Forem: POTHURAJU JAYAKRISHNA YADAV The latest articles on Forem by POTHURAJU JAYAKRISHNA YADAV (@jayakrishnayadav24). https://forem.com/jayakrishnayadav24 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1212088%2F58079d8b-2311-41ef-9bff-1e92f5938836.jpg Forem: POTHURAJU JAYAKRISHNA YADAV https://forem.com/jayakrishnayadav24 en Terraform Modular EKS + Istio — Part 5 POTHURAJU JAYAKRISHNA YADAV Fri, 27 Mar 2026 02:49:35 +0000 https://forem.com/jayakrishnayadav24/-terraform-modular-eks-istio-part-5-38k7 https://forem.com/jayakrishnayadav24/-terraform-modular-eks-istio-part-5-38k7 <h2> CSI Drivers (How Storage Actually Works in EKS) </h2> <p>So far:</p> <ul> <li>VPC → network</li> <li>IAM → permissions</li> <li>EKS → control plane</li> <li>Nodes → compute</li> </ul> <p>Now comes the part many people ignore:</p> <p>👉 <strong>Storage</strong></p> <p>Without this:</p> <ul> <li>Pods can’t persist data</li> <li>Databases won’t work</li> <li>Logs disappear on restart</li> </ul> <p>This module installs <strong>CSI drivers</strong>, which allow Kubernetes to use AWS storage.</p> <h1> 📂 Module Files </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/csi-driver/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h1> 📄 variables.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"ebs_csi_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM role ARN for EBS CSI driver"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"s3_csi_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM role ARN for S3 CSI driver"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"node_group_dependency"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Node group dependency to ensure nodes exist first"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">any</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What these inputs mean </h2> <ul> <li> <code>cluster_name</code> → where to install addons</li> <li> <code>ebs_csi_role_arn</code> → IAM role for EBS driver</li> <li> <code>s3_csi_role_arn</code> → IAM role for S3 driver</li> <li> <code>node_group_dependency</code> → ensures nodes exist first</li> </ul> <h3> ⚠️ Important insight </h3> <p>This module depends on:</p> <p>👉 IAM (for IRSA roles)<br> 👉 Node groups (for scheduling pods)</p> <h1> 📄 main.tf </h1> <h2> 1. EBS CSI Driver </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"ebs_csi"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="s2">"aws-ebs-csi-driver"</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_csi_role_arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">node_group_dependency</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this does </h2> <p>Installs:</p> <p>👉 AWS EBS CSI Driver inside cluster</p> <h3> What is CSI? </h3> <p>CSI = <strong>Container Storage Interface</strong></p> <p>👉 It allows Kubernetes to talk to AWS storage.</p> <h3> What EBS CSI enables </h3> <ul> <li>Create EBS volumes</li> <li>Attach volumes to pods</li> <li>Persist data</li> </ul> <h3> Important line </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">service_account_role_arn</span> <span class="err">=</span> <span class="kd">var</span><span class="err">.</span><span class="nx">ebs_csi_role_arn</span> </code></pre> </div> <p>👉 This is IRSA</p> <p>This means:</p> <ul> <li>Pod gets IAM role</li> <li>Pod can call AWS APIs</li> </ul> <h3> Without this </h3> <p>❌ Pod cannot create volumes<br> ❌ PVC fails</p> <h2> 2. S3 CSI Driver </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"s3_csi"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="s2">"aws-mountpoint-s3-csi-driver"</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">s3_csi_role_arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">node_group_dependency</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this does </h2> <p>Installs:</p> <p>👉 S3 CSI driver</p> <h3> What it enables </h3> <p>Mount S3 bucket as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pod → S3 bucket (like filesystem) </code></pre> </div> <h3> Use cases </h3> <ul> <li>logs</li> <li>shared storage</li> <li>backups</li> </ul> <h2> 3. Dependency Handling </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">depends_on</span> <span class="err">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">node_group_dependency</span><span class="p">]</span> </code></pre> </div> <h3> Why this is critical </h3> <p>CSI driver runs as pods.</p> <p>👉 Pods need nodes</p> <p>So order must be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Nodes → CSI Driver </code></pre> </div> <h3> Without this </h3> <ul> <li>Addon installs</li> <li>But pods fail to schedule</li> </ul> <h1> 📄 outputs.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"ebs_csi_addon_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EBS CSI addon ID"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_addon</span><span class="p">.</span><span class="nx">ebs_csi</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"s3_csi_addon_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"S3 CSI addon ID"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_addon</span><span class="p">.</span><span class="nx">s3_csi</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 Why outputs matter </h2> <p>Used for:</p> <ul> <li>tracking addon deployment</li> <li>debugging</li> <li>dependencies in future modules</li> </ul> <h1> 🔥 What You Actually Built </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubernetes Pod │ │ CSI Driver │ │ AWS Storage (EBS / S3) </code></pre> </div> <h1> ⚠️ Real Issues People Face </h1> <ul> <li>Missing IRSA → access denied</li> <li>No node dependency → pods fail</li> <li>Wrong role → volume attach fails</li> <li>Forgetting CSI → PVC stuck in pending</li> </ul> <h1> 🧠 Key Takeaways </h1> <ul> <li>Kubernetes doesn’t manage storage directly</li> <li>CSI drivers connect Kubernetes to AWS</li> <li>IRSA is required for secure access</li> <li>EBS = block storage</li> <li>S3 = object storage</li> </ul> <h1> 🚀 Next </h1> <p>In Part 6:</p> <p>👉 AWS Load Balancer Controller<br> 👉 How ALB actually integrates with Kubernetes<br> 👉 Why <code>target-type: ip</code> matters</p> <p>At this point, your cluster can:</p> <ul> <li>run workloads</li> <li>persist data</li> </ul> <p>Now we move to traffic layer.</p> aws terraform csi Terraform Modular EKS + Istio — Part 4 POTHURAJU JAYAKRISHNA YADAV Fri, 27 Mar 2026 02:47:10 +0000 https://forem.com/jayakrishnayadav24/-terraform-modular-eks-istio-part-4-3p8h https://forem.com/jayakrishnayadav24/-terraform-modular-eks-istio-part-4-3p8h <h2> EKS Node Groups (Where Your Cluster Actually Gets Compute) </h2> <p>In the previous part, we created the EKS control plane.</p> <p>At that point:</p> <ul> <li>Kubernetes API exists</li> <li>Cluster is reachable</li> </ul> <p>But:</p> <p>👉 There are <strong>no machines to run workloads</strong></p> <p>That’s where <strong>Node Groups</strong> come in.</p> <p>This module creates the actual EC2 instances that:</p> <ul> <li>join the cluster</li> <li>run pods</li> <li>execute your applications</li> </ul> <h1> 📂 Module Files </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/eks-nodes/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h1> 📄 variables.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_group_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS node group"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ARN of the EKS node group IAM role"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of subnet IDs"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_types"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of instance types"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.large"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"desired_size"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Desired number of nodes"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"max_size"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Maximum number of nodes"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"min_size"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Minimum number of nodes"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"max_unavailable"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Maximum number of nodes unavailable during update"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"labels"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Key-value map of Kubernetes labels"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What these variables control </h2> <p>This module is completely configurable:</p> <ul> <li>cluster → which EKS cluster to join</li> <li>instance_types → what machines to use</li> <li>scaling → how many nodes</li> <li>labels → Kubernetes scheduling</li> </ul> <h3> Example thinking </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dev → small nodes (t3.medium) prod → bigger nodes (m5.large) </code></pre> </div> <p>👉 Same code, different behavior.</p> <h1> 📄 main.tf </h1> <h2> 1. Node Group Resource </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"nodes"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">node_group_name</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">node_role_arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_ids</span> </code></pre> </div> <h3> What this does </h3> <p>Creates:</p> <p>👉 EC2 instances managed by EKS</p> <p>These instances:</p> <ul> <li>automatically join the cluster</li> <li>register as Kubernetes nodes</li> </ul> <h3> Important inputs </h3> <ul> <li> <code>cluster_name</code> → which cluster to join</li> <li> <code>node_role_arn</code> → permissions for nodes</li> <li> <code>subnet_ids</code> → where nodes are created</li> </ul> <h3> Subnet choice </h3> <p>You are passing:</p> <p>👉 <strong>private subnets</strong></p> <p>This means:</p> <ul> <li>nodes do NOT have public IP</li> <li>more secure</li> <li>traffic goes through NAT</li> </ul> <h2> 2. Instance Types </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">instance_types</span> <span class="err">=</span> <span class="kd">var</span><span class="err">.</span><span class="nx">instance_types</span> </code></pre> </div> <h3> What this controls </h3> <p>Defines:</p> <ul> <li>CPU</li> <li>Memory</li> <li>cost</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t3.large → 2 vCPU, 8GB RAM </code></pre> </div> <h2> 3. Scaling Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">desired_size</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">max_size</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">min_size</span> <span class="p">}</span> </code></pre> </div> <h3> Meaning </h3> <ul> <li>desired_size → current running nodes</li> <li>min_size → minimum nodes</li> <li>max_size → maximum nodes</li> </ul> <h3> Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>min = 1 desired = 2 max = 5 </code></pre> </div> <p>👉 Cluster can scale between 1–5 nodes</p> <h2> 4. Update Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">update_config</span> <span class="p">{</span> <span class="nx">max_unavailable</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">max_unavailable</span> <span class="p">}</span> </code></pre> </div> <h3> Why this matters </h3> <p>Controls rolling updates.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>max_unavailable = 1 </code></pre> </div> <p>👉 Only 1 node can be down during update</p> <h3> Why important </h3> <ul> <li>prevents downtime</li> <li>controls deployment safety</li> </ul> <h2> 5. Labels </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">labels</span> <span class="err">=</span> <span class="kd">var</span><span class="err">.</span><span class="nx">labels</span> </code></pre> </div> <h3> What labels do </h3> <p>Labels are used by Kubernetes for:</p> <ul> <li>scheduling</li> <li>targeting workloads</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>env = dev type = backend </code></pre> </div> <p>👉 Later you can do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">backend</span> </code></pre> </div> <h2> 6. Dependency </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">depends_on</span> <span class="err">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">node_role_arn</span><span class="p">]</span> </code></pre> </div> <h3> Why this is needed </h3> <p>Even though role is passed:</p> <p>Terraform might not always guarantee order.