Forem: Foster Kojo Luh The latest articles on Forem by Foster Kojo Luh (@kojoluh). https://forem.com/kojoluh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1124865%2Fe1626403-9f52-4c0a-b68b-eb94437a3382.jpeg Forem: Foster Kojo Luh https://forem.com/kojoluh en Building Production-Ready Kubernetes Infrastructure with Pulumi, AWS, and TypeScript Foster Kojo Luh Sat, 05 Jul 2025 17:20:25 +0000 https://forem.com/kojoluh/building-production-ready-kubernetes-infrastructure-with-pulumi-aws-and-typescript-3nng https://forem.com/kojoluh/building-production-ready-kubernetes-infrastructure-with-pulumi-aws-and-typescript-3nng <h1> Building Production-Ready Kubernetes Infrastructure with Pulumi and TypeScript </h1> <p><em>How to create a cost-optimized, secure, and scalable EKS cluster that's ready for production workloads</em></p> <p><em>"Infrastructure as Code is like having a recipe for your restaurant. You don't want your chef to wing it every night - unless you're running a 'Surprise Kitchen' and your customers are into that kind of chaos."</em></p> <h2> Introduction </h2> <p>Kubernetes has become the de facto standard for container orchestration, but setting up a production-ready cluster on AWS can be complex and time-consuming. It's like trying to assemble IKEA furniture without the instructions - you'll get there eventually, but there will be tears, broken parts, and probably a divorce.</p> <p>In this guide, we'll walk through building a complete Kubernetes infrastructure using <strong>Pulumi</strong> and <strong>TypeScript</strong> that includes cost optimization, security best practices, comprehensive monitoring, and CI/CD automation. Think of it as the "IKEA instructions" for your cloud infrastructure.</p> <p>By the end of this post, you'll have a production-ready EKS cluster that can handle real-world workloads while maintaining security, cost efficiency, and operational excellence. And hopefully, your marriage will still be intact.</p> <h2> Why This Approach? </h2> <h3> The Challenge </h3> <p>Traditional infrastructure setup often involves:</p> <ul> <li>Manual AWS console configuration (clicking buttons like you're playing a slot machine)</li> <li>Inconsistent deployments across environments (because who needs consistency, right?)</li> <li>Security gaps and compliance issues (it's not a bug, it's a feature!)</li> <li>High costs without optimization (money is just a social construct anyway)</li> <li>Limited monitoring and observability (ignorance is bliss, until it's not)</li> </ul> <h3> Our Solution </h3> <p>We'll use <strong>Infrastructure as Code (IaC)</strong> with Pulumi to create:</p> <ul> <li> <strong>Cost-optimized EKS cluster</strong> with Spot instances (because we're not made of money)</li> <li> <strong>Enhanced security</strong> with WAF, CloudTrail, and GuardDuty (paranoia is just good planning)</li> <li> <strong>Comprehensive monitoring</strong> with CloudWatch dashboards (we're watching you, infrastructure)</li> <li> <strong>Automated CI/CD</strong> with GitHub Actions (because manual deployments are so 2010)</li> <li> <strong>Modular architecture</strong> for easy maintenance (like LEGO, but for grown-ups)</li> </ul> <h2> Prerequisites </h2> <p>Before we begin, ensure you have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Node.js 20.11.0+ (because we're not savages using Node 14)</span> nvm use 20.11.0 <span class="c"># Pulumi CLI (the magic wand for infrastructure)</span> npm <span class="nb">install</span> <span class="nt">-g</span> @pulumi/pulumi <span class="c"># AWS CLI configured (because clicking buttons is so passé)</span> aws configure <span class="c"># kubectl for cluster management (the Swiss Army knife of Kubernetes)</span> brew <span class="nb">install </span>kubectl </code></pre> </div> <p><em>Pro tip: If you're still using AWS CLI v1, you're basically driving a horse and buggy on the information superhighway.</em></p> <h2> Step 1: Project Structure and Setup </h2> <p>Let's start by creating a well-organized project structure. Because chaos is so last season.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubernetes-infrastructure/ ├── modules/ │ ├── eks.ts # EKS cluster configuration (the main event) │ ├── network.ts # VPC and networking (the plumbing) │ ├── security.ts # Security components (the bouncer) │ └── monitoring.ts # CloudWatch dashboards (the surveillance system) ├── __tests__/ # Comprehensive test suite (because we're not gamblers) ├── scripts/ # Deployment automation (laziness is a virtue) ├── .github/workflows/ # CI/CD pipeline (the assembly line) └── config.ts # Centralized configuration (the control center) </code></pre> </div> <h3> Initialize the Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>kubernetes-infrastructure <span class="nb">cd </span>kubernetes-infrastructure npm init <span class="nt">-y</span> npm <span class="nb">install</span> @pulumi/pulumi @pulumi/aws @pulumi/awsx npm <span class="nb">install</span> <span class="nt">--save-dev</span> typescript @types/node jest </code></pre> </div> <p><em>This is like setting up your kitchen before you start cooking. You don't want to be running around looking for a spatula when your code is on fire.</em></p> <h2> Step 2: Core Infrastructure Components </h2> <h3> Network Layer (VPC with AWSX) </h3> <p>We'll use AWSX for simplified VPC creation with best practices. It's like having a sous chef who knows exactly what you need before you ask.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// modules/network.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">awsx</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@pulumi/awsx</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">NetworkStack</span> <span class="kd">extends</span> <span class="nc">pulumi</span><span class="p">.