The latest articles on Forem by InstaDevOps (@instadevops). https://forem.com/instadevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2952358%2F474aa7f4-09cf-409d-891e-cfc4f071d18a.png https://forem.com/instadevops en InstaDevOps Thu, 16 Apr 2026 13:46:46 +0000 https://forem.com/instadevops/building-a-devsecops-pipeline-shift-security-left-without-slowing-down-31fl https://forem.com/instadevops/building-a-devsecops-pipeline-shift-security-left-without-slowing-down-31fl <h2> Introduction </h2> <p>Every week brings news of another data breach, supply chain attack, or misconfigured cloud resource exposing millions of records. The traditional approach of bolting security on at the end of the development cycle no longer works. By the time a penetration tester finds a vulnerability in staging, the code has been through weeks of development, and fixing it means expensive rework.</p> <p>DevSecOps integrates security testing directly into your CI/CD pipeline so vulnerabilities are caught in minutes, not months. The goal is not to slow down development - it is to catch security issues at the same speed you catch bugs: automatically, on every commit.</p> <p>This guide walks through building a practical DevSecOps pipeline with real tool configurations, covering static analysis, dependency scanning, container image scanning, infrastructure security, and policy-as-code.</p> <h2> The DevSecOps Pipeline Stages </h2> <p>A mature DevSecOps pipeline runs security checks at every stage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Code Commit → SAST → Dependency Scan → Build → Container Scan → IaC Scan → DAST → Deploy → Runtime Protection </code></pre> </div> <p>You do not need all of these on day one. Start with the highest-impact, lowest-friction stages and layer on additional checks as your team matures.</p> <h2> Stage 1: Static Application Security Testing (SAST) </h2> <p>SAST tools analyze your source code for vulnerabilities without executing it. They catch issues like SQL injection, cross-site scripting, hardcoded secrets, and insecure cryptographic patterns.</p> <h3> Semgrep for Custom and Community Rules </h3> <p>Semgrep is fast, supports 30+ languages, and lets you write custom rules in a simple YAML syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/sast.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SAST Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">semgrep</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">semgrep/semgrep</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">semgrep scan --config auto --error --sarif --output semgrep.sarif .</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">semgrep.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <p>The <code>--config auto</code> flag uses Semgrep's curated community ruleset. For stricter scanning, add specific rule packs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>semgrep scan <span class="se">\</span> <span class="nt">--config</span> p/security-audit <span class="se">\</span> <span class="nt">--config</span> p/secrets <span class="se">\</span> <span class="nt">--config</span> p/owasp-top-ten <span class="se">\</span> <span class="nt">--error</span> <span class="nb">.</span> </code></pre> </div> <h3> Writing Custom Security Rules </h3> <p>Create organization-specific rules for patterns your team should avoid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .semgrep/custom-rules.yml</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">no-raw-sql-queries</span> <span class="na">patterns</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">db.query($SQL, ...)</span> <span class="pi">-</span> <span class="na">pattern-not</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">db.query($SQL, [...])</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Use</span><span class="nv"> </span><span class="s">parameterized</span><span class="nv"> </span><span class="s">queries</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">prevent</span><span class="nv"> </span><span class="s">SQL</span><span class="nv"> </span><span class="s">injection"</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">javascript</span><span class="pi">,</span> <span class="nv">typescript</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">no-console-log-in-production</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">console.log(...)</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Remove</span><span class="nv"> </span><span class="s">console.log</span><span class="nv"> </span><span class="s">before</span><span class="nv"> </span><span class="s">merging</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">main"</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">WARNING</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">javascript</span><span class="pi">,</span> <span class="nv">typescript</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">src/</span> </code></pre> </div> <h2> Stage 2: Dependency and Supply Chain Scanning </h2> <p>Your application's dependencies are a massive attack surface. A single vulnerable transitive dependency can compromise your entire system.</p> <h3> Scanning with Trivy </h3> <p>Trivy scans not just containers but also filesystems for vulnerable dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/dependency-scan.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scan-dependencies</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Trivy filesystem scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">scan-type</span><span class="pi">:</span> <span class="s">fs</span> <span class="na">scan-ref</span><span class="pi">:</span> <span class="s">.</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="na">format</span><span class="pi">:</span> <span class="s">sarif</span> <span class="na">output</span><span class="pi">:</span> <span class="s">trivy-fs.sarif</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">trivy-fs.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <h3> Software Bill of Materials (SBOM) </h3> <p>Generate an SBOM for compliance and vulnerability tracking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate SBOM with Syft</span> syft packages <span class="nb">dir</span>:. <span class="nt">-o</span> spdx-json <span class="o">&gt;</span> sbom.spdx.json <span class="c"># Scan the SBOM for vulnerabilities with Grype</span> grype sbom:sbom.spdx.json <span class="nt">--fail-on</span> high </code></pre> </div> <h3> Automated Dependency Updates </h3> <p>Use Renovate or Dependabot to keep dependencies current:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">renovate.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://docs.renovatebot.com/renovate-schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"config:recommended"</span><span class="p">],</span><span class="w"> </span><span class="nl">"vulnerabilityAlerts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"security"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchUpdateTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"patch"</span><span class="p">],</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"branch"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchUpdateTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"major"</span><span class="p">],</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"breaking-change"</span><span class="p">],</span><span class="w"> </span><span class="nl">"assignees"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"team-lead"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Stage 3: Container Image Scanning </h2> <p>Container images often contain vulnerable OS packages, misconfigured permissions, and unnecessary tools that increase the attack surface.</p> <h3> Scanning During Build </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Scan image with Trivy</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">myapp:${{ github.sha }}</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check for root user</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">USER=$(docker inspect --format='{{.Config.User}}' myapp:${{ github.sha }})</span> <span class="s">if [ -z "$USER" ] || [ "$USER" = "root" ]; then</span> <span class="s">echo "ERROR: Container runs as root. Add a USER directive to your Dockerfile."</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <h3> Hardening Dockerfiles </h3> <p>A secure Dockerfile follows these patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Use specific version, not :latest</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20.11-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Multi-stage build - no build tools in final image</span> <span class="k">FROM</span><span class="s"> node:20.11-alpine</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> appuser <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> appuser <span class="nt">-u</span> 1001 <span class="nt">-G</span> appuser <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> --chown=appuser:appuser . .</span> <span class="c"># Drop all capabilities</span> <span class="k">USER</span><span class="s"> appuser</span> <span class="c"># Use dumb-init to handle PID 1 properly</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> dumb-init <span class="k">ENTRYPOINT</span><span class="s"> ["dumb-init", "--"]</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <h2> Stage 4: Infrastructure as Code Security </h2> <p>Misconfigured infrastructure is the leading cause of cloud breaches. Scan your Terraform, CloudFormation, and Kubernetes manifests before they reach production.</p> <h3> Checkov for IaC Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Checkov</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@v12</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="na">framework</span><span class="pi">:</span> <span class="s">terraform</span> <span class="na">soft_fail</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">output_format</span><span class="pi">:</span> <span class="s">sarif</span> <span class="na">output_file_path</span><span class="pi">:</span> <span class="s">checkov.sarif</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">checkov.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <p>Checkov catches misconfigurations like:</p> <ul> <li>S3 buckets without encryption</li> <li>Security groups open to 0.0.0.0/0</li> <li>RDS instances without encryption at rest</li> <li>IAM policies with wildcard permissions</li> <li>EBS volumes without encryption</li> </ul> <h3> tfsec for Terraform-Specific Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run tfsec on your Terraform directory</span> tfsec terraform/ <span class="nt">--format</span> sarif <span class="nt">--out</span> tfsec.sarif <span class="c"># Common findings:</span> <span class="c"># - aws-ec2-no-public-ingress-sgr</span> <span class="c"># - aws-s3-enable-bucket-encryption</span> <span class="c"># - aws-iam-no-policy-wildcards</span> <span class="c"># - aws-rds-encrypt-instance-storage-data</span> </code></pre> </div> <h2> Stage 5: Dynamic Application Security Testing (DAST) </h2> <p>DAST tools test your running application by sending requests and analyzing responses for vulnerabilities. Run these against a staging environment after deployment.</p> <h3> OWASP ZAP Baseline Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">dast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OWASP ZAP Baseline Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">zaproxy/action-baseline@v0.12.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">target</span><span class="pi">:</span> <span class="s">https://staging.example.com</span> <span class="na">rules_file_name</span><span class="pi">:</span> <span class="s">zap-rules.tsv</span> <span class="na">fail_action</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cmd_options</span><span class="pi">:</span> <span class="s1">'</span><span class="s">-a</span><span class="nv"> </span><span class="s">-j'</span> </code></pre> </div> <p>DAST scans are slower (minutes to hours) and noisier than SAST, so run them post-deployment rather than on every commit.