Forem: francotel The latest articles on Forem by francotel (@francotel). https://forem.com/francotel https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F349403%2F849c9efc-abad-4ba0-b34f-678403390dfd.png Forem: francotel https://forem.com/francotel en Building a Secure Serverless Upload Pattern on AWS with Terraform 🚀 francotel Sun, 08 Mar 2026 17:09:57 +0000 https://forem.com/francotel/building-a-secure-serverless-upload-pattern-on-aws-with-terraform-40f2 https://forem.com/francotel/building-a-secure-serverless-upload-pattern-on-aws-with-terraform-40f2 <h2> 𝗗𝗶𝗿𝗲𝗰𝘁 𝘂𝗜𝗹𝗌𝗮𝗱𝘀. 𝗭𝗲𝗿𝗌 𝗯𝗮𝗰𝗞𝗲𝗻𝗱 𝗯𝗌𝘁𝘁𝗹𝗲𝗻𝗲𝗰𝗞𝘀. 𝗘𝗻𝘁𝗲𝗿𝗜𝗿𝗶𝘀𝗲-𝗎𝗿𝗮𝗱𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆. </h2> <p>🧠 𝗔 𝗥𝗲𝗮𝗹-𝗪𝗌𝗿𝗹𝗱 𝗣𝗿𝗌𝗯𝗹𝗲𝗺 (𝗧𝗵𝗮𝘁 𝗜 𝗞𝗲𝗲𝗜 𝗊𝗲𝗲𝗶𝗻𝗎)</p> <p>A few weeks ago, I was reviewing a system where users were uploading files (some &gt;300MB).</p> <p>The original flow looked “reasonable”:</p> <ol> <li>Frontend uploads the file to the backend</li> <li>Backend processes the request</li> <li>Backend uploads the file to S3</li> <li>Backend responds</li> </ol> <p>But in practice, the system was 𝗳𝗮𝗹𝗹𝗶𝗻𝗎 𝗮𝗜𝗮𝗿𝘁:</p> <p>❌ Timeouts<br> ❌ Lambda memory spikes<br> ❌ High AWS bills<br> ❌ Angry users</p> <p>And the root cause was always the same:</p> <p>𝗧𝗵𝗲 𝗯𝗮𝗰𝗞𝗲𝗻𝗱 𝘀𝗵𝗌𝘂𝗹𝗱 𝗡𝗘𝗩𝗘𝗥 𝗵𝗮𝗻𝗱𝗹𝗲 𝗳𝗶𝗹𝗲 𝘂𝗜𝗹𝗌𝗮𝗱𝘀 𝗶𝗻 𝗮 𝘀𝗲𝗿𝘃𝗲𝗿𝗹𝗲𝘀𝘀 𝗮𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExMm15NWoxYzdidDczN2MyZGVsYmZpdWxoZjUxMW03ZW16ZjY0aGk0ZiZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2FKajpERDjOpMcw%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExMm15NWoxYzdidDczN2MyZGVsYmZpdWxoZjUxMW03ZW16ZjY0aGk0ZiZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2FKajpERDjOpMcw%2Fgiphy.gif" width="480" height="268"></a></p> <p>💡 𝗧𝗵𝗲 𝗣𝗮𝘁𝘁𝗲𝗿𝗻 𝗧𝗵𝗮𝘁 𝗙𝗶𝘅𝗲𝘀 𝗘𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗎<br> The solution is a 𝘄𝗲𝗹𝗹-𝗞𝗻𝗌𝘄𝗻 𝗯𝘂𝘁 𝗌𝗳𝘁𝗲𝗻 𝗺𝗶𝘀𝘂𝘀𝗲𝗱 𝗜𝗮𝘁𝘁𝗲𝗿𝗻:</p> <p>👉 𝗊𝟯 𝗣𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱 𝗚𝗥𝗟𝘀</p> <p>Instead of uploading files 𝘵𝘩𝘳𝘰𝘶𝘚𝘩 your backend, you let the client upload 𝗱𝗶𝗿𝗲𝗰𝘁𝗹𝘆 𝘁𝗌 𝗊𝟯, but in a 𝗰𝗌𝗻𝘁𝗿𝗌𝗹𝗹𝗲𝗱, 𝘁𝗲𝗺𝗜𝗌𝗿𝗮𝗿𝘆, 𝗮𝗻𝗱 𝘀𝗲𝗰𝘂𝗿𝗲 𝘄𝗮𝘆.</p> <p>This is the same pattern used by:<br> ● Fintech platforms<br> ● Healthcare systems<br> ● Large SaaS products</p> <p>🧩 𝗛𝗌𝘄 𝘁𝗵𝗲 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝗪𝗌𝗿𝗞𝘀<br> 𝗛𝗶𝗎𝗵-𝗹𝗲𝘃𝗲𝗹 𝗳𝗹𝗌𝘄:</p> <p>1⃣ Client asks permission to upload a file<br> 2⃣ API Gateway → Lambda generates a 𝗣𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱 𝗚𝗥𝗟<br> 3⃣ Client uploads 𝗱𝗶𝗿𝗲𝗰𝘁𝗹𝘆 𝘁𝗌 𝗊𝟯 using PUT<br> 4⃣ Backend never touches the file</p> <p>🎯 Result:<br> ● Zero bottlenecks<br> ● Minimal Lambda execution time<br> ● Lower cost<br> ● Better UX</p> <p>🔐 𝗪𝗵𝗮𝘁 𝗜𝘀 𝗮 𝗣𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱 𝗚𝗥𝗟 (𝗜𝗻 𝗊𝗶𝗺𝗜𝗹𝗲 𝗧𝗲𝗿𝗺𝘀)?</p> <p>Think of a presigned URL as:<br> 🎟 𝗔 𝘁𝗲𝗺𝗜𝗌𝗿𝗮𝗿𝘆, 𝘀𝗶𝗻𝗎𝗹𝗲-𝗜𝘂𝗿𝗜𝗌𝘀𝗲 𝘁𝗶𝗰𝗞𝗲𝘁<br> ● Valid only for a few minutes<br> ● Allows only one specific action (e.g. PUT)<br> ● Scoped to a single object<br> ● No AWS credentials exposed</p> <p>Once it expires → 𝗶𝘁’𝘀 𝘂𝘀𝗲𝗹𝗲𝘀𝘀.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg8shr36ouc6jkhtxmoz6.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg8shr36ouc6jkhtxmoz6.gif" width="980" height="772"></a></p> <p>⚙ 𝗟𝗮𝗺𝗯𝗱𝗮: 𝗚𝗲𝗻𝗲𝗿𝗮𝘁𝗶𝗻𝗎 𝘁𝗵𝗲 𝗣𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱 𝗚𝗥𝗟 (𝗡𝗌𝗱𝗲.𝗷𝘀)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">S3Client</span><span class="p">,</span> <span class="nx">PutObjectCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-s3</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getSignedUrl</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/s3-request-presigner</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">s3</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Client</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">fileName</span><span class="p">,</span> <span class="nx">contentType</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">uploads</span><span class="o">/</span><span class="nx">$</span><span class="p">{</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="o">-</span><span class="nx">$</span><span class="p">{</span><span class="nx">fileName</span><span class="p">};</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PutObjectCommand</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BUCKET_NAME</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="nx">key</span><span class="p">,</span> <span class="na">ContentType</span><span class="p">:</span> <span class="nx">contentType</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">uploadUrl</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSignedUrl</span><span class="p">(</span><span class="nx">s3</span><span class="p">,</span> <span class="nx">command</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="c1">// 5 minutes</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">uploadUrl</span><span class="p">,</span> <span class="nx">key</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbnwzjzve2tqky27r2h5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbnwzjzve2tqky27r2h5.png" alt="flow-request" width="800" height="840"></a></p> <blockquote> <p>[!WARNING]<br> <strong>⚠ 𝗜𝗺𝗜𝗌𝗿𝘁𝗮𝗻𝘁:</strong><br> The Lambda never sees the file, it only authorizes the upload.</p> </blockquote> <p>🛡 𝗊𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗟𝗮𝘆𝗲𝗿𝘀 (𝗪𝗵𝗮𝘁 𝗠𝗮𝗞𝗲𝘀 𝗧𝗵𝗶𝘀 𝗣𝗿𝗌𝗱𝘂𝗰𝘁𝗶𝗌𝗻-𝗥𝗲𝗮𝗱𝘆)</p> <p>This PoC follows 𝗿𝗲𝗮𝗹 𝗲𝗻𝘁𝗲𝗿𝗜𝗿𝗶𝘀𝗲 𝗜𝗿𝗮𝗰𝘁𝗶𝗰𝗲𝘀, not just demos.</p> <p>🔐 𝟭. 𝗊𝗵𝗌𝗿𝘁-𝗹𝗶𝘃𝗲𝗱 𝗚𝗥𝗟𝘀<br> ● 5–10 minutes max<br> ● Enough for upload, useless afterward</p> <p>🔐 𝟮. 𝗜𝗔𝗠 𝗟𝗲𝗮𝘀𝘁 𝗣𝗿𝗶𝘃𝗶𝗹𝗲𝗎𝗲</p> <p>Lambda role can 𝗌𝗻𝗹𝘆 do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/uploads/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Nothing else.</p> <p>🔐 𝟯. 𝗣𝗿𝗶𝘃𝗮𝘁𝗲 𝗊𝟯 𝗕𝘂𝗰𝗞𝗲𝘁<br> ● No public access<br> ● No ACL tricks<br> ● Only presigned URLs work</p> <p>🔐 𝟰. 𝗊𝗮𝗻𝗶𝘁𝗶𝘇𝗲𝗱 𝗢𝗯𝗷𝗲𝗰𝘁 𝗡𝗮𝗺𝗲𝘀<br> ● UUID-based keys<br> ● No user-controlled paths<br> ● No path traversal risks</p> <p>🔐 𝟱. 𝗖𝗢𝗥𝗊 𝗖𝗌𝗿𝗿𝗲𝗰𝘁𝗹𝘆 𝗖𝗌𝗻𝗳𝗶𝗎𝘂𝗿𝗲𝗱</p> <p>Because 𝗖𝗢𝗥𝗊 𝗶𝘀 𝗮𝗹𝘄𝗮𝘆𝘀 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝘁𝗵𝗶𝗻𝗎 𝘁𝗵𝗮𝘁 𝗯𝗿𝗲𝗮𝗞𝘀 😅</p> <p>🧱 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗮𝘀 𝗖𝗌𝗱𝗲 𝘄𝗶𝘁𝗵 𝗧𝗲𝗿𝗿𝗮𝗳𝗌𝗿𝗺</p> <p>Everything is deployed using 𝗧𝗲𝗿𝗿𝗮𝗳𝗌𝗿𝗺, so the architecture is:<br> ● Reproducible<br> ● Auditable<br> ● Ready for CI/CD</p> <p>Core components:<br> ● S3 bucket<br> ● Lambda<br> ● IAM roles<br> ● API Gateway (HTTP API)</p> <p>📌 𝘐𝘯 𝘵𝘩𝘊 𝘱𝘰𝘎𝘵 𝘐 𝘧𝘰𝘀𝘶𝘎 𝘰𝘯 𝘵𝘩𝘊 𝗮𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝗮𝗻𝗱 𝗜𝗮𝘁𝘁𝗲𝗿𝗻.<br> 𝘛𝘩𝘊 𝗳𝘂𝗹𝗹 𝗧𝗲𝗿𝗿𝗮𝗳𝗌𝗿𝗺 𝗶𝗺𝗜𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗌𝗻 𝘭𝘪𝘷𝘊𝘎 𝘪𝘯 𝘵𝘩𝘊 𝘳𝘊𝘱𝘰𝘎𝘪𝘵𝘰𝘳𝘺.</p> <p>📂 𝗥𝗲𝗜𝗌𝘀𝗶𝘁𝗌𝗿𝘆 𝗊𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 (𝗊𝗶𝗺𝗜𝗹𝗲 𝗯𝘆 𝗗𝗲𝘀𝗶𝗎𝗻)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">aws</span><span class="o">-</span><span class="nx">s3</span><span class="o">-</span><span class="nx">presigned</span><span class="o">-</span><span class="nx">url</span><span class="o">-</span><span class="nx">lambda</span><span class="o">-</span><span class="nx">terraform</span><span class="o">/</span> <span class="err">├──</span> <span class="mi">01</span><span class="o">-</span><span class="nx">s3</span><span class="p">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="mi">02</span><span class="o">-</span><span class="nx">lambda</span><span class="p">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="mi">04</span><span class="o">-</span><span class="nx">api</span><span class="p">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">client</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">index</span><span class="p">.</span><span class="nx">html</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">index</span><span class="p">.</span><span class="nx">html</span><span class="p">.</span><span class="nx">tpl</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">logo</span><span class="o">-</span><span class="nx">client</span><span class="p">.</span><span class="nx">png</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">logo</span><span class="o">-</span><span class="nx">s3</span><span class="p">.</span><span class="nx">png</span> <span class="err">├──</span> <span class="nx">dev</span><span class="p">.</span><span class="nx">tfvars</span> <span class="err">├──</span> <span class="nx">drawio</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">aws</span><span class="o">-</span><span class="nx">s3</span><span class="o">-</span><span class="nx">presignend</span><span class="p">.</span><span class="nx">gif</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">aws</span><span class="o">-</span><span class="nx">s3</span><span class="o">-</span><span class="nx">url</span><span class="p">.</span><span class="nx">drawio</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">image</span><span class="o">-</span><span class="mi">2</span><span class="p">.</span><span class="nx">png</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">image</span><span class="p">.</span><span class="nx">png</span> <span class="err">├──</span> <span class="nx">lambda</span><span class="o">-</span><span class="kd">function</span><span class="p">.</span><span class="nx">zip</span> <span class="err">├──</span> <span class="nx">main</span><span class="p">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">Makefile</span> <span class="err">├──</span> <span class="nx">provider</span><span class="p">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">README</span><span class="p">.</span><span class="nx">md</span> <span class="err">├──</span> <span class="nx">security</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">checkov</span><span class="p">.</span><span class="nx">yaml</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">trivy</span><span class="p">.</span><span class="nx">yaml</span> <span class="err">├──</span> <span class="nx">src</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">index</span><span class="p">.