</span><span class="nx">ComponentResource</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpcId</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">Output</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">privateSubnetIds</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">Output</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">publicSubnetIds</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">Output</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">args</span><span class="p">:</span> <span class="nx">NetworkStackArgs</span><span class="p">,</span> <span class="nx">opts</span><span class="p">?:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">ComponentResourceOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="dl">"</span><span class="s2">kubernetes:network:NetworkStack</span><span class="dl">"</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="p">{},</span> <span class="nx">opts</span><span class="p">);</span> <span class="c1">// Create VPC with AWSX best practices</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">awsx</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-vpc`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cidrBlock</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">vpcCidr</span><span class="p">,</span> <span class="na">numberOfAvailabilityZones</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// Because two is company, three is a party</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="na">mapPublicIpOnLaunch</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1">// The front door</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">private</span><span class="dl">"</span><span class="p">,</span> <span class="na">mapPublicIpOnLaunch</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// The back room</span> <span class="p">],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-vpc`</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Network</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="c1">// Export values for other modules</span> <span class="c1">// Like leaving breadcrumbs for Hansel and Gretel</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcId</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">privateSubnetIds</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnetIds</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">publicSubnetIds</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">publicSubnetIds</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> EKS Cluster with Cost Optimization </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// modules/eks.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">EksCluster</span> <span class="kd">extends</span> <span class="nc">pulumi</span><span class="p">.</span><span class="nx">ComponentResource</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">cluster</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">Cluster</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">nodeGroup</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">NodeGroup</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">clusterName</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">Output</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">clusterEndpoint</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">Output</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">args</span><span class="p">:</span> <span class="nx">EksClusterArgs</span><span class="p">,</span> <span class="nx">opts</span><span class="p">?:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">ComponentResourceOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="dl">"</span><span class="s2">kubernetes:eks:EksCluster</span><span class="dl">"</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="p">{},</span> <span class="nx">opts</span><span class="p">);</span> <span class="c1">// Create EKS cluster</span> <span class="c1">// This is like building a restaurant - you need the kitchen (control plane) first</span> <span class="k">this</span><span class="p">.</span><span class="nx">cluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nc">Cluster</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-cluster`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-cluster-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">clusterVersion</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">1.29</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Because 1.28 is so last year</span> <span class="na">roleMappings</span><span class="p">:</span> <span class="p">[{</span> <span class="na">groups</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">system:masters</span><span class="dl">"</span><span class="p">],</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">clusterRoleArn</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="p">}],</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetIds</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">privateSubnetIds</span><span class="p">,</span> <span class="na">securityGroupIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">args</span><span class="p">.</span><span class="nx">clusterSecurityGroupId</span><span class="p">],</span> <span class="na">endpointPrivateAccess</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">endpointPublicAccess</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// We're not hermits</span> <span class="p">},</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-cluster`</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">EKS</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="c1">// Create cost-optimized node group</span> <span class="c1">// Using Spot instances because we're not made of money</span> <span class="c1">// It's like buying day-old bread - still good, just cheaper</span> <span class="k">this</span><span class="p">.</span><span class="nx">nodeGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nc">NodeGroup</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-nodegroup`</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterName</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">nodeGroupName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-nodegroup-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">nodeRoleArn</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">nodeRoleArn</span><span class="p">,</span> <span class="na">subnetIds</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">privateSubnetIds</span><span class="p">,</span> <span class="na">instanceTypes</span><span class="p">:</span> <span class="p">[</span><span class="nx">args</span><span class="p">.