</p> <h2> Stage 6: Policy-as-Code with Open Policy Agent </h2> <p>Policy-as-Code enforces organizational rules programmatically. Open Policy Agent (OPA) lets you write policies in Rego that gate deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># policy/kubernetes.rego</span> <span class="ow">package</span> <span class="n">kubernetes</span><span class="p">.</span><span class="n">admission</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="ow">not</span> <span class="n">container</span><span class="p">.</span><span class="n">resources</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">memory</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must have memory limits set"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">container</span><span class="p">.</span><span class="n">image</span> <span class="ow">not</span> <span class="n">contains</span><span class="p">(</span><span class="n">container</span><span class="p">.</span><span class="n">image</span><span class="p">,</span> <span class="s2">"@sha256:"</span><span class="p">)</span> <span class="ow">not</span> <span class="n">regex</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="s2">"^.*:[0-9]+\\.[0-9]+\\.[0-9]+$"</span><span class="p">,</span> <span class="n">container</span><span class="p">.</span><span class="n">image</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must use a specific version tag or digest, not :latest"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">container</span><span class="p">.</span><span class="n">securityContext</span><span class="p">.</span><span class="n">privileged</span> <span class="o">==</span> <span class="kc">true</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must not run in privileged mode"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h3> Conftest for CI Integration </h3> <p>Use Conftest to run OPA policies against Kubernetes manifests, Terraform plans, and Dockerfiles in CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test Kubernetes manifests</span> conftest <span class="nb">test </span>k8s/deployment.yaml <span class="nt">--policy</span> policy/ <span class="c"># Test Terraform plans</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan terraform show <span class="nt">-json</span> tfplan <span class="o">&gt;</span> tfplan.json conftest <span class="nb">test </span>tfplan.json <span class="nt">--policy</span> policy/terraform/ <span class="c"># Test Dockerfiles</span> conftest <span class="nb">test </span>Dockerfile <span class="nt">--policy</span> policy/docker/ </code></pre> </div> <h2> Putting It All Together </h2> <p>Here is a complete pipeline that ties all stages together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">DevSecOps Pipeline</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="c1"># Fast checks first (&lt; 2 minutes)</span> <span class="na">secrets-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trufflesecurity/trufflehog@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">extra_args</span><span class="pi">:</span> <span class="s">--only-verified</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm -v "${PWD}:/src" semgrep/semgrep \</span> <span class="s">semgrep scan --config auto --error /src</span> <span class="c1"># Medium checks (2-5 minutes)</span> <span class="na">dependency-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">scan-type</span><span class="pi">:</span> <span class="s">fs</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@v12</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="c1"># Build and container scan</span> <span class="na">build</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">secrets-scan</span><span class="pi">,</span> <span class="nv">sast</span><span class="pi">,</span> <span class="nv">dependency-scan</span><span class="pi">,</span> <span class="nv">iac-scan</span><span class="pi">]</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t app:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">app:${{ github.sha }}</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Deploy to staging, then DAST</span> <span class="na">deploy-staging</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "Deploy to staging"</span> <span class="na">dast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">zaproxy/action-baseline@v0.12.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">target</span><span class="pi">:</span> <span class="s">https://staging.example.com</span> </code></pre> </div> <h2> Managing False Positives </h2> <p>Every security scanning tool produces false positives. If you do not manage them, your team will start ignoring security alerts entirely.</p> <p><strong>Create a baseline.</strong> On initial integration, capture existing findings as a baseline and only alert on new issues.</p> <p><strong>Use inline suppressions with justification.</strong> Every suppressed finding should include a reason:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># nosemgrep: python.lang.security.audit.insecure-hash.insecure-hash # Justification: MD5 used for non-security cache key, not for cryptographic purposes </span><span class="n">cache_key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">md5</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> </code></pre> </div> <p><strong>Triage weekly.</strong> Assign someone to review and triage findings weekly. Close false positives, create tickets for real issues, and tune rules that produce too much noise.</p> <h2> Security Metrics That Matter </h2> <p>Tracking the right metrics tells you whether your DevSecOps pipeline is actually improving security or just generating noise.</p> <h3> Mean Time to Remediate (MTTR) </h3> <p>How long does it take from when a vulnerability is detected to when it is fixed in production? Track this by severity:</p> <ul> <li> <strong>Critical:</strong> Target under 24 hours</li> <li> <strong>High:</strong> Target under 7 days</li> <li> <strong>Medium:</strong> Target under 30 days</li> <li> <strong>Low:</strong> Target under 90 days</li> </ul> <h3> Vulnerability Escape Rate </h3> <p>What percentage of vulnerabilities make it past your CI/CD pipeline into production? This is your pipeline's effectiveness metric. Track it by comparing CI findings against production security scans and penetration test results.</p> <h3> Coverage Percentage </h3> <p>What percentage of your repositories have security scanning enabled? In most organizations, the answer is disturbingly low. Aim for 100% of production services covered by at minimum dependency scanning and SAST.</p> <h3> Fix Rate vs Find Rate </h3> <p>If you are finding vulnerabilities faster than you are fixing them, your backlog will grow indefinitely. This signals that your pipeline is too noisy (tune it) or your team needs more security training.</p> <h2> Getting Started: A Phased Approach </h2> <p>Do not try to implement everything at once. Here is a realistic rollout plan:</p> <p><strong>Week 1-2: Secrets scanning and dependency scanning.</strong> These have the highest signal-to-noise ratio and catch the most impactful issues. Enable Dependabot or Renovate for automated updates.</p> <p><strong>Week 3-4: SAST with Semgrep.</strong> Start with the default auto config. Do not write custom rules yet. Let the team get comfortable with the findings.</p> <p><strong>Month 2: Container image scanning.</strong> Add Trivy to your Docker build pipeline. Fix the critical and high findings, suppress the false positives with documentation.</p> <p><strong>Month 3: IaC scanning with Checkov.</strong> Scan your Terraform and Kubernetes manifests. This catches misconfigurations before they reach production.</p> <p><strong>Month 4+: DAST and policy-as-code.</strong> These require more setup and tuning but provide the deepest security coverage.</p> <h2> Need Help with Your DevOps? </h2> <p>Building a DevSecOps pipeline that catches real vulnerabilities without drowning your team in false positives takes careful tuning. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we implement security-hardened CI/CD pipelines for startups and growing teams - baking security in from day one.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your security posture.</p> devsecops security cicd devops InstaDevOps Wed, 15 Apr 2026 13:46:43 +0000 https://forem.com/instadevops/aws-ecs-vs-eks-a-practical-decision-framework-for-startups-3dgp https://forem.com/instadevops/aws-ecs-vs-eks-a-practical-decision-framework-for-startups-3dgp <h2> Introduction </h2> <p>You have containerized your application and now you need to run it in production on AWS. The two main options stare back at you from the AWS console: Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS). Both are fully managed, both run containers, and both integrate deeply with the AWS ecosystem.</p> <p>So which one should you pick?</p> <p>The answer is not "EKS because Kubernetes is the industry standard" and it is not "ECS because it is simpler." The right choice depends on your team size, operational maturity, workload characteristics, and growth trajectory. This article gives you a practical framework for making this decision, with real cost numbers and migration considerations.</p> <h2> ECS: The AWS-Native Path </h2> <p>ECS is AWS's proprietary container orchestration service. It is deeply integrated with the AWS ecosystem and was purpose-built to make running containers on AWS as straightforward as possible.</p> <h3> ECS Architecture </h3> <p>ECS has two launch types:</p> <p><strong>EC2 Launch Type:</strong> You manage the underlying EC2 instances. ECS handles container placement and scheduling.</p> <p><strong>Fargate Launch Type:</strong> Serverless containers. AWS manages the infrastructure entirely. You just define CPU, memory, and your container image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-api:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"portMappings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"containerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">3000</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/my-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> ECS Strengths </h3> <p><strong>Zero Kubernetes knowledge required.</strong> Your team interacts with familiar AWS concepts: task definitions, services, target groups, IAM roles. There is no <code>kubectl</code>, no YAML manifests with 15 indentation levels, no CRDs.</p> <p><strong>Deep AWS integration.</strong> ECS natively integrates with ALB/NLB, CloudWatch, IAM task roles, Secrets Manager, Parameter Store, App Mesh, and CloudMap for service discovery. These integrations work out of the box with minimal configuration.</p> <p><strong>Lower operational overhead.</strong> Especially with Fargate, there are no nodes to patch, no cluster upgrades to manage, no etcd to worry about. AWS handles all of it.</p> <p><strong>Simpler networking.</strong> The <code>awsvpc</code> network mode gives each task its own ENI and security group. No overlay networks, no kube-proxy, no CNI plugin decisions.</p> <h3> ECS Limitations </h3> <ul> <li>Vendor lock-in to AWS</li> <li>Smaller community and ecosystem compared to Kubernetes</li> <li>Limited scheduling customization</li> <li>No equivalent to Kubernetes operators or CRDs for extending the platform</li> <li>Fewer third-party tools (no Helm, no ArgoCD, no Istio)</li> </ul> <h2> EKS: The Kubernetes Path </h2> <p>EKS is AWS's managed Kubernetes service. AWS manages the control plane (API server, etcd, scheduler), and you manage the worker nodes or use Fargate for serverless pods.</p> <h3> EKS Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Sample Kubernetes deployment</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-api:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">250m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> EKS Strengths </h3> <p><strong>Portability.</strong> Kubernetes manifests work on any cloud provider or on-premises cluster. If multi-cloud or hybrid-cloud is in your future, EKS keeps your options open.</p> <p><strong>Rich ecosystem.</strong> Helm charts, ArgoCD for GitOps, Istio or Linkerd for service mesh, Prometheus and Grafana for monitoring, cert-manager for TLS, external-dns for DNS automation. The Kubernetes ecosystem is enormous.</p> <p><strong>Advanced scheduling.</strong> Node affinities, taints and tolerations, pod topology spread constraints, priority classes, and preemption give you fine-grained control over workload placement.