</p> <p>So this ensures:</p> <p>👉 IAM role exists before node creation</p> <h1> 📄 outputs.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"node_group_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Amazon Resource Name (ARN) of the EKS Node Group"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">nodes</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"node_group_status"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Status of the EKS Node Group"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">nodes</span><span class="p">.</span><span class="nx">status</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 Why outputs matter </h2> <p>These outputs help in:</p> <ul> <li>debugging</li> <li>monitoring</li> <li>integration with other modules</li> </ul> <h1> 🔥 What You Actually Built </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS Control Plane │ │ Managed Node Group (EC2 Instances) │ │ Kubernetes Pods run here </code></pre> </div> <h1> ⚠️ Real Issues People Face </h1> <ul> <li>Wrong subnet → nodes can’t join</li> <li>Missing IAM role → node creation fails</li> <li>No NAT → nodes can’t pull images</li> <li>Too small instance → pods crash</li> </ul> <h1> 🧠 Key Takeaways </h1> <ul> <li>Node group = actual compute layer</li> <li>Control plane alone is useless without nodes</li> <li>Scaling config controls capacity</li> <li>Labels help in workload placement</li> </ul> <h1> 🚀 Next </h1> <p>In Part 5:</p> <p>👉 Addons + CSI Driver<br> 👉 How storage works in EKS<br> 👉 Why IRSA becomes critical</p> <p>At this point, your cluster is alive — now we make it usable.</p> aws eks terraform Terraform Modular EKS + Istio — Part 3 POTHURAJU JAYAKRISHNA YADAV Fri, 27 Mar 2026 02:45:23 +0000 https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-3-4n9e https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-3-4n9e <h2> EKS Cluster Module (What Actually Creates Kubernetes) </h2> <p>After setting up VPC and IAM, the next step is creating the actual Kubernetes control plane using Amazon EKS.</p> <p>This module is responsible for:</p> <ul> <li>Creating the EKS cluster</li> <li>Configuring networking</li> <li>Enabling authentication</li> <li>Setting up OIDC (required for IRSA)</li> </ul> <h1> 📂 Module Files </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/eks-cluster/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h1> 📄 variables.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cluster_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes version"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cluster_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ARN of the EKS cluster IAM role"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of private subnet IDs"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of public subnet IDs"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this module expects </h2> <p>This module doesn’t create everything itself. It depends on:</p> <ul> <li>VPC module → for subnets</li> <li>IAM module → for cluster role</li> </ul> <p>Inputs tell it:</p> <ul> <li>what to name the cluster</li> <li>which version to run</li> <li>where to place it</li> </ul> <h1> 📄 main.tf </h1> <p>This is where the actual EKS cluster is created.</p> <h2> 1. EKS Cluster Resource </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_role_arn</span> </code></pre> </div> <h3> What this does </h3> <p>This creates the <strong>EKS control plane</strong>.</p> <p>Important point:</p> <p>👉 You are NOT creating master nodes<br> 👉 AWS manages them for you</p> <h2> 2. Networking Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_ids</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Why both private and public subnets? </h3> <ul> <li>Private subnets → worker nodes</li> <li>Public subnets → load balancers</li> </ul> <p>If you only pass private:</p> <ul> <li>ALB/NLB creation can fail later</li> </ul> <p>If you only pass public:</p> <ul> <li>not secure</li> </ul> <p>👉 Passing both is correct production setup.</p> <h2> 3. Access Configuration (Very Important) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">access_config</span> <span class="p">{</span> <span class="nx">authentication_mode</span> <span class="p">=</span> <span class="s2">"API_AND_CONFIG_MAP"</span> <span class="nx">bootstrap_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h3> What this solves </h3> <p>Newer EKS versions changed authentication behavior.</p> <p>This block ensures:</p> <ul> <li>API-based authentication is enabled</li> <li>IAM + aws-auth both work</li> </ul> <h3> This line is critical </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">bootstrap_cluster_creator_admin_permissions</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p>👉 Gives admin access to the creator</p> <p>Without this:</p> <ul> <li>cluster gets created</li> <li>but you cannot access it</li> </ul> <h2> 4. Dependency Handling </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">depends_on</span> <span class="err">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_role_arn</span><span class="p">]</span> </code></pre> </div> <h3> Why needed? </h3> <p>Even though role ARN is passed:</p> <p>Terraform may not always detect dependency properly.</p> <p>This ensures:</p> <p>👉 IAM role exists before cluster creation</p> <h1> 🔥 OIDC Setup (Core Concept) </h1> <p>This is the most important part of this module.</p> <h2> 5. Fetch TLS Certificate </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> </code></pre> </div> <h3> What is happening? </h3> <ul> <li>EKS creates an OIDC endpoint</li> <li>This block fetches its certificate</li> </ul> <p>Used for:<br> 👉 Trust verification in IAM</p> <h2> 6. Create OIDC Provider </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> </code></pre> </div> <h3> What this actually does </h3> <p>This creates a bridge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubernetes → IAM </code></pre> </div> <h3> Why this is required </h3> <p>Without OIDC:</p> <p>❌ Pods cannot assume IAM roles<br> ❌ IRSA will not work</p> <h3> Thumbprint </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">thumbprint_list</span> <span class="err">=</span> <span class="p">[...]</span> </code></pre> </div> <p>👉 Ensures secure trust between AWS and OIDC provider</p> <h1> 📄 outputs.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"cluster_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">endpoint</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_security_group_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">vpc_config</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster_security_group_id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_certificate_authority_data"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="k">data</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"oidc_provider_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"oidc_provider"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">replace</span><span class="p">(</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 Why these outputs matter </h2> <p>These values are used by other modules:</p> <ul> <li>Kubernetes provider → uses endpoint + certificate</li> <li>IAM module → uses OIDC provider</li> <li>Node module → uses cluster name</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">host</span> <span class="err">=</span> <span class="k">module</span><span class="err">.</span><span class="nx">eks_cluster</span><span class="err">.</span><span class="nx">cluster_endpoint</span> </code></pre> </div> <h1> 🔥 What You Actually Built </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Managed Control Plane │ │ OIDC Provider (for IAM integration) </code></pre> </div> <h1> ⚠️ Real Issues People Face </h1> <ul> <li>No OIDC → IRSA breaks</li> <li>Wrong subnets → cluster unstable</li> <li>Missing access_config → login issues</li> <li>Wrong IAM role → cluster creation fails</li> </ul> <h1> 🧠 Key Takeaways </h1> <ul> <li>EKS cluster = control plane only</li> <li>AWS manages master nodes</li> <li>OIDC is required for IAM integration</li> <li>Outputs connect modules together</li> </ul> <h1> 🚀 Next Step </h1> <p>Next module:</p> <p>👉 Node Groups (actual compute layer)<br> 👉 How EC2 instances join the cluster<br> 👉 Scaling and updates</p> <p>This module is where Kubernetes actually starts — but without nodes, it’s still empty.</p> aws eks terraform Terraform Modular EKS + Istio — Part 2 POTHURAJU JAYAKRISHNA YADAV Fri, 27 Mar 2026 02:40:48 +0000 https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-2-abi https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-2-abi <h2> IAM Module (IRSA, OIDC, and Why This Controls Everything) </h2> <p>In the previous part, we built the VPC.</p> <p>Now we move to something that causes the most confusion in EKS setups:</p> <p>👉 <strong>IAM</strong></p> <p>This is not just “permissions”.</p> <p>This module controls:</p> <ul> <li>how EKS works</li> <li>how nodes behave</li> <li>how pods access AWS services</li> </ul> <p>If this is wrong:</p> <ul> <li>ALB won’t work</li> <li>CSI drivers fail</li> <li>Pods can’t access AWS</li> <li>Debugging becomes painful</li> </ul> <h1> 📂 Module Files </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/iam/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h1> 📄 variables.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"oidc_provider_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ARN of the OIDC provider"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"oidc_provider"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"OIDC provider URL"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What these inputs mean </h2> <ul> <li><p><code>cluster_name</code><br> → used to name roles</p></li> <li><p><code>oidc_provider_arn</code><br> → comes from EKS module</p></li> <li><p><code>oidc_provider</code><br> → used for IRSA condition matching</p></li> </ul> <p>👉 Important:</p> <p>This module <strong>depends on EKS</strong><br> Because OIDC is created inside the EKS module.</p> <h1> 📄 main.tf (Core IAM Logic) </h1> <h1> 1. EKS Cluster Role </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-cluster-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this actually does </h2> <p>This role is used by:</p> <p>👉 <strong>EKS Control Plane (managed by AWS)</strong></p> <h3> Key line </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">Service</span> <span class="err">=</span> <span class="s2">"eks.amazonaws.com"</span> </code></pre> </div> <p>👉 Means:</p> <blockquote> <p>“EKS service is allowed to assume this role”</p> </blockquote> <h2> Attach Policy </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cluster_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h3> Why this policy? </h3> <p>This allows EKS to:</p> <ul> <li>manage nodes</li> <li>communicate with AWS</li> <li>create resources</li> </ul> <h1> 2. Node Group Role </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_nodes"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-node-group-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this role is for </h2> <p>👉 Used by <strong>EC2 instances (worker nodes)</strong></p> <h3> Key line </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">Service</span> <span class="err">=</span> <span class="s2">"ec2.amazonaws.com"</span> </code></pre> </div> <p>👉 Means:</p> <blockquote> <p>EC2 instances can assume this role</p> </blockquote> <h1> 3. Node Policies </h1> <p>Now we attach multiple policies.</p> <h2> a. Worker Node Policy </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_worker_node_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> <span class="p">}</span> </code></pre> </div> <p>👉 Allows nodes to:</p> <ul> <li>join cluster</li> <li>communicate with control plane</li> </ul> <h2> b. CNI Policy </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cni_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="p">}</span> </code></pre> </div> <p>👉 This is very important</p> <p>Allows:</p> <ul> <li>Pod networking</li> <li>ENI management</li> </ul> <p>👉 Without this:<br> Pods won’t get IPs</p> <h2> c. ECR Access </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_container_registry_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> <span class="p">}</span> </code></pre> </div> <p>👉 Allows nodes to:</p> <ul> <li>pull Docker images</li> </ul> <h2> d. SSM Access </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_ssm_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> </code></pre> </div> <p>👉 Allows:</p> <ul> <li>SSM access</li> <li>no need for SSH</li> </ul> <p>👉 This is production best practice</p> <h1> 4. EBS CSI Driver Role (🔥 Most Important Part) </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ebs_csi_driver"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver-role"</span> </code></pre> </div> <p>This is NOT for nodes.