</span><span class="nx">nodeGroupInstanceType</span><span class="p">],</span> <span class="na">capacityType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SPOT</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// The budget-friendly option</span> <span class="na">scalingConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">desiredSize</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">nodeGroupDesiredCapacity</span><span class="p">,</span> <span class="na">maxSize</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">nodeGroupMaxSize</span><span class="p">,</span> <span class="na">minSize</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">nodeGroupMinSize</span> <span class="p">},</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-nodegroup`</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">EKS</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Security Implementation </h2> <h3> Multi-Layer Security Approach </h3> <p><em>"Security is like wearing a condom - it might not feel as good, but you'll thank yourself later."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// modules/security.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SecurityStack</span> <span class="kd">extends</span> <span class="nc">pulumi</span><span class="p">.</span><span class="nx">ComponentResource</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">wafWebAcl</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">wafv2</span><span class="p">.</span><span class="nx">WebAcl</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">cloudTrail</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudtrail</span><span class="p">.</span><span class="nx">Trail</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">guardDutyDetector</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">guardduty</span><span class="p">.</span><span class="nx">Detector</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">args</span><span class="p">:</span> <span class="nx">SecurityStackArgs</span><span class="p">,</span> <span class="nx">opts</span><span class="p">?:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">ComponentResourceOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="dl">"</span><span class="s2">kubernetes:security:SecurityStack</span><span class="dl">"</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="p">{},</span> <span class="nx">opts</span><span class="p">);</span> <span class="c1">// WAF for API protection</span> <span class="c1">// It's like having a bouncer at your API door</span> <span class="k">this</span><span class="p">.</span><span class="nx">wafWebAcl</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">wafv2</span><span class="p">.</span><span class="nc">WebAcl</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-web-acl`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-web-acl-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">REGIONAL</span><span class="dl">"</span><span class="p">,</span> <span class="na">defaultAction</span><span class="p">:</span> <span class="p">{</span> <span class="na">allow</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="c1">// Innocent until proven guilty</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RateLimitRule</span><span class="dl">"</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="p">{</span> <span class="na">block</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="c1">// You're cut off!</span> <span class="na">statement</span><span class="p">:</span> <span class="p">{</span> <span class="na">rateBasedStatement</span><span class="p">:</span> <span class="p">{</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">2000</span><span class="p">,</span> <span class="c1">// 2000 requests per 5 minutes</span> <span class="na">aggregateKeyType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">IP</span><span class="dl">"</span> <span class="c1">// By IP address, not by feelings</span> <span class="p">}</span> <span class="p">},</span> <span class="na">visibilityConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">cloudwatchMetricsEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RateLimitRule</span><span class="dl">"</span><span class="p">,</span> <span class="na">sampledRequestsEnabled</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Security</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="c1">// CloudTrail for audit logging</span> <span class="c1">// Because Big Brother is watching, and in this case, that's a good thing</span> <span class="k">this</span><span class="p">.</span><span class="nx">cloudTrail</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudtrail</span><span class="p">.</span><span class="nc">Trail</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-cloudtrail`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-cloudtrail-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">s3BucketName</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">cloudTrailBucketName</span><span class="p">,</span> <span class="na">includeGlobalServiceEvents</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">isMultiRegionTrail</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// We're watching everywhere</span> <span class="na">enableLogFileValidation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">eventSelectors</span><span class="p">:</span> <span class="p">[{</span> <span class="na">readWriteType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">All</span><span class="dl">"</span><span class="p">,</span> <span class="na">includeManagementEvents</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}],</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Security</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="c1">// GuardDuty for threat detection</span> <span class="c1">// Like having a security guard who never sleeps</span> <span class="k">this</span><span class="p">.