</span><span class="nx">mjs</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">node_modules</span><span class="o">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="kr">package</span><span class="o">-</span><span class="nx">lock</span><span class="p">.</span><span class="nx">json</span> <span class="err">│</span> <span class="err">└──</span> <span class="kr">package</span><span class="p">.</span><span class="nx">json</span> <span class="err">├──</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">tfstate</span> <span class="err">├──</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">tfstate</span><span class="p">.</span><span class="nx">backup</span> <span class="err">├──</span> <span class="nx">tfplan</span> <span class="err">├──</span> <span class="nx">tfplan</span><span class="p">.</span><span class="nx">json</span> <span class="err">├──</span> <span class="nx">variables</span><span class="p">.</span><span class="nx">tf</span> <span class="err">└──</span> <span class="nx">versions</span><span class="p">.</span><span class="nx">tf</span> </code></pre> </div> <p>🎯 Minimal, readable, and focused on the pattern.</p> <p>🧪 𝗥𝗲𝗟𝘂𝗶𝗿𝗲𝗺𝗲𝗻𝘁𝘀 𝘁𝗌 𝗥𝘂𝗻 𝘁𝗵𝗲 𝗣𝗌𝗖</p> <p>This PoC assumes:</p> <p>✅ macOS<br> ✅ Terraform already installed<br> ✅ AWS CLI already authenticated</p> <p>No extra setup. No magic.</p> <p>🚀 𝗪𝗮𝗻𝘁 𝘁𝗵𝗲 𝗙𝘂𝗹𝗹 𝗪𝗌𝗿𝗞𝗶𝗻𝗎 𝗣𝗌𝗖?</p> <p>I published the complete implementation here:</p> <p>👉 𝗵𝘁𝘁𝗜𝘀://𝗎𝗶𝘁𝗵𝘂𝗯.𝗰𝗌𝗺/𝗳𝗿𝗮𝗻𝗰𝗌𝘁𝗲𝗹/𝗮𝘄𝘀-𝘀𝟯-𝗜𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱-𝘂𝗿𝗹-𝗹𝗮𝗺𝗯𝗱𝗮-𝘁𝗲𝗿𝗿𝗮𝗳𝗌𝗿𝗺 (𝗵𝘁𝘁𝗜𝘀://𝗎𝗶𝘁𝗵𝘂𝗯.𝗰𝗌𝗺/𝗳𝗿𝗮𝗻𝗰𝗌𝘁𝗲𝗹/𝗮𝘄𝘀-𝘀𝟯-𝗜𝗿𝗲𝘀𝗶𝗎𝗻𝗲𝗱-𝘂𝗿𝗹-𝗹𝗮𝗺𝗯𝗱𝗮-𝘁𝗲𝗿𝗿𝗮𝗳𝗌𝗿𝗺)</p> <p>You’ll find:<br> ● Full Terraform code<br> ● Lambda (Node.js 20)<br> ● Test scripts<br> ● Architecture diagram</p> <p>Clone it, deploy it, break it, improve it.</p> <p>🎯 𝗙𝗶𝗻𝗮𝗹 𝗧𝗵𝗌𝘂𝗎𝗵𝘁</p> <p>If your backend is still handling file uploads, you’re paying more 𝗮𝗻𝗱 scaling less.</p> <p>This pattern:<br> ● Reduces cost<br> ● Improves reliability<br> ● Scales naturally<br> ● Matches real-world cloud architectures</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia1.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExcHY3N2pqMHlmZG15aGJjdG8xdW5kNnVpOTh0c2hrN2ViZXZ2endvdyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2Fkd9BlRovbPOykLBMqX%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia1.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExcHY3N2pqMHlmZG15aGJjdG8xdW5kNnVpOTh0c2hrN2ViZXZ2endvdyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2Fkd9BlRovbPOykLBMqX%2Fgiphy.gif" width="480" height="480"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdyrnid303a4yvtnx28d6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdyrnid303a4yvtnx28d6.png" alt="demo" width="800" height="1005"></a></p> <h3> Inspiration and References </h3> <p>This project was inspired by the AWS blog post:</p> <ul> <li>Securing Amazon S3 presigned URLs for serverless applications <a href="https://aws.amazon.com/blogs/compute/securing-amazon-s3-presigned-urls-for-serverless-applications/" rel="noopener noreferrer">https://aws.amazon.com/blogs/compute/securing-amazon-s3-presigned-urls-for-serverless-applications/</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>The article explores several best practices <span class="k">for </span>securing presigned URLs <span class="k">in </span>serverless architectures, including checksum validation, expiration strategies, and least-privilege IAM policies. </code></pre> </div> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> devops aws terraform crosscloudx NestJS in Production: 20 Default Configurations That Can Break Your Kubernetes Cluster (A DevOps Story) francotel Thu, 26 Feb 2026 02:15:16 +0000 https://forem.com/francotel/nestjs-in-production-20-default-configurations-that-can-break-your-kubernetes-cluster-a-devops-3d2g https://forem.com/francotel/nestjs-in-production-20-default-configurations-that-can-break-your-kubernetes-cluster-a-devops-3d2g <h3> 😱 Production went down
 because of a default setting </h3> <p>Have you ever seen this?</p> <p>The dev team ships a new feature using a modern, elegant, <strong>enterprise-ready</strong> framework like <strong>NestJS</strong>.Everything works perfectly on local.QA passes.Production deploys.</p> <p>And suddenly
</p> <ul> <li> 500 errors everywhere</li> <li> Kubernetes pods restarting</li> <li> Logs that tell you absolutely nothing</li> </ul> <p>The root cause?</p> <p>👉 <strong>A 100kb default request body limit that nobody knew existed.</strong></p> <p>Yes. That <em>tiny</em> default almost ruined our Friday night. 😅</p> <p>As a DevOps engineer working with Kubernetes and Azure, this was a wake-up call. NestJS is an amazing framework—but <strong>defaults are not production-ready by magic</strong>.</p> <p>This post is not about blaming developers.It’s about <strong>shared responsibility</strong>.</p> <p>Framework defaults are convenient.Production environments are not.</p> <p>Below are <strong>20 NestJS defaults and behaviors that every DevOps engineer should be aware of when NestJS lands in a Kubernetes cluster.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia0.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExZThkeHJ0dmdzYWl2OG1va3JvMGl1aWM3OWYzcHNza3IwMXdvcmR4bSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2F1LYS8RmnsFwg8%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia0.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExZThkeHJ0dmdzYWl2OG1va3JvMGl1aWM3OWYzcHNza3IwMXdvcmR4bSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2F1LYS8RmnsFwg8%2Fgiphy.gif" width="468" height="347"></a></p> <h2> 1⃣ The 100kb That Almost Killed PROD (Body Parser) </h2> <p>NestJS (with Express under the hood) uses body-parser.By default, it only accepts <strong>100kb</strong> for JSON payloads.</p> <p>If your API handles file uploads, base64 payloads, or large requests, you’ll get a PayloadTooLargeError that often becomes a silent 500.</p> <p>👉 Fix it explicitly in main.ts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">bodyParser</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10mb</span><span class="dl">'</span> <span class="p">}));</span> </code></pre> </div> <p><strong>Lesson:</strong> defaults are optimized for demos, not real traffic.</p> <h2> 2⃣ HTTP Timeouts Are Not Infinite </h2> <p>Node’s HTTP server does not wait forever.</p> <p>Long-running requests, slow downstream services, or blocked connections can slowly exhaust your pod resources.</p> <p>Configure:</p> <ul> <li> server.timeout</li> <li> keepAliveTimeout</li> <li> Or enforce limits at the Ingress / Load Balancer level</li> </ul> <p><strong>DevOps takeaway:</strong> timeouts are part of capacity planning.</p> <h2> 3⃣ The Logger That Doesn’t Log (in Production) </h2> <p>console.log is fine
 until it isn’t.</p> <p>In production you want:</p> <ul> <li> Structured logs (JSON)</li> <li> Correlation IDs</li> <li> Compatibility with ELK, Datadog, Azure Monitor</li> </ul> <p>Use app.useLogger() with <strong>pino</strong> or <strong>winston</strong>.</p> <p>Logs are not for developers.They are for <strong>incident response</strong>.</p> <h2> 4⃣ Shutdown Hooks: Kubernetes Is Not Polite </h2> <p>When Kubernetes terminates a pod, it sends SIGTERM.<br> If your app ignores it:</p> <ul> <li> In-flight requests are dropped</li> <li> Users see 5xx errors</li> <li> You lose trust</li> </ul> <p>Enable graceful shutdown:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">enableShutdownHooks</span><span class="p">();</span> </code></pre> </div> <p>And drain traffic properly.</p> <h2> 5⃣ Environment Variables: .env Is Not Production </h2> <p>@nestjs/config looks for .env files by default.</p> <p>In Kubernetes, configuration comes from:</p> <ul> <li> Environment variables</li> <li> ConfigMaps</li> <li> Secrets</li> </ul> <p>Avoid filesystem dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">ConfigModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">ignoreEnvFile</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,});</span> </code></pre> </div> <h2> 6⃣ Global Modules: Convenience vs Control </h2> <p><a class="mentioned-user" href="https://dev.to/global">@global</a>() modules feel nice.</p> <p>They also:</p> <ul> <li> Hide dependencies</li> <li> Increase coupling</li> <li> Complicate testing</li> <li> Make scaling harder</li> </ul> <p>What’s convenient for development can be painful in production.</p> <h2> 7⃣ Dependency Injection Can Betray You </h2> <p>Custom providers and factories can introduce:</p> <ul> <li> Circular dependencies</li> <li> Runtime undefined errors</li> </ul> <p>These issues often appear <strong>only under load</strong>.<br> Use dependency graphs and be suspicious of “magic”.</p> <h2> 8⃣ Global Exception Filters Are Mandatory </h2> <p>Without a global exception filter:</p> <ul> <li> Errors are inconsistent</li> <li> Stack traces may leak</li> <li> Logs are unstructured</li> </ul> <p>Always normalize errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">useGlobalFilters</span><span class="p">(...)</span> </code></pre> </div> <p>Predictable errors = predictable operations.</p> <h2> 9⃣ Guards Can Kill Performance </h2> <p>Guards run <strong>before</strong> interceptors and pipes.<br> Heavy logic here (rate limiting, DB calls) affects <strong>every request</strong>.<br> Security ≠ expensive execution.</p> <h2> 🔟 Shipping start:dev to Kubernetes (Yes, It Happens) </h2> <p>Always:</p> <ul> <li> Build with npm run build</li> <li> Run node dist/main.js</li> </ul> <p>Otherwise you get:</p> <ul> <li> Huge images</li> <li> Dev dependencies in prod</li> <li> Slower startups</li> </ul> <p>I’ve seen <strong>2GB images</strong> because of this.</p> <h2> 1⃣1⃣ CacheModule Is Not Shared </h2> <p>In-memory cache:</p> <ul> <li> Is pod-local</li> <li> Is volatile</li> <li> Breaks consistency in clusters</li> </ul> <p>For real workloads, use Redis or another external store.</p> <h2> 1⃣2⃣ Scheduled Tasks Can Block the Event Loop </h2> <p>@nestjs/schedule runs inside the same process.