</p> <p>This is for:</p> <p>👉 <strong>Kubernetes Pod (EBS CSI controller)</strong></p> <h2> 🔥 This is IRSA (Core Concept) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">Action</span> <span class="err">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> </code></pre> </div> <p>👉 This is different from EC2 roles</p> <p>This allows:</p> <p>👉 Pods → assume IAM role</p> <h2> 🔥 OIDC Trust </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">Principal</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="p">}</span> </code></pre> </div> <p>👉 This links:</p> <ul> <li>EKS cluster</li> <li>IAM</li> </ul> <h2> 🔥 Condition (VERY IMPORTANT) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">oidc_provider</span><span class="k">}</span><span class="s2">:sub"</span> <span class="err">=</span> <span class="s2">"system:serviceaccount:kube-system:ebs-csi-controller-sa"</span> </code></pre> </div> <p>👉 This means:</p> <p>ONLY this service account can assume the role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kube-system / ebs-csi-controller-sa </code></pre> </div> <h3> Why this matters </h3> <p>👉 This is <strong>fine-grained security</strong></p> <p>Instead of:</p> <p>❌ giving full access to nodes</p> <p>You do:</p> <p>✅ give access only to specific pod</p> <h2> Attach Policy </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ebs_csi_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"</span> <span class="p">}</span> </code></pre> </div> <h3> What this enables </h3> <ul> <li>Create volumes</li> <li>Attach volumes</li> <li>Manage storage</li> </ul> <h1> 📄 outputs.tf </h1> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"eks_cluster_role_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"eks_nodes_role_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_nodes</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"ebs_csi_driver_role_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ebs_csi_driver</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 Why outputs matter </h2> <p>These are used in:</p> <ul> <li>EKS module</li> <li>Node module</li> <li>CSI module</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">cluster_role_arn</span> <span class="err">=</span> <span class="k">module</span><span class="err">.</span><span class="nx">iam</span><span class="err">.</span><span class="nx">eks_cluster_role_arn</span> </code></pre> </div> <p>👉 This creates dependency automatically.</p> <h1> 🔥 Real Architecture (What You Built) </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS Control Plane → uses cluster role EC2 Nodes → use node role Pods (CSI) → use IRSA role (OIDC) </code></pre> </div> <h1> ⚠️ Real Mistakes People Make </h1> <ul> <li>Giving full IAM to nodes (bad security)</li> <li>Not using IRSA</li> <li>Wrong OIDC condition → role not assumed</li> <li>Forgetting CNI policy → pods fail</li> </ul> <h1> 🧠 Key Takeaways </h1> <ul> <li>IAM is not optional — it defines system behavior</li> <li>Nodes and pods should have separate roles</li> <li>IRSA is the correct way to give AWS access to pods</li> <li>OIDC is what connects Kubernetes to IAM</li> </ul> <h1> 🚀 Next </h1> <p>In Part 3:</p> <p>👉 EKS Cluster Module<br> 👉 How control plane is created<br> 👉 What OIDC actually does internally</p> <p>If you understand this module, you understand how AWS + Kubernetes actually connect behind the scenes.</p> aws iam terraform istio Terraform Modular EKS + Istio — Part 1 POTHURAJU JAYAKRISHNA YADAV Fri, 27 Mar 2026 02:37:41 +0000 https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-1-2j14 https://forem.com/jayakrishnayadav24/terraform-modular-eks-istio-part-1-2j14 <h2> VPC Module (Complete Code + Real Explanation) </h2> <p>Before touching EKS, Istio, or routing — everything depends on one thing:</p> <p>👉 <strong>Your network</strong></p> <p>If the VPC is wrong:</p> <ul> <li>Nodes won’t join</li> <li>ALB won’t work</li> <li>Pods won’t get IPs</li> <li>Routing will fail in weird ways</li> </ul> <p>So in this part, I’ll walk through the <strong>entire VPC module from my setup</strong>, using the exact code — and explain what each part is doing and why it exists.</p> <h1> 📂 Module Files </h1> <p>This module consists of 3 files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/vpc/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <h1> 📄 variables.tf </h1> <p>This file defines what inputs the module expects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"vpc_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the VPC"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR block for VPC"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"availability_zones"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Availability zones"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR blocks for private subnets"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR blocks for public subnets"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h2> 🧠 What this means </h2> <p>This module is <strong>not hardcoded</strong>.</p> <p>Everything is controlled from outside:</p> <ul> <li>CIDR ranges</li> <li>AZs</li> <li>Subnet layout</li> <li>Cluster name</li> </ul> <p>👉 That’s what makes it reusable across:</p> <ul> <li>dev</li> <li>staging</li> <li>prod</li> </ul> <h1> 📄 main.tf (Core Logic) </h1> <p>This is where actual infrastructure is created.</p> <h2> 1. VPC </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Why this matters </h3> <ul> <li> <code>cidr_block</code> → defines network size</li> <li> <code>enable_dns_support</code> → required for internal communication</li> <li> <p><code>enable_dns_hostnames</code> → required for:</p> <ul> <li>EKS</li> <li>ALB</li> <li>service discovery</li> </ul> </li> </ul> <p>👉 If DNS is off, things break silently.</p> <h2> 2. Private Subnets (EKS Nodes) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> </code></pre> </div> <h3> What’s happening </h3> <ul> <li> <code>count</code> creates multiple subnets</li> <li>Each subnet is tied to an AZ</li> </ul> <h3> 🔥 Important Tags </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">tags</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-private-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="p">}</span> </code></pre> </div> <h3> Why these tags matter </h3> <p>These are <strong>not optional</strong></p> <ul> <li><p><code>internal-elb</code><br> → used by AWS to place <strong>internal load balancers</strong></p></li> <li><p><code>cluster tag</code><br> → required for EKS to discover subnets</p></li> </ul> <p>👉 Missing this = ALB or services fail later</p> <h2> 3. Public Subnets (ALB Layer) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> </code></pre> </div> <h3> Key difference </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">map_public_ip_on_launch</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p>👉 Instances here get public IPs</p> <h3> Tag Difference </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="s2">"kubernetes.io/role/elb"</span> <span class="err">=</span> <span class="s2">"1"</span> </code></pre> </div> <p>👉 This tells AWS:</p> <blockquote> <p>“Use this subnet for internet-facing load balancers”</p> </blockquote> <h2> 4. Internet Gateway </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"igw"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-igw"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Purpose </h3> <p>Allows:</p> <p>👉 Public subnet → Internet</p> <h2> 5. Elastic IP (for NAT) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span><span class="p">)</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-nat-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">igw</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Why EIP? </h3> <p>NAT Gateway needs a <strong>public IP</strong></p> <h2> 6. NAT Gateway (Critical) </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span><span class="p">)</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> </code></pre> </div> <h3> What it does </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Private Subnet → NAT → Internet </code></pre> </div> <p>👉 Nodes can:</p> <ul> <li>pull Docker images</li> <li>access APIs</li> </ul> <p>BUT:</p> <p>👉 They don’t get public IP (secure)</p> <h2> 7. Private Route Table </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Meaning </h3> <p>All outbound traffic → NAT</p> <h2> 8. Public Route Table </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">igw</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Meaning </h3> <p>Public subnet → direct internet</p> <h2> 9. Route Table Associations </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Why needed </h3> <p>👉 Subnets don’t automatically get routing</p> <p>You must attach:</p> <ul> <li>subnet → route table</li> </ul> <h1> 📄 outputs.tf </h1> <p>This file exposes values for other modules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the VPC"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IDs of the private subnets"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IDs of the public subnets"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Why outputs matter </h2> <p>These are used by:</p> <ul> <li>EKS cluster</li> <li>Node groups</li> <li>ALB controller</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">private_subnet_ids</span> <span class="err">=</span> <span class="k">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">private_subnet_ids</span> </code></pre> </div> <p>👉 This creates dependency automatically.</p> <h1> 🧠 Final Architecture </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet │ Internet Gateway │ Public Subnets (ALB) │ NAT Gateway │ Private Subnets (EKS Nodes) </code></pre> </div> <h1> ⚠️ Real Things That Break in Production </h1> <ul> <li>Missing subnet tags → ALB won’t create</li> <li>No NAT → nodes can’t pull images</li> <li>Wrong AZ mapping → cluster unstable</li> <li>Public nodes → security issue</li> </ul> <h1> 🧠 Key Takeaways </h1> <ul> <li>VPC is the foundation of everything</li> <li>Subnet tagging is critical for EKS</li> <li>NAT enables private nodes</li> <li>Outputs drive Terraform dependencies</li> </ul> <h1> 🚀 Next </h1> <p>In Part 2:</p> <p>👉 IAM Module — IRSA explained properly<br> 👉 How pods assume AWS roles<br> 👉 Why OIDC is required</p> <p>If you're building EKS in production, this part is not optional — this is where most issues actually start.</p> aws terraform vpc 🔍 Terraform Modular EKS + Istio — The Part Nobody Explains POTHURAJU JAYAKRISHNA YADAV Thu, 26 Mar 2026 12:17:09 +0000 https://forem.com/aws-builders/-terraform-modular-eks-istio-the-part-nobody-explains-2mk3 https://forem.com/aws-builders/-terraform-modular-eks-istio-the-part-nobody-explains-2mk3 <p>When I first modularized my Terraform for EKS, everything looked clean…</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuvfxll9li71wl31nr1a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuvfxll9li71wl31nr1a.png" alt=" " width="800" height="640"></a></p> <p>Until it didn’t work.</p> <p>Modules were correct.<br> Code was clean.<br> Folder structure looked “perfect”.</p> <p>But Terraform was behaving in ways I didn’t expect.</p> <p>Resources were creating in weird order.<br> Dependencies felt invisible.<br> And debugging became painful.</p> <p>That’s when I realized:</p> <p>👉 Understanding Terraform syntax is easy<br> 👉 Understanding how Terraform <em>thinks</em> is the real game</p> <p>This blog is about that shift.</p> <h1> 🧠 The Biggest Misconception </h1> <p>Initially, I thought Terraform runs like a script:</p> <p>Step 1 → Step 2 → Step 3</p> <p>But that assumption is completely wrong.</p> <p>Terraform doesn’t execute line by line.