</p> <p><strong>Extensibility.</strong> Custom Resource Definitions and operators let you extend Kubernetes to manage databases, message queues, ML pipelines, and virtually anything else as native Kubernetes resources.</p> <h3> EKS Limitations </h3> <ul> <li>$0.10/hour ($73/month) control plane cost before any compute</li> <li>Steep learning curve (expect 3-6 months for a team new to Kubernetes)</li> <li>Cluster upgrades require planning and testing (new version every 4 months)</li> <li>More moving parts: CNI plugins, ingress controllers, cluster autoscaler, DNS</li> <li>Significantly higher operational burden</li> </ul> <h2> Cost Comparison </h2> <p>Let us compare the cost of running a typical startup workload: 3 services, each running 2 replicas with 0.5 vCPU and 1 GB RAM.</p> <h3> ECS Fargate </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Per task: 0.5 vCPU + 1 GB RAM Fargate pricing (eu-west-1): vCPU: $0.04048/hour Memory: $0.004445/GB/hour Per task/hour: (0.5 * $0.04048) + (1 * $0.004445) = $0.02469 6 tasks total: $0.02469 * 6 = $0.14814/hour Monthly: $0.14814 * 730 = $108.14/month </code></pre> </div> <h3> ECS EC2 (with Reserved Instances) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2x t3.medium (2 vCPU, 4 GB) with 1-year RI: On-demand: $0.0416/hour each 1-year RI (no upfront): $0.027/hour each Monthly: 2 * $0.027 * 730 = $39.42/month </code></pre> </div> <h3> EKS with Managed Node Group </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS control plane: $0.10/hour = $73/month 2x t3.medium nodes (same as ECS EC2): 1-year RI: 2 * $0.027 * 730 = $39.42/month Monthly total: $73 + $39.42 = $112.42/month </code></pre> </div> <h3> EKS Fargate </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS control plane: $73/month Fargate pods (same as ECS Fargate): $108.14/month Plus CoreDNS pods on Fargate: ~$15/month Monthly total: $73 + $108.14 + $15 = $196.14/month </code></pre> </div> <p>At small scale, ECS on EC2 is the cheapest option by far. EKS adds a fixed $73/month control plane cost that only becomes negligible at larger scales.</p> <h2> The Decision Framework </h2> <h3> Choose ECS When </h3> <p><strong>Your team is small (under 10 engineers).</strong> The operational overhead of Kubernetes is not justified when a few people can manage ECS with part-time attention.</p> <p><strong>You are all-in on AWS.</strong> If you have no plans for multi-cloud and are already using ALB, CloudWatch, and IAM extensively, ECS slots in naturally.</p> <p><strong>You want Fargate's simplicity.</strong> ECS Fargate is the easiest path from container image to running workload. No nodes, no cluster management, no upgrades.</p> <p><strong>Your workloads are straightforward.</strong> Web APIs, background workers, and scheduled tasks that do not need advanced scheduling or custom operators.</p> <p><strong>You need to ship fast.</strong> A team new to containers can have ECS running in production within a week. Kubernetes takes months to operate confidently.</p> <h3> Choose EKS When </h3> <p><strong>Multi-cloud or hybrid is a real requirement.</strong> Not a hypothetical future possibility, but an actual business constraint.</p> <p><strong>You have Kubernetes experience on the team.</strong> If your engineers already know Kubernetes, EKS employs that knowledge. Forcing Kubernetes-experienced engineers to learn ECS is a lateral move with no payoff.</p> <p><strong>You need the ecosystem.</strong> If your architecture requires service mesh, GitOps (ArgoCD), advanced traffic management, or custom operators, the Kubernetes ecosystem is unmatched.</p> <p><strong>You are running 20+ services.</strong> At scale, Kubernetes' sophisticated scheduling, resource management, and namespace isolation become genuine advantages.</p> <p><strong>You are building a platform team.</strong> If part of your strategy is building an internal developer platform, Kubernetes provides the extensibility to build abstractions on top.</p> <h2> Migration Paths </h2> <h3> ECS to EKS </h3> <p>If you outgrow ECS, migration is manageable:</p> <ol> <li>Set up EKS cluster alongside existing ECS</li> <li>Convert task definitions to Kubernetes deployments (the container config is similar)</li> <li>Use AWS ALB Ingress Controller to maintain the same load balancer</li> <li>Migrate services one at a time, shifting traffic gradually</li> <li>Decommission ECS services after verification</li> </ol> <h3> EKS to ECS </h3> <p>Rarer, but it happens when teams realize they over-invested in Kubernetes:</p> <ol> <li>Convert Kubernetes deployments to ECS task definitions</li> <li>Replace Kubernetes services with ECS services + ALB target groups</li> <li>Replace Helm/ArgoCD with AWS CodePipeline or similar</li> <li>Migrate ConfigMaps/Secrets to AWS Parameter Store/Secrets Manager</li> </ol> <h2> A Pragmatic Recommendation </h2> <p>For most startups and SMBs running fewer than 15 services on AWS, <strong>start with ECS</strong>. Here is why:</p> <ol> <li>You avoid 3-6 months of Kubernetes learning curve</li> <li>You save $73/month in control plane costs (trivial individually, but symbolic of broader overhead)</li> <li>You eliminate cluster upgrade maintenance windows</li> <li>Your engineers focus on product features instead of infrastructure plumbing</li> <li>If you outgrow ECS, the migration to EKS is well-understood</li> </ol> <p>The exception: if you already have a team member who is deeply experienced with Kubernetes and can own the cluster operations, EKS is fine from day one.</p> <h2> Operational Overhead: What Nobody Tells You </h2> <p>The cost comparison above only covers compute. The real difference between ECS and EKS is operational overhead - the time your engineers spend managing the orchestration platform itself rather than building product features.</p> <h3> ECS Day-2 Operations </h3> <p>With ECS (especially Fargate), your ongoing operational tasks are minimal:</p> <ul> <li> <strong>Task definition updates</strong> when you change container config (straightforward JSON/Terraform changes)</li> <li> <strong>Service scaling policies</strong> adjustments based on traffic patterns</li> <li> <strong>ALB health check tuning</strong> to match your application's startup time</li> <li> <strong>Security group and IAM role updates</strong> as your network requirements change</li> </ul> <p>Most of this is standard AWS work that any cloud engineer can handle.</p> <h3> EKS Day-2 Operations </h3> <p>EKS adds a significant layer of Kubernetes-specific operational work:</p> <ul> <li> <strong>Cluster version upgrades</strong> every 4 months (Kubernetes drops support for old versions aggressively). Each upgrade requires testing all workloads, updating add-ons, and often updating manifests for deprecated APIs.</li> <li> <strong>Add-on management</strong>: CoreDNS, kube-proxy, VPC CNI, cluster autoscaler, ingress controller, cert-manager, external-dns - each has its own version matrix and upgrade path.</li> <li> <strong>Node group rotation</strong> when you change AMIs or instance types. Cordon, drain, replace.</li> <li> <strong>RBAC policy management</strong> as teams and services grow.</li> <li> <strong>etcd monitoring</strong> for the control plane (managed by AWS, but you still need to understand its implications for API server performance).</li> <li> <strong>Debugging Kubernetes networking</strong> when services cannot reach each other (is it a NetworkPolicy? A CNI issue? A security group? A missing service account?).</li> </ul> <p>A reasonable estimate: EKS adds 10-20 hours per month of platform engineering work compared to ECS. At a senior engineer's loaded cost, that is $3,000-6,000/month in operational overhead that does not show up on your AWS bill.</p> <h2> Real-World Scenarios </h2> <h3> Scenario 1: 4-Person Startup, 2 Services </h3> <p><strong>Choose ECS Fargate.</strong> You do not have the engineering bandwidth to learn and operate Kubernetes. ECS Fargate lets you deploy containers in an afternoon and forget about infrastructure management for the next 12 months.</p> <h3> Scenario 2: 25-Person Scale-Up, 12 Services, AWS Only </h3> <p><strong>Choose ECS EC2.</strong> You are big enough that Fargate costs add up, but your services are straightforward enough that Kubernetes' advanced features are not needed. ECS on EC2 with Reserved Instances gives you the best cost efficiency.</p> <h3> Scenario 3: 50-Person Company, 30 Services, Multi-Cloud Mandate </h3> <p><strong>Choose EKS.</strong> At this scale, you likely have or can hire a dedicated platform engineer. Kubernetes' portability and ecosystem justify the operational investment, and you will benefit from tools like ArgoCD, Istio, and custom operators.</p> <h3> Scenario 4: Regulated Industry, Compliance Requirements </h3> <p><strong>EKS edges ahead.</strong> Kubernetes' namespace isolation, network policies, pod security standards, and OPA Gatekeeper provide a richer set of compliance controls. Combined with tools like Falco for runtime security, you can build a compliance story that auditors understand and respect.</p> <h2> Need Help with Your DevOps? </h2> <p>Choosing the right container orchestration platform is just the first decision. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we help startups set up production-grade container infrastructure on AWS - whether that is ECS, EKS, or a migration between the two.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your container strategy.</p> aws ecs eks kubernetes InstaDevOps Tue, 14 Apr 2026 13:46:40 +0000 https://forem.com/instadevops/advanced-github-actions-matrix-builds-reusable-workflows-and-self-hosted-runners-h07 https://forem.com/instadevops/advanced-github-actions-matrix-builds-reusable-workflows-and-self-hosted-runners-h07 <h2> Introduction </h2> <p>GitHub Actions has matured from a simple CI tool into a full-featured automation platform. Most teams start with a basic build-and-test workflow, but GitHub Actions offers far more powerful patterns that can dramatically reduce pipeline duplication, speed up builds, and cut CI costs.</p> <p>This article covers advanced patterns that separate hobby-level GitHub Actions usage from production-grade CI/CD: matrix builds for testing across multiple environments, reusable workflows for eliminating duplication, self-hosted runners for cost and performance, and secrets management strategies that keep your pipelines secure.</p> <p>If you are already comfortable writing basic GitHub Actions workflows, this guide will take you to the next level.</p> <h2> Matrix Builds: Test Everything in Parallel </h2> <p>Matrix builds let you run the same job across multiple combinations of variables - OS versions, language versions, dependency versions - without duplicating workflow code.</p> <h3> Basic Matrix Strategy </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">18</span><span class="pi">,</span> <span class="nv">20</span><span class="pi">,</span> <span class="nv">22</span><span class="pi">]</span> <span class="na">os</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ubuntu-latest</span><span class="pi">,</span> <span class="nv">macos-latest</span><span class="pi">]</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> </code></pre> </div> <p>Setting <code>fail-fast: false</code> ensures all matrix combinations run to completion even if one fails. This is critical for understanding the full scope of compatibility issues.</p> <h3> Dynamic Matrix Generation </h3> <p>For more complex scenarios, generate the matrix dynamically from a previous job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">detect-services</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="s">${{ steps.find.outputs.services }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">find</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Find all directories with a Dockerfile</span> <span class="s">SERVICES=$(find services/ -name Dockerfile -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')</span> <span class="s">echo "services=$SERVICES" &gt;&gt; $GITHUB_OUTPUT</span> <span class="na">build</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect-services</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="s">${{ fromJson(needs.detect-services.outputs.services) }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t ${{ matrix.service }}:latest ${{ matrix.service }}</span> </code></pre> </div> <p>This pattern is invaluable for monorepos: only build and test services that have changed, and automatically pick up new services without modifying the workflow.