</p> <p>Long-running jobs = slower APIs.</p> <p>Move heavy work out or make it truly async.</p> <h2> 1⃣3⃣ Correlation Headers Belong to Middleware </h2> <p>Headers like:</p> <ul> <li> X-Request-ID</li> <li> X-Correlation-ID</li> </ul> <p>Should be:</p> <ul> <li> Global</li> <li> Mandatory</li> <li> Documented</li> </ul> <p>Not copy-pasted across controllers.</p> <h2> 1⃣4⃣ Health Checks Must Be Honest </h2> <p>Kubernetes doesn’t care if port 3000 responds.</p> <p>It cares if:</p> <ul> <li> DB is reachable</li> <li> Queues are alive</li> <li> Dependencies are healthy</li> </ul> <p>Liveness ≠ Readiness.</p> <h2> 1⃣5⃣ Response Size Is a Memory Problem </h2> <p>Large payloads = memory pressure.</p> <p>Pagination is not optional.It’s a survival mechanism.</p> <h2> 1⃣6⃣ API Versioning Is a Day-One Decision </h2> <p>No versioning = broken clients later.</p> <p>NestJS supports:</p> <ul> <li> URI versioning</li> <li> Header versioning</li> </ul> <p>Pick one early.</p> <h2> 1⃣7⃣ WebSockets Don’t Scale by Default </h2> <p>WebSocket connections stick to a pod.</p> <p>For horizontal scaling, you need:</p> <ul> <li> Redis adapters</li> <li> Message brokers</li> </ul> <p>Stateful connections break stateless assumptions.</p> <h2> 1⃣8⃣ Database Connection Pools Matter </h2> <p>Default pool sizes are usually small.</p> <p>Multiply that by pod replicas and you’ll hit DB limits fast.</p> <p>Tune pools intentionally.</p> <h2> 1⃣9⃣ Axios Has No Timeout (Yes, Really) </h2> <p>NestJS HttpModule uses Axios.<br> Axios defaults:</p> <ul> <li> <strong>No timeout</strong> </li> </ul> <p>One hanging dependency can block your service forever.</p> <p>Always set timeouts.</p> <h2> 2⃣0⃣ Swagger Is Not Decoration </h2> <p>Outdated Swagger docs cause:</p> <ul> <li> Misuse</li> <li> Invalid payloads</li> <li> Production incidents</li> </ul> <p>Automate updates. Treat docs as code.</p> <h2> 🧠 Final Thought: DevOps Is Not Just YAML </h2> <p>NestJS is <strong>enterprise-ready</strong>, but enterprises are messy.</p> <p>Scalability doesn’t come from frameworks alone.It comes from <strong>Dev and Ops understanding how software behaves under pressure</strong>.</p> <p>So next time NestJS lands in your cluster, don’t just review Kubernetes manifests.</p> <p>👉 <strong>Open main.ts.</strong></p> <p>It might save your weekend.</p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> devops nestjs crosscloudx k8s 🧠 Cómo Sobrevivir a Múltiples Cuentas de GitHub sin Perder Tu Sanidad Mental (y Tu Trabajo) francotel Wed, 18 Feb 2026 15:10:34 +0000 https://forem.com/francotel/como-sobrevivir-a-multiples-cuentas-de-github-sin-perder-tu-sanidad-mental-y-tu-trabajo-4lol https://forem.com/francotel/como-sobrevivir-a-multiples-cuentas-de-github-sin-perder-tu-sanidad-mental-y-tu-trabajo-4lol <p>🌅 𝗘𝗹 𝗠𝗌𝗺𝗲𝗻𝘁𝗌 𝗱𝗲𝗹 𝗣á𝗻𝗶𝗰𝗌: 𝟮 𝗔𝗠, 𝗩𝗶𝗲𝗿𝗻𝗲𝘀 𝗜𝗌𝗿 𝗹𝗮 𝗡𝗌𝗰𝗵𝗲<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>𝘚𝘪𝘵 𝘱𝘶𝘎𝘩 𝘰𝘳𝘪𝘚𝘪𝘯 𝘮𝘢𝘪𝘯 </code></pre> </div> <p>𝗘𝗥𝗥𝗢𝗥: 𝗣𝗲𝗿𝗺𝗶𝘀𝘀𝗶𝗌𝗻 𝗱𝗲𝗻𝗶𝗲𝗱 (𝗜𝘂𝗯𝗹𝗶𝗰𝗞𝗲𝘆). ❌</p> <p>Mi corazón se detuvo por 3 segundos.</p> <p>Eran las 2 de la madrugada. Mi jefe necesitaba el <em>hotfix</em> para la demo con el cliente en Asia en 6 horas. Y yo, desde mi laptop personal, estaba viendo cómo el universo conspiraba contra mi fin de semana.</p> <p>El problema: 𝗚𝗶𝘁𝗛𝘂𝗯 𝗻𝗌 𝘀𝗮𝗯í𝗮 𝘀𝗶 𝗲𝗿𝗮 "𝗗𝗲𝘃 𝗣𝗲𝗿𝘀𝗌𝗻𝗮𝗹" 𝗌 "𝗗𝗲𝘃 𝗖𝗌𝗿𝗜𝗌𝗿𝗮𝘁𝗶𝘃𝗌". Y estaba usando la identidad equivocada.</p> <p>𝘚𝘶𝘊𝘯𝘢 𝘧𝘢𝘮𝘪𝘭𝘪𝘢𝘳? 🥲</p> <p>Si alguna vez has:<br> ● Trabajado en una startup y tenido tu proyecto personal 🏠<br> ● Sido contratista para múltiples clientes 💌<br> ● Entrado a una empresa que te exige cuenta corporativa de GitHub 🏢<br> ● Tenido que hacer un commit urgente desde tu laptop personal 🔥</p> <p>...este post es para ti.</p> <p>📖 𝗟𝗮 𝗛𝗶𝘀𝘁𝗌𝗿𝗶𝗮 𝗥𝗲𝗮𝗹: 𝗖ó𝗺𝗌 𝘂𝗻𝗮 𝗘𝗺𝗜𝗿𝗲𝘀𝗮 𝗖𝗮𝘀𝗶 𝗣𝗶𝗲𝗿𝗱𝗲 𝘂𝗻 𝗖𝗹𝗶𝗲𝗻𝘁𝗲 𝗜𝗌𝗿 𝗊𝗊𝗛-𝗞𝗲𝘆𝘀 𝗠𝗮𝗹 𝗖𝗌𝗻𝗳𝗶𝗎𝘂𝗿𝗮𝗱𝗮𝘀</p> <p>Trabajo en 𝗧𝗲𝗰𝗵𝗖𝗌𝗿𝗜, una consultora que maneja proyectos para 15+ clientes diferentes. Cada cliente requiere:</p> <p>● Cuenta separada de GitHub 🔐<br> ● SSH-keys diferentes 🗝<br> ● Repos privados aislados 📊</p> <p>𝗘𝗹 𝗰𝗮𝗌𝘀 𝗱𝗶𝗮𝗿𝗶𝗌:<br> ● Devs haciendo commits con identidad equivocada 😱<br> ● CI/CD pipelines fallando por permisos 🔥<br> ● 3 horas semanales de soporte técnico resolviendo estos problemas ⏰</p> <p>𝗘𝗹 𝗰𝗌𝘀𝘁𝗌: $15,000 USD/año en productividad perdida. 💞</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdf9z2axwsgf64afje1nw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdf9z2axwsgf64afje1nw.png" alt="mul-keys" width="800" height="483"></a></p> <p><strong>🎯 La Solución que Cambió Todo: Multi-SSH Keys como un Pro</strong></p> <p>Paso 1: El Diagnóstico (Entendiendo el Problema)</p> <p>¿𝗀𝘂é 𝗞𝗲𝘆𝘀 𝘁𝗶𝗲𝗻𝗲𝘀 𝗮𝗰𝘁𝘂𝗮𝗹𝗺𝗲𝗻𝘁𝗲?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> <span class="nt">-la</span> ~/.ssh/ </code></pre> </div> <p>¿𝗀𝘂é 𝘂𝘀𝘂𝗮𝗿𝗶𝗌 𝗲𝘀𝘁á 𝘂𝘀𝗮𝗻𝗱𝗌 𝗚𝗶𝘁 𝗮𝗵𝗌𝗿𝗮?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config user.email </code></pre> </div> <p>Paso 2: La Cirugía - Crear Keys Separadas<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 𝗞𝗲𝘆 𝗜𝗲𝗿𝘀𝗌𝗻𝗮𝗹 (𝗹𝗮 𝗟𝘂𝗲 𝘆𝗮 𝘁𝗶𝗲𝗻𝗲𝘀)</span> ~/.ssh/id_rsa </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 𝗞𝗲𝘆 𝗜𝗮𝗿𝗮 𝗲𝗹 𝘁𝗿𝗮𝗯𝗮𝗷𝗌 𝗲𝗻 𝗙𝗶𝗻𝗧𝗲𝗰𝗵𝗖𝗌𝗿𝗜</span> ssh-keygen <span class="nt">-t</span> rsa <span class="nt">-b</span> 4096 <span class="nt">-C</span> <span class="s2">"tu@fintechcorp.com"</span> <span class="nt">-f</span> ~/.ssh/fintech_rsa </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 𝗞𝗲𝘆 𝗜𝗮𝗿𝗮 𝗲𝗹 𝗰𝗹𝗶𝗲𝗻𝘁𝗲 𝗘-𝗰𝗌𝗺𝗺𝗲𝗿𝗰𝗲 </span> ssh-keygen <span class="nt">-t</span> rsa <span class="nt">-b</span> 4096 <span class="nt">-C</span> <span class="s2">"tu@ecomcliente.com"</span> <span class="nt">-f</span> ~/.ssh/ecom_rsa </code></pre> </div> <p>🎚 Imagina que cada key es una llave física diferente para oficinas distintas.</p> <p><strong>Paso 3: El Archivo Mágico (~/.ssh/config)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 👀 𝗬𝗢 (𝗣𝗲𝗿𝘀𝗌𝗻𝗮𝗹) - 𝗠𝗶 𝗶𝗱𝗲𝗻𝘁𝗶𝗱𝗮𝗱 𝘀𝗲𝗰𝗿𝗲𝘁𝗮</span> Host github.com HostName github.com User git IdentityFile ~/.ssh/id_rsa AddKeysToAgent <span class="nb">yes</span> <span class="c"># 💌 𝗙𝗶𝗻𝗧𝗲𝗰𝗵𝗖𝗌𝗿𝗜 - 𝗠𝗶 𝘆𝗌 𝗰𝗌𝗿𝗜𝗌𝗿𝗮𝘁𝗶𝘃𝗌</span> Host github.com-fintech HostName github.com User git IdentityFile ~/.ssh/fintech_rsa AddKeysToAgent <span class="nb">yes</span> <span class="c"># 🛒 𝗘𝗰𝗌𝗺𝗖𝗹𝗶𝗲𝗻𝘁𝗲 - 𝗘𝗹 𝗜𝗿𝗌𝘆𝗲𝗰𝘁𝗌 𝗟𝘂𝗲 𝗜𝗮𝗎𝗮 𝗹𝗮𝘀 𝘃𝗮𝗰𝗮𝗰𝗶𝗌𝗻𝗲𝘀</span> Host github.com-ecom HostName github.com User git IdentityFile ~/.ssh/ecom_rsa AddKeysToAgent <span class="nb">yes</span> </code></pre> </div> <p>💡 Tip Pro: Piensa en esto como rutas de enrutamiento en una red compleja - cada host alias dirige el tráfico al destino correcto con las credenciales apropiadas.</p> <h2> 🔑 Paso 4: El Registro en GitHub (El Paso que Nadie Debe Saltarse) </h2> <h3> 4.1 Copia tu llave pública al portapapeles </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Para macOS (pbcopy)</span> <span class="nb">cat</span> ~/.ssh/ecom_rsa.pub | pbcopy <span class="c"># Para Linux (xclip)</span> <span class="nb">cat</span> ~/.ssh/ecom_rsa.pub | xclip <span class="nt">-selection</span> clipboard <span class="c"># Para Windows (PowerShell)</span> Get-Content ~/.ssh/ecom_rsa.pub | Set-Clipboard </code></pre> </div> <p><strong>4.𝟮 𝗔𝗎𝗿é𝗎𝗮𝗹𝗮 𝗮 𝘁𝘂 𝗰𝘂𝗲𝗻𝘁𝗮 𝗱𝗲 𝗚𝗶𝘁𝗛𝘂𝗯</strong></p> <ol> <li>Ve a 𝗚𝗶𝘁𝗛𝘂𝗯.𝗰𝗌𝗺 (𝗵𝘁𝘁𝗜𝘀://𝗎𝗶𝘁𝗵𝘂𝗯.𝗰𝗌𝗺/) → 𝗊𝗲𝘁𝘁𝗶𝗻𝗎𝘀 (tu foto de perfil) ⚙</li> <li>En el menú lateral, haz clic en "𝗊𝗊𝗛 𝗮𝗻𝗱 𝗚𝗣𝗚 𝗞𝗲𝘆𝘀" 🔑</li> <li>Haz clic en el botón verde "𝗡𝗲𝘄 𝗊𝗊𝗛 𝗞𝗲𝘆" o "𝗔𝗱𝗱 𝗊𝗊𝗛 𝗞𝗲𝘆" ➕</li> <li>En el formulario:</li> </ol> <ul> <li>𝗧𝗶𝘁𝗹𝗲: Un nombre descriptivo (ej: "MacBook Pro Work", "Personal Laptop", "Franco - Work")</li> <li>𝗞𝗲𝘆 𝘁𝘆𝗜𝗲: "Authentication Key" (mantén el default)</li> <li>𝗞𝗲𝘆: Pega el contenido de tu portapapeles (la llave pública)</li> </ul> <ol> <li>Haz clic en "𝗔𝗱𝗱 𝗊𝗊𝗛 𝗞𝗲𝘆" ✅</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mvrlm1is1sc0mtfb52x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mvrlm1is1sc0mtfb52x.png" alt="github-ssh" width="509" height="478"></a></p> <p><strong>Paso 5: El Truco del Clonado Inteligente</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❌ 𝗔𝗻𝘁𝗲𝘀 <span class="o">(</span>𝗳𝗮𝗹𝗹𝗮𝗯𝗮 𝘀𝗶𝗲𝗺𝗜𝗿𝗲<span class="o">)</span> git clone git@github.com:fintechcorp/proyecto-secreto.git ✅ 𝗗𝗲𝘀𝗜𝘂é𝘀 <span class="o">(</span>𝗳𝘂𝗻𝗰𝗶𝗌𝗻𝗮 𝗜𝗲𝗿𝗳𝗲𝗰𝘁𝗌<span class="o">)</span> git clone git@github.com-fintech:fintechcorp/proyecto-secreto.git </code></pre> </div> <p>📊 𝗥𝗲𝘀𝘂𝗹𝘁𝗮𝗱𝗌𝘀 𝗥𝗲𝗮𝗹𝗲𝘀 𝗲𝗻 𝗺𝗶 𝗘𝗺𝗜𝗿𝗲𝘀𝗮 (𝗠é𝘁𝗿𝗶𝗰𝗮 𝗟𝘂𝗲 𝗜𝗺𝗜𝗌𝗿𝘁𝗮)</p> <p>𝗔𝗻𝘁𝗲𝘀 𝗱𝗲 𝗹𝗮 𝗶𝗺𝗜𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝗰𝗶ó𝗻 (𝗘𝗻𝗲 𝟮𝟬𝟮𝟱):<br> 🔎 12 incidentes/mes por credenciales incorrectas<br> 🔎 8 horas/mes de soporte DevOps<br> 🔎 3 devs frustrados renunciaron (ok, esto no fue solo por SSH, pero ayudó)</p> <p>𝗗𝗲𝘀𝗜𝘂é𝘀 (𝗝𝘂𝗻 𝟮𝟬𝟮𝟱):<br> 🟢 0 incidentes por credenciales<br> 🟢 0 horas de soporte (autogestionado)<br> 🟢 Devs pueden cambiar de contexto en &lt;1 minuto</p> <p>𝗜𝗺𝗜𝗮𝗰𝘁𝗌 𝗳𝗶𝗻𝗮𝗻𝗰𝗶𝗲𝗿𝗌:</p> <p>"𝘈𝘩𝘰𝘳𝘳𝘢𝘮𝘰𝘎 $12,000 𝘢𝘭 𝘢ñ𝘰 𝘎𝘰𝘭𝘰 𝘊𝘯 𝘵𝘪𝘊𝘮𝘱𝘰 𝘥𝘊 𝘵𝘳𝘰𝘶𝘣𝘭𝘊𝘎𝘩𝘰𝘰𝘵𝘪𝘯𝘚" - 𝘊𝘛𝘖 𝘥𝘊 𝘛𝘊𝘀𝘩𝘊𝘰𝘳𝘱</p> <h3> 🎮 Bonus: El Debugging Mode (Cuando Algo Sale Mal) </h3> <p>Comandos de Diagnóstico Rápido:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ¿𝗀𝘂é 𝗞𝗲𝘆 𝗲𝘀𝘁á 𝘂𝘀𝗮𝗻𝗱𝗌 𝗊𝗊𝗛?</span> ssh <span class="nt">-T</span> git@github.com-fintech </code></pre> </div> <p>𝗗𝗲𝗯𝗲𝗿í𝗮𝘀 𝘃𝗲𝗿: "𝗛𝗶 @𝘂𝘀𝘂𝗮𝗿𝗶𝗌-𝗳𝗶𝗻𝘁𝗲𝗰𝗵! 𝗬𝗌𝘂'𝘃𝗲 𝘀𝘂𝗰𝗰𝗲𝘀𝘀𝗳𝘂𝗹𝗹𝘆 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗲𝗱..."<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ¿𝗀𝘂é 𝘂𝘀𝘂𝗮𝗿𝗶𝗌 𝘁𝗶𝗲𝗻𝗲 𝗚𝗶𝘁 𝗰𝗌𝗻𝗳𝗶𝗎𝘂𝗿𝗮𝗱𝗌?