</p> <p>👉 It builds a <strong>dependency graph first</strong>, and only then decides what to create and in what order.</p> <p>Once this clicked, everything started making sense.</p> <h1> 🧩 My Project Structure (Real Setup) </h1> <p>Here’s how I organized everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modularized/ ├── eks/ # Root module (entry point) │ ├── main.tf │ ├── variables.tf │ ├── providers.tf │ └── backend.tf ├── modules/ │ ├── vpc/ │ ├── iam/ │ ├── eks-cluster/ │ ├── eks-nodes/ │ ├── aws-load-balancer-controller/ │ ├── istio-base/ │ ├── istiod/ │ ├── istio-gateway/ │ └── istio-manifests/ └── environments/ ├── dev/ │ ├── terraform.tfvars │ └── backend.hcl </code></pre> </div> <p>At a glance, this looks like just folders.</p> <p>But in reality:</p> <p>👉 This is a <strong>system design mapped into code</strong></p> <h1> 🔗 The Real Role of <code>main.tf</code> </h1> <p>Think of <code>main.tf</code> not as a file…</p> <p>👉 But as an <strong>orchestrator</strong></p> <p>It doesn’t “do” things directly.<br> It <strong>connects modules together using data</strong>.</p> <h1> 🔹 Step 1: VPC — The Foundation </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/vpc"</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">availability_zones</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zones</span> <span class="nx">private_subnet_cidrs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span> <span class="nx">public_subnet_cidrs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <p>This module creates:</p> <ul> <li>VPC</li> <li>Public &amp; private subnets</li> <li>Routing</li> </ul> <p>But the important part is not creation…</p> <p>👉 It’s what it <strong>exports</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h1> 🧠 First Realization </h1> <p>Terraform modules don’t “talk” directly.</p> <p>They communicate through:</p> <p>👉 <strong>Outputs → Inputs</strong></p> <h1> 🔹 Step 2: IAM — Identity Layer </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"iam"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/iam"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <p>This creates:</p> <ul> <li>Cluster role</li> <li>Node role</li> <li>IRSA roles</li> </ul> <p>And exposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"eks_cluster_role_arn"</span> <span class="p">{}</span> <span class="nx">output</span> <span class="s2">"eks_nodes_role_arn"</span> <span class="p">{}</span> </code></pre> </div> <h1> 🔗 Step 3: EKS Cluster — Where Things Clicked </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/eks-cluster"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="nx">cluster_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nx">eks_cluster_role_arn</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">public_subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="p">}</span> </code></pre> </div> <p>This line changed everything for me:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span><span class="err">.</span><span class="nx">iam</span><span class="err">.</span><span class="nx">eks_cluster_role_arn</span> </code></pre> </div> <p>👉 This is not just a reference<br> 👉 This is a <strong>dependency signal</strong></p> <h1> 💥 The Aha Moment </h1> <p>I didn’t define any order like:</p> <ul> <li>“Create IAM first”</li> <li>“Then VPC”</li> <li>“Then EKS”</li> </ul> <p>Yet Terraform <em>automatically</em> knew.</p> <p>Why?</p> <p>Because:</p> <p>👉 Dependencies define execution order</p> <h1> 🔹 Step 4: Node Groups — Implicit Dependency </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks_nodes"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/eks-nodes"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks_cluster</span><span class="p">.</span><span class="nx">cluster_id</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nx">eks_nodes_role_arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="p">}</span> </code></pre> </div> <p>Now Terraform understands:</p> <ul> <li>Nodes depend on cluster</li> <li>Cluster depends on IAM + VPC</li> </ul> <p>So it builds a graph like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC → IAM → EKS → Nodes </code></pre> </div> <p>Without you ever writing that flow.</p> <h1> ⚠️ Mistake I Made (Important) </h1> <p>At one point, I hardcoded subnet IDs inside my EKS module.</p> <p>It worked… initially.</p> <p>But the moment I tried another environment — everything broke.</p> <p>That’s when I understood:</p> <p>👉 Hardcoding breaks modular design<br> 👉 Outputs make modules reusable</p> <h1> ⚙️ Variables — The Real Power </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Values come from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev/terraform.tfvars</span> <span class="nx">cluster_name</span> <span class="err">=</span> <span class="s2">"dev-cluster"</span> </code></pre> </div> <p>👉 Same code<br> 👉 Different environments</p> <p>No duplication.</p> <h1> 🧠 What Terraform Actually Does </h1> <p>When you run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p>Terraform does NOT just “run code”.</p> <p>It:</p> <ol> <li>Reads variables</li> <li>Resolves all references</li> <li>Builds dependency graph</li> <li>Plans execution order</li> <li>Applies resources</li> </ol> <h1> 🔐 Backend — Silent but Critical </h1> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"eks/dev/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This enables:</p> <ul> <li>Remote state</li> <li>Team collaboration</li> <li>State locking</li> </ul> <p>Without this, things get messy fast.</p> <h1> 🧠 Final Shift in Thinking </h1> <p>At the beginning, Terraform felt like:</p> <p>👉 “Writing infrastructure scripts”</p> <p>Now it feels like:</p> <p>👉 “Designing systems using data flow”</p> <p>That shift changes everything.</p> <h1> 💡 Key Takeaways </h1> <ul> <li> <code>main.tf</code> is not execution — it’s orchestration</li> <li>Outputs are how modules communicate</li> <li>Dependencies are inferred, not written</li> <li>Variables make environments scalable</li> <li>Terraform is a graph engine, not a script runner</li> </ul> <h1> 🔗 Repo </h1> <p><a href="https://github.com/jayakrishnayadav24/istio-ip-based-routing" rel="noopener noreferrer">https://github.com/jayakrishnayadav24/istio-ip-based-routing</a></p> <h1> 🚀 Final Thought </h1> <p>Once you stop thinking in terms of files…</p> <p>And start thinking in terms of <strong>data flowing between modules</strong>…</p> <p>Terraform stops being just infrastructure code.</p> <p>👉 It becomes a system design tool.</p> <p>If this helped you understand Terraform at a deeper level:</p> <p>⭐ Star the repo<br> 🔁 Share with others<br> 💬 Let me know what confused you — I’ll write about it next</p> <p>Happy building 🚀</p> aws terraform istio 🚀 Creating an EC2 Instance Using Python requests (Without boto3) POTHURAJU JAYAKRISHNA YADAV Tue, 24 Mar 2026 04:36:51 +0000 https://forem.com/aws-builders/creating-an-ec2-instance-using-python-requests-without-boto3-1m5n https://forem.com/aws-builders/creating-an-ec2-instance-using-python-requests-without-boto3-1m5n <p>Most developers use <code>boto3</code> to interact with AWS.</p> <p>But have you ever wondered…</p> <p>👉 What actually happens behind the scenes?<br> 👉 How does AWS authenticate your API requests?</p> <p>I always used boto3 without thinking much about it — until I tried calling AWS APIs directly.</p> <p>In this blog, we’ll go one level deeper and:</p> <blockquote> <p>🔥 Create an EC2 instance using raw HTTP requests with AWS Signature Version 4 (SigV4)</p> </blockquote> <h1> 🧠 boto3 is Just a Wrapper </h1> <p>When you run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ec2</span><span class="p">.</span><span class="nf">run_instances</span><span class="p">(...)</span> </code></pre> </div> <p>Behind the scenes, boto3:</p> <ul> <li>Builds an HTTP request</li> <li>Signs it using AWS Signature Version 4</li> <li>Sends it to AWS APIs</li> </ul> <p>In this blog, we’ll do all of that manually.</p> <h1> ⚙️ What We’re Building </h1> <p>We’ll create a Python script that:</p> <ul> <li>Uses <code>requests</code> </li> <li>Implements AWS SigV4 authentication</li> <li>Launches a real EC2 instance</li> </ul> <p>No SDK. No shortcuts.</p> <h1> 🔄 High-Level Flow </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → Canonical Request → String to Sign → Signature → AWS API → Response </code></pre> </div> <h1> 🔐 Understanding AWS Signature Version 4 (SigV4) </h1> <p>AWS secures every API request using SigV4. It ensures:</p> <ul> <li>Authentication (who you are)</li> <li>Integrity (request not tampered)</li> </ul> <h1> 💻 Full Working Code </h1> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">hmac</span> <span class="kn">import</span> <span class="n">urllib.parse</span> <span class="c1"># 🔐 AWS credentials </span><span class="n">ACCESS_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_ACCESS_KEY</span><span class="sh">"</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_SECRET_KEY</span><span class="sh">"</span> <span class="n">REGION</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ap-south-1</span><span class="sh">"</span> <span class="n">SERVICE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ec2</span><span class="sh">"</span> <span class="n">HOST</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ec2.</span><span class="si">{</span><span class="n">REGION</span><span class="si">}</span><span class="s">.amazonaws.com</span><span class="sh">"</span> <span class="n">ENDPOINT</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://</span><span class="si">{</span><span class="n">HOST</span><span class="si">}</span><span class="s">/</span><span class="sh">"</span> <span class="c1"># 📦 EC2 parameters </span><span class="n">params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">RunInstances</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ImageId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ami-0f5ee92e2d63afc18</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">InstanceType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">t2.micro</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MinCount</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MaxCount</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2016-11-15</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># 🕒 Time </span><span class="n">t</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="n">amz_date</span> <span class="o">=</span> <span class="n">t</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y%m%dT%H%M%SZ</span><span class="sh">'</span><span class="p">)</span> <span class="n">date_stamp</span> <span class="o">=</span> <span class="n">t</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y%m%d</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># 🔹 Step 1: Canonical Query String </span><span class="n">canonical_querystring</span> <span class="o">=</span> <span class="sh">'</span><span class="s">&amp;</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">k</span><span class="p">)</span><span class="si">}</span><span class="s">=</span><span class="si">{</span><span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">v</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">params</span><span class="p">.