</p> <h3> Matrix Include and Exclude </h3> <p>Fine-tune your matrix with include and exclude rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">os</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ubuntu-latest</span><span class="pi">,</span> <span class="nv">windows-latest</span><span class="pi">]</span> <span class="na">node</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">18</span><span class="pi">,</span> <span class="nv">20</span><span class="pi">]</span> <span class="na">include</span><span class="pi">:</span> <span class="c1"># Add an experimental Node 22 build on Ubuntu only</span> <span class="pi">-</span> <span class="na">os</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">node</span><span class="pi">:</span> <span class="m">22</span> <span class="na">experimental</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">exclude</span><span class="pi">:</span> <span class="c1"># Skip Node 18 on Windows (known incompatibility)</span> <span class="pi">-</span> <span class="na">os</span><span class="pi">:</span> <span class="s">windows-latest</span> <span class="na">node</span><span class="pi">:</span> <span class="m">18</span> </code></pre> </div> <h2> Reusable Workflows: Eliminate Duplication </h2> <p>If you have 10 microservices with nearly identical CI workflows, reusable workflows let you define the pipeline once and call it from each repository.</p> <h3> Creating a Reusable Workflow </h3> <p>Define a workflow with <code>workflow_call</code> trigger in a shared repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/build-and-deploy.yml in org/shared-workflows repo</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy Service</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_call</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">dockerfile-path</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">./Dockerfile'</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">IMAGE="${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ github.sha }}"</span> <span class="s">docker build -f ${{ inputs.dockerfile-path }} -t $IMAGE .</span> <span class="s">docker push $IMAGE</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">${{ inputs.environment }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to ECS</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster ${{ inputs.environment }}-cluster \</span> <span class="s">--service ${{ inputs.service-name }} \</span> <span class="s">--force-new-deployment</span> </code></pre> </div> <h3> Calling a Reusable Workflow </h3> <p>Each service repository calls the shared workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml in service repo</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy-staging</span><span class="pi">:</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">org/shared-workflows/.github/workflows/build-and-deploy.yml@v2.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="s">payment-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ secrets.ECR_REGISTRY }}</span> <span class="na">deploy-production</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">org/shared-workflows/.github/workflows/build-and-deploy.yml@v2.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="s">payment-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ secrets.ECR_REGISTRY }}</span> </code></pre> </div> <p>Pin the reusable workflow to a specific tag (<code>@v2.1.0</code>) so that upstream changes do not break your pipelines unexpectedly.</p> <h2> Self-Hosted Runners: Performance and Cost Control </h2> <p>GitHub-hosted runners are convenient but come with limitations: fixed hardware specs, cold start times, no persistent caches, and costs that scale linearly with usage. Self-hosted runners solve these problems.</p> <h3> When Self-Hosted Runners Make Sense </h3> <ul> <li> <strong>Large Docker builds</strong> that benefit from persistent layer caches</li> <li> <strong>GPU workloads</strong> for ML model training or testing</li> <li> <strong>Network-restricted environments</strong> where jobs need access to internal resources</li> <li> <strong>High CI volume</strong> where GitHub-hosted runner costs exceed $1,000/month</li> <li> <strong>Specialized hardware</strong> requirements</li> </ul> <h3> Setting Up Ephemeral Self-Hosted Runners on AWS </h3> <p>Use the <code>actions-runner-controller</code> (ARC) to autoscale runners on Kubernetes, or use EC2 with a simpler setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Terraform for self-hosted runner ASG</span> <span class="s">resource "aws_launch_template" "runner" {</span> <span class="s">name_prefix = "github-runner-"</span> <span class="s">image_id = data.aws_ami.ubuntu.id</span> <span class="s">instance_type = "c6i.2xlarge"</span> <span class="s">user_data = base64encode(templatefile("runner-init.sh", {</span> <span class="s">github_org = var.github_org</span> <span class="s">runner_token = var.runner_registration_token</span> <span class="s">runner_labels = "self-hosted,linux,x64,large"</span> <span class="s">}))</span> <span class="s">block_device_mappings {</span> <span class="s">device_name = "/dev/sda1"</span> <span class="s">ebs {</span> <span class="s">volume_size = </span><span class="m">100</span> <span class="s">volume_type = "gp3"</span> <span class="s">}</span> <span class="s">}</span> <span class="err">}</span> <span class="s">resource "aws_autoscaling_group" "runners" {</span> <span class="s">desired_capacity = </span><span class="m">2</span> <span class="s">max_size = </span><span class="m">10</span> <span class="s">min_size = </span><span class="m">0</span> <span class="s">launch_template {</span> <span class="s">id = aws_launch_template.runner.id</span> <span class="s">version = "$Latest"</span> <span class="s">}</span> <span class="s">tag {</span> <span class="s">key = "Purpose"</span> <span class="s">value = "github-actions-runner"</span> <span class="s">propagate_at_launch = </span><span class="kc">true</span> <span class="s">}</span> <span class="err">}</span> </code></pre> </div> <h3> Using Runner Labels for Job Routing </h3> <p>Target specific runners using labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">unit-tests</span><span class="pi">:</span> <span class="c1"># Fast tests on GitHub-hosted runners</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="na">docker-build</span><span class="pi">:</span> <span class="c1"># Heavy builds on self-hosted with Docker cache</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">self-hosted</span><span class="pi">,</span> <span class="nv">linux</span><span class="pi">,</span> <span class="nv">large</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp:latest .</span> <span class="na">gpu-tests</span><span class="pi">:</span> <span class="c1"># ML tests on GPU runners</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">self-hosted</span><span class="pi">,</span> <span class="nv">gpu</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python -m pytest tests/ml/</span> </code></pre> </div> <h2> Secrets Management Patterns </h2> <p>Secrets handling in CI/CD is a top security concern. GitHub Actions provides several mechanisms, but you need to layer them correctly.</p> <h3> Environment-Scoped Secrets </h3> <p>Use GitHub environments to scope secrets to specific deployment targets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="c1"># Only secrets defined in "production" environment are available</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${{ secrets.DB_PASSWORD }}</span> <span class="c1"># Production-specific secret</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh</span> </code></pre> </div> <p>Configure required reviewers on the production environment so deployments require manual approval.</p> <h3> OIDC Authentication (No Long-Lived Keys) </h3> <p>Eliminate static AWS credentials entirely using OpenID Connect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/GitHubActionsRole</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="c1"># No access key or secret needed - uses OIDC token exchange</span> </code></pre> </div> <p>The IAM role trust policy restricts which repositories and branches can assume it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repo:yourorg/yourrepo:ref:refs/heads/main"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Secrets Scanning and Rotation </h3> <p>Add a workflow that scans for accidentally committed secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">secrets-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trufflesecurity/trufflehog@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">extra_args</span><span class="pi">:</span> <span class="s">--only-verified</span> </code></pre> </div> <h2> Caching Strategies for Faster Builds </h2> <p>Effective caching can cut build times by 50-80%.</p> <h3> Dependency Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">~/.npm</span> <span class="s">node_modules</span> <span class="na">key</span><span class="pi">:</span> <span class="s">deps-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">deps-${{ runner.os }}-</span> </code></pre> </div> <h3> Docker Layer Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> </code></pre> </div> <h3> Artifact Passing Between Jobs </h3> <p>Use artifacts to pass build outputs between jobs without rebuilding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build-output</span> <span class="na">path</span><span class="pi">:</span> <span class="s">dist/</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">1</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build-output</span> <span class="na">path</span><span class="pi">:</span> <span class="s">dist/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh dist/</span> </code></pre> </div> <h2> Workflow Organization at Scale </h2> <h3> Path-Based Triggers </h3> <p>Only run workflows when relevant files change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/payment-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">.github/workflows/payment-api.yml'</span> </code></pre> </div> <h3> Concurrency Control </h3> <p>Prevent redundant workflow runs when commits are pushed rapidly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">deploy-${{ github.ref }}</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>This cancels the previous run when a new commit is pushed to the same branch, saving runner minutes.</p> <h3> Composite Actions for Shared Steps </h3> <p>When full reusable workflows are overkill, composite actions bundle common steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/actions/setup-project/action.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Project</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Install dependencies and configure environment</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">runs</span><span class="pi">:</span> <span class="na">using</span><span class="pi">:</span> <span class="s">composite</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ inputs.node-version }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">node_modules</span> <span class="na">key</span><span class="pi">:</span> <span class="s">deps-${{ hashFiles('package-lock.json') }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> </code></pre> </div> <p>Use it in any workflow with a single line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/actions/setup-project</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> </code></pre> </div> <h2> Monitoring and Debugging Workflows </h2> <p>When workflows fail in production, you need fast diagnosis. GitHub provides several tools for this.