</span> <span class="nb">cat</span> .git/config | <span class="nb">grep </span>email </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 𝗩𝗲𝗿 𝘁𝗌𝗱𝗮𝘀 𝗹𝗮𝘀 𝗞𝗲𝘆𝘀 𝗰𝗮𝗿𝗎𝗮𝗱𝗮𝘀</span> ssh-add <span class="nt">-l</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 𝗧𝗲𝘀𝘁 𝗱𝗲 𝗰𝗌𝗻𝗲𝘅𝗶ó𝗻 𝘃𝗲𝗿𝗯𝗌𝘀𝗲 (𝗰𝘂𝗮𝗻𝗱𝗌 𝘁𝗌𝗱𝗌 𝗳𝗮𝗹𝗹𝗮)</span> ssh <span class="nt">-vT</span> git@github.com-fintech </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 🔥 LIMPIAR TODO Y EMPEZAR DE CERO (cuando hay caos)</span> ssh-add <span class="nt">-D</span> <span class="c"># Esto elimina TODAS las llaves del agente SSH</span> <span class="c"># Útil cuando tienes conflictos de keys o credenciales mezcladas</span> </code></pre> </div> <h3> Errores Comunes y Soluciones: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Error</th> <th>Causa</th> <th>Solución Mágica</th> </tr> </thead> <tbody> <tr> <td><code>Permission denied</code></td> <td>Key incorrecta</td> <td>Verifica <code>~/.ssh/config</code> </td> </tr> <tr> <td><code>Could not open connection</code></td> <td>Alias mal escrito</td> <td> <code>github.com-empresa</code> vs <code>github.com_empresa</code> </td> </tr> <tr> <td><code>User email incorrecto</code></td> <td>Git local mal config</td> <td><code>git config user.email</code></td> </tr> </tbody> </table></div> <h2> 🧭 ¿Y si trabajamos juntos? </h2> <p>Este proyecto es una base.En <strong>CrossCloudX</strong>, diseñamos pipelines a la medida para empresas financieras, consultoras o startups con visión.<br> ¿Te interesa un piloto en tu empresa?</p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> ssh github devops crosscloudx GitHub Actions + Security Scanning: Cómo Integrar Trivy y Checkov en tu Pipeline francotel Mon, 19 Jan 2026 02:06:04 +0000 https://forem.com/francotel/github-actions-security-scanning-como-integrar-trivy-y-checkov-en-tu-pipeline-3klg https://forem.com/francotel/github-actions-security-scanning-como-integrar-trivy-y-checkov-en-tu-pipeline-3klg <h2> 🚚 La Pesadilla que Todos los DevOps Tememos </h2> <p>Era un martes cualquiera cuando recibí la alerta: <strong>"Vulnerabilidad CRÍTICA detectada en producción"</strong>. Nuestra aplicación, que servía a miles de usuarios, tenía una vulnerabilidad de día cero que alguien había logrado explotar.</p> <p>¿El culpable? Una imagen Docker que habíamos desplegado la semana anterior.</p> <p><strong>La peor parte</strong>: ¡La vulnerabilidad ya existía cuando publicamos la imagen! Había pasado por nuestro pipeline CI/CD sin que nadie la notara.</p> <p>En ese momento entendí algo crucial: <strong>si tu pipeline no valida seguridad, estás desplegando ciegamente</strong>.</p> <h2> 🛡 La Solución: Integrar Security Scanning en GitHub Actions </h2> <p>Después de esa experiencia, me propuse crear un pipeline que <strong>nunca más</strong> permitiera que vulnerabilidades llegaran a producción. Así nació este proyecto que hoy comparto contigo.</p> <h3> 🔍 El Problema que Resolvemos </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Así era nuestro workflow ANTES:</span> - name: Build Docker Image run: docker build <span class="nt">-t</span> mi-app <span class="nb">.</span> - name: Push to Registry run: docker push mi-app:latest <span class="c"># ¡Sin validaciones de seguridad!</span> </code></pre> </div> <p><strong>Resultado</strong>: Vulnerabilidades, secretos expuestos, configuraciones inseguras... todo llegando a producción.</p> <h2> 🚀 La Arquitectura de Nuestro Pipeline Seguro </h2> <p>Nuestro nuevo pipeline tiene 4 fases críticas:</p> <h3> 1. <strong>🐳 Construcción con Etiquetas Inteligentes</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Tags únicos por commit + ambiente</span> IMAGE_TAG_SHA: "sha-${GITHUB_SHA::7}" IMAGE_TAG_ENV: "${{ inputs.target_env }}-latest" </code></pre> </div> <ol> <li>🔍 Escaneo de Vulnerabilidades con Trivy </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Security Scan con Trivy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm \</span> <span class="s">-v $(pwd):/src \</span> <span class="s">aquasec/trivy:latest \</span> <span class="s">image --severity CRITICAL,HIGH \</span> <span class="s">mi-imagen:${TAG}</span> </code></pre> </div> <p>Trivy nos ayuda a encontrar:</p> <ul> <li><p>Vulnerabilidades en paquetes del sistema</p></li> <li><p>Dependencias con CVEs conocidos</p></li> <li><p>Secretos expuestos accidentalmente</p></li> <li><p>Configuraciones inseguras</p></li> </ul> <h3> 3. <strong>🏗 Validación de Dockerfile con Checkov</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">IaC Security con Checkov</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm \</span> <span class="s">bridgecrew/checkov \</span> <span class="s">--file Dockerfile \</span> <span class="s">--framework dockerfile</span> </code></pre> </div> <p>Checkov revisa que nuestro Dockerfile siga mejores prácticas:</p> <ul> <li><p>¿Usuario root? ❌</p></li> <li><p>¿Paquetes sin actualizar? ❌</p></li> <li><p>¿Secretos hardcodeados? ❌</p></li> </ul> <h3> 4. <strong>🚫 Bloqueo Automático en Fallos</strong> </h3> <p>La magia está aquí: <strong>si hay vulnerabilidades CRÍTICAS o ALTAS, el pipeline SE DETIENE</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">if [ "$VULNERABILIDADES" -gt 0 ]; then</span> <span class="s">echo "❌ WORKFLOW BLOQUEADO"</span> <span class="s">echo "Hay $VULNERABILIDADES problemas de seguridad"</span> <span class="s">exit </span><span class="m">1</span> <span class="s">fi</span> </code></pre> </div> <h3> 📊 Dashboard de Seguridad en Tiempo Real </h3> <p>Lo mejor de todo: <strong>todo aparece automáticamente en GitHub Actions Summary</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>🐳 Reporte de Escaneo - Trivy ══════════════════════════════ 📊 Resumen General ────────────────── | Tipo | Severidad | Cantidad | |-------------------|------------|----------| | Vulnerabilidades | 🔎 CRÍTICA | 2 | | Vulnerabilidades | 🟠 ALTA | 9 | | Total | | 11 | 🏗 Checkov Security Scan ══════════════════════════ ✅ Todos los checks pasaron <span class="o">(</span>22 passed, 0 failed<span class="o">)</span> </code></pre> </div> <h3> 🎯 El Resultado: Confianza Automatizada </h3> <p><strong>Antes</strong>:</p> <ul> <li><p>"Ojalá no haya vulnerabilidades"</p></li> <li><p>Auditorías manuales cada 3 meses</p></li> <li><p>Incidentes de seguridad recurrentes</p></li> </ul> <p><strong>Después</strong>:</p> <ul> <li><p>✅ <strong>Cada commit</strong> validado automáticamente</p></li> <li><p>✅ <strong>Cada imagen</strong> escaneada antes de publicar</p></li> <li><p>✅ <strong>Cada despliegue</strong> con reporte de seguridad</p></li> <li><p>✅ <strong>Cero</strong> vulnerabilidades en producción desde la implementación</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlxdftv5dtqruyupzv4n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlxdftv5dtqruyupzv4n.png" alt="trivy-1" width="514" height="525"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhapixrmd2s0zvhd0faq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhapixrmd2s0zvhd0faq.png" alt="trivy-2" width="542" height="558"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05067r6jveg5eh9yvwvp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05067r6jveg5eh9yvwvp.png" alt="checkov-1" width="800" height="246"></a></p> <h3> 💡 Lecciones Aprendidas </h3> <h4> 1. <strong>Seguridad ≠ Lentitud</strong> </h4> <p>Muchos piensan que agregar security scanning hará lento el pipeline. ¡Falso! Nuestros escaneos agregan solo 2-3 minutos.</p> <h4> 2. <strong>Fail Fast es Mejor que Fail in Production</strong> </h4> <p>Preferimos que falle el pipeline (y notifique al desarrollador) a que falle en producción (y afecte a usuarios).</p> <h4> 3. <strong>Los Reportes Son Tu Mejor Aliado</strong> </h4> <p>Un reporte claro y automático hace que los equipos <strong>entiendan y arreglen</strong> los problemas, no solo los "parcheen".</p> <h3> 🚀 Implementa en 3 Pasos Sencillos </h3> <p>==================================</p> <h3> Paso 1: Clona y explora </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/francotel/docker-image-security-scan <span class="nb">cd </span>docker-image-security-scan </code></pre> </div> <h3> Paso 2: Examina el workflow </h3> <p>Revisa .github/workflows/publish-nginx-image.yml - ¡todo está listo para usar!</p> <h3> Paso 3: Adapta a tu caso </h3> <p>Modifica nombres de imágenes, registros y políticas según tu stack.</p> <h2> 📈 Impacto Inmediato </h2> <ul> <li><p><strong>Detección</strong>: De trimestral a <strong>en cada commit</strong></p></li> <li><p><strong>Cobertura</strong>: De muestras a <strong>100% de imágenes</strong></p></li> <li><p><strong>Confianza</strong>: De "espero" a <strong>"sé que está validado"</strong></p></li> </ul> <h2> 🀝 ¿Cómo Contribuir? </h2> <p>El proyecto está activo en <a href="https://github.com/francotel/docker-image-security-scan" rel="noopener noreferrer"><strong>github.com/francotel/docker-image-security-scan</strong></a></p> <p><strong>¿Ideas para mejorar?</strong></p> <ul> <li><p>Notificaciones en Slack/Teams</p></li> <li><p>Dashboard histórico</p></li> <li><p>Escaneo automático de imágenes base</p></li> <li><p>Policy as Code personalizado</p></li> </ul> <h2> 🎯 ¡Hazlo Hoy! </h2> <p><strong>Ventajas clave:</strong></p> <ul> <li><p>✅ <strong>Gratuito</strong> (open source)</p></li> <li><p>✅ <strong>Simple</strong> (un archivo YAML)</p></li> <li><p>✅ <strong>Efectivo</strong> (bloquea problemas reales)</p></li> </ul> <p><strong>Acción inmediata:</strong></p> <ol> <li><p>⭐ <strong>Dale estrella</strong> al repo</p></li> <li><p>🐑 <strong>Haz fork y adapta</strong></p></li> <li><p>💬 <strong>Comenta en issues</strong></p></li> </ol> <p><strong>¿Listo para seguridad automatizada?</strong>👉 <a href="https://github.com/francotel/docker-image-security-scan" rel="noopener noreferrer"><strong>github.com/francotel/docker-image-security-scan</strong></a></p> <p><strong>#DevSecOps #GitHubActions #DockerSecurity</strong></p> <p>¡No te lo pierdas! Sígueme en LinkedIn para estar al tanto de todas las actualizaciones y futuros artículos:</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <h3> ☕ Apóyame con un café </h3> <p>Si este contenido te ha sido útil y quieres apoyarme para seguir creando más, considera invitarme un café. ¡Tu apoyo hace la diferencia! 🥰</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>¡Gracias por leer y hasta la próxima! 