</span><span class="nf">items</span><span class="p">())</span> <span class="p">)</span> <span class="c1"># 🔹 Step 2: Canonical Request </span><span class="n">canonical_headers</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">host:</span><span class="si">{</span><span class="n">HOST</span><span class="si">}</span><span class="se">\n</span><span class="s">x-amz-date:</span><span class="si">{</span><span class="n">amz_date</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="n">signed_headers</span> <span class="o">=</span> <span class="sh">"</span><span class="s">host;x-amz-date</span><span class="sh">"</span> <span class="n">payload_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="sa">b</span><span class="sh">""</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="n">canonical_request</span> <span class="o">=</span> <span class="p">(</span> <span class="sh">"</span><span class="s">GET</span><span class="se">\n</span><span class="sh">"</span> <span class="sh">"</span><span class="s">/</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">canonical_querystring</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">canonical_headers</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">signed_headers</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">payload_hash</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># 🔹 Step 3: String to Sign </span><span class="n">algorithm</span> <span class="o">=</span> <span class="sh">"</span><span class="s">AWS4-HMAC-SHA256</span><span class="sh">"</span> <span class="n">credential_scope</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">date_stamp</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">REGION</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">SERVICE</span><span class="si">}</span><span class="s">/aws4_request</span><span class="sh">"</span> <span class="n">string_to_sign</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">algorithm</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">amz_date</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">credential_scope</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">canonical_request</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># 🔹 Step 4: Signing Key </span><span class="k">def</span> <span class="nf">sign</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">msg</span><span class="p">):</span> <span class="k">return</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">msg</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="n">k_date</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">((</span><span class="sh">"</span><span class="s">AWS4</span><span class="sh">"</span> <span class="o">+</span> <span class="n">SECRET_KEY</span><span class="p">).</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">date_stamp</span><span class="p">)</span> <span class="n">k_region</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_date</span><span class="p">,</span> <span class="n">REGION</span><span class="p">)</span> <span class="n">k_service</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_region</span><span class="p">,</span> <span class="n">SERVICE</span><span class="p">)</span> <span class="n">k_signing</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_service</span><span class="p">,</span> <span class="sh">"</span><span class="s">aws4_request</span><span class="sh">"</span><span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="n">k_signing</span><span class="p">,</span> <span class="n">string_to_sign</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span> <span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="c1"># 🔹 Step 5: Headers </span><span class="n">authorization_header</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">algorithm</span><span class="si">}</span><span class="s"> Credential=</span><span class="si">{</span><span class="n">ACCESS_KEY</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">credential_scope</span><span class="si">}</span><span class="s">, </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SignedHeaders=</span><span class="si">{</span><span class="n">signed_headers</span><span class="si">}</span><span class="s">, Signature=</span><span class="si">{</span><span class="n">signature</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">x-amz-date</span><span class="sh">"</span><span class="p">:</span> <span class="n">amz_date</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="n">authorization_header</span> <span class="p">}</span> <span class="c1"># 🔹 Final request </span><span class="n">request_url</span> <span class="o">=</span> <span class="n">ENDPOINT</span> <span class="o">+</span> <span class="sh">"</span><span class="s">?</span><span class="sh">"</span> <span class="o">+</span> <span class="n">canonical_querystring</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">👉 Calling:</span><span class="sh">"</span><span class="p">,</span> <span class="n">request_url</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">request_url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Status Code:</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Response:</span><span class="se">\n</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> </code></pre> </div> <h1> 🔍 Breaking Down the Code (with Snippets) </h1> <p>Let’s understand what’s happening step by step.</p> <h2> 🔐 1. AWS Credentials &amp; Config </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ACCESS_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_ACCESS_KEY</span><span class="sh">"</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_SECRET_KEY</span><span class="sh">"</span> <span class="n">REGION</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ap-south-1</span><span class="sh">"</span> <span class="n">SERVICE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ec2</span><span class="sh">"</span> <span class="n">HOST</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ec2.</span><span class="si">{</span><span class="n">REGION</span><span class="si">}</span><span class="s">.amazonaws.com</span><span class="sh">"</span> </code></pre> </div> <p>👉 Defines credentials + region + service endpoint.</p> <h2> 📦 2. EC2 Parameters </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">RunInstances</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ImageId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ami-0f5ee92e2d63afc18</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">InstanceType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">t2.micro</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MinCount</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MaxCount</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2016-11-15</span><span class="sh">"</span> <span class="p">}</span> </code></pre> </div> <p>👉 This is the actual API request payload.</p> <h2> 🕒 3. Timestamp </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">t</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="n">amz_date</span> <span class="o">=</span> <span class="n">t</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y%m%dT%H%M%SZ</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>👉 Required for AWS request validation.</p> <h2> 🔹 4. Canonical Query String </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">canonical_querystring</span> <span class="o">=</span> <span class="sh">'</span><span class="s">&amp;</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">k</span><span class="p">)</span><span class="si">}</span><span class="s">=</span><span class="si">{</span><span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">v</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">params</span><span class="p">.</span><span class="nf">items</span><span class="p">())</span> <span class="p">)</span> </code></pre> </div> <p>👉 Sort + encode parameters<br> 👉 Critical step (most common failure point)</p> <h2> 🔹 5. Canonical Request </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">canonical_request</span> <span class="o">=</span> <span class="p">(</span> <span class="sh">"</span><span class="s">GET</span><span class="se">\n</span><span class="sh">"</span> <span class="sh">"</span><span class="s">/</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">canonical_querystring</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">canonical_headers</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">signed_headers</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">payload_hash</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>👉 Exact request AWS validates internally.</p> <h2> 🔹 6. String to Sign </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">string_to_sign</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">algorithm</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">amz_date</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">credential_scope</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">canonical_request</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>👉 This is what gets signed.</p> <h2> 🔑 7. Signing Key </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">k_date</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">((</span><span class="sh">"</span><span class="s">AWS4</span><span class="sh">"</span> <span class="o">+</span> <span class="n">SECRET_KEY</span><span class="p">).</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">date_stamp</span><span class="p">)</span> <span class="n">k_region</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_date</span><span class="p">,</span> <span class="n">REGION</span><span class="p">)</span> <span class="n">k_service</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_region</span><span class="p">,</span> <span class="n">SERVICE</span><span class="p">)</span> <span class="n">k_signing</span> <span class="o">=</span> <span class="nf">sign</span><span class="p">(</span><span class="n">k_service</span><span class="p">,</span> <span class="sh">"</span><span class="s">aws4_request</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>👉 Multi-step key derivation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Secret → Date → Region → Service → aws4_request </code></pre> </div> <h2> 🔐 8. Signature </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">signature</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="n">k_signing</span><span class="p">,</span> <span class="n">string_to_sign</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span> <span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> </code></pre> </div> <p>👉 Final cryptographic signature.</p> <h2> 📬 9. Authorization Header </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">x-amz-date</span><span class="sh">"</span><span class="p">:</span> <span class="n">amz_date</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="n">authorization_header</span> <span class="p">}</span> </code></pre> </div> <p>👉 This header authenticates your request.</p> <h2> 🌐 10. Sending Request </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">request_url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> </code></pre> </div> <p>👉 Sends request → AWS validates → returns response.</p> <h1> 🧠 Simple Analogy </h1> <p>Think of SigV4 like a sealed envelope:</p> <ul> <li>Canonical request → message</li> <li>Signing key → secret stamp</li> <li>Signature → seal</li> </ul> <p>AWS checks the seal before accepting it.</p> <h1> ✅ Real Output </h1> <ul> <li>Status Code: <code>200</code> </li> <li>Instance created successfully</li> <li>Instance ID: <code>i-069a545b1814c6cec</code> </li> </ul> <h1> ⚠️ Common Errors </h1> <h3> ❌ SignatureDoesNotMatch </h3> <ul> <li>Wrong encoding</li> <li>Params not sorted</li> </ul> <h2> I got SignatureDoesNotMatch for almost 30 minutes before realizing I wasn’t sorting parameters correctly. </h2> <h3> ❌ UnauthorizedOperation </h3> <ul> <li>Missing IAM permissions</li> </ul> <h3> ❌ InvalidAMIID.NotFound </h3> <ul> <li>Wrong AMI</li> </ul> <h1> ⚖️ boto3 vs requests </h1> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>boto3</th> <th>requests + SigV4</th> </tr> </thead> <tbody> <tr> <td>Ease</td> <td>✅ Easy</td> <td>❌ Complex</td> </tr> <tr> <td>Control</td> <td>❌ Limited</td> <td>✅ Full</td> </tr> <tr> <td>Use Case</td> <td>Production</td> <td>Learning</td> </tr> </tbody> </table></div> <h1> 🧠 Key Takeaway </h1> <blockquote> <p>After doing this, boto3 didn’t feel like magic anymore — just automation over HTTP.</p> </blockquote> <h1> 🚨 Important Note </h1> <p>Use this approach for:</p> <p>✅ Learning<br> ✅ Debugging<br> ✅ Deep understanding</p> <p>❌ Not production</p> <h1> ✍️ Final Thought </h1> <blockquote> <p>The hardest part wasn’t writing the code — it was getting the signature exactly right.</p> </blockquote> api aws python tutorial 🐳 Containerizing a Python FastAPI Application with Docker (and Solving ARM vs x86 Architecture Issues) POTHURAJU JAYAKRISHNA YADAV Sat, 07 Mar 2026 07:18:19 +0000 https://forem.com/jayakrishnayadav24/containerizing-a-python-fastapi-application-with-docker-and-solving-arm-vs-x86-architecture-1gfh https://forem.com/jayakrishnayadav24/containerizing-a-python-fastapi-application-with-docker-and-solving-arm-vs-x86-architecture-1gfh <p>When working with containerized applications, Docker usually makes deployments predictable and consistent. Once everything is packaged inside a container, the expectation is simple: “If it works on my machine, it should work everywhere.”