <li>Python &gt;= 3.10.4</li> </ul> <h3> AWS Services </h3> <ul> <li><p><a href="https://aws.amazon.com/iam/access-analyzer/" rel="noopener noreferrer">AWS IAM Access Analyzer</a>: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.</p></li> <li><p><a href="https://aws.amazon.com/sdk-for-python/" rel="noopener noreferrer">AWS SDK for Python (Boto3)</a>: Boto3 makes it easy to integrate your Python application, library, or script with AWS services including Amazon S3, Amazon EC2, Amazon DynamoDB, and more.</p></li> </ul> <h3> Hands On </h3> <p>First, explore the command line tool <a href="https://pypi.org/project/validate-aws-policies/" rel="noopener noreferrer">validate-aws-policies</a>, this allows you to validate a set of policies defined into a folder in simple json format. <strong>This tool also allows to create the html report or pdf and also publish the results into a bucket in zip format</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>validate-aws-policies <span class="nt">-h</span> usage: validate-aws-policies <span class="o">[</span><span class="nt">-h</span><span class="o">]</span> <span class="o">[</span><span class="nt">-c</span><span class="o">]</span> <span class="o">[</span><span class="nt">-u</span> UPLOAD_REPORT] <span class="o">[</span><span class="nt">-b</span><span class="o">]</span> <span class="o">[</span><span class="nt">-d</span> DIRECTORY_POLICIES_PATH] <span class="o">[</span><span class="nt">-p</span> PROFILE] <span class="o">[</span><span class="nt">-z</span><span class="o">]</span> <span class="o">[</span><span class="nt">-cp</span><span class="o">]</span> <span class="o">[</span><span class="nt">-v</span><span class="o">]</span> options: <span class="nt">-h</span>, <span class="nt">--help</span> show this <span class="nb">help </span>message and <span class="nb">exit</span> <span class="nt">-c</span>, <span class="nt">--ci</span> Run into pipeline <span class="k">if </span>it<span class="s1">'s present -u UPLOAD_REPORT, --upload_report UPLOAD_REPORT Upload reports to s3 bucket -b, --bucket_name Use this flag for setting the bucket tool if --upload_report is present. -d DIRECTORY_POLICIES_PATH, --directory_policies_path DIRECTORY_POLICIES_PATH Path where Policies are defined in json format -p PROFILE, --profile PROFILE AWS cli profile for Access Analyzer Api -z, --zip_reports Set in True if you want to create a zip file for reports -cp, --create_pdf_reports Set it if you want to create a pdf report, this need wkhtmltopdf file for reports -v, --version Print the package version </span></code></pre> </div> <p>For example:</p> <blockquote> <p>You must have a session with an AWS Profile, for this example the profile name is labvel-devsecops.</p> </blockquote> <div class="ltag_asciinema"> </div> <p>Finally, you can watch the html report in your browser or in the terminal output. </p> <blockquote> <p>The report is created in the same path where you run the command with the date and in html report by default for example: <code>AccessAnalyzerReport_2024-08-04 13:12:07.285648.html</code>.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbq3i7aulp60cyd8zn8v8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbq3i7aulp60cyd8zn8v8.png" alt="HTML report for Access Analyzer" width="800" height="381"></a></p> <p>You can find the source code here: </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/validate-aws-policies" rel="noopener noreferrer"> validate-aws-policies </a> </h2> <h3> Python CLI to validate aws policies using boto3 and Access Analyzer API </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Validate AWS policies</h1> </div> <p>This package scan <strong>AWS SCP</strong> policies and create report in HTML and PDF format.</p> <div class="markdown-heading"> <h1 class="heading-element">Pre-Requirements</h1> </div> <p>Setup AWS Cli profile for interacting with IAM access analyzer API using IAM or SSO credentials.</p> <div class="markdown-heading"> <h1 class="heading-element">Requirements</h1> </div> <ul> <li>python &gt;= 3.8</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Install</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>$ pip install --upgrade validate-aws-policies </code></pre></div> <div class="markdown-heading"> <h3 class="heading-element">From AWS CodeArtifacts repository</h3> </div> <blockquote> <p>You must have a user into AWS account Sophos Organization, it could be for projects, products, or IT internal Organizations. Before create AWS CLI profile using <a href="https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html" rel="nofollow noopener noreferrer">AWS IAM Identity Center (SSO)</a> or IAM.</p> </blockquote> <ol> <li>Configure your pip cli for download package from private CodeArtifacts repository</li> </ol> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code> $ aws codeartifact login --tool pip --repository &lt;repository_name&gt; --domain &lt;domain&gt; --domain-owner &lt;123456789012&gt; --profile &lt;profile_name&gt; --region &lt;repository_region&gt; $ pip install --upgrade validate-aws-policies </code></pre></div> <div class="markdown-heading"> <h3 class="heading-element">From Azure Artifacts repository</h3> </div> <div class="markdown-heading"> <h4 class="heading-element">Project setup</h4> </div> <p>Ensure you have installed the latest version of the Azure Artifacts keyring from the "Get the tools" menu.</p> <p>If you don't already have one, create a virtualenv using <a href="https://go.microsoft.com/fwlink/?linkid=2103878" rel="nofollow noopener noreferrer">these instructions</a> from…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/validate-aws-policies" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing!! 🤓🤓</p> aws devops security tooling