</p> <h3> Step-Level Timing Analysis </h3> <p>Every workflow run shows timing per step. If your pipeline is slow, look for steps that take disproportionate time. Common culprits:</p> <ul> <li> <strong>Checkout with full history</strong> (<code>fetch-depth: 0</code>) on large repos - use shallow clones unless you need full history</li> <li> <strong>Docker builds without caching</strong> - always use BuildKit cache with <code>cache-from</code> and <code>cache-to</code> </li> <li> <strong>NPM/pip installs without cache</strong> - dependency caching alone can save 30-60 seconds per run</li> </ul> <h3> Workflow Run Logs and Annotations </h3> <p>Use <code>::warning</code> and <code>::error</code> workflow commands to surface issues directly in PR annotations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check bundle size</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">SIZE=$(stat -f%z dist/bundle.js)</span> <span class="s">if [ "$SIZE" -gt 500000 ]; then</span> <span class="s">echo "::warning file=dist/bundle.js::Bundle size is ${SIZE} bytes (over 500KB limit)"</span> <span class="s">fi</span> </code></pre> </div> <h3> Reusable Debug Workflow </h3> <p>Create a debug composite action that dumps useful context when things go wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug info</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "## Environment" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Runner: ${{ runner.os }} ${{ runner.arch }}" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Node: $(node --version)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Disk: $(df -h / | tail -1)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Memory: $(free -h 2&gt;/dev/null || vm_stat)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> </code></pre> </div> <h2> Common Pitfalls to Avoid </h2> <p><strong>Not pinning action versions.</strong> Using <code>actions/checkout@main</code> means your workflow can break without any change on your side. Always pin to a specific version tag or commit SHA for third-party actions.</p> <p><strong>Leaking secrets in logs.</strong> GitHub automatically masks secrets in logs, but derived values (like a URL containing a token) are not masked. Use <code>::add-mask::</code> for any sensitive derived values.</p> <p><strong>Ignoring workflow permissions.</strong> The default <code>GITHUB_TOKEN</code> has broad permissions. Use the <code>permissions</code> key to restrict to only what each job needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <p><strong>Running everything on push and pull_request.</strong> This causes duplicate runs. Use <code>push</code> for deploys (main branch only) and <code>pull_request</code> for checks.</p> <p><strong>Not using job summaries.</strong> The <code>$GITHUB_STEP_SUMMARY</code> file lets you write rich Markdown summaries that appear in the workflow run UI - much better than scrolling through raw logs.</p> <h2> Need Help with Your DevOps? </h2> <p>Setting up production-grade CI/CD pipelines with proper security, caching, and scaling takes real-world experience. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we build and maintain CI/CD infrastructure for startups and growing teams so your developers can focus on shipping features.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to optimize your GitHub Actions workflows.</p> github cicd devops automation InstaDevOps Mon, 13 Apr 2026 13:46:36 +0000 https://forem.com/instadevops/terraform-modules-done-right-mono-repo-versioning-and-registry-patterns-34g6 https://forem.com/instadevops/terraform-modules-done-right-mono-repo-versioning-and-registry-patterns-34g6 <h2> Introduction </h2> <p>As your Terraform codebase grows beyond a handful of resources, you inevitably face a structural decision: how do you organize reusable infrastructure components so that multiple teams can collaborate without stepping on each other's toes?</p> <p>The answer is Terraform modules. But writing a module is easy - organizing, versioning, and distributing them at scale is where most teams struggle. Poorly structured modules lead to copy-paste drift, version conflicts, and infrastructure that nobody fully understands.</p> <p>In this guide, we will walk through battle-tested patterns for organizing Terraform modules, choosing between mono-repo and multi-repo strategies, leveraging module registries, and implementing versioning that actually works in production.</p> <h2> What Makes a Good Terraform Module </h2> <p>Before discussing organization, let us establish what a well-designed module looks like. A good Terraform module follows these principles:</p> <p><strong>Single responsibility.</strong> Each module should manage one logical piece of infrastructure. A VPC module should not also create RDS instances.</p> <p><strong>Sensible defaults with full override capability.</strong> Provide defaults that work for 80% of use cases, but allow every significant parameter to be overridden:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type for the application servers"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"enable_enhanced_monitoring"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Enable enhanced monitoring with 60-second granularity"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tags"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional tags to apply to all resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Clear input/output contracts.</strong> Every variable should have a description, type constraint, and validation where appropriate. Every output that downstream consumers need should be explicitly exported:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR block for the VPC"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the created VPC"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of private subnet IDs"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p><strong>Minimal provider assumptions.</strong> Do not hardcode provider configurations inside modules. Let the caller configure the provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Bad - hardcoded provider in module</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1"># Good - module relies on caller's provider configuration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Mono-Repo vs Multi-Repo: Choosing the Right Strategy </h2> <p>This is the most debated structural decision in Terraform module management. Both approaches have legitimate trade-offs.</p> <h3> Mono-Repo Pattern </h3> <p>All modules live in a single repository with a directory structure like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-modules/ ├── modules/ │ ├── vpc/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ ├── ecs-service/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ ├── rds-postgres/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ └── s3-bucket/ │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── examples/ │ ├── complete-vpc/ │ └── ecs-with-rds/ ├── tests/ │ ├── vpc_test.go │ └── ecs_test.go └── .github/ └── workflows/ └── test.yml </code></pre> </div> <p><strong>Advantages:</strong></p> <ul> <li>Atomic cross-module changes in a single PR</li> <li>Unified CI/CD pipeline for testing</li> <li>Easier to maintain consistency across modules</li> <li>Simpler onboarding for new team members</li> <li>One place to search for all infrastructure patterns</li> </ul> <p><strong>Disadvantages:</strong></p> <ul> <li>Git tags version the entire repo, not individual modules</li> <li>Large repos can slow down CI runs</li> <li>Permission boundaries are harder (everyone can see everything)</li> </ul> <p><strong>When to use:</strong> Teams under 20 engineers, organizations with fewer than 30 modules, or when most modules are tightly coupled.</p> <h3> Multi-Repo Pattern </h3> <p>Each module gets its own repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-module-vpc/ (v2.3.1) terraform-module-ecs-service/ (v1.8.0) terraform-module-rds-postgres/ (v3.1.0) terraform-module-s3-bucket/ (v1.2.4) </code></pre> </div> <p><strong>Advantages:</strong></p> <ul> <li>Independent versioning per module using Git tags</li> <li>Fine-grained access control per repository</li> <li>Smaller, focused CI/CD pipelines</li> <li>Clear ownership boundaries</li> </ul> <p><strong>Disadvantages:</strong></p> <ul> <li>Cross-module changes require multiple PRs</li> <li>Dependency management becomes complex</li> <li>More repositories to maintain</li> <li>Harder to ensure consistency</li> </ul> <p><strong>When to use:</strong> Organizations with 50+ modules, multiple platform teams owning different modules, or strict compliance requirements needing audit trails per component.</p> <h3> The Hybrid Approach </h3> <p>Many mature organizations use a hybrid: a mono-repo for foundational modules maintained by the platform team, with separate repos for domain-specific modules owned by product teams:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>platform-terraform-modules/ # Platform team owns VPC, IAM, networking ├── modules/vpc/ ├── modules/iam-roles/ └── modules/cloudfront/ team-payments-terraform/ # Payments team owns their service modules ├── modules/payment-service/ └── modules/fraud-detection/ </code></pre> </div> <h2> Module Versioning Strategies </h2> <p>Versioning is where most Terraform setups break down. Without proper versioning, a module change can silently break every environment that references it.</p> <h3> Semantic Versioning </h3> <p>Follow semver strictly for modules:</p> <ul> <li> <strong>MAJOR</strong> (v2.0.0): Breaking changes (removed variables, renamed resources that force replacement)</li> <li> <strong>MINOR</strong> (v1.3.0): New features, new optional variables with defaults</li> <li> <strong>PATCH</strong> (v1.2.1): Bug fixes, documentation updates</li> </ul> <h3> Pinning Module Versions </h3> <p>Always pin module versions in your root configurations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Good - pinned to exact version</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> <span class="c1"># Acceptable - pinned to minor version range</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.3"</span> <span class="p">}</span> <span class="c1"># Bad - no version pin, uses latest</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc"</span> <span class="p">}</span> </code></pre> </div> <h3> Automated Version Bumping </h3> <p>Use a CI workflow that automatically creates releases when module directories change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/release.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Release Modules</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">detect-changes</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">changed_modules</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.modules }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">changes</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">CHANGED=$(git diff --name-only HEAD~1 HEAD | grep '^modules/' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1]')</span> <span class="s">echo "modules=$CHANGED" &gt;&gt; $GITHUB_OUTPUT</span> <span class="na">release</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect-changes</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect-changes.outputs.changed_modules != '[]'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">module</span><span class="pi">:</span> <span class="s">${{ fromJson(needs.detect-changes.outputs.changed_modules) }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Determine version bump</span> <span class="na">id</span><span class="pi">:</span> <span class="s">version</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">CURRENT=$(git tag -l "modules/${{ matrix.module }}/v*" | sort -V | tail -1)</span> <span class="s"># Parse commit messages for bump type</span> <span class="s">if git log --oneline HEAD~1..HEAD | grep -q "BREAKING"; then</span> <span class="s">BUMP="major"</span> <span class="s">elif git log --oneline HEAD~1..HEAD | grep -q "feat"; then</span> <span class="s">BUMP="minor"</span> <span class="s">else</span> <span class="s">BUMP="patch"</span> <span class="s">fi</span> <span class="s">echo "bump=$BUMP" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create release tag</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Bump version and create tag</span> <span class="s">git tag "modules/${{ matrix.module }}/v${NEW_VERSION}"</span> <span class="s">git push --tags</span> </code></pre> </div> <h2> Using a Private Module Registry </h2> <p>A module registry provides a discoverable, versioned catalog of your organization's modules. You have several options.