</p> <p>However, real-world environments sometimes introduce subtle issues — especially when applications are built on machines with different CPU architectures, such as x86 (AMD64) and ARM64.</p> <p>Recently, I was containerizing a small Python FastAPI application, and I noticed something interesting. The Docker image worked perfectly on my Ubuntu server but behaved differently on another machine. After some investigation, the root cause turned out to be architecture differences between systems.</p> <p>In this article, I'll walk through the entire process:</p> <ul> <li>Containerizing a FastAPI application with Docker</li> <li>Running the application using Docker Compose</li> <li>Understanding ARM vs x86 architecture differences</li> <li>Troubleshooting Docker daemon issues</li> <li>Building multi-architecture images</li> </ul> <p>If you work with Python, FastAPI, Docker, or cloud deployments, this guide will help you avoid some common pitfalls.</p> <p>📁 Project Structure</p> <p>For this example, we'll use a simple API service called task-api-service.</p> <p>The project structure looks like this:</p> <p>task-api-service<br> │<br> ├── Dockerfile<br> ├── docker-compose.yml<br> ├── requirements.txt<br> ├── main.py<br> └── app/</p> <p>The FastAPI application exposes a REST API running on port 8080.</p> <p>🐍 Step 1 — Writing the Dockerfile</p> <p>The first step is creating a Dockerfile to containerize the application.</p> <p>We start with the official Python slim image, which provides a lightweight base environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM python:3.10-slim ENV PYTHONDONTWRITEBYTECODE=1 ENV PYTHONUNBUFFERED=1 WORKDIR /app RUN apt-get update &amp;&amp; apt-get install -y \ libgl1 \ libglib2.0-0 \ build-essential \ &amp;&amp; rm -rf /var/lib/apt/lists/* COPY requirements.txt . RUN pip install --upgrade pip \ &amp;&amp; pip install --no-cache-dir -r requirements.txt COPY . . EXPOSE 8080 CMD ["uvicorn","main:app","--host","0.0.0.0","--port","8080"] </code></pre> </div> <p>Why these optimizations?</p> <p>There are a few small improvements here that make the container more production-friendly.</p> <p>1️⃣ Prevent Python cache files<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PYTHONDONTWRITEBYTECODE=1 </code></pre> </div> <p>This prevents .pyc files from being created inside the container.</p> <p>2️⃣ Better logging<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PYTHONUNBUFFERED=1 </code></pre> </div> <p>This ensures logs are immediately visible in Docker logs.</p> <p>3️⃣ Removing package cache<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rm -rf /var/lib/apt/lists/* </code></pre> </div> <p>This reduces the final image size.</p> <p>🏗 Step 2 — Building the Docker Image</p> <p>Once the Dockerfile is ready, we can build the image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker build -t task-api-service . </code></pre> </div> <p>After building, verify the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker images </code></pre> </div> <p>You should see the new image listed.</p> <p>🚀 Step 3 — Running the Container</p> <p>Now we can run the container.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker run -p 8088:8080 task-api-service </code></pre> </div> <p>The application will now be accessible at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:8088 </code></pre> </div> <p>Docker maps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Host Port 8088 → Container Port 8080 </code></pre> </div> <p>⚙️ Step 4 — Using Docker Compose</p> <p>Managing containers manually becomes inconvenient as applications grow.</p> <p>This is where Docker Compose becomes useful.</p> <p>Create a file called docker-compose.yml.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version: "3.9" services: fastapi-app: container_name: fastapi-app build: context: . dockerfile: Dockerfile ports: - "8088:8080" volumes: - .:/app restart: unless-stopped </code></pre> </div> <p>📂 Why Use Volumes?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>volumes: - .:/app </code></pre> </div> <p>This mounts the local project directory into the container.</p> <p>Benefits include:</p> <ul> <li>Instant reflection of code changes</li> <li>Faster development workflow</li> <li>No need to rebuild images repeatedly</li> </ul> <p>If you run Uvicorn with the --reload flag, the server automatically restarts when files change.</p> <p>▶️ Running with Docker Compose</p> <p>Start the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker compose up --build </code></pre> </div> <p>Run it in the background:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker compose up -d </code></pre> </div> <p>Stop the containers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker compose down </code></pre> </div> <p>⚠️ The Architecture Problem (ARM vs x86)</p> <p>Everything worked perfectly on my Ubuntu machine.</p> <p>To check the system architecture, I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>uname -m </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x86_64 </code></pre> </div> <p>This means the system uses AMD64 architecture.</p> <p>However, many modern systems now use ARM architecture, including:</p> <ul> <li>Apple Silicon Macs</li> <li>AWS Graviton instances</li> <li>Raspberry Pi servers</li> </ul> <p>Running the same command on those systems usually returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>arm64 </code></pre> </div> <p>This difference can cause compatibility issues when Docker images are built on one architecture and run on another.</p> <p>🔧 Forcing a Specific Docker Platform</p> <p>Docker allows specifying the target architecture during builds.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker build --platform linux/arm64 -t task-api-service . </code></pre> </div> <p>This forces Docker to build an ARM-compatible image.</p> <p>You can also define the platform inside Docker Compose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>services: fastapi-app: build: context: . platform: linux/arm64 ports: - "8088:8080" </code></pre> </div> <p>🛠 Troubleshooting Docker Daemon Issues</p> <p>During testing, I encountered an error like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cannot connect to the Docker daemon at unix:///var/run/docker.sock </code></pre> </div> <p>This usually means the Docker daemon is not running.</p> <p>To verify Docker status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo systemctl status docker </code></pre> </div> <p>If the service is inactive, restart it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo systemctl restart docker </code></pre> </div> <p>Then confirm Docker is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker ps </code></pre> </div> <p>🔐 Fixing Docker Permission Issues</p> <p>Another common issue occurs when Docker commands require sudo.</p> <p>This happens because the user is not part of the Docker group.</p> <p>To fix it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo usermod -aG docker $USER </code></pre> </div> <p>Then reload the shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>newgrp docker </code></pre> </div> <p>Now Docker commands can run without sudo.</p> <p>🌍 Best Practice: Multi-Architecture Docker Images</p> <p>Instead of building separate images for ARM and x86 systems, Docker allows multi-architecture builds.</p> <p>Using Docker Buildx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker buildx build \ --platform linux/amd64,linux/arm64 \ -t myrepo/task-api-service:latest \ --push . </code></pre> </div> <p>This creates a single image compatible with multiple architectures.</p> <p>Official Docker images such as:</p> <ul> <li>Python</li> <li>Node.js</li> <li>Nginx</li> </ul> <p>all use this approach.</p> <p>🧠 Final Thoughts</p> <p>Docker makes it easy to package and deploy applications consistently, but architecture differences can sometimes introduce unexpected issues.</p> <p>A few key lessons from this experience:</p> <ul> <li>Always check system architecture using uname -m</li> <li>Use Docker Compose for easier container management</li> <li>Ensure the Docker daemon is running before troubleshooting builds</li> <li>Consider multi-architecture images for production deployments</li> </ul> <p>By understanding these concepts, you can ensure your containerized applications run smoothly across different environments, cloud platforms, and development machines.</p> docker fastapi python tutorial 🚀 Real-Time Data Replication Using MySQL, Debezium, Kafka, and Docker (CDC Guide) POTHURAJU JAYAKRISHNA YADAV Fri, 20 Feb 2026 03:11:12 +0000 https://forem.com/aws-builders/real-time-data-replication-using-mysql-debezium-kafka-and-docker-cdc-guide-4i88 https://forem.com/aws-builders/real-time-data-replication-using-mysql-debezium-kafka-and-docker-cdc-guide-4i88 <h2> 📌 Introduction </h2> <p>Modern applications often need data to move between systems in real time — analytics platforms, microservices, search indexes, or backup databases.</p> <p>Traditional approaches like batch jobs or cron-based sync introduce delays, inconsistencies, and operational complexity.</p> <p>This is where <strong>Change Data Capture (CDC)</strong> becomes powerful.</p> <p>In this article, we’ll build a simple but powerful <strong>real-time database replication pipeline</strong> using:</p> <ul> <li>MySQL</li> <li>Debezium</li> <li>Apache Kafka</li> <li>Kafka Connect (JDBC Sink)</li> <li>Docker Compose</li> </ul> <p>By the end, you’ll have a working system that automatically replicates inserts, updates, and deletes from one database to another.</p> <h1> 🔥 What is Change Data Capture (CDC)? </h1> <p>Change Data Capture is a technique used to capture database changes (INSERT, UPDATE, DELETE) and stream them to other systems in real time.</p> <p>Instead of polling the database repeatedly, CDC reads the <strong>database transaction log</strong> (binlog in MySQL).</p> <p>This makes CDC:</p> <p>✅ Real-time<br> ✅ Efficient<br> ✅ Reliable<br> ✅ Scalable</p> <h1> ❓ Why Do We Need CDC? </h1> <p>Common use cases:</p> <ul> <li>Real-time analytics pipelines</li> <li>Microservices data synchronization</li> <li>Data warehousing</li> <li>Cache invalidation</li> <li>Event-driven architectures</li> <li>Search indexing (Elasticsearch)</li> <li>Zero-downtime migrations</li> </ul> <p>Without CDC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App → DB → Batch Job → Other Systems </code></pre> </div> <p>With CDC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App → DB → CDC Stream → Multiple Systems </code></pre> </div> <p>Much faster and cleaner.</p> <h1> 🏗 Architecture Overview </h1> <p>We will build the following pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MySQL Source ↓ (binlog) Debezium Connector ↓ Kafka Topic ↓ JDBC Sink Connector ↓ MySQL Target </code></pre> </div> <h1> 🐳 Step 1 — Docker Compose Setup </h1> <p>We’ll run everything using Docker so the setup is easy and reproducible.</p> <p>Create a file called <strong>docker-compose.yml</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">zookeeper</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">confluentinc/cp-zookeeper:7.5.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">ZOOKEEPER_CLIENT_PORT</span><span class="pi">:</span> <span class="m">2181</span> <span class="na">kafka</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">confluentinc/cp-kafka:7.5.0</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">zookeeper</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9092:9092"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">KAFKA_BROKER_ID</span><span class="pi">:</span> <span class="m">1</span> <span class="na">KAFKA_ZOOKEEPER_CONNECT</span><span class="pi">:</span> <span class="s">zookeeper:2181</span> <span class="na">KAFKA_LISTENERS</span><span class="pi">:</span> <span class="s">PLAINTEXT://0.0.0.0:9092</span> <span class="na">KAFKA_ADVERTISED_LISTENERS</span><span class="pi">:</span> <span class="s">PLAINTEXT://localhost:9092</span> <span class="na">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span><span class="pi">:</span> <span class="m">1</span> <span class="na">mysql-source</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mysql:8.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MYSQL_ROOT_PASSWORD</span><span class="pi">:</span> <span class="s">root</span> <span class="na">MYSQL_DATABASE</span><span class="pi">:</span> <span class="s">company</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">--server-id=1</span> <span class="s">--log-bin=mysql-bin</span> <span class="s">--binlog-format=ROW</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3306:3306"</span> <span class="na">mysql-target</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mysql:8.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MYSQL_ROOT_PASSWORD</span><span class="pi">:</span> <span class="s">root</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3307:3306"</span> <span class="na">connect</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">debezium/connect:2.5</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka</span> <span class="pi">-</span> <span class="s">mysql-source</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8083:8083"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">BOOTSTRAP_SERVERS</span><span class="pi">:</span> <span class="s">kafka:9092</span> <span class="na">GROUP_ID</span><span class="pi">:</span> <span class="m">1</span> <span class="na">CONFIG_STORAGE_TOPIC</span><span class="pi">:</span> <span class="s">connect_configs</span> <span class="na">OFFSET_STORAGE_TOPIC</span><span class="pi">:</span> <span class="s">connect_offsets</span> <span class="na">STATUS_STORAGE_TOPIC</span><span class="pi">:</span> <span class="s">connect_status</span> </code></pre> </div> <p>Start everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Give it ~30 seconds for services to fully start.</p> <h1> 🗄 Step 2 — Create Database and Table (Source) </h1> <p>Because MySQL is running inside Docker, we execute commands using Docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec</span> <span class="nt">-T</span> mysql-source mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> CREATE DATABASE IF NOT EXISTS company; USE company; CREATE TABLE IF NOT EXISTS employees ( id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(100), email VARCHAR(100), created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); </span><span class="no">EOF </span>docker compose <span class="nb">exec</span> <span class="nt">-T</span> mysql-target mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> CREATE DATABASE IF NOT EXISTS company; USE company; DROP TABLE IF EXISTS employees; CREATE TABLE employees ( id INT PRIMARY KEY, name VARCHAR(100), email VARCHAR(100), created_at TIMESTAMP NULL ); </span><span class="no">EOF </span></code></pre> </div> <p>Insert some sample data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-source mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" USE company; INSERT INTO employees(name,email) VALUES ('John Doe','john@example.com'); "</span> </code></pre> </div> <h1> 🔌 Step 3 — Configure Debezium Source Connector </h1> <p>This connector reads MySQL binlog and publishes events into Kafka.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8083/connectors <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "name": "mysql-connector", "config": { "connector.class": "io.debezium.connector.mysql.MySqlConnector", "database.hostname": "mysql-source", "database.port": "3306", "database.user": "root", "database.password": "root", "database.server.id": "184054", "topic.prefix": "dbserver1", "database.include.list": "company", "table.include.list": "company.employees", "schema.history.internal.kafka.bootstrap.servers": "kafka:9092", "schema.history.internal.kafka.topic": "schema-changes.company", "transforms": "unwrap", "transforms.unwrap.type": "io.debezium.transforms.ExtractNewRecordState" } }'</span> </code></pre> </div> <p>Kafka topic created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dbserver1.company.employees </code></pre> </div> <h1> 🎯 Step 4 — Configure Sink Connector (Target MySQL) </h1> <p>Create target database first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-target mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" CREATE DATABASE IF NOT EXISTS company; "</span> </code></pre> </div> <p>Then create the sink connector:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8083/connectors <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "name": "mysql-sink", "config": { "connector.class": "io.debezium.connector.jdbc.JdbcSinkConnector", "topics": "dbserver1.company.employees", "connection.url": "jdbc:mysql://mysql-target:3306/company", "connection.username": "root", "connection.password": "root", "insert.mode": "upsert", "delete.enabled": "true", "primary.key.mode": "record_key", "primary.key.fields": "id", "auto.create": "true", "auto.evolve": "true", "table.name.format": "employees" } }'</span> </code></pre> </div> <h1> ⚠️ Important — Restart Connector if Needed </h1> <p>Sometimes connectors fail initially due to schema timing or table issues.</p> <p>Restart connector:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> <span class="s2">"http://localhost:8083/connectors/mysql-sink/restart?includeTasks=true"</span> </code></pre> </div> <p>Check status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8083/connectors/mysql-sink/status </code></pre> </div> <p>This is completely normal when working with Kafka Connect.</p> <h1> 🧪 Step 5 — Test Real-Time Replication </h1> <h3> Insert </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-source mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" USE company; INSERT INTO employees(name,email) VALUES ('Alice','alice@test.com'); "</span> </code></pre> </div> <h3> Update </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-source mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" USE company; UPDATE employees SET name='Updated User' WHERE id=1; "</span> </code></pre> </div> <h3> Delete </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-source mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" USE company; DELETE FROM employees WHERE id=2; "</span> </code></pre> </div> <h1> 📥 Verify Data in Target </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nb">exec </span>mysql-target mysql <span class="nt">-uroot</span> <span class="nt">-proot</span> <span class="nt">-e</span> <span class="s2">" USE company; SELECT * FROM employees; "</span> </code></pre> </div> <p>If data doesn’t appear immediately:</p> <ol> <li>Wait a few seconds</li> <li>Restart connector</li> <li>Try again</li> </ol> <h1> 🧠 How It Works Internally </h1> <ol> <li>MySQL writes change to binlog</li> <li>Debezium reads binlog</li> <li>Kafka stores event</li> <li>Sink connector consumes event</li> <li>JDBC writes to target DB</li> </ol> <p>All within seconds.</p> <h1> ⚠️ Lessons Learned </h1> <p>During setup we faced:</p> <ul> <li>Connector schema issues</li> <li>Table mapping problems</li> <li>Sink auto-creation failures</li> <li>Connector crashes</li> </ul> <p>Key learnings:</p> <ul> <li>Always unwrap Debezium events</li> <li>Pre-create tables in production</li> <li>Restart connector tasks when failed</li> <li>Understand topic naming</li> </ul> <h1> 🚀 Production Best Practices </h1> <ul> <li>Use Schema Registry</li> <li>Enable monitoring</li> <li>Use DLQ</li> <li>Use migration tools</li> <li>Secure credentials</li> </ul> <h1> ✅ Conclusion </h1> <p>CDC enables real-time data movement with minimal overhead.</p> <p>Debezium + Kafka provides:</p> <ul> <li>Scalability</li> <li>Reliability</li> <li>Low latency</li> <li>Event-driven architecture</li> </ul> <p>This pattern is widely used in modern distributed systems.</p> <h1> 🙌 Final Thoughts </h1> <p>If you are working in:</p> <ul> <li>Data Engineering</li> <li>DevOps</li> <li>Backend Systems</li> <li>Platform Engineering</li> </ul> <p>Learning CDC is extremely valuable.</p> <p>⭐ If you enjoyed this article, feel free to connect and share your feedback!</p> kafka mysql docker microservices Zero‑Downtime Deployments on AKS with Azure Application Gateway Ingress Controller (AGIC) POTHURAJU JAYAKRISHNA YADAV Fri, 23 Jan 2026 15:10:27 +0000 https://forem.com/jayakrishnayadav24/zero-downtime-deployments-on-aks-with-azure-application-gateway-ingress-controller-agic-on5 https://forem.com/jayakrishnayadav24/zero-downtime-deployments-on-aks-with-azure-application-gateway-ingress-controller-agic-on5 <h2> Background </h2> <p>While deploying applications on <strong>Azure Kubernetes Service (AKS)</strong> behind <strong>Azure Application Gateway Ingress Controller (AGIC)</strong>, I repeatedly faced <strong>brief but noticeable downtime</strong> during deployments.</p> <p>The issue was not with Kubernetes itself, but with <strong>how AGIC updates backend pool IPs</strong> when pods are replaced during a deployment.</p> <p>By default, during a rollout:</p> <ul> <li>Old pods are terminated</li> <li>New pods come up with new IPs</li> <li>AGIC takes <strong>around 30 seconds</strong> (sometimes more) to detect and update these new pod IPs in Application Gateway</li> </ul> <p>During this window, Application Gateway may still route traffic to terminating pods → resulting in <strong>5xx errors or downtime</strong>.</p> <h2> The Root Cause </h2> <p>Let’s understand what was happening internally:</p> <ol> <li>Kubernetes starts terminating old pods</li> <li>Pods are removed from Endpoints</li> <li> <strong>AGIC needs time</strong> to:</li> </ol> <ul> <li>Detect endpoint changes</li> <li>Update Application Gateway backend pool</li> <li>Push config updates <ol> <li>Meanwhile, traffic is still flowing</li> </ol> </li> </ul> <p>If pods terminate <strong>too fast</strong>, Application Gateway temporarily has <strong>no healthy backend</strong>, causing downtime.</p> <h2> The Strategy That Fixed It </h2> <p>After digging into this and testing a few approaches in production, I implemented <strong>three small but very effective changes</strong> in my Deployment YAML:</p> <h3> 1. RollingUpdate Strategy </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">0</span> </code></pre> </div> <p><strong>Why this matters:</strong></p> <ul> <li>Ensures <strong>at least one pod is always available</strong> </li> <li>New pod comes up <strong>before</strong> old pod is removed</li> </ul> <h3> 2. Increased Termination Grace Period </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">terminationGracePeriodSeconds</span><span class="pi">:</span> <span class="m">300</span> </code></pre> </div> <p><strong>Why this matters:</strong></p> <ul> <li>Gives Kubernetes <strong>5 minutes</strong> before force‑killing the pod</li> <li>Allows existing connections to complete</li> <li>Buys time for AGIC to update backend pool</li> </ul> <h3> 3. preStop Hook to Delay Pod Shutdown </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">lifecycle</span><span class="pi">:</span> <span class="na">preStop</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">280"</span><span class="pi">]</span> </code></pre> </div> <p><strong>Why this matters:</strong></p> <ul> <li>Pod stays in <code>Terminating</code> state for ~280 seconds</li> <li>Application Gateway continues routing traffic safely</li> <li>AGIC finishes updating new pod IPs before traffic stops</li> </ul> <h2> What Changed After This? </h2> <p>After applying this configuration in production, the difference was immediately noticeable:</p> <p>✅ No more deployment‑time downtime</p> <p>✅ Zero 502 / 504 errors from Application Gateway</p> <p>✅ Smooth traffic transition between old and new pods</p> <p>✅ AGIC gets enough time to sync backend pool changes</p> <p>Even during peak traffic, deployments became <strong>completely seamless</strong>.</p> <h2> Why This Is Important for AGIC Users </h2> <p>AGIC is <strong>not instant</strong>. It operates asynchronously and depends on:</p> <ul> <li>Kubernetes endpoint updates</li> <li>ARM / Application Gateway config propagation</li> </ul> <p>So <strong>fast pod termination = broken traffic</strong>.</p> <p>This pattern ensures:</p> <blockquote> <p><em>“Never kill a pod until the load balancer has fully learned about the new one.”</em></p> </blockquote> <h2> Final Thoughts (From Real Experience) </h2> <p>If you are using:</p> <ul> <li>AKS</li> <li>Azure Application Gateway</li> <li>AGIC</li> </ul> <p>and facing <strong>deployment‑time downtime</strong>, this approach is <strong>mandatory</strong>, not optional.</p> <p>Kubernetes already gives us the right tools — we just need to tune them correctly based on how cloud load balancers like Application Gateway behave in the real world.</p> <p>Happy deploying 🚀</p> <p>Let me know if you want a version with:</p> <ul> <li>Diagrams</li> <li>AGIC internals</li> <li>Comparison with NGINX ingress</li> <li>Real production metrics</li> </ul> azure aks devops agic Reducing Sentry APM Costs in FastAPI by Sending Only What Matters POTHURAJU JAYAKRISHNA YADAV Thu, 08 Jan 2026 06:41:51 +0000 https://forem.com/jayakrishnayadav24/reducing-sentry-apm-costs-in-fastapi-by-sending-only-what-matters-2lmm https://forem.com/jayakrishnayadav24/reducing-sentry-apm-costs-in-fastapi-by-sending-only-what-matters-2lmm <p>When I first enabled managed Sentry APM for a FastAPI application, the visibility felt amazing.<br> Every request was traced. Every endpoint had performance data.</p> <p>But that excitement didn’t last long.</p> <p>After a few days in production, I realized something important:</p> <p>Most of my Sentry APM usage was coming from perfectly healthy, fast requests that I never looked at again.</p> <p>Successful GETs, quick POSTs, OpenAPI calls — all of them were being sent to Sentry, eating up the quota and increasing cost without providing real value.</p> <p>So instead of scaling my Sentry plan, I chose a different approach:</p> <p>👉 Send fewer transactions, but send the right ones.</p> <h2> The Real Problem with Default APM </h2> <p>By default, Sentry APM is very generous:</p> <ul> <li>Every request becomes a transaction</li> <li>Even sub-second successful calls are recorded</li> <li>Docs and schema endpoints are also traced</li> </ul> <p>For high-traffic APIs, this quickly turns into:</p> <ul> <li>Large transaction volume</li> <li>Faster quota exhaustion</li> <li>Paying for noise instead of insight</li> </ul> <p>In reality, I only needed visibility into:</p> <ul> <li>Requests that fail (5xx)</li> <li>Requests that are slow</li> <li>Anything abnormal or risky</li> </ul> <p>Everything else was just background noise.</p> <h2> The Cost-Saving Strategy </h2> <p>I defined very simple rules:</p> <h2> Always Send to Sentry </h2> <ul> <li>Any request returning 5xx</li> <li>Any request taking more than 5 seconds</li> </ul> <h2> Drop from Sentry </h2> <ul> <li>Fast GET / POST / PUT requests</li> <li>Successful requests completing under 3 seconds</li> <li>/docs and /openapi.json endpoints</li> </ul> <p>This keeps Sentry focused on problems, not traffic volume.</p> <h2> Why Two Middlewares Are Required </h2> <p>This part is important and often misunderstood.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app.add_middleware(SentryAsgiMiddleware) app.add_middleware(TimingMiddleware) </code></pre> </div> <p>These two middlewares do different jobs, and both are required.</p> <h2> SentryAsgiMiddleware – Enables APM </h2> <p>SentryAsgiMiddleware is what actually:</p> <ul> <li>Starts and finishes Sentry transactions</li> <li>Hooks into the ASGI request lifecycle</li> <li>Sends performance data to Sentry</li> </ul> <p>Without this middleware:</p> <ul> <li>No transactions are created</li> <li>before_send_transaction is never called</li> <li>APM simply does not work</li> </ul> <p>In short:</p> <p>No SentryAsgiMiddleware = No APM</p> <h2> TimingMiddleware – Adds Intelligence </h2> <p>The second middleware is custom.</p> <p>It measures the real execution time of each request and attaches it to the Sentry scope.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>class TimingMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next): start_time = time.time() response = await call_next(request) duration = time.time() - start_time with sentry_sdk.configure_scope() as scope: scope.set_extra("duration", duration) return response </code></pre> </div> <p>Why this is needed:</p> <ul> <li>Execution time is required to decide whether a request is “important”</li> <li>Sentry’s internal timing isn’t easily usable for filtering</li> <li>Without this, cost-control logic becomes guesswork</li> </ul> <p>Think of it this way:</p> <ul> <li>SentryAsgiMiddleware is the pipeline</li> <li>TimingMiddleware is the brain</li> </ul> <h2> Filtering Transactions Before They Are Sent </h2> <p>Sentry provides a hook called before_send_transaction.<br> This runs just before a transaction is sent to Sentry and allows you to drop it.</p> <p>This is where the cost optimization happens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def before_send_transaction(event, hint): transaction_name = event.get("transaction", "") request_method = event.get("request", {}).get("method", "") status_code = event.get("contexts", {}).get("response", {}).get("status_code", 0) duration = event.get("extra", {}).get("duration") # Ignore docs and schema if "/docs" in transaction_name or "/openapi.json" in transaction_name: return None # Always send server errors if 500 &lt;= status_code &lt;= 599: return event # Send slow requests if duration and duration &gt; 5: return event # Drop fast successful requests if request_method in ["GET", "POST", "PUT"] \ and 200 &lt;= status_code &lt; 400 \ and duration and duration &lt; 3: return None return event </code></pre> </div> <p>If this function returns:</p> <ul> <li>event → transaction is sent</li> <li>None → transaction is dropped</li> </ul> <p>Simple, predictable, and fully under your control.</p> <p>Initializing Sentry with Custom Filtering<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sentry_sdk.init( dsn="SENTRY_DSN", send_default_pii=True, traces_sample_rate=1.0, before_send_transaction=before_send_transaction, ) </code></pre> </div> <p>Instead of relying on random sampling, this approach gives deterministic filtering based on real behavior.</p> <h2> What Changed After This </h2> <h2> Lower Cost </h2> <p>Transaction volume dropped sharply.<br> Sentry usage slowed down immediately.</p> <h2> Cleaner Dashboards </h2> <p>Only slow or failing requests appeared.<br> Debugging became easier, not harder.</p> <p>Better Signal</p> <p>Every transaction in Sentry now means:</p> <ul> <li>“This is worth looking at.”</li> </ul> <h2> When This Approach Makes Sense </h2> <p>This works best when:</p> <ul> <li>Your API traffic is high</li> <li>Most requests are successful and fast</li> <li>You care more about issues than metrics</li> </ul> <p>If you want every request traced forever, this is not the right approach.<br> If you want useful observability without burning money, it absolutely is.</p> <p>Final Thoughts</p> <p>APM should help you find problems, not create new ones in your billing dashboard.</p> <h2> By combining: </h2> <ul> <li>SentryAsgiMiddleware</li> <li>A simple timing middleware</li> <li>before_send_transaction</li> </ul> <h2> You turn Sentry from: </h2> <p>“collect everything”<br> into<br> “collect what actually matters”</p> <p>And that small change makes a huge difference in real production systems.</p> sentry python Automating S3 Data Retention by Prefix Using Python (DevOps Automation Story) POTHURAJU JAYAKRISHNA YADAV Thu, 08 Jan 2026 06:25:05 +0000 https://forem.com/jayakrishnayadav24/automating-s3-data-retention-by-prefix-using-python-devops-automation-story-3kjk https://forem.com/jayakrishnayadav24/automating-s3-data-retention-by-prefix-using-python-devops-automation-story-3kjk <p>In many production systems, object storage slowly becomes a dumping ground.</p> <p>Logs, reports, media files, exports — everything lands in the same S3 bucket, but not all data needs to live forever. The real challenge is not deleting data, but deleting the right data at the right time, without relying on manual processes.</p> <p>This post explains how I automated folder-level retention policies in Amazon S3 using Python, turning a repetitive console task into a clean, auditable automation.</p> <p>The scenario (fictional but realistic)</p> <p>Imagine a shared S3 bucket used by multiple internal teams:</p> <p>company-shared-storage/<br> ├── analytics/<br> ├── audit-logs/<br> ├── temp-exports/<br> ├── media-processing/<br> └── legal-archive/</p> <p>Each folder has a different data lifecycle requirement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Prefix Retention &gt; analytics/ 3 months &gt; audit-logs/ 6 months &gt; temp-exports/ 30 days &gt; media-processing/ 90 days &gt; legal-archive/ retain forever </code></pre> </div> <p>Managing this manually in the AWS Console does not scale and is easy to misconfigure.</p> <p>Why automation was necessary</p> <p>Manually configuring lifecycle rules:</p> <ul> <li>Requires repetitive console work</li> <li>Is difficult to review and audit</li> <li>Does not fit infrastructure-as-code practices</li> <li>Is error-prone during changes</li> </ul> <p>So instead of treating retention as a one-time setup, I treated it as automation logic.</p> <p>Important constraints to understand first</p> <p>Before writing any automation, it’s critical to understand how S3 behaves:</p> <ul> <li>S3 lifecycle expiration is based on object creation time</li> <li>It does not track last access or last modification</li> <li>S3 has no real folders — only prefixes</li> <li>Lifecycle rules delete objects, not folders</li> <li>Buckets without versioning only need “expire current versions”</li> </ul> <p>Designing automation without knowing this leads to surprises later.</p> <p>Automation design approach</p> <p>The goal was simple:</p> <ul> <li>Define retention rules as data</li> <li>Convert retention into lifecycle policies programmatically</li> <li>Skip prefixes that should never be touched</li> <li>Make the process repeatable and reviewable</li> </ul> <p>Retention rules were expressed in a simple mapping structure, not hardcoded logic.</p> <p>Python automation example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import boto3 bucket_name = "company-shared-storage" profile = "prod-profile" retention_map = { "analytics/": 90, "audit-logs/": 180, "temp-exports/": 30, "media-processing/": 90, "legal-archive/": None } session = boto3.Session(profile_name=profile) s3 = session.client("s3") rules = [] for prefix, days in retention_map.items(): if not days: continue rules.append({ "ID": f"expire-{prefix.strip('/')}-{days}-days", "Status": "Enabled", "Filter": {"Prefix": prefix}, "Expiration": {"Days": days} }) if rules: s3.put_bucket_lifecycle_configuration( Bucket=bucket_name, LifecycleConfiguration={"Rules": rules} ) </code></pre> </div> <p>What this automation achieves</p> <ul> <li>Objects under analytics/ are deleted after 90 days</li> <li>Objects under audit-logs/ are deleted after 180 days</li> <li>Objects under legal-archive/ are never deleted</li> <li>Overwriting an object resets its expiration timer</li> <li>Lifecycle execution is handled asynchronously by S3 No human intervention required after setup.</li> </ul> <p>Why this is real automation</p> <p>This approach:</p> <ul> <li>Removes manual AWS Console dependency</li> <li>Makes retention policy code-driven</li> <li>Allows easy updates through version control</li> <li>Reduces the risk of accidental data loss</li> <li>Aligns with Infrastructure-as-Code principles</li> </ul> <p>Retention stops being “someone’s responsibility” and becomes system behavior.</p> <p>Key lessons learned</p> <ul> <li>Lifecycle policies are based on creation time, not inactivity</li> <li>Prefix-based retention works well when automation-driven</li> <li>Empty retention should explicitly mean “no rule”</li> <li>Lifecycle rules overwrite existing configuration — automation must be intentional</li> </ul> <p>Where this can be extended</p> <p>This automation can easily evolve into:</p> <ul> <li>Reading retention from a CSV or database</li> <li>A scheduled compliance check</li> <li>Validation against existing lifecycle rules</li> <li>Integration into CI/CD pipelines</li> </ul> <p>Final takeaway</p> <p>S3 lifecycle policies are powerful, but their real value comes when they are automated, not manually configured.</p> <p>Small automations like this reduce operational overhead and prevent long-term storage sprawl — which is exactly what good DevOps is about.</p> aws automation python devops