👋</p> docker crosscloudx devops github 🚀 ¡Despídete del Caos de Configs! Mi Viaje con Azure App Configuration: Escalabilidad, Seguridad y 0 Downtimes en Microservicios francotel Thu, 13 Nov 2025 03:04:45 +0000 https://forem.com/francotel/despidete-del-caos-de-configs-mi-viaje-con-azure-app-configuration-escalabilidad-seguridad-y-52g7 https://forem.com/francotel/despidete-del-caos-de-configs-mi-viaje-con-azure-app-configuration-escalabilidad-seguridad-y-52g7 <p>💭 <strong>Imagina esto:</strong><br><br> Eres un desarrollador apasionado (como yo 😅) que lleva semanas lidiando con configs dispersos entre YAMLs, repositorios Git y variables de entorno olvidadas.<br><br> Tus microservicios en <strong>Node.js</strong>, <strong>Python</strong> y <strong>Go</strong> crecen rápido, pero cada cambio —por mínimo que sea, como actualizar un <code>db.host</code>— termina en <strong>reinicios manuales</strong>, <strong>merge conflicts</strong> y <strong>noches sin dormir</strong> tratando de entender por qué algo rompió en producción. 😵‍💫 </p> <p>Un viernes (sí, <em>otro viernes de deploys peligrosos</em>), decidí que ya era suficiente. Ese día conocí a <strong>Azure App Configuration</strong>, y fue como pasar del caos al control total.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExbGhlNjdwMXhxd3dqYWN2ZnZsYWVjNDd1N3pqd2NwbDdiYmNseG9iZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2Fy9DIEU4LhCizDUzE5o%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExbGhlNjdwMXhxd3dqYWN2ZnZsYWVjNDd1N3pqd2NwbDdiYmNseG9iZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2Fy9DIEU4LhCizDUzE5o%2Fgiphy.gif" width="480" height="400"></a></p> <h2> ☁ El Giro de la Historia: Cómo App Configuration Salvó Mi Proyecto </h2> <p>Primero, abrí el Portal de Azure y creé mi <strong>App Configuration Store</strong> — literalmente un par de clics.<br><br> De pronto tenía un <strong>repositorio centralizado</strong> de configuraciones donde podía definir:</p> <ul> <li>🔑 Key-Value pairs (<code>app.name=MiServicio</code>)</li> <li>🚊 Feature flags para rollouts dinámicos</li> <li>🔐 Referencias a secretos en <strong>Key Vault</strong> </li> </ul> <p>Mi código cambió de esto:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// El viejo infierno 😅</span> <span class="kd">const</span> <span class="nx">dbHost</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_HOST</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>a esto:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// El nuevo orden ⚡</span> <span class="kd">const</span> <span class="nx">dbHost</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getConfigurationSetting</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">db.host</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <p>Y sin reiniciar nada.<br> Los SDKs de Azure cachean los valores localmente, así que ni latencia ni downtime.</p> <p>Cada microservicio —desde mi clúster de Kubernetes hasta mis pipelines— empezó a hablar el mismo idioma de configuración.</p> <h2> 💎 Ventajas que Brillaron en Mis Entrevistas </h2> <p>Cuando comencé a implementar <strong>Azure App Configuration</strong>, no solo resolví problemas técnicos: también logré destacar en entrevistas de arquitectura y DevOps. Cada punto fuerte del servicio se transformó en una historia concreta que demostraba control, escalabilidad y visión de futuro. </p> <h3> 🌍 Escalabilidad sin límites </h3> <p>Azure maneja miles de requests con un <strong>99.9% de disponibilidad garantizada</strong>.<br><br> En mi demo, App Configuration procesó más de <strong>10,000 lecturas diarias</strong> sin una sola caída — ideal para entornos híbridos con microservicios distribuidos en <strong>Kubernetes</strong> o <strong>AKS</strong>. </p> <blockquote> <p>💡 <em>Ejemplo que compartí en una entrevista:</em> “Gracias al cacheo local del SDK, mis servicios siguieron operando incluso durante una breve desconexión del Portal de Azure.” </p> </blockquote> <h3> 🔐 Seguridad empresarial </h3> <p>La integración con <strong>Azure Key Vault</strong> fue un cambio de juego.<br><br> En lugar de almacenar contraseñas o tokens directamente, App Configuration <strong>solo guarda la referencia segura</strong> del secreto.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://myvault.vault.azure.net/secrets/db-password"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 🧩 Demo en Acción: App Configuration + Node.js + Terraform </h2> <p>Para llevar esta historia más allá del papel, preparé una <strong>demo funcional</strong> que combina <strong>Azure App Configuration</strong>, <strong>Terraform</strong> y <strong>Node.js</strong> en un entorno totalmente automatizado. </p> <p>El servidor <strong>Node.js</strong> renderiza en tiempo real los valores definidos en <strong>App Configuration</strong> — título, color de fondo y tamaño de fuente — <strong>sin necesidad de reiniciar el contenedor</strong>. </p> <blockquote> <p>🧠 <em>Cada cambio que hagas desde el Portal de Azure se refleja automáticamente en la UI del servidor.</em> </p> </blockquote> <p>📊 Puedes revisar el código completo y probarlo tú mismo en mi repositorio:<br><br> 👉 <a href="https://github.com/francotel/azure-app-config-terraform-demo" rel="noopener noreferrer">https://github.com/francotel/azure-app-config-terraform-demo</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx8ptnusq71bg8ytkyx5g.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx8ptnusq71bg8ytkyx5g.gif" width="" height=""></a></p> <h2> 🧭 ¿Y si trabajamos juntos? </h2> <p>Este proyecto es una base.En <strong>CrossCloudX</strong>, diseñamos pipelines a la medida para empresas financieras, consultoras o startups con visión.<br> ¿Te interesa un piloto en tu empresa?</p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> devops azure crosscloudx terraform 🛡 Elimina secretos, escanea dependencias y duerme tranquilo: Así funciona un pipeline moderno DevSecOps francotel Thu, 24 Jul 2025 22:56:00 +0000 https://forem.com/francotel/elimina-secretos-escanea-dependencias-y-duerme-tranquilo-asi-funciona-un-pipeline-moderno-27d3 https://forem.com/francotel/elimina-secretos-escanea-dependencias-y-duerme-tranquilo-asi-funciona-un-pipeline-moderno-27d3 <blockquote> <p>🔍 “¿Y si hoy tu build revelara una clave secreta en producción?”</p> <p>💣 “¿Y si una librería obsoleta estuviera exponiendo tu app bancaria sin que lo sepas?”</p> <p>Esta es la historia real de cómo un pipeline bien diseñado salvó a un equipo de infraestructura de un incidente de seguridad mayor.</p> </blockquote> <h2> ☁ El dilema: Seguridad vs Velocidad </h2> <p>Muchos equipos de desarrollo y DevOps se enfrentan al mismo conflicto:<strong>“¿Cómo integramos seguridad sin frenar nuestros despliegues?”</strong></p> <p>En consultorías, bancos y empresas tech, he visto pipelines que usan hojas de Excel para reportar vulnerabilidades. Sí, <strong>Excel</strong> en pleno 2025. 🧟‍♂</p> <p>La consecuencia:</p> <ul> <li><p>Secretos hardcodeados en el código fuente 😱</p></li> <li><p>Dependencias con vulnerabilidades críticas 🐛</p></li> <li><p>Mala visibilidad en auditorías 🔍</p></li> </ul> <h2> 💡 La solución: Un pipeline CI con visión DevSecOps </h2> <p>He creado una PoC que <strong>automatiza seguridad desde el primer push</strong>, sin sacrificar la velocidad.<br> 🔗 <strong>Repositorio público</strong>: <a href="https://github.com/francotel/gitsecops-cicd-poc" rel="noopener noreferrer">gitsecops-cicd-poc</a></p> <h3> 👇 ¿Qué incluye esta primera fase CI? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmt2zoagwrar2bgrncjfx.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmt2zoagwrar2bgrncjfx.gif" alt="ci-devsecops" width="1048" height="318"></a></p> <h3> Etapas del pipeline: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Etapa</th> <th>Herramienta</th> <th>Qué detecta 🕵</th> </tr> </thead> <tbody> <tr> <td><code>Checkout Code</code></td> <td>GitHub Actions</td> <td>Descarga del código</td> </tr> <tr> <td><code>Cache Trivy</code></td> <td>Trivy</td> <td>Optimiza tiempos</td> </tr> <tr> <td><code>Secrets Scan</code></td> <td>Trivy</td> <td>🔐 Claves, tokens</td> </tr> <tr> <td><code>Configs Scan</code></td> <td>Trivy</td> <td>🛡 Permisos inseguros</td> </tr> <tr> <td><code>Build Docker Image</code></td> <td>Docker</td> <td>Compilación controlada</td> </tr> <tr> <td><code>Dependencies Scan</code></td> <td>Trivy (SCA)</td> <td>📊 CVEs en libs y SO</td> </tr> <tr> <td><code>Notify</code></td> <td>Slack Webhook</td> <td>📢 Alertas en tiempo real</td> </tr> </tbody> </table></div> <h2> 🧪 ¿Por qué Trivy? </h2> <p>Trivy no solo escanea imágenes Docker.También detecta:</p> <ul> <li><p>Secrets en el código fuente (AWS keys, tokens, etc.)</p></li> <li><p>Errores de configuración en YAMLs</p></li> <li><p>Vulnerabilidades en dependencias (package.json, requirements.txt, etc.)</p></li> <li><p>CVEs a nivel de sistema operativo (Alpine, Debian, etc.)</p></li> </ul> <blockquote> <p>⚠ Todo esto en <strong>menos de 2 minutos</strong> por pipeline.</p> </blockquote> <h2> 🧠 Caso de uso empresarial </h2> <p>👉 <strong>Contexto: Consultora de seguridad financiera</strong><br> Una fintech tenía múltiples microservicios desplegados sin control de versiones ni escaneo de imágenes.<br> Con este pipeline CI se logró:</p> <ul> <li><p>Detectar más de <strong>30 secretos hardcodeados</strong> antes del merge</p></li> <li><p>Visibilidad en Slack de cada build inseguro</p></li> <li><p>Aprobación interna de seguridad sin llenar formularios</p></li> </ul> <blockquote> <p>Resultado: Cumplieron auditoría SOX en tiempo récord. 