</p> <h3> Terraform Cloud / HCP Terraform Registry </h3> <p>The simplest option if you are already using Terraform Cloud:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.3.1"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <p>Publishing is automatic when you connect your VCS repository to the registry.</p> <h3> Self-Hosted with Artifactory or S3 </h3> <p>For air-gapped or highly regulated environments, you can host modules on S3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"s3::https://my-terraform-modules.s3.amazonaws.com/vpc/v2.3.1.zip"</span> <span class="p">}</span> </code></pre> </div> <p>Pair this with a CI pipeline that packages and uploads module archives on release:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">MODULE</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">VERSION</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">cd </span>modules/<span class="nv">$MODULE</span> zip <span class="nt">-r</span> <span class="s2">"/tmp/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> <span class="nb">.</span> aws s3 <span class="nb">cp</span> <span class="s2">"/tmp/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> <span class="se">\</span> <span class="s2">"s3://my-terraform-modules/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> </code></pre> </div> <h3> GitHub Releases as a Registry </h3> <p>A lightweight approach using Git tags directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> </code></pre> </div> <p>This works well for smaller organizations and avoids the overhead of a dedicated registry.</p> <h2> Module Testing and Validation </h2> <p>Modules without tests are modules you cannot trust. Here are the layers of testing you should implement.</p> <h3> Static Analysis </h3> <p>Run these on every PR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format check</span> terraform <span class="nb">fmt</span> <span class="nt">-check</span> <span class="nt">-recursive</span> modules/ <span class="c"># Validation</span> <span class="k">for </span><span class="nb">dir </span><span class="k">in </span>modules/<span class="k">*</span>/<span class="p">;</span> <span class="k">do </span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$dir</span><span class="s2">"</span> terraform init <span class="nt">-backend</span><span class="o">=</span><span class="nb">false </span>terraform validate <span class="nb">cd</span> ../.. <span class="k">done</span> <span class="c"># Security scanning with tfsec</span> tfsec modules/ <span class="c"># Linting with tflint</span> tflint <span class="nt">--recursive</span> </code></pre> </div> <h3> Integration Testing with Terratest </h3> <p>Write Go tests that actually provision and destroy infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestVpcModule</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">WithDefaultRetryableErrors</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../modules/vpc"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"cidr_block"</span><span class="o">:</span> <span class="s">"10.99.0.0/16"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"test"</span><span class="p">,</span> <span class="s">"name"</span><span class="o">:</span> <span class="s">"terratest-vpc"</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">defer</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Destroy</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">vpcId</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"vpc_id"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">NotEmpty</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">vpcId</span><span class="p">)</span> <span class="n">privateSubnets</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">OutputList</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"private_subnet_ids"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="m">3</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">privateSubnets</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <h3> Example Configurations </h3> <p>Every module should ship with a working example in an <code>examples/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/vpc/ ├── main.tf ├── variables.tf ├── outputs.tf ├── README.md └── examples/ ├── simple/ │ └── main.tf # Minimal usage └── complete/ └── main.tf # All features enabled </code></pre> </div> <h2> Module Composition Patterns </h2> <p>Real infrastructure is built by composing modules together. Here are patterns that work well at scale.</p> <h3> The Root Module Pattern </h3> <p>Create environment-specific root modules that compose shared modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/production/main.tf</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.3.1"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">availability_zones</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"database"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/rds-postgres/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"3.1.0"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"application"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/ecs-service/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.8.0"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">lb_target_group</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">alb_target_group_arn</span> <span class="nx">database_endpoint</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">database</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="mi">6</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <h3> The Terragrunt DRY Pattern </h3> <p>For organizations managing many environments, Terragrunt eliminates repetition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terragrunt.hcl (root)</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myorg-terraform-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/production/vpc/terragrunt.hcl</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <h2> Common Pitfalls and How to Avoid Them </h2> <p><strong>Over-abstracting too early.</strong> Do not create a module until you have written the same Terraform code at least twice. Premature abstraction creates rigid modules that fight against real requirements.</p> <p><strong>Nested modules more than two levels deep.</strong> Module A calls module B which calls module C is already hard to debug. Keep your module hierarchy shallow.</p> <p><strong>Not using <code>moved</code> blocks during refactors.</strong> When restructuring modules, use <code>moved</code> blocks to prevent Terraform from destroying and recreating resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">web</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">application</span><span class="p">.</span><span class="nx">aws_instance</span><span class="p">.</span><span class="nx">web</span> <span class="p">}</span> </code></pre> </div> <p><strong>Ignoring module documentation.</strong> Every module should have a README generated by <code>terraform-docs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate docs automatically</span> terraform-docs markdown table modules/vpc/ <span class="o">&gt;</span> modules/vpc/README.md </code></pre> </div> <p><strong>Storing secrets in tfvars files.</strong> Use a secrets manager and data sources instead of committing sensitive values.</p> <h2> Need Help with Your DevOps? </h2> <p>Building and maintaining a well-structured Terraform module library takes experience. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we help startups and growing teams implement production-grade Infrastructure as Code from day one - so you can ship infrastructure changes with the same confidence as application code.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your Terraform architecture.</p> terraform iac devops modules InstaDevOps Sun, 12 Apr 2026 13:46:59 +0000 https://forem.com/instadevops/infrastructure-testing-terratest-checkov-and-validating-your-iac-2c49 https://forem.com/instadevops/infrastructure-testing-terratest-checkov-and-validating-your-iac-2c49 <h2> Introduction </h2> <p>Infrastructure as Code has transformed cloud management, but when a single Terraform apply can spin up hundreds of resources, testing becomes essential.</p> <p>This article explores Terratest for functional testing and Checkov for security scanning.</p> <h2> Static Analysis with Checkov </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>checkov checkov <span class="nt">-d</span> ./terraform </code></pre> </div> <h3> Custom Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">checkov.terraform.checks.resource.base_resource_check</span> <span class="kn">import</span> <span class="n">BaseResourceCheck</span> <span class="kn">from</span> <span class="n">checkov.common.models.enums</span> <span class="kn">import</span> <span class="n">CheckCategories</span><span class="p">,</span> <span class="n">CheckResult</span> <span class="k">class</span> <span class="nc">EC2HasEnvironmentTag</span><span class="p">(</span><span class="n">BaseResourceCheck</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">name</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Ensure EC2 instances have environment tag</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="sh">"</span><span class="s">CKV_CUSTOM_1</span><span class="sh">"</span> <span class="n">supported_resources</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">aws_instance</span><span class="sh">'</span><span class="p">]</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">,</span> <span class="n">supported_resources</span><span class="o">=</span><span class="n">supported_resources</span><span class="p">)</span> <span class="k">def</span> <span class="nf">scan_resource_conf</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">conf</span><span class="p">):</span> <span class="n">tags</span> <span class="o">=</span> <span class="n">conf</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">,</span> <span class="p">[{}])[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">tags</span><span class="p">,</span> <span class="nb">dict</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">Environment</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">tags</span><span class="p">:</span> <span class="k">return</span> <span class="n">CheckResult</span><span class="p">.</span><span class="n">PASSED</span> <span class="k">return</span> <span class="n">CheckResult</span><span class="p">.</span><span class="n">FAILED</span> </code></pre> </div> <h2> Functional Testing with Terratest </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestS3Bucket</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">WithDefaultRetryableErrors</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../modules/s3-bucket"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"bucket_name"</span><span class="o">:</span> <span class="s">"test-bucket-"</span> <span class="o">+</span> <span class="n">random</span><span class="o">.</span><span class="n">UniqueId</span><span class="p">(),</span> <span class="p">},</span> <span class="p">})</span> <span class="k">defer</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Destroy</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">bucketID</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"bucket_id"</span><span class="p">)</span> <span class="n">actualStatus</span> <span class="o">:=</span> <span class="n">aws</span><span class="o">.</span><span class="n">GetS3BucketVersioning</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"us-east-1"</span><span class="p">,</span> <span class="n">bucketID</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"Enabled"</span><span class="p">,</span> <span class="n">actualStatus</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> When to Use Each Tool </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Checkov</th> <th>Terratest</th> </tr> </thead> <tbody> <tr> <td>Type</td> <td>Static analysis</td> <td>Functional testing</td> </tr> <tr> <td>Speed</td> <td>Seconds</td> <td>Minutes to hours</td> </tr> <tr> <td>Cost</td> <td>Free</td> <td>Incurs cloud costs</td> </tr> <tr> <td>Coverage</td> <td>Security, compliance</td> <td>Actual functionality</td> </tr> </tbody> </table></div> <h2> CI/CD Integration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">static-analysis</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="na">terratest</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">static-analysis</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd test</span> <span class="s">go test -v -timeout 30m ./...