</span><span class="nx">guardDutyDetector</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">guardduty</span><span class="p">.</span><span class="nc">Detector</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-guardduty`</span><span class="p">,</span> <span class="p">{</span> <span class="na">enable</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">findingPublishingFrequency</span><span class="p">:</span> <span class="dl">"</span><span class="s2">FIFTEEN_MINUTES</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Because threats don't wait</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Security</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 4: Monitoring and Observability </h2> <h3> Comprehensive CloudWatch Dashboards </h3> <p><em>"Monitoring is like having a dashboard in your car - you don't need to look at it all the time, but when something goes wrong, you'll be glad it's there."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// modules/monitoring.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MonitoringStack</span> <span class="kd">extends</span> <span class="nc">pulumi</span><span class="p">.</span><span class="nx">ComponentResource</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">dashboard</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nx">Dashboard</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">args</span><span class="p">:</span> <span class="nx">MonitoringStackArgs</span><span class="p">,</span> <span class="nx">opts</span><span class="p">?:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">ComponentResourceOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="dl">"</span><span class="s2">kubernetes:monitoring</span><span class="dl">"</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="p">{},</span> <span class="nx">opts</span><span class="p">);</span> <span class="c1">// Create comprehensive dashboard</span> <span class="c1">// It's like having a control room for your infrastructure</span> <span class="k">this</span><span class="p">.</span><span class="nx">dashboard</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Dashboard</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-dashboard`</span><span class="p">,</span> <span class="p">{</span> <span class="na">dashboardName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-dashboard-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">dashboardBody</span><span class="p">:</span> <span class="nx">pulumi</span><span class="p">.</span><span class="nx">interpolate</span><span class="s2">`{ "widgets": [ { "type": "metric", "properties": { "metrics": [ ["AWS/EKS", "cluster_cpu_utilization", "ClusterName", "</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">clusterName</span><span class="p">}</span><span class="s2">"], [".", "cluster_memory_utilization", ".", "."] ], "period": 300, "title": "Cluster Resource Utilization" } }, { "type": "metric", "properties": { "metrics": [ ["AWS/EKS", "cluster_failed_node_count", "ClusterName", "</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">clusterName</span><span class="p">}</span><span class="s2">"], [".", "cluster_active_node_count", ".", "."] ], "period": 300, "title": "Node Health Status" } } ] }`</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Monitoring</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="c1">// Create alarms for critical metrics</span> <span class="c1">// Because sometimes you need a wake-up call</span> <span class="k">this</span><span class="p">.</span><span class="nf">createAlarms</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">args</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">createAlarms</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">args</span><span class="p">:</span> <span class="nx">MonitoringStackArgs</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">alarms</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HighCPUUtilization</span><span class="dl">"</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cluster_cpu_utilization</span><span class="dl">"</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">High CPU utilization detected - your cluster is having a moment</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HighMemoryUtilization</span><span class="dl">"</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cluster_memory_utilization</span><span class="dl">"</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">High memory utilization detected - time for some spring cleaning</span><span class="dl">"</span> <span class="p">}</span> <span class="p">];</span> <span class="nx">alarms</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">alarm</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">MetricAlarm</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">alarm</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">alarm</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">args</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">comparisonOperator</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GreaterThanThreshold</span><span class="dl">"</span><span class="p">,</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="c1">// Two strikes and you're out</span> <span class="na">metricName</span><span class="p">:</span> <span class="nx">alarm</span><span class="p">.</span><span class="nx">metricName</span><span class="p">,</span> <span class="na">namespace</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS/EKS</span><span class="dl">"</span><span class="p">,</span> <span class="na">period</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Average</span><span class="dl">"</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="nx">alarm</span><span class="p">.</span><span class="nx">threshold</span><span class="p">,</span> <span class="na">alarmDescription</span><span class="p">:</span> <span class="nx">alarm</span><span class="p">.