🎯</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80v9wu61dsi6jd3poxoj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80v9wu61dsi6jd3poxoj.png" alt="github-summary" width="800" height="530"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlg5skt0l7skb8g5vq4s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlg5skt0l7skb8g5vq4s.png" alt="slack" width="631" height="194"></a></p> <h2> 🔜 ¿Y el CD? </h2> <p>Este post cubre <strong>solo la etapa CI</strong>.La segunda parte incluirá:</p> <ul> <li><p>Despliegue en ambientes segregados (Dev, UAT, Prod)</p></li> <li><p>Validación post-deploy</p></li> <li><p>Políticas de rollback</p></li> <li><p>Escaneo en tiempo de ejecución</p></li> </ul> <h2> 🛠 ¿Cómo empezar? </h2> <ol> <li><p>Clona el repo 👉 git clone <a href="https://github.com/francotel/gitsecops-cicd-poc" rel="noopener noreferrer">https://github.com/francotel/gitsecops-cicd-poc</a></p></li> <li><p>Agrega tu workflow.yml desde la carpeta .github/workflows</p></li> <li><p>Crea tu webhook de Slack para recibir alertas</p></li> <li><p>🎯 Ejecuta un push y deja que Trivy haga su magia</p></li> </ol> <h2> 🧠 Bonus: Hacks que usamos </h2> <ul> <li><p>🔄 Cacheo de Trivy para escanear más rápido</p></li> <li><p>🕵‍♂ Reglas personalizadas para detectar secretos locales</p></li> <li><p>🔐 Uso de chmod 777 como <em>trampa</em> para validación</p></li> <li><p>🀖 Notificación temprana al equipo antes del merge</p></li> </ul> <h2> 🧯¿Por qué esto es mejor que Excel? </h2> <p>ExcelDevSecOps PipelineManual, lento, reactivoAutomático, veloz, proactivoRequiere validación humanaIntegración directa al códigoDifícil de auditarLogs en tiempo realSilos entre equiposSeguridad como parte del DevOps</p> <h2> 🧭 ¿Y si trabajamos juntos? </h2> <p>Este proyecto es una base.En <strong>CrossCloudX</strong>, diseñamos pipelines a la medida para empresas financieras, consultoras o startups con visión.<br> ¿Te interesa un piloto en tu empresa?<br> 📩 Escríbeme o abre un issue en el repo: <a href="https://github.com/francotel/gitsecops-cicd-poc" rel="noopener noreferrer">gitsecops-cicd-poc</a></p> <h2> 📌 TL;DR </h2> <p>✅ Pipeline CI moderno con Trivy<br> ✅ Escaneo de secretos, dependencias y configuración<br> ✅ Notificación directa a Slack<br> ✅ Base sólida para DevSecOps real</p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> devops trivy github crosscloudx Run IBM DataPower in Docker in 5 Minutes! 🚀 (No IBM Cloud Needed!) francotel Tue, 03 Jun 2025 03:09:24 +0000 https://forem.com/francotel/run-ibm-datapower-in-docker-in-5-minutes-no-ibm-cloud-needed-3lo7 https://forem.com/francotel/run-ibm-datapower-in-docker-in-5-minutes-no-ibm-cloud-needed-3lo7 <p><em>"IBM DataPower is a powerful API gateway, but it's usually locked behind complex setups. Let’s run it locally with Docker—no licenses or cloud accounts required!"</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoc9vi6z7rb3l5w9w0ms.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoc9vi6z7rb3l5w9w0ms.png" alt="datapower" width="800" height="400"></a></p> <h2> 🔧 What You’ll Need </h2> <ul> <li> <strong>Docker</strong> installed (👉 <a href="https://docs.docker.com/get-docker/" rel="noopener noreferrer">Install guide</a>)</li> <li> <strong>5 minutes</strong> of time</li> <li> <strong>Terminal</strong> (Bash or ZSH)</li> </ul> <h2> 🔍 Before We Start: About Skopeo </h2> <p>Need to check container versions <em>before</em> downloading? <strong>Skopeo</strong> is your friend! This handy tool lets you:</p> <ul> <li>🔎 <strong>Inspect images</strong> without pulling them</li> <li>🏷 <strong>List available versions</strong> (tags)</li> <li>🔄 <strong>Copy images</strong> between registries </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>skopeo list-tags docker://icr.io/cpopen/datapower/datapower-limited </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F65eczcjaa6k0i8h4hmt1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F65eczcjaa6k0i8h4hmt1.png" alt="skopeo-tags" width="600" height="283"></a></p> <h3> 📂 Step 1: Prep Your Workspace </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>datapower <span class="o">&amp;&amp;</span> <span class="nb">cd </span>datapower </code></pre> </div> <p><strong>Using version <code>2018.4.1.9</code></strong> (stable and widely compatible):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Pull the specific DataPower version</span> docker pull icr.io/cpopen/datapower/datapower-limited:2018.4.1.9 </code></pre> </div> <h4> Launch the container with persistent configs </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> <span class="nv">$PWD</span>/config:/drouter/config <span class="se">\</span> <span class="nt">-v</span> <span class="nv">$PWD</span>/local:/drouter/local <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DATAPOWER_ACCEPT_LICENSE</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DATAPOWER_INTERACTIVE</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">-p</span> 9090:9090 <span class="se">\</span> <span class="nt">-p</span> 9022:22 <span class="se">\</span> <span class="nt">-p</span> 8000-8010:8000-8010 <span class="se">\</span> <span class="nt">--name</span> idg <span class="se">\</span> icr.io/cpopen/datapower/datapower-limited:2018.4.1.9 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fduk767izw14qpim6sjcd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fduk767izw14qpim6sjcd.png" alt="docker-run" width="800" height="495"></a></p> <h3> 🔧 Key Notes (Best Practices!) </h3> <h4> 🚪 <strong>Ports Management</strong> </h4> <ul> <li> <strong>Auto-port assignment</strong>: For multi-container setups, use <code>-p 8000</code> (let Docker choose host port) </li> <li> <strong>Port conflicts?</strong> Remap the WebGUI (e.g., <code>-p 9191:9090</code> → access via <code>http://localhost:9191</code>) </li> </ul> <h4> 📂 <strong>Folder Structure</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>datapower/ ├── config/ <span class="c"># Stores all configurations (edit directly!)</span> └── <span class="nb">local</span>/ <span class="c"># For certificates, scripts (XSLT/JS), and keys</span> </code></pre> </div> <h4> 🔐 <strong>Security Must-Dos</strong> </h4> <ol> <li> <strong>First step</strong>: Change default credentials (<code>admin/admin</code>)! </li> <li> <strong>Production tip</strong>: Disable <code>DATAPOWER_INTERACTIVE</code> to avoid log clutter </li> </ol> <h3> 🌐 Step 2: Enable the Web GUI </h3> <ol> <li> <strong>In the running container's CLI</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> configure<span class="p">;</span> web-mgmt 0 9090<span class="p">;</span> <span class="c"># Activates WebGUI</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7uzje8pqjw36ksrbyi4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7uzje8pqjw36ksrbyi4.png" alt="datapower-access" width="800" height="227"></a></p> <p><strong>Access it</strong>:<br> URL: <a href="https://localhost:9090" rel="noopener noreferrer">https://localhost:9090</a><br> Credentials: admin / admin (change this!)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomlrzrwv39k01th917gq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomlrzrwv39k01th917gq.png" alt="datapower-gui-1" width="800" height="530"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl79bi9pqez36y94mnq54.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl79bi9pqez36y94mnq54.png" alt="datapower-gui-2" width="800" height="443"></a></p> <p><strong>Cleanup</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker stop idg <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>idg </code></pre> </div> <h2> 🏁 Conclusion </h2> <p>You've now got <strong>IBM DataPower</strong> running in Docker in just minutes! Key takeaways:</p> <p>✓ <strong>Local testing</strong> without expensive hardware<br><br> ✓ <strong>Persistent configs</strong> via Docker volumes<br><br> ✓ <strong>Full access</strong> to WebGUI and CLI </p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> ibm datapower crosscloudx docker Kubernetes 1.33: Change Pod Size Without Restart! (No More Problems!) francotel Fri, 30 May 2025 02:23:57 +0000 https://forem.com/francotel/kubernetes-133-change-pod-size-without-restart-no-more-problems-31pl https://forem.com/francotel/kubernetes-133-change-pod-size-without-restart-no-more-problems-31pl <h3> 😅 The Problem Every DevOps Knows </h3> <p>Imagine this: It's midnight, your app has too many users, and your Pods need more CPU and memory. But in Kubernetes, changing resources means:</p> <ol> <li> <strong>Delete and restart the Pods</strong> (bye-bye, active connections!)</li> <li> <strong>Wait for a rolling update</strong> (more waiting time)</li> <li> <strong>Hope there's no downtime</strong> (but there's always some)</li> </ol> <p>Until now, changing Pod resources <strong>required a restart</strong>. But with <strong>Kubernetes 1.33, this is no longer true!</strong> 🎉</p> <h3> 🚀 What's New? Pods That Grow Without Restarting! </h3> <p>Now you can:<br> ✅ <strong>Increase/Decrease CPU and memory without restarting</strong><br> ✅ <strong>Works with StatefulSets</strong> (great for databases!)<br> ✅ <strong>Choose if the Pod restarts on errors</strong></p> <p><strong>Real-life example:</strong></p> <ul> <li> <strong>Problem:</strong> An API gets 10x more traffic than usual</li> <li> <strong>Old way:</strong> Rolling update → 30 seconds of downtime</li> <li> <strong>New way:</strong> <code>kubectl patch</code> → <strong>0 downtime</strong> </li> </ul> <h3> 💡 How to Use It? (Easy Code Example 🛠) </h3> <h4> 1. Create a Pod with resize policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">scalable-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2Gi"</span> <span class="na">resizePolicy</span><span class="pi">:</span> <span class="c1"># The magic is here!</span> <span class="pi">-</span> <span class="na">resourceName</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">NotRequired</span> <span class="c1"># No restart if it fails</span> <span class="pi">-</span> <span class="na">resourceName</span><span class="pi">:</span> <span class="s">memory</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">NotRequired</span> </code></pre> </div> <h4> 2. Change resources while running </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl patch pod scalable-app <span class="nt">-p</span> <span class="s1">'{ "spec": { "containers": [{ "name": "web", "resources": { "requests": {"cpu": "2", "memory": "2Gi"}, "limits": {"cpu": "3", "memory": "3Gi"} } }] } }'</span> </code></pre> </div> <h4> Done! The Pod keeps running with more resources. </h4> <h3> 🏢 Why Is This Good for Companies? </h3> <ul> <li> <strong>🔄 Less downtime</strong> → Better for important apps </li> <li> <strong>💰 Save cloud costs</strong> → Reduce resources when not needed </li> <li> <strong>📈 Handle traffic spikes fast</strong> → No waiting for deployments </li> <li> <strong>🗃 Better for databases</strong> → No restarts to change memory </li> </ul> <h3> ⚠ Any Problems? </h3> <ul> <li> <strong>Not all runtimes support it yet</strong> (check your CRI) </li> <li> <strong>You need to configure it</strong> (add <code>resizePolicy</code>) </li> <li> <strong>New feature = possible bugs</strong> (test first in staging) </li> </ul> <h3> 🔚 Conclusion: A Big Step for Kubernetes </h3> <p>Now you can <strong>change Pod resources without restarting</strong>. No more choosing between "low resources" or "risky restarts". </p> <p><strong>Will you try it? Tell me in the comments!</strong> 👇 </p> <p>📌 <strong>Did you like this?</strong> Share and follow for more Kubernetes/DevOps posts. 🚀 </p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> aws kubernetes devops crosscloudx Misconfigured S3 Buckets: Detect and Remediate with AWS Config + Lambda francotel Wed, 07 May 2025 17:55:24 +0000 https://forem.com/francotel/misconfigured-s3-buckets-detect-and-remediate-with-aws-config-lambda-11p https://forem.com/francotel/misconfigured-s3-buckets-detect-and-remediate-with-aws-config-lambda-11p <h2> 🚚 1. The Hidden Danger: S3 Buckets Left Public </h2> <p>Many developers create S3 buckets using the default console settings, CLI scripts, or even automation templates (like CloudFormation or Terraform) — <strong>without fully reviewing access policies.</strong></p> <p>🎯 <strong>What could go wrong?</strong></p> <ul> <li> <code>public-read</code> or <code>public-write</code> is enabled by mistake</li> <li>Bucket policies allow <code>Principal: "*"</code> </li> <li>Static websites are deployed with no access restrictions</li> <li>Files contain sensitive data: <code>.env</code>, <code>backup.zip</code>, <code>user-data.csv</code> </li> </ul> <blockquote> <p><strong>Case Study</strong><br><br> A dev team created a bucket to share app logs for debugging. The bucket had public access, and after 3 weeks it was indexed by a search engine. It contained logs with API keys and customer email addresses.<br><br> 💞 This resulted in an internal audit and months of cleanup work.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft7zpbcrwkmwhqr2arbya.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft7zpbcrwkmwhqr2arbya.png" alt="s3-mis" width="800" height="435"></a></p> <h2> 🔎 2. What Causes These Misconfigurations? </h2> <ul> <li>Rushed deployment with <code>aws s3api create-bucket</code> </li> <li>CI/CD pipelines that skip security checks</li> <li>Inexperienced teams who don't understand IAM or bucket policy syntax</li> <li>Copy-pasted infrastructure templates with bad defaults</li> <li>Developers assume "private unless shared" — but <strong>S3 can default to public</strong> </li> </ul> <h2> ⚠ 3. Consequences of Misconfigured Buckets </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Impact</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>🕵‍♂ Data Exposure</td> <td>Customer data, code, secrets available online</td> </tr> <tr> <td>💰 Cost Spike</td> <td>Public write access can be exploited to store malware or pirated files</td> </tr> <tr> <td>❌ Compliance Violation</td> <td>Breach of GDPR, HIPAA, SOC2 or ISO27001</td> </tr> <tr> <td>📉 Reputational Damage</td> <td>Public trust loss, press coverage</td> </tr> <tr> <td>🛠 Incident Response</td> <td>Reactive patching, forensic work, legal reports</td> </tr> </tbody> </table></div> <h2> ✅ 4. How to Fix It Automatically </h2> <h3> 💡 Best combo: <strong>AWS Config + Lambda</strong> </h3> <p>🧭 <strong>AWS Config</strong><br><br> Monitors and evaluates your AWS resources against a list of compliance rules. For S3, it can detect:</p> <ul> <li>Public read/write access</li> <li>Missing encryption</li> <li>Logging not enabled</li> </ul> <p>⚙ <strong>AWS Lambda</strong><br><br> Executes custom code to fix non-compliant resources, instantly and automatically.</p> <blockquote> <p>Together, they create a <strong>self-healing cloud security workflow</strong>.</p> </blockquote> <h3> 🛡 AWS Config Rules: Managed vs. Custom (S3 Security Demo) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>🔧 Managed Rules (AWS)</th> <th>⚡ Custom Rules (Your Code)</th> </tr> </thead> <tbody> <tr> <td><strong>🚀 Setup Speed</strong></td> <td>✅ Instant (~1 minute)</td> <td>⏳ 15-30 mins (coding required)</td> </tr> <tr> <td><strong>🔧 Maintenance</strong></td> <td>🀖 Fully automated by AWS</td> <td>👚💻 Your team maintains</td> </tr> <tr> <td><strong>💡 Intelligence</strong></td> <td>📜 Fixed logic (CIS benchmarks)</td> <td>🧠 Your custom business logic</td> </tr> <tr> <td><strong>🔒 S3 Protection</strong></td> <td>🛡 Basic security checks</td> <td>🛡🛡🛡 Advanced protection</td> </tr> <tr> <td><strong>💞 Cost</strong></td> <td>💰 Included in Config pricing</td> <td>💰💰 + Lambda costs</td> </tr> <tr> <td><strong>🛠 Demo Ready?</strong></td> <td>❌ Too generic</td> <td>✅ Perfect for custom demos!</td> </tr> </tbody> </table></div> <p>I'm Choosing Custom Rules for Precision Targeting 🎯 </p> <h3> 🔐 Auto-Securing S3 Buckets with AWS Config &amp; Lambda </h3> <p><strong>🚀 Full Architecture &amp; Deployment Code on GitHub</strong> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffygf0pyt984y8w6dmjnj.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffygf0pyt984y8w6dmjnj.gif" alt="archi" width="914" height="644"></a></p> <p>This automated solution protects your S3 buckets by: </p> <ol> <li> <strong>Detecting risks</strong> → Unencrypted buckets/public access </li> <li> <strong>Auto-fixing issues</strong> → Enforces KMS encryption &amp; security settings </li> <li> <strong>Maintaining compliance</strong> → Continuous AWS Config monitoring </li> </ol> <p>✹ <strong>Key Features</strong>: </p> <ul> <li> <strong>Terraform-powered</strong> infrastructure </li> <li> <strong>Python Lambda</strong> remediation logic </li> <li> <strong>Zero-touch</strong> security enforcement </li> <li> <strong>Demo mode</strong> included for testing </li> </ul> <p>📊 <strong>GitHub Repo Includes</strong>:<br><br> ✅ Complete Terraform deployment<br><br> ✅ Lambda source code<br><br> ✅ Architecture diagrams<br><br> ✅ Step-by-step instructions </p> <p>🔗 <strong><a href="https://github.com/francotel/auto-fix-s3-buckets-with-terraform" rel="noopener noreferrer">Get the Code →</a></strong> </p> <p><strong>🔄 Before Fix</strong><br><br> 🚚 Non-compliant bucket: </p> <ul> <li>No encryption ❌ </li> <li>Public access allowed ❌ </li> </ul> <p><strong>⚡ After Auto-Remediation</strong><br><br> ✅ Encryption enabled (KMS)<br><br> ✅ Public access blocked<br><br> 🕒 Compliance achieved in &lt;1 minute </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8xjjaq7n4osg9wduanf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8xjjaq7n4osg9wduanf.png" alt="remediation1" width="800" height="192"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3uiqniwn5yv7g6gxrsih.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3uiqniwn5yv7g6gxrsih.png" alt="remediation2" width="800" height="267"></a></p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> aws devops crosscloudx s3 🛠 Automate AMI Builds with Packer + EC2 Image Builder francotel Tue, 15 Apr 2025 11:37:27 +0000 https://forem.com/francotel/automate-ami-builds-with-packer-ec2-image-builder-3p70 https://forem.com/francotel/automate-ami-builds-with-packer-ec2-image-builder-3p70 <h3> 📊 DevOps Battle for Golden Images in AWS </h3> <h2> 🧭 1. Why Automate AMI Builds? </h2> <p><strong>Golden AMIs</strong> ensure that all your EC2 instances start with consistent, hardened, and pre-configured environments.</p> <p>❌ Manual builds = human errors, time waste, inconsistent images<br><br> ✅ Automated builds = repeatable, secure, auditable</p> <h2> ⚔ 2. Packer vs EC2 Image Builder: The Showdown </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>🧰 Packer</th> <th>🖌 EC2 Image Builder</th> </tr> </thead> <tbody> <tr> <td>🔧 Configuration Language</td> <td>JSON or HCL</td> <td>YAML or Console</td> </tr> <tr> <td>🔄 Integration with CI/CD</td> <td>✅ Very flexible</td> <td>⚠ Limited (manual triggers, EventBridge workaround)</td> </tr> <tr> <td>🛡 Security Controls</td> <td>✅ Custom via hardening scripts</td> <td>✅ SSM + IAM roles</td> </tr> <tr> <td>📊 Output Formats</td> <td>AMIs, Docker, Vagrant, etc.</td> <td>AMIs (only)</td> </tr> <tr> <td>☁ AWS Native</td> <td>❌ Third-party tool</td> <td>✅ Fully managed</td> </tr> <tr> <td>📜 Logging &amp; Visibility</td> <td>CLI or external</td> <td>✅ CloudWatch logs, detailed history</td> </tr> <tr> <td>🧪 Testing AMIs</td> <td>Manual or via external tools</td> <td>✅ Supports testing phases (e.g., InSpec)</td> </tr> <tr> <td>💰 Cost</td> <td>Low (runs in your own infra)</td> <td>Low, but requires pipeline resources</td> </tr> </tbody> </table></div> <blockquote> <p><strong>🏁 TL;DR:</strong> </p> <ul> <li>Use <strong>Packer</strong> when you need portability and full control. </li> <li>Use <strong>EC2 Image Builder</strong> when you prefer AWS-native, low-maintenance pipelines.</li> </ul> </blockquote> <h2> 🔧 3. Demo: Building a Hardened Ubuntu AMI in Both Tools </h2> <h3> Option A: Using Packer + HCL </h3> <ol> <li>Define <code>ubuntu.pkr.hcl</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">packer</span> <span class="p">{</span> <span class="nx">required_plugins</span> <span class="p">{</span> <span class="nx">amazon</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.2.8"</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/hashicorp/amazon"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">source</span> <span class="s2">"amazon-ebs"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">ami_name</span> <span class="p">=</span> <span class="s2">"learn-packer-linux-aws"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-west-2"</span> <span class="nx">source_ami_filter</span> <span class="p">{</span> <span class="nx">filters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"</span> <span class="nx">root-device-type</span> <span class="p">=</span> <span class="s2">"ebs"</span> <span class="nx">virtualization-type</span> <span class="p">=</span> <span class="s2">"hvm"</span> <span class="p">}</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ssh_username</span> <span class="p">=</span> <span class="s2">"ubuntu"</span> <span class="p">}</span> <span class="nx">build</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"learn-packer"</span> <span class="nx">sources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"source.amazon-ebs.ubuntu"</span><span class="p">]</span> <span class="nx">provisioner</span> <span class="s2">"shell"</span> <span class="p">{</span> <span class="nx">inline</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sudo apt-get update"</span><span class="p">,</span> <span class="s2">"sudo apt-get install -y nginx"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Build the image: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>packer init <span class="nb">.</span> packer build ubuntu.pkr.hcl </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxc7cnpjcqyi3httogn3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxc7cnpjcqyi3httogn3.png" alt="packer-build" width="755" height="453"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5j4k7fnc0eshf6tc1mi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5j4k7fnc0eshf6tc1mi.png" alt="ami-ec2" width="648" height="163"></a></p> <h3> Option B: Using EC2 Image Builder </h3> <p>Create a Recipe</p> <ol> <li>Example component in YAML: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">install-nginx</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Install Nginx</span> <span class="na">phases</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt update</span> <span class="pi">-</span> <span class="s">apt install -y nginx</span> </code></pre> </div> <ol> <li>Create a Pipeline with:</li> </ol> <ul> <li>Source AMI: Ubuntu 22.04</li> <li>Build Component: install-nginx</li> <li>Test Component (optional): e.g., check Nginx service</li> <li>Output: AMI in target region</li> </ul> <p>Trigger manually or via EventBridge for automation (e.g., weekly builds)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5na0iuwkhy1n8mxm7qdv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5na0iuwkhy1n8mxm7qdv.png" alt="ec2-image-builder" width="800" height="344"></a></p> <h2> 🎯 5. Conclusions &amp; Recommendations </h2> <blockquote> <p><strong>Verdict:</strong><br><br> 🧰 Use <strong>Packer</strong> if: </p> <ul> <li>You want cross-cloud image creation </li> <li>You need integration with existing pipelines </li> <li>You're comfortable managing infrastructure</li> </ul> <p>🖌 Use <strong>EC2 Image Builder</strong> if: </p> <ul> <li>You're all-in on AWS </li> <li>You want minimal setup with native controls </li> <li>You want to integrate with AWS Config, IAM, and SSM easily</li> </ul> </blockquote> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> aws devops terraform crosscloudx Friday Deployments: A Horror Story 💀 francotel Fri, 21 Mar 2025 15:11:06 +0000 https://forem.com/francotel/friday-deployments-a-horror-story-4m12 https://forem.com/francotel/friday-deployments-a-horror-story-4m12 <p>It was <strong>4:55 PM on a Friday</strong> at <strong>SpookyCloud Inc.</strong>. <strong>Alice</strong>, the lead developer, stretched her arms and smiled. </p> <p><em>"Just one last deployment before the weekend!"</em> she said. </p> <p>Bob, the DevOps engineer, looked up in horror. <strong>"Wait... you’re deploying on a Friday?"</strong> </p> <p><em>"Relax, it’s just a small update. What could go wrong?"</em> Alice laughed as she ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git push origin main </code></pre> </div> <p>☠ Big mistake.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74777hafrtzb0xqfqfhw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74777hafrtzb0xqfqfhw.png" alt="friday-deploy" width="600" height="450"></a></p> <h2> 🚚 <strong>The Chaos Begins</strong> </h2> <p>At <strong>5:02 PM</strong>, alerts flooded Slack: </p> <blockquote> <p><strong>🔥 500 Internal Server Error!</strong><br><br> <strong>🔥 Database connection failed!</strong><br><br> <strong>🔥 API Gateway timeout!</strong> </p> </blockquote> <p>The production site was <strong>down</strong>. </p> <p>Bob frantically checked the logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>backend <span class="nt">--tail</span><span class="o">=</span>20 </code></pre> </div> <p>👀 <strong>ERROR: Missing database migration</strong> </p> <p>Alice gasped. <em>"Oh no... I forgot to apply the migration!"</em> </p> <p>Bob tried to roll back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout undo deployment backend </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7hwte1qxfddpssz0dmj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7hwte1qxfddpssz0dmj.png" alt="callback" width="360" height="360"></a></p> <p>⚠ <strong>FAILED: Image not found</strong> </p> <p>😚 <em>The rollback failed. They were trapped.</em> </p> <h2> ⏳ <strong>The Longest Friday Night</strong> </h2> <p>By <strong>7:30 PM</strong>, Bob and Alice were still debugging. Their Slack statuses changed to: </p> <p>🛠 <strong>“Fixing production 😭”</strong> </p> <p>By <strong>9:45 PM</strong>, the <strong>CTO</strong> joined the call: </p> <blockquote> <p><em>"Why are we down? Who pushed to <strong>main</strong> on a Friday?"</em> </p> </blockquote> <p>Alice turned pale. She felt a chill down her spine. </p> <p><em>"It was me... I thought it was safe..."</em> she whispered. </p> <p>The CTO sighed. <em>"Well, guess what? We’re all working late now."</em> </p> <p>By <strong>1:15 AM</strong>, they finally fixed the issue. The site was back, but their weekend was ruined. </p> <h2> 📜 <strong>Lessons from the Nightmare</strong> </h2> <p>🕵‍♂ <strong>Never deploy on a Friday.</strong><br><br> 📋 <strong>Test in staging first.</strong><br><br> 🔄 <strong>Always have a rollback plan.</strong><br><br> 🛑 <strong>Feature flags are your friend.</strong> </p> <h2> 🔥 <strong>Don't Let This Happen to You</strong> </h2> <p>Do you <strong>really</strong> want to risk your weekend? </p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> 🧟‍♂ The Zombie Server That Wouldn’t Die 💀 francotel Wed, 12 Mar 2025 22:47:05 +0000 https://forem.com/francotel/the-zombie-server-that-wouldnt-die-45di https://forem.com/francotel/the-zombie-server-that-wouldnt-die-45di <h2> 🕛 The Midnight Nightmare </h2> <p>It was midnight at <strong>SpookyCloud Inc.</strong>. The office was dark, and the only light came from <strong>Bob’s</strong> laptop screen. He was tired, ready to go home when suddenly... </p> <blockquote> <p><strong>🔔 Slack Alert: "EC2 instance terminated"</strong> </p> </blockquote> <p>"Finally," Bob sighed. That old server was deleted weeks ago. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd42xxep6z57ggwv1323v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd42xxep6z57ggwv1323v.png" alt="ec2-terminated" width="800" height="371"></a></p> <p>But then... </p> <blockquote> <p><strong>🔔 Slack Alert: "EC2 instance running"</strong> </p> </blockquote> <p>Bob’s heart skipped a beat. "No... no way," he whispered. </p> <p>He opened the AWS console — there it was, running again. He stopped it once more. </p> <blockquote> <p><strong>🔔 Slack Alert: "EC2 instance running"</strong> </p> </blockquote> <p>😚 <em>The server was back... again.</em> </p> <h2> 💀 The Monster Grows Stronger </h2> <p>Every time Bob stopped the server, it returned — stronger and angrier. The CPU usage climbed higher, draining resources like a hungry beast. </p> <p>Bob checked the logs... <strong>nothing</strong>. No deployments, no cron jobs. It was as if the server had a mind of its own. </p> <p>He grabbed his keyboard and typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Reservations[*].Instances[*].[InstanceId,Tags]'</span> </code></pre> </div> <h3> 📋 The result? No tags. No owner. No clues. </h3> <p>"It's a ghost..." Bob muttered.</p> <h2> 👁 The Forgotten Curse </h2> <p>Digging deeper, Bob discovered the truth — the server belonged to a forgotten Auto Scaling Group from an ex-employee. Each time the server died, the group brought it back to life... like a cursed tomb opening again and again.</p> <p>Bob’s fingers shook as he ran this final command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws autoscaling delete-auto-scaling-group <span class="se">\</span> <span class="nt">--auto-scaling-group-name</span> <span class="s2">"zombie-asg"</span> <span class="se">\</span> <span class="nt">--force-delete</span> </code></pre> </div> <p>⚰ The server was gone. For real this time.</p> <h2> 📜 The Moral of the Story </h2> <p>Like any good fable, Bob learned important lessons that night:</p> <p>🧟‍♂ Always tag your resources. A tagless server is a mystery waiting to haunt you.<br> 🧟‍♂ Clean up old environments. Forgotten test systems may return from the grave.<br> 🧟‍♂ Review your Auto Scaling Groups. Hidden triggers can summon the undead.<br> 🧟‍♂ Automate cleanup tasks. Don’t leave ghost servers to haunt your bill.</p> <h2> 🀝 <strong>Let's Connect!</strong> </h2> <p>If you find this repository useful and want to see more content like this, follow me on LinkedIn to stay updated on more projects and resources!</p> <p><a href="https://www.linkedin.com/in/franconavarro/" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n0txk0zfofh94t4rza7.png" alt="LinkedIn" width="300" height="76"></a></p> <p>If you’d like to support my work, you can buy me a coffee. Thank you for your support!</p> <p><a href="https://www.buymeacoffee.com/francotel" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpyb3wzaeuqkdfb9utao8.png" alt="BuyMeACoffee" width="512" height="100"></a></p> <p>Thank you for reading! 😊</p> devops terraform crosscloudx aws