</span> </code></pre> </div> <h2> Conclusion </h2> <p>Layer your testing: Start with Checkov for fast feedback, add Terratest for critical modules, and run full integration tests before production.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/infrastructure-testing" rel="noopener noreferrer">instadevops.com</a></em></p> terraform testing iac devops InstaDevOps Sat, 11 Apr 2026 13:46:57 +0000 https://forem.com/instadevops/kubernetes-networking-demystified-services-ingress-and-network-policies-43ne https://forem.com/instadevops/kubernetes-networking-demystified-services-ingress-and-network-policies-43ne <h2> Introduction </h2> <p>Kubernetes networking is often cited as one of the most challenging aspects of container orchestration. This guide covers the three pillars: Services, Ingress, and Network Policies.</p> <h2> Services: Stable Endpoints for Dynamic Pods </h2> <h3> ClusterIP Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h3> LoadBalancer Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">public-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> </code></pre> </div> <h2> Ingress: HTTP/HTTPS Traffic Management </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-ingress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app.example.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">app-tls-secret</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">app.example.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-api</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <h2> Network Policies: Securing Pod Communication </h2> <h3> Default Deny All </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default-deny-all</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> </code></pre> </div> <h3> Allow Specific Ingress </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">allow-frontend-to-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h2> Troubleshooting </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check endpoints</span> kubectl get endpoints my-service <span class="c"># Test DNS</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> my-pod <span class="nt">--</span> nslookup kubernetes.default <span class="c"># Debug with netshoot</span> kubectl run netshoot <span class="nt">--image</span><span class="o">=</span>nicolaka/netshoot <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">--</span> bash </code></pre> </div> <h2> Conclusion </h2> <p>Master Services, Ingress, and Network Policies, and you'll have a solid foundation for building secure, scalable applications on Kubernetes.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/kubernetes-networking" rel="noopener noreferrer">instadevops.com</a></em></p> kubernetes networking devops security InstaDevOps Fri, 10 Apr 2026 13:46:54 +0000 https://forem.com/instadevops/container-registry-best-practices-ecr-docker-hub-and-self-hosted-options-22kh https://forem.com/instadevops/container-registry-best-practices-ecr-docker-hub-and-self-hosted-options-22kh <h2> Introduction </h2> <p>Container registries are the backbone of containerized application deployment. Choosing the right registry and implementing proper practices can mean the difference between smooth deployments and security nightmares.</p> <h2> Amazon ECR: AWS-Native Registry </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a repository</span> aws ecr create-repository <span class="se">\</span> <span class="nt">--repository-name</span> my-app <span class="se">\</span> <span class="nt">--image-scanning-configuration</span> <span class="nv">scanOnPush</span><span class="o">=</span><span class="nb">true</span> <span class="c"># Push an image</span> docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest </code></pre> </div> <h3> ECR Lifecycle Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"rulePriority"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Keep last 10 production images"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selection"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tagStatus"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tagged"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tagPrefixList"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"prod-"</span><span class="p">],</span><span class="w"> </span><span class="nl">"countType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"imageCountMoreThan"</span><span class="p">,</span><span class="w"> </span><span class="nl">"countNumber"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"expire"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Docker Hub </h2> <p>Docker Hub remains the most widely used registry, hosting millions of public images.</p> <p><strong>Rate Limits</strong>: Anonymous pulls limited to 100 per 6 hours; authenticated free users get 200.</p> <h2> Self-Hosted: Harbor </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">helm install harbor harbor/harbor \</span> <span class="s">--set expose.type=ingress \</span> <span class="s">--set expose.ingress.hosts.core=registry.example.com \</span> <span class="s">--set trivy.enabled=true</span> </code></pre> </div> <h2> Security Best Practices </h2> <ol> <li>Enable image scanning</li> <li>Implement least-privilege access</li> <li>Sign your images with Cosign</li> <li>Use immutable tags</li> <li>Scan base images regularly</li> </ol> <h2> Image Tagging Strategies </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">VERSION</span><span class="o">=</span><span class="s2">"1.2.3"</span> <span class="nv">GIT_SHA</span><span class="o">=</span><span class="si">$(</span>git rev-parse <span class="nt">--short</span> HEAD<span class="si">)</span> docker build <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>-<span class="k">${</span><span class="nv">GIT_SHA</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">GIT_SHA</span><span class="k">}</span> <span class="se">\</span> <span class="nb">.</span> </code></pre> </div> <h2> Conclusion </h2> <p>Whether you choose ECR for AWS integration, Docker Hub for ubiquity, or Harbor for control, applying security best practices will keep your container infrastructure secure.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/container-registry-guide" rel="noopener noreferrer">instadevops.com</a></em></p> docker ecr containers devops InstaDevOps Thu, 09 Apr 2026 20:46:50 +0000 https://forem.com/instadevops/incident-management-building-effective-on-call-rotations-and-runbooks-10ho https://forem.com/instadevops/incident-management-building-effective-on-call-rotations-and-runbooks-10ho <h2> Introduction </h2> <p>Every engineering team dreads the 3 AM page. How your team handles these moments defines your reliability as a service provider.</p> <p>This guide covers on-call rotation design, runbook creation, incident response processes, and blameless post-mortems.</p> <h2> On-Call Best Practices </h2> <h3> Designing Sustainable Rotations </h3> <ul> <li> <strong>Rotation Length</strong>: Weekly rotations work best</li> <li> <strong>Minimum Team Size</strong>: Never fewer than 4 engineers</li> <li> <strong>Compensation</strong>: Fair pay for on-call work</li> </ul> <h3> Reducing Alert Fatigue </h3> <ul> <li>Actionable alerts only</li> <li>Consolidate related alerts</li> <li>Regular alert reviews</li> </ul> <h2> Runbook Template Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Runbook: Database Connection Pool Exhausted</span> <span class="gu">## Impact Assessment</span> <span class="p">-</span> User Impact: New requests may fail <span class="p">-</span> Affected Services: All services using primary database <span class="gu">## Immediate Actions</span> <span class="p">1.</span> Check current connections: SELECT count(<span class="err">*</span>), state FROM pg_stat_activity GROUP BY state; <span class="p"> 2.</span> Identify connection hogs: SELECT usename, application_name, count(<span class="err">*</span>) FROM pg_stat_activity GROUP BY usename, application_name; <span class="gu">## Resolution Steps</span> <span class="p">-</span> If long-running query: pg_terminate_backend(<span class="nt">&lt;pid&gt;</span>) <span class="p">-</span> If traffic spike: Scale up read replicas <span class="p">-</span> If connection leak: Restart affected service </code></pre> </div> <h2> Incident Response Process </h2> <h3> Phase 1: Detection and Triage (0-5 minutes) </h3> <ol> <li>Acknowledge the alert</li> <li>Assess severity</li> <li>Open relevant runbook</li> </ol> <h3> Phase 2: Response Coordination </h3> <ul> <li> <strong>Incident Commander</strong>: Coordinates response</li> <li> <strong>Technical Lead</strong>: Hands-on debugging</li> <li> <strong>Communications Lead</strong>: Updates stakeholders</li> </ul> <h2> Blameless Post-Mortems </h2> <p>Focus on systems and processes, not individuals. The goal is learning and improvement.</p> <h2> Conclusion </h2> <p>Effective incident management is built on preparation, not heroics. Well-designed rotations, comprehensive runbooks, and blameless post-mortems transform incident response from stress into a competitive advantage.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/incident-management" rel="noopener noreferrer">instadevops.com</a></em></p> incident oncall sre devops InstaDevOps Thu, 09 Apr 2026 20:33:35 +0000 https://forem.com/instadevops/sre-fundamentals-defining-slos-slis-and-error-budgets-that-actually-work-42k7 https://forem.com/instadevops/sre-fundamentals-defining-slos-slis-and-error-budgets-that-actually-work-42k7 <h2> Introduction </h2> <p>Site Reliability Engineering (SRE) has transformed how organizations think about system reliability. Central to this framework are Service Level Objectives (SLOs), Service Level Indicators (SLIs), and Error Budgets.</p> <p>This guide will walk you through defining SLOs, SLIs, and Error Budgets that actually drive meaningful improvements.</p> <h2> Understanding the Reliability Hierarchy </h2> <p><strong>SLAs (Service Level Agreements)</strong>: External contracts with customers specifying consequences for failures.</p> <p><strong>SLOs (Service Level Objectives)</strong>: Internal targets your team commits to, stricter than SLAs.</p> <p><strong>SLIs (Service Level Indicators)</strong>: The actual measurements determining whether you're meeting SLOs.</p> <p><strong>Error Budgets</strong>: How much unreliability you can tolerate while meeting your SLO.</p> <h2> Defining Meaningful SLIs </h2> <h3> The Four Golden Signals </h3> <ul> <li> <strong>Latency</strong>: How long requests take</li> <li> <strong>Traffic</strong>: Request volume</li> <li> <strong>Errors</strong>: Rate of failed requests</li> <li> <strong>Saturation</strong>: How "full" your service is </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Availability SLI sum(rate(http_requests_total{status=~"2.."}[5m])) / sum(rate(http_requests_total[5m])) # Latency SLI sum(rate(http_request_duration_seconds_bucket{le="0.2"}[5m])) / sum(rate(http_request_duration_seconds_count[5m])) </code></pre> </div> <h2> Setting Realistic SLOs </h2> <p>Each additional "nine" dramatically reduces your error budget:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Availability</th> <th>Monthly Downtime</th> </tr> </thead> <tbody> <tr> <td>99%</td> <td>7.2 hours</td> </tr> <tr> <td>99.9%</td> <td>43.8 minutes</td> </tr> <tr> <td>99.99%</td> <td>4.38 minutes</td> </tr> </tbody> </table></div> <h2> Error Budgets: The Key to Balance </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error Budget = 1 - SLO For a 99.9% SLO over 30 days: Error Budget = 0.1% = 43.2 minutes of downtime </code></pre> </div> <h2> Conclusion </h2> <p>SLOs, SLIs, and Error Budgets aren't just metrics—they're a framework for making better decisions about reliability. The goal is appropriate reliability—enough to keep users happy while maintaining velocity.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/sre-slos-slis" rel="noopener noreferrer">instadevops.com</a></em></p> sre monitoring devops InstaDevOps Wed, 08 Apr 2026 14:15:32 +0000 https://forem.com/instadevops/disaster-recovery-in-the-cloud-rpo-rto-and-building-resilient-systems-3e5p https://forem.com/instadevops/disaster-recovery-in-the-cloud-rpo-rto-and-building-resilient-systems-3e5p <h2> Introduction </h2> <p>Every minute of downtime costs money. For some enterprises, that figure reaches $5,600 per minute. But beyond financial impact, outages erode customer trust and can pose compliance risks.</p> <p>This article explores disaster recovery fundamentals, specifically Recovery Point Objective (RPO) and Recovery Time Objective (RTO), and provides practical guidance for building resilient cloud systems.</p> <h2> Understanding RPO and RTO </h2> <h3> Recovery Point Objective (RPO) </h3> <p>How much data can we afford to lose? RPO represents the maximum acceptable data loss measured in time.</p> <h3> Recovery Time Objective (RTO) </h3> <p>How quickly must we restore operations? RTO defines maximum acceptable downtime.</p> <h2> DR Strategy Tiers </h2> <h3> Tier 1: Backup and Restore </h3> <p><strong>RPO:</strong> Hours to days | <strong>RTO:</strong> Hours to days | <strong>Cost:</strong> Lowest</p> <h3> Tier 2: Pilot Light </h3> <p><strong>RPO:</strong> Minutes to hours | <strong>RTO:</strong> Hours | <strong>Cost:</strong> Low to Medium</p> <p>Keep core components synchronized, but application servers remain off until needed.</p> <h3> Tier 3: Warm Standby </h3> <p><strong>RPO:</strong> Minutes | <strong>RTO:</strong> Minutes to hours | <strong>Cost:</strong> Medium to High</p> <p>A scaled-down but fully functional environment runs continuously.</p> <h3> Tier 4: Multi-Region Active-Active </h3> <p><strong>RPO:</strong> Near-zero | <strong>RTO:</strong> Near-zero | <strong>Cost:</strong> Highest<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_globalaccelerator_accelerator"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-global"</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"IPV4"</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Automating Failover </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route53_health_check"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">fqdn</span> <span class="p">=</span> <span class="s2">"api-primary.example.com"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">failure_threshold</span> <span class="p">=</span> <span class="s2">"3"</span> <span class="nx">request_interval</span> <span class="p">=</span> <span class="s2">"10"</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your DR Plan </h2> <p>A DR plan that has never been tested is not a plan. Regular testing validates assumptions and trains your team.</p> <h2> Conclusion </h2> <p>Building resilient systems requires understanding business requirements, choosing appropriate DR strategies, and relentlessly testing. The cost of preparation is always less than the cost of recovery without a plan.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/disaster-recovery-cloud" rel="noopener noreferrer">instadevops.com</a></em></p> disasterrecovery cloud aws devops InstaDevOps Sun, 05 Apr 2026 13:48:01 +0000 https://forem.com/instadevops/api-gateway-patterns-kong-aws-api-gateway-and-when-to-use-each-3e3m https://forem.com/instadevops/api-gateway-patterns-kong-aws-api-gateway-and-when-to-use-each-3e3m <h2> Introduction </h2> <p>API gateways have become the backbone of modern microservices architecture. They act as the single entry point for all client requests, handling everything from routing and authentication to rate limiting and load balancing.</p> <p>In this article, we'll compare two popular API gateway solutions: <strong>Kong</strong> (open-source and self-hosted) and <strong>AWS API Gateway</strong> (fully managed).</p> <h2> Understanding API Gateway Patterns </h2> <p><strong>Edge Gateway Pattern</strong>: A single entry point at the network edge that handles all external traffic.</p> <p><strong>Backend for Frontend (BFF) Pattern</strong>: Separate gateways optimized for different client types.</p> <p><strong>Sidecar Pattern</strong>: A gateway deployed alongside each service in service mesh architectures.</p> <h2> Kong: The Open-Source Powerhouse </h2> <p>Kong is built on NGINX and offers both open-source and enterprise versions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kong.yaml - Declarative configuration</span> <span class="na">_format_version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.0"</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">user-service</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://user-api:3000</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">user-routes</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/api/users</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rate-limiting</span> <span class="na">config</span><span class="pi">:</span> <span class="na">minute</span><span class="pi">:</span> <span class="m">100</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">key-auth</span> </code></pre> </div> <h2> AWS API Gateway </h2> <p>AWS API Gateway is fully managed and integrates deeply with AWS services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_api_gateway_rest_api"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"production-api"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Production API Gateway"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_method"</span> <span class="s2">"get_users"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_resource</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nx">id</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"GET"</span> <span class="nx">authorization</span> <span class="p">=</span> <span class="s2">"COGNITO_USER_POOLS"</span> <span class="p">}</span> </code></pre> </div> <h2> Decision Framework </h2> <h3> Choose Kong When: </h3> <ul> <li>Multi-cloud or hybrid deployments</li> <li>Advanced customization needs</li> <li>Cost optimization at scale</li> <li>Avoiding vendor lock-in</li> </ul> <h3> Choose AWS API Gateway When: </h3> <ul> <li>AWS-native architecture</li> <li>Minimal operational overhead</li> <li>Rapid prototyping</li> <li>Deep AWS integration needed</li> </ul> <h2> Conclusion </h2> <p>Both Kong and AWS API Gateway are excellent choices. Kong excels in flexibility and multi-cloud scenarios, while AWS API Gateway shines in AWS-native architectures.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups and scale-ups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/api-gateway-patterns" rel="noopener noreferrer">instadevops.com</a></em></p> api kong aws microservices InstaDevOps Sat, 04 Apr 2026 13:47:59 +0000 https://forem.com/instadevops/kubernetes-cost-optimization-finops-strategies-for-k8s-clusters-1h46 https://forem.com/instadevops/kubernetes-cost-optimization-finops-strategies-for-k8s-clusters-1h46 <h2> Introduction </h2> <p>Kubernetes has become the de facto standard for container orchestration, but with great power comes great... cloud bills. According to recent studies, organizations waste an average of 30-35% of their Kubernetes spending on over-provisioned or idle resources. This isn't just a technical problem—it's a business problem that directly impacts your bottom line.</p> <p>FinOps (Financial Operations) brings financial accountability to the variable spend model of cloud computing. When applied to Kubernetes, FinOps practices help teams understand, manage, and optimize their cluster costs while maintaining the performance and reliability their applications need.</p> <p>In this guide, we'll explore practical strategies for optimizing Kubernetes costs, from right-sizing workloads to implementing automated scaling policies.</p> <h2> Understanding Kubernetes Cost Drivers </h2> <p>Before optimizing costs, you need to understand where your money goes. Kubernetes costs typically break down into several categories:</p> <p><strong>Compute Resources</strong>: The CPU and memory allocated to your nodes and pods represent the largest portion of most Kubernetes bills.</p> <p><strong>Storage</strong>: Persistent volumes, storage classes, and backup solutions add up quickly.</p> <p><strong>Networking</strong>: Data transfer between availability zones, regions, and the internet can surprise you with unexpected charges.</p> <p><strong>Control Plane</strong>: Managed Kubernetes services (EKS, GKE, AKS) charge for the control plane itself.</p> <h2> Right-Sizing Workloads with Resource Requests and Limits </h2> <p>The foundation of Kubernetes cost optimization is properly configuring resource requests and limits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-server</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp/api:v1.2.3</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> </code></pre> </div> <h2> Implementing Vertical Pod Autoscaler (VPA) </h2> <p>VPA automatically adjusts resource requests for pods based on actual usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VerticalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-server-vpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">targetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-server</span> <span class="na">updatePolicy</span><span class="pi">:</span> <span class="na">updateMode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Auto"</span> </code></pre> </div> <h2> Horizontal Pod Autoscaler for Demand-Based Scaling </h2> <p>HPA adjusts the number of replicas based on demand:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-server-hpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-server</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">20</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">70</span> </code></pre> </div> <h2> Leveraging Spot Instances </h2> <p>Spot instances offer 60-90% discounts for suitable workloads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">batch-processor</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">kubernetes.io/lifecycle</span><span class="pi">:</span> <span class="s">spot</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kubernetes.io/lifecycle"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Equal"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">spot"</span> <span class="na">effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NoSchedule"</span> </code></pre> </div> <h2> Namespace Resource Quotas </h2> <p>Prevent runaway costs with namespace-level guardrails:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ResourceQuota</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-alpha-quota</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">team-alpha</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hard</span><span class="pi">:</span> <span class="na">requests.cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">20"</span> <span class="na">requests.memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">40Gi"</span> <span class="na">limits.cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">40"</span> <span class="na">limits.memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">80Gi"</span> </code></pre> </div> <h2> Best Practices Checklist </h2> <ol> <li>Set resource requests and limits on every container</li> <li>Use VPA in recommendation mode first</li> <li>Configure HPA with appropriate thresholds</li> <li>Enable Cluster Autoscaler with 50% scale-down threshold</li> <li>Use spot instances for fault-tolerant workloads</li> <li>Implement namespace quotas for accountability</li> <li>Deploy cost monitoring tools like Kubecost</li> </ol> <h2> Conclusion </h2> <p>Kubernetes cost optimization isn't a one-time project—it's an ongoing practice. Start with visibility, implement technical controls, and treat cost as a first-class metric alongside availability and performance.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups and scale-ups build production-ready infrastructure without the overhead of a full-time DevOps team.</p> <p><strong>Our Services:</strong></p> <ul> <li>🏗️ <strong>AWS Consulting</strong> - Cloud architecture, cost optimization, and migration</li> <li>☸️ <strong>Kubernetes Management</strong> - Production-ready clusters and orchestration</li> <li>🚀 <strong>CI/CD Pipelines</strong> - Automated deployment pipelines that just work</li> <li>📊 <strong>Monitoring &amp; Observability</strong> - See what's happening in your infrastructure</li> </ul> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/kubernetes-cost-optimization" rel="noopener noreferrer">instadevops.com</a></em></p> kubernetes finops cost devops