</span><span class="nx">description</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">Component</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Monitoring</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">parent</span><span class="p">:</span> <span class="k">this</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 5: Cost Optimization Strategies </h2> <h3> Spot Instances and Auto Scaling </h3> <p><em>"Cost optimization is like being frugal at a buffet - you want to get your money's worth, but you don't want to be that person who takes all the shrimp."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Cost optimization in EKS configuration</span> <span class="kd">const</span> <span class="nx">costOptimizedConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Use Spot instances for up to 90% cost savings</span> <span class="c1">// It's like buying airline tickets on the day of the flight</span> <span class="na">capacityType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SPOT</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Smaller instance types for dev environments</span> <span class="c1">// Because your dev environment doesn't need to be a muscle car</span> <span class="na">instanceTypes</span><span class="p">:</span> <span class="nx">isDev</span> <span class="p">?</span> <span class="p">[</span><span class="dl">"</span><span class="s2">t3.small</span><span class="dl">"</span><span class="p">]</span> <span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">t3.medium</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// Reduced node counts for dev</span> <span class="c1">// One server is enough for development, unless you're testing how fast you can break things</span> <span class="na">scalingConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">desiredSize</span><span class="p">:</span> <span class="nx">isDev</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">maxSize</span><span class="p">:</span> <span class="nx">isDev</span> <span class="p">?</span> <span class="mi">3</span> <span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">minSize</span><span class="p">:</span> <span class="nx">isDev</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> <span class="c1">// Single NAT Gateway to reduce costs</span> <span class="c1">// Because one gateway is enough, unless you're running a toll booth business</span> <span class="na">natGatewayStrategy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">single</span><span class="dl">"</span> <span class="p">};</span> </code></pre> </div> <h3> Resource Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Pod disruption budgets for controlled scaling</span> <span class="c1">// It's like having a "Do Not Disturb" sign for your pods</span> <span class="kd">const</span> <span class="nx">podDisruptionBudget</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">k8s</span><span class="p">.</span><span class="nx">policy</span><span class="p">.</span><span class="nx">v1</span><span class="p">.</span><span class="nc">PodDisruptionBudget</span><span class="p">(</span><span class="dl">"</span><span class="s2">app-pdb</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">spec</span><span class="p">:</span> <span class="p">{</span> <span class="na">minAvailable</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// At least one pod must survive</span> <span class="na">selector</span><span class="p">:</span> <span class="p">{</span> <span class="na">matchLabels</span><span class="p">:</span> <span class="p">{</span> <span class="na">app</span><span class="p">:</span> <span class="dl">"</span><span class="s2">my-app</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="nx">k8sProvider</span> <span class="p">});</span> <span class="c1">// Resource limits to prevent waste</span> <span class="c1">// Because unlimited resources are like unlimited breadsticks - sounds great, ends badly</span> <span class="kd">const</span> <span class="nx">deployment</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">k8s</span><span class="p">.</span><span class="nx">apps</span><span class="p">.</span><span class="nx">v1</span><span class="p">.</span><span class="nc">Deployment</span><span class="p">(</span><span class="dl">"</span><span class="s2">app</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">spec</span><span class="p">:</span> <span class="p">{</span> <span class="na">template</span><span class="p">:</span> <span class="p">{</span> <span class="na">spec</span><span class="p">:</span> <span class="p">{</span> <span class="na">containers</span><span class="p">:</span> <span class="p">[{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">app</span><span class="dl">"</span><span class="p">,</span> <span class="na">resources</span><span class="p">:</span> <span class="p">{</span> <span class="na">requests</span><span class="p">:</span> <span class="p">{</span> <span class="na">cpu</span><span class="p">:</span> <span class="dl">"</span><span class="s2">100m</span><span class="dl">"</span><span class="p">,</span> <span class="na">memory</span><span class="p">:</span> <span class="dl">"</span><span class="s2">128Mi</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// The minimum</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">cpu</span><span class="p">:</span> <span class="dl">"</span><span class="s2">500m</span><span class="dl">"</span><span class="p">,</span> <span class="na">memory</span><span class="p">:</span> <span class="dl">"</span><span class="s2">512Mi</span><span class="dl">"</span> <span class="p">}</span> <span class="c1">// The maximum</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="nx">k8sProvider</span> <span class="p">});</span> </code></pre> </div> <h2> Step 6: CI/CD Pipeline </h2> <h3> GitHub Actions Workflow </h3> <p><em>"CI/CD is like having a personal assistant who never calls in sick and doesn't need coffee breaks."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci-cd.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Kubernetes Infrastructure CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20.11.0'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Security scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm audit</span> <span class="na">preview</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20.11.0'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Pulumi</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pulumi/setup-pulumi@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Preview changes</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pulumi preview --stack dev</span> <span class="na">deploy-dev</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">preview</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/develop'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20.11.0'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to dev</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">export PULUMI_CONFIG_PASSPHRASE=${{ secrets.PULUMI_CONFIG_PASSPHRASE }}</span> <span class="s">pulumi up --yes --stack dev</span> </code></pre> </div> <h2> Step 7: Deployment and Testing </h2> <h3> Deploy the Infrastructure </h3> <p><em>"Deployment is like cooking - you can follow the recipe perfectly, but you still need to taste it to make sure it's good."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set up environment</span> <span class="nb">export </span><span class="nv">PULUMI_CONFIG_PASSPHRASE</span><span class="o">=</span><span class="s1">'your-secure-passphrase'</span> <span class="c"># Deploy infrastructure</span> pulumi up <span class="nt">--yes</span> <span class="c"># Configure kubectl</span> aws eks update-kubeconfig <span class="nt">--name</span> <span class="si">$(</span>pulumi stack output clusterName<span class="si">)</span> <span class="nt">--region</span> us-east-1 <span class="c"># Verify deployment</span> kubectl get nodes kubectl get pods <span class="nt">--all-namespaces</span> </code></pre> </div> <h3> Run Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Unit tests</span> npm <span class="nb">test</span> <span class="c"># Integration tests</span> npm run <span class="nb">test</span>:integration <span class="c"># Security tests</span> npm run <span class="nb">test</span>:security </code></pre> </div> <p><em>Testing is like proofreading your text messages before sending them - it might seem unnecessary, but it saves you from a lot of embarrassment.</em></p> <h2> Step 8: Production Considerations </h2> <h3> Security Hardening </h3> <ol> <li> <strong>Network Policies</strong>: Implement strict network policies (because trust no one)</li> <li> <strong>RBAC</strong>: Configure proper role-based access control (not everyone needs admin access)</li> <li> <strong>Pod Security Standards</strong>: Enable pod security admission (because pods can be sneaky)</li> <li> <strong>Secrets Management</strong>: Use AWS Secrets Manager (because hardcoding secrets is like writing your password on a billboard)</li> </ol> <h3> Monitoring and Alerting </h3> <ol> <li> <strong>Custom Metrics</strong>: Implement application-specific metrics (because generic metrics are like generic compliments - nice but not meaningful)</li> <li> <strong>Log Aggregation</strong>: Centralize logs with CloudWatch (because logs are like receipts - boring but important)</li> <li> <strong>Alert Escalation</strong>: Set up proper alert routing (because waking up the wrong person at 3 AM is bad for business)</li> <li> <strong>Dashboard Access</strong>: Provide team access to monitoring (because knowledge is power, and power is responsibility)</li> </ol> <h3> Backup and Disaster Recovery </h3> <ol> <li> <strong>ETCD Backups</strong>: Regular cluster state backups (because hope is not a strategy)</li> <li> <strong>Application Data</strong>: Persistent volume backups (because data is like money - you don't realize how much you have until you lose it)</li> <li> <strong>Multi-Region</strong>: Consider cross-region deployment (because putting all your eggs in one region is like putting all your money in one stock)</li> <li> <strong>Recovery Testing</strong>: Regular disaster recovery drills (because practice makes perfect, and perfect is expensive)</li> </ol> <h2> Cost Analysis and Optimization </h2> <h3> Monthly Cost Breakdown (Dev Environment) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Cost (USD)</th> </tr> </thead> <tbody> <tr> <td>EKS Control Plane</td> <td>$0.10/hour = $73/month</td> </tr> <tr> <td>Worker Nodes (3x t3.small Spot)</td> <td>~$45/month</td> </tr> <tr> <td>NAT Gateway</td> <td>$0.045/hour = $32/month</td> </tr> <tr> <td>CloudWatch Logs</td> <td>~$10/month</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$160/month</strong></td> </tr> </tbody> </table></div> <p><em>That's about the same as a Netflix subscription, but instead of watching movies, you're watching your infrastructure not break.</em></p> <h3> Production Cost Optimization </h3> <ul> <li> <strong>Reserved Instances</strong>: 1-3 year commitments for 30-60% savings (like buying in bulk at Costco)</li> <li> <strong>Spot Instances</strong>: Up to 90% savings on worker nodes (the budget-friendly option)</li> <li> <strong>Auto Scaling</strong>: Scale down during off-hours (because servers don't need to work overtime)</li> <li> <strong>Resource Limits</strong>: Prevent resource waste (because unlimited anything is usually a bad idea)</li> </ul> <h2> Best Practices and Lessons Learned </h2> <h3> Infrastructure as Code Benefits </h3> <ol> <li> <strong>Reproducibility</strong>: Identical environments every time (like having a recipe that actually works)</li> <li> <strong>Version Control</strong>: Track infrastructure changes (because "it was working yesterday" is not a debugging strategy)</li> <li> <strong>Collaboration</strong>: Team can review and contribute (because two heads are better than one, unless they're arguing)</li> <li> <strong>Testing</strong>: Validate changes before deployment (because testing in production is like learning to swim in the deep end)</li> </ol> <h3> Security First Approach </h3> <ol> <li> <strong>Least Privilege</strong>: Minimal required permissions (because giving everyone admin access is like giving everyone keys to your house)</li> <li> <strong>Network Segmentation</strong>: Private subnets for workers (because not everything needs to be on the internet)</li> <li> <strong>Audit Logging</strong>: Complete activity tracking (because if you're not logging it, it didn't happen)</li> <li> <strong>Threat Detection</strong>: Automated security monitoring (because security through obscurity is like hiding your keys under the doormat)</li> </ol> <h3> Operational Excellence </h3> <ol> <li> <strong>Monitoring</strong>: Comprehensive observability (because you can't fix what you can't see)</li> <li> <strong>Alerting</strong>: Proactive issue detection (because being reactive is expensive)</li> <li> <strong>Documentation</strong>: Clear runbooks and procedures (because tribal knowledge is like a game of telephone)</li> <li> <strong>Automation</strong>: Reduce manual operations (because humans are great at creativity, not repetition)</li> </ol> <h2> Conclusion </h2> <p>Building a production-ready Kubernetes infrastructure doesn't have to be overwhelming. By using Pulumi with TypeScript, we've created a solution that is:</p> <ul> <li> <strong>Cost-effective</strong> with Spot instances and optimization (because money doesn't grow on trees)</li> <li> <strong>Secure</strong> with multi-layer protection (because paranoia is just good planning)</li> <li> <strong>Observable</strong> with comprehensive monitoring (because ignorance is not bliss when it comes to infrastructure)</li> <li> <strong>Automated</strong> with CI/CD pipelines (because manual deployments are so 2010)</li> <li> <strong>Maintainable</strong> with modular architecture (because technical debt is like credit card debt - it compounds)</li> </ul> <p>This infrastructure can scale from development to production while maintaining security, cost efficiency, and operational excellence. The modular approach makes it easy to customize for your specific needs while following AWS and Kubernetes best practices.</p> <h3> Next Steps </h3> <ol> <li> <strong>Customize</strong> the configuration for your specific requirements (because one size doesn't fit all)</li> <li> <strong>Test</strong> thoroughly in a staging environment (because staging is like a dress rehearsal - it's not the real thing, but it's close enough)</li> <li> <strong>Monitor</strong> costs and performance closely (because what gets measured gets managed)</li> <li> <strong>Iterate</strong> based on real-world usage patterns (because the best plan is the one that adapts)</li> </ol> <p>Remember, infrastructure is never "done" - it's a continuous journey of improvement and optimization. Start with this foundation and build upon it as your needs evolve. Because in the world of infrastructure, the only constant is change, and the only certainty is that something will break when you least expect it.</p> <p><em>Ready to build your own production-ready Kubernetes infrastructure? The complete code and documentation are available in the <a href="https://github.com/kojoluh/kubernetes-pulumi-typescript-aws-infra" rel="noopener noreferrer">GitHub repository</a>.</em></p> <p><em>And remember: "The best time to plant a tree was 20 years ago. The second best time is now." The same applies to infrastructure - the best time to set up proper infrastructure was yesterday, but today is a close second.</em></p> <p><strong>Resources:</strong></p> <ul> <li><a href="https://www.pulumi.com/docs/" rel="noopener noreferrer">Pulumi Documentation</a></li> <li><a href="https://www.pulumi.com/registry/packages/awsx/" rel="noopener noreferrer">Pulumi Crosswalk for AWS - AWSx</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/best-practices.html" rel="noopener noreferrer">AWS EKS Best Practices</a></li> <li><a href="https://kubernetes.io/docs/concepts/security/" rel="noopener noreferrer">Kubernetes Security</a></li> <li><a href="https://docs.aws.amazon.com/cloudwatch/" rel="noopener noreferrer">CloudWatch Monitoring</a></li> </ul> <p><em>"Infrastructure as Code is like having a backup plan for your backup plan. It's not paranoia if they're really out to get your servers."</em> </p> aws kubernetes pulumichallenge typescript Exploring Port Scanning with the "net" Package in Go Foster Kojo Luh Sun, 03 Mar 2024 15:41:24 +0000 https://forem.com/kojoluh/exploring-port-scanning-with-the-net-package-in-go-2n0n https://forem.com/kojoluh/exploring-port-scanning-with-the-net-package-in-go-2n0n <h2> Table of Content: </h2> <ul> <li>Introduction</li> <li>Understanding the "net" Package</li> <li>TCP Port Scanning</li> <li>UDP Port Scanning</li> <li>Enhancing Security and Understanding Port States</li> <li>Conclusion</li> </ul> <p><strong>Introduction</strong></p> <p>Port scanning is a crucial aspect of network security analysis, allowing us to discover open ports on a target system. In this technical blog, we will delve into using the "net" package in Go to perform port scanning on both TCP and UDP protocols. Leveraging the powerful capabilities of Go, we can create efficient and customizable port scanning tools for various network security tasks.</p> <p><strong>Understanding the "net" Package</strong></p> <p>The "net" package in Go provides a rich set of functionalities for network-related operations, including socket programming, TCP/IP communication, and low-level networking tasks. With its comprehensive features, we can easily create network applications and tools, including port scanners.</p> <p><strong>TCP Port Scanning</strong></p> <p>TCP (Transmission Control Protocol) is a connection-oriented protocol widely used for reliable data transmission over networks. Port scanning on TCP ports involves attempting to establish a connection with each port to determine its status (open, closed, or filtered). Let's take a look at how we can perform TCP port scanning using the "net" package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>package main import ( "fmt" "net" ) func main() { target := "test.com" // use "localhost" for testing ports := []string{"80", "443", "8080", "3306", "5432", "1433", "1434"} // List of TCP ports to scan notable for http and db protocol := "tcp" for _, port := range ports { address := fmt.Sprintf("%s:%s", target, port) conn, err := net.Dial(protocol, address) // could also use the net.DialTimeout to timeout e.g. net.DialTimeout(protocol, address, 60*time.Second) to timeout 60 seconds if err != nil { fmt.Printf("Port %s is closed\n", port) continue } defer conn.Close() fmt.Printf("Port %s is open\n", port) } } </code></pre> </div> <p>In the code snippet above, we iterate through a list of TCP ports and attempt to establish a connection using net.Dial() function. One could also use the <code>net.DialTimeout</code> to timeout e.g. <code>net.DialTimeout(protocol, address, 60*time.Second)</code>. If the connection is successful, the port is considered open; otherwise, it is closed.</p> <p><strong>UDP Port Scanning</strong></p> <p>UDP (User Datagram Protocol) is a connectionless protocol used for lightweight communication where reliability is not critical. UDP port scanning involves sending UDP packets to each port and analyzing the responses (if any). Unlike TCP, UDP scanning does not establish a connection but rather sends packets and waits for a response. Let's see how we can perform UDP port scanning in Go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>package main import ( "fmt" "net" ) func main() { target := "test.com" ports := []string{"53", "123", "222"} // List of UDP ports to scan protocol := "udp" for _, port := range ports { address := fmt.Sprintf("%s:%s", target, port) conn, err := net.Dial(protocol, address) if err != nil { fmt.Printf("Port %s is closed\n", port) continue } defer conn.Close() fmt.Printf("Port %s is open\n", port) } } </code></pre> </div> <p>In this code snippet, we attempt to establish a UDP connection using net.Dial() function. However, UDP being connectionless, the success of the connection establishment does not necessarily indicate an open port. Therefore, in UDP scanning, we typically analyze the response (if any) to determine the port status.</p> <p><strong>Enhancing Security and Understanding Port States</strong></p> <p>Port scanning is not only about identifying open ports but also understanding the security implications associated with them. Here are some improvements and considerations to enhance the effectiveness and security of port scanning:</p> <p><strong>Comprehensive Port Scanning:</strong> While scanning well-known ports (such as HTTP, HTTPS, SSH) is essential, it's equally important to conduct broad or wide scanning of ports to uncover any hidden vulnerabilities. Attackers often exploit lesser-known ports to gain unauthorized access or launch attacks. Therefore, consider expanding your port scanning range to cover a wider spectrum of ports.</p> <p><strong>Understanding Port States:</strong> Ports can be in various states, including open, closed, or filtered. An open port signifies a service actively listening for connections, potentially indicating an accessible entry point for attackers. Closed ports, on the other hand, may indicate that no service is listening on that port, but it doesn't necessarily mean it's secure. Filtered ports indicate that a firewall or other network filtering mechanism is in place, possibly to restrict access intentionally. Understanding these states helps in assessing the security posture of the target system accurately.</p> <p><strong>Reasons for Open Ports:</strong> It's crucial to understand why certain ports are open on a system. Ports may be open for legitimate reasons such as running essential services like web servers, email servers, or database servers. However, sometimes open ports could be due to misconfigurations, outdated software, or unintentional exposure, posing security risks. Conducting port scanning helps in identifying such instances and taking necessary remedial actions to mitigate potential threats.</p> <p><strong>Security Implications:</strong> Open ports pose significant security implications, as they represent potential entry points for attackers. Therefore, it's essential to regularly scan and audit ports to detect any unauthorized access or vulnerabilities. Additionally, understanding the services running on open ports helps in assessing their security posture and applying appropriate security measures such as access controls, encryption, and patch management.</p> <p><strong>Utilizing Secure Communication Protocols:</strong> When performing port scanning, ensure that you're using secure communication protocols to avoid interception or tampering of sensitive information. For example, use HTTPS for web-based communication and SSH for secure shell access. Additionally, consider implementing encryption and authentication mechanisms to protect the integrity and confidentiality of port scanning activities.</p> <p>By incorporating these improvements and considerations into your port scanning practices, you can enhance both the security and effectiveness of your network reconnaissance efforts. Remember that port scanning should always be conducted responsibly and in compliance with applicable laws and regulations to avoid any unintended consequences or legal implications.</p> <p><strong>Conclusion</strong></p> <p>The "net" package in Go provides a powerful framework for performing port scanning on both TCP and UDP protocols. By leveraging its functionalities, we can create efficient and customizable port scanning tools tailored to our specific network security requirements. Whether for vulnerability assessment, penetration testing, or network monitoring, Go offers a robust solution for conducting comprehensive port scans.</p> <p>The code snippets can be found on this <a href="https://github.com/kojoluh/go-projects/tree/master/P15PortScanning">github repo</a>. For more examples and snippets into use of Go and various aspects such as goroutines, channels, api development with go, etc, please checkout my <a href="https://github.com/kojoluh/go-projects">github</a> repos here.</p> <p>Connect with me on:</p> <p><a href="https://www.linkedin.com/in/foster-kojo-luh-21785984">Linkedin</a><br> <a href="https://github.com/kojoluh">Github</a><br> <a href="https://twitter.com/kojoluh